Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Highly Sensitive Password Accessed

Back
Idb39e6482-ab7e-4817-813d-ec910b64b26e
RulenameHighly Sensitive Password Accessed
DescriptionThis rule will monitor access to highly sensitive passwords.

Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application).

When an activity is observed against such password, an incident is created.
SeverityMedium
TacticsCredentialAccess
Discovery
TechniquesT1555
T1087
Required data connectorsLastPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version1.0.0
Arm templateb39e6482-ab7e-4817-813d-ec910b64b26e.json
Deploy To Azure
let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s
name: Highly Sensitive Password Accessed
version: 1.0.0
severity: Medium
queryFrequency: 1h
triggerOperator: gt
relevantTechniques:
- T1555
- T1087
status: Available
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
  entityType: URL
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 1h
tactics:
- CredentialAccess
- Discovery
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
kind: Scheduled
triggerThreshold: 0
id: b39e6482-ab7e-4817-813d-ec910b64b26e
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "properties": {
        "alertRuleTemplateName": "b39e6482-ab7e-4817-813d-ec910b64b26e",
        "customDetails": null,
        "description": "'This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created.'\n",
        "displayName": "Highly Sensitive Password Accessed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml",
        "query": "let watchlist = (_GetWatchlist(\"LastPass\") | project name);\nLastPassNativePoller_CL\n| where Data_s in (watchlist)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1087",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}