Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Highly Sensitive Password Accessed

Highly Sensitive Password Accessed

Back
Idb39e6482-ab7e-4817-813d-ec910b64b26e
RulenameHighly Sensitive Password Accessed
DescriptionThis rule will monitor access to highly sensitive passwords.

Within the Watchlist called ‘LastPass’ define passwords which are deemed highly sensitive (such as password to a high privileged application).

When an activity is observed against such password, an incident is created.
SeverityMedium
TacticsCredentialAccess
Discovery
TechniquesT1555
T1087
Required data connectorsLastPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml
Version1.0.0
Arm templateb39e6482-ab7e-4817-813d-ec910b64b26e.json
Deploy To Azure
let watchlist = (_GetWatchlist("LastPass") | project name);
LastPassNativePoller_CL
| where Data_s in (watchlist)
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s

kind: Scheduled
triggerThreshold: 0
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
query: |
  let watchlist = (_GetWatchlist("LastPass") | project name);
  LastPassNativePoller_CL
  | where Data_s in (watchlist)
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s  
status: Available
tactics:
- CredentialAccess
- Discovery
queryFrequency: 1h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: URLCustomEntity
    identifier: Url
id: b39e6482-ab7e-4817-813d-ec910b64b26e
requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
name: Highly Sensitive Password Accessed
severity: Medium
relevantTechniques:
- T1555
- T1087
description: |
  'This rule will monitor access to highly sensitive passwords.
  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
  When an activity is observed against such password, an incident is created.'  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml