Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Highly Sensitive Password Accessed

Highly Sensitive Password Accessed

Back
Idb39e6482-ab7e-4817-813d-ec910b64b26e
RulenameHighly Sensitive Password Accessed
DescriptionThis rule will monitor access to highly sensitive passwords.

Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application).

When an activity is observed against such password, an incident is created.
SeverityMedium
TacticsCredentialAccess
Discovery
TechniquesT1555
T1087
Required data connectorsLastPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version1.0.0
Arm templateb39e6482-ab7e-4817-813d-ec910b64b26e.json
Deploy To Azure
let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

id: b39e6482-ab7e-4817-813d-ec910b64b26e
queryFrequency: 1h
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Highly Sensitive Password Accessed
kind: Scheduled
version: 1.0.0
queryPeriod: 1h
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
  entityType: URL
requiredDataConnectors:
- dataTypes:
  - LastPassNativePoller_CL
  connectorId: LastPass
tactics:
- CredentialAccess
- Discovery
triggerThreshold: 0
severity: Medium
status: Available
triggerOperator: gt
relevantTechniques:
- T1555
- T1087