Microsoft Sentinel Analytic Rules

Highly Sensitive Password Accessed

Id: b39e6482-ab7e-4817-813d-ec910b64b26e
Rulename: Highly Sensitive Password Accessed
Description: This rule will monitor access to highly sensitive passwords. Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application). When an activity is observed against such password, an incident is created.
Severity: Medium
Tactics: CredentialAccess, Discovery
Techniques: T1555, T1087
Required data connectors: LastPass
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version: 1.0.0
Arm template: b39e6482-ab7e-4817-813d-ec910b64b26e.json

let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
kind: Scheduled
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Medium
triggerOperator: gt
triggerThreshold: 0
name: Highly Sensitive Password Accessed
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
  entityType: URL
requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
id: b39e6482-ab7e-4817-813d-ec910b64b26e
queryPeriod: 1h
relevantTechniques:
- T1555
- T1087
tactics:
- CredentialAccess
- Discovery
version: 1.0.0
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s