Highly Sensitive Password Accessed

Back


Id	b39e6482-ab7e-4817-813d-ec910b64b26e
Rulename	Highly Sensitive Password Accessed
Description	This rule will monitor access to highly sensitive passwords. Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application). When an activity is observed against such password, an incident is created.
Severity	Medium
Tactics	CredentialAccess Discovery
Techniques	T1555 T1087
Required data connectors	LastPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version	1.0.0
Arm template	b39e6482-ab7e-4817-813d-ec910b64b26e.json

KQL

let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

YAML

id: b39e6482-ab7e-4817-813d-ec910b64b26e
tactics:
- CredentialAccess
- Discovery
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: Highly Sensitive Password Accessed
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1555
- T1087
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
status: Available
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "properties": {
        "alertRuleTemplateName": "b39e6482-ab7e-4817-813d-ec910b64b26e",
        "customDetails": null,
        "description": "'This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created.'\n",
        "displayName": "Highly Sensitive Password Accessed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml",
        "query": "let watchlist = (_GetWatchlist(\"LastPass\") | project name);\nLastPassNativePoller_CL\n| where Data_s in (watchlist)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1087",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}