Keeper Security - Password Changed

Back


Id	f031fbbc-37d8-4667-b795-d386bf2b5ab2
Rulename	Keeper Security - Password Changed
Description	Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel
Severity	Informational
Tactics	Persistence
Techniques	T1556
Required data connectors	KeeperSecurityPush2
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml
Version	1.0.3
Arm template	f031fbbc-37d8-4667-b795-d386bf2b5ab2.json

KQL

KeeperSecurityEventNewLogs_CL
| where AuditEvent == "change_master_password"

YAML

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Username
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: RemoteAddress
tactics:
- Persistence
suppressionEnabled: false
suppressionDuration: PT5H
requiredDataConnectors:
- dataTypes:
  - KeeperSecurityEventNewLogs_CL
  connectorId: KeeperSecurityPush2
alertDetailsOverride:
  alertDisplayNameFormat: '{{AuditEvent}} on {{RemoteAddress}}'
  alertDescriptionFormat: '{{AuditEvent}} has been captured in the Keeper Security Event Logs'
id: f031fbbc-37d8-4667-b795-d386bf2b5ab2
severity: Informational
status: Available
query: |
  KeeperSecurityEventNewLogs_CL
  | where AuditEvent == "change_master_password"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Keeper Security/Analytic Rules/Keeper Security - Alternate Master Password.yaml
kind: NRT
version: 1.0.3
name: Keeper Security - Password Changed
description: |
    'Creates an informational incident based on Keeper Security Password Changed data in Microsoft Sentinel'
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1556
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true

ARM