Highly Sensitive Password Accessed

Back


Id	b39e6482-ab7e-4817-813d-ec910b64b26e
Rulename	Highly Sensitive Password Accessed
Description	This rule will monitor access to highly sensitive passwords. Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application). When an activity is observed against such password, an incident is created.
Severity	Medium
Tactics	CredentialAccess Discovery
Techniques	T1555 T1087
Required data connectors	LastPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version	1.0.0
Arm template	b39e6482-ab7e-4817-813d-ec910b64b26e.json

KQL

let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

YAML

entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
tactics:
- CredentialAccess
- Discovery
triggerOperator: gt
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
relevantTechniques:
- T1555
- T1087
version: 1.0.0
id: b39e6482-ab7e-4817-813d-ec910b64b26e
kind: Scheduled
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
severity: Medium
name: Highly Sensitive Password Accessed
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b39e6482-ab7e-4817-813d-ec910b64b26e')]",
      "properties": {
        "alertRuleTemplateName": "b39e6482-ab7e-4817-813d-ec910b64b26e",
        "customDetails": null,
        "description": "'This rule will monitor access to highly sensitive passwords.\nWithin the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).\nWhen an activity is observed against such password, an incident is created.'\n",
        "displayName": "Highly Sensitive Password Accessed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml",
        "query": "let watchlist = (_GetWatchlist(\"LastPass\") | project name);\nLastPassNativePoller_CL\n| where Data_s in (watchlist)\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1087",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}