Highly Sensitive Password Accessed

Back


Id	b39e6482-ab7e-4817-813d-ec910b64b26e
Rulename	Highly Sensitive Password Accessed
Description	This rule will monitor access to highly sensitive passwords. Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application). When an activity is observed against such password, an incident is created.
Severity	Medium
Tactics	CredentialAccess Discovery
Techniques	T1555 T1087
Required data connectors	LastPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version	1.0.0
Arm template	b39e6482-ab7e-4817-813d-ec910b64b26e.json

KQL

let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

YAML

query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- CredentialAccess
- Discovery
id: b39e6482-ab7e-4817-813d-ec910b64b26e
triggerThreshold: 0
version: 1.0.0
status: Available
queryFrequency: 1h
kind: Scheduled
severity: Medium
relevantTechniques:
- T1555
- T1087
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - LastPassNativePoller_CL
  connectorId: LastPass
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
name: Highly Sensitive Password Accessed
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "properties": {
        "alertRuleTemplateName": "b39e6482-ab7e-4817-813d-ec910b64b26e",
        "customDetails": null,
        "description": "'This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created.'\n",
        "displayName": "Highly Sensitive Password Accessed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml",
        "query": "let watchlist = (_GetWatchlist(\"LastPass\") | project name);\nLastPassNativePoller_CL\n| where Data_s in (watchlist)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1087",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}