Keeper Security - Password Changed

Back


Id	f031fbbc-37d8-4667-b795-d386bf2b5ab2
Rulename	Keeper Security - Password Changed
Description	Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel
Severity	Informational
Tactics	Persistence
Techniques	T1556
Required data connectors	KeeperSecurityPush2
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml
Version	1.0.3
Arm template	f031fbbc-37d8-4667-b795-d386bf2b5ab2.json

KQL

KeeperSecurityEventNewLogs_CL
| where AuditEvent == "change_master_password"

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml
suppressionEnabled: false
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
tactics:
- Persistence
kind: NRT
name: Keeper Security - Password Changed
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - columnName: Username
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: RemoteAddress
    identifier: Address
  entityType: IP
alertDetailsOverride:
  alertDescriptionFormat: '{{AuditEvent}} has been captured in the Keeper Security Event Logs'
  alertDisplayNameFormat: '{{AuditEvent}} on {{RemoteAddress}}'
version: 1.0.3
description: |
    'Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel'
severity: Informational
requiredDataConnectors:
- connectorId: KeeperSecurityPush2
  dataTypes:
  - KeeperSecurityEventNewLogs_CL
suppressionDuration: PT5H
query: |
  KeeperSecurityEventNewLogs_CL
  | where AuditEvent == "change_master_password"  
relevantTechniques:
- T1556
id: f031fbbc-37d8-4667-b795-d386bf2b5ab2
status: Available

ARM