Highly Sensitive Password Accessed

Back


Id	b39e6482-ab7e-4817-813d-ec910b64b26e
Rulename	Highly Sensitive Password Accessed
Description	This rule will monitor access to highly sensitive passwords. Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application). When an activity is observed against such password, an incident is created.
Severity	Medium
Tactics	CredentialAccess Discovery
Techniques	T1555 T1087
Required data connectors	LastPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version	1.0.0
Arm template	b39e6482-ab7e-4817-813d-ec910b64b26e.json

KQL

let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

YAML

relevantTechniques:
- T1555
- T1087
requiredDataConnectors:
- dataTypes:
  - LastPassNativePoller_CL
  connectorId: LastPass
triggerThreshold: 0
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: b39e6482-ab7e-4817-813d-ec910b64b26e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
status: Available
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
  entityType: URL
tactics:
- CredentialAccess
- Discovery
severity: Medium
name: Highly Sensitive Password Accessed
triggerOperator: gt
kind: Scheduled
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "properties": {
        "alertRuleTemplateName": "b39e6482-ab7e-4817-813d-ec910b64b26e",
        "customDetails": null,
        "description": "'This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created.'\n",
        "displayName": "Highly Sensitive Password Accessed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml",
        "query": "let watchlist = (_GetWatchlist(\"LastPass\") | project name);\nLastPassNativePoller_CL\n| where Data_s in (watchlist)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1087",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}