Merge pull request #3673 from ThijsLecomte/master

create LastPass Solution

.script/tests/KqlvalidationsTests/CustomTables/LastPass_BYOC_CL.json

@@ -0,0 +1,53 @@
+{
+   "Name":"LastPass_BYOC_CL",
+   "Properties":[
+      {
+         "Name":"MG",
+         "Type":"String"
+      },
+      {
+         "Name":"ManagementGroupName",
+         "Type":"String"
+      },
+      {
+         "Name":"TimeGenerated",
+         "Type":"DateTime"
+      },
+      {
+         "Name":"Computer",
+         "Type":"String"
+      },
+      {
+         "Name":"RawData",
+         "Type":"String"
+      },
+      {
+         "Name":"Time_s",
+         "Type":"String"
+      },
+      {
+         "Name":"Username_s",
+         "Type":"String"
+      },
+      {
+         "Name":"IP_Address_s",
+         "Type":"String"
+      },
+      {
+         "Name":"Action_s",
+         "Type":"String"
+      },
+      {
+         "Name":"Data_s",
+         "Type":"String"
+      },
+      {
+         "Name":"Type",
+         "Type":"String"
+      },
+      {
+         "Name":"_ResourceId",
+         "Type":"String"
+      }
+   ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -70,6 +70,7 @@
   "InfobloxNIOS",
   "IoT",
   "JuniperSRX",
+  "LastPass",
   "LookoutAPI",
   "McAfeeePO",
   "MicrosoftAzurePurview",

Logos/LastPass.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="120" height="60"><path d="m20.1 36.9.4-.1h2.2l.2.5v11.1c0 .6.1 1 .4 1.3s.8.4 1.3.4h4.2l.5.1.2.4.2 1.6v.3l-.5.2h-5c-.9 0-1.5-.1-2-.3-.6-.3-1-.6-1.4-1s-.5-.8-.6-1.4c-.2-.5-.2-1-.2-1.6V37.3l.1-.4z"/><path d="M80 51.4c0 .4-.1.6-.4.7a5 5 0 0 1-1 .4l-1.2.3h-1.2l-1 .1c-1 0-1.9 0-2.5-.3-.6-.2-1.1-.5-1.5-.8a2.8 2.8 0 0 1-.8-1.2c-.2-.4-.2-.9-.2-1.4l.2-1.5.8-1.3c.4-.4 1-.6 1.5-.9s1.4-.3 2.3-.3h2.4V44a1.3 1.3 0 0 0-.4-.6l-.7-.4-1.1-.2a5.7 5.7 0 0 0-1.6.3h-.3L73 43l-.3-1.3c0-.2 0-.4.2-.5a9 9 0 0 1 2.6-.4c1.5 0 2.6.3 3.4 1s1 1.7 1 3zm-2.6-4.2h-3c-.2 0-.5.1-.7.3l-.7.5c-.2.2-.2.6-.2 1 0 .7.2 1.1.6 1.4.5.2 1 .4 1.7.4h1.1l.6-.2a2 2 0 0 0 .6-.2v-3.2z" fill="#d32d27"/><path d="M50.1 49.2c0 .6 0 1-.3 1.5s-.5.8-.9 1.1l-1.4.7c-.6.2-1 .2-1.7.2h-1.1c-.4 0-.8 0-1.2-.2a7 7 0 0 1-1.2-.2l-1-.5c-.3-.1-.3-.3-.2-.5l.5-1.2a.6.6 0 0 1 .2-.3h.4c.5.3 1.1.5 1.7.6l1.8.2c.6 0 1-.1 1.4-.4s.4-.5.4-1c0-.3-.2-.7-.6-1s-1-.4-1.8-.7l-1.6-.7a5 5 0 0 1-1.2-.7 2.6 2.6 0 0 1-.7-.9l-.2-1.1c0-.5 0-1 .2-1.3.2-.4.5-.8.8-1l1.3-.8c.5-.2 1.1-.3 1.8-.3a12.3 12.3 0 0 1 1.9.1l1.8.5.2.2a.6.6 0 0 1 0 .3l-.5 1.3-.1.2h-.3a7.9 7.9 0 0 0-2.9-.5c-.5 0-1 .1-1.2.3s-.4.5-.4.8c0 .2 0 .4.2.5a1.3 1.3 0 0 0 .4.4 4.6 4.6 0 0 0 .7.4 16.2 16.2 0 0 0 1 .4l1.4.6c.5.2.9.4 1.2.7a3.6 3.6 0 0 1 .9 1c.2.3.4.8.4 1.3m8.2 3.2a6.4 6.4 0 0 1-1.5.3h-1.2c-1.2 0-2-.2-2.5-.7-.5-.6-.8-1.4-.8-2.4v-6.4h-1.8l-.1-.3.4-1.2.2-.3h1.3v-2.2c0-.3.2-.4.3-.4l.3-.2 1.6-.5h.3a.4.4 0 0 1 .1.4v2.8h2.2l.3.1V43a.6.6 0 0 1 0 .3H55v6c0 .5.1.8.4 1s.5.3 1 .3h.8l.4-.1c.1-.1.3 0 .4 0h.3v.1l.3 1.5v.2c0 .1 0 .2-.2.2z"/><path d="m63.5 52.4-.1.4-.6.1H61l-.1-.5v-14a3.6 3.6 0 0 1 0-.6c0-.2 0-.3.2-.4.1-.2.3-.3.5-.3h4.9a5.9 5.9 0 0 1 2 .4c.7.2 1.3.6 1.8 1s.8 1 1 1.6.4 1.3.4 2c0 .5 0 1-.2 1.6a4.5 4.5 0 0 1-2.4 3c-.8.5-1.7.7-2.9.7h-2.7v5zm5.7-11-.5-.8a2.8 2.8 0 0 0-.9-.7l-1.4-.2h-2.7v5.2h2.8c1 0 1.7-.2 2.1-.7s.7-1.1.7-1.9l-.1-.8zM89.8 51c-.2.4-.5.8-.9 1-.4.4-.8.6-1.4.7l-1.7.3h-1.1l-1.2-.2a7 7 0 0 1-1.2-.3l-1-.4c-.3-.2-.3-.3-.2-.6l.5-1.2a.6.6 0 0 1 .2-.2h.4c.5.3 1.1.4 1.7.6l1.8.2c.6 0 1-.2 1.3-.4s.5-.6.5-1-.2-.7-.6-1-1-.5-1.8-.8l-1.6-.6a5 5 0 0 1-1.2-.7 2.6 2.6 0 0 1-.7-1l-.2-1c0-.5 0-1 .2-1.4s.5-.7.8-1 .8-.6 1.3-.8 1.1-.2 1.8-.2a12.3 12.3 0 0 1 1.9 0l1.8.6s.2 0 .2.2a.6.6 0 0 1 0 .3l-.5 1.3-.1.2h-.3L87 43a10 10 0 0 0-1.5 0c-.5 0-.9 0-1.2.3s-.3.5-.3.8v.5a1.3 1.3 0 0 0 .5.4 4.6 4.6 0 0 0 .7.4 16.2 16.2 0 0 0 1 .4l1.5.5 1.2.7a3.6 3.6 0 0 1 .8 1c.2.4.3.8.3 1.4.1.5 0 1-.2 1.5zm10.2-1.6c0 .6 0 1.1-.3 1.6s-.5.8-1 1c-.3.4-.8.6-1.3.7l-1.7.3h-1.2l-1.2-.2a7 7 0 0 1-1.1-.3l-1-.4c-.3-.2-.3-.3-.2-.6l.5-1.2a.6.6 0 0 1 .2-.2h.4c.5.3 1 .4 1.7.6l1.7.2c.7 0 1.1-.2 1.4-.4s.5-.6.5-1-.2-.7-.7-1l-1.7-.8-1.7-.6a5 5 0 0 1-1-.7 2.6 2.6 0 0 1-.8-.9l-.2-1.2c0-.4 0-.9.2-1.3l.8-1c.3-.3.8-.6 1.3-.7s1.1-.3 1.8-.3a12.3 12.3 0 0 1 1.9 0l1.8.6s.2 0 .2.2a.6.6 0 0 1 0 .3l-.5 1.3s0 .2-.2.2h-.2c-.6-.3-1.1-.4-1.6-.4a10 10 0 0 0-1.4-.1c-.5 0-1 0-1.2.3s-.3.5-.3.8v.5a1.3 1.3 0 0 0 .5.4 4.6 4.6 0 0 0 .7.4 16.2 16.2 0 0 0 1 .4l1.4.5c.5.2.9.4 1.2.7a3.6 3.6 0 0 1 .9 1c.3.3.4.8.4 1.3" fill="#d32d27"/><path d="M40 51.2c0 .4 0 .6-.3.8a5 5 0 0 1-1 .3l-1.2.3-1.2.1h-1.1c-1 0-1.8 0-2.5-.3-.6-.1-1.1-.4-1.5-.7-.4-.4-.6-.8-.8-1.2l-.2-1.5.3-1.5c.1-.5.4-1 .8-1.3.4-.3.9-.6 1.5-.8S34 45 35 45h2.5v-.4l-.1-.8-.4-.6-.6-.4-1.2-.2a10.1 10.1 0 0 0-3 .5h-.4l-.2-.2-.3-1.3c0-.2 0-.4.2-.5a16.3 16.3 0 0 1 4.1-.7c1.6 0 2.7.4 3.4 1.1s1 1.7 1 3zm-2.5-4.1h-3l-.8.2c-.3.1-.5.4-.6.6s-.3.6-.3 1c0 .7.3 1.1.7 1.4.4.2 1 .3 1.7.3h1l.7-.1a2 2 0 0 0 .6-.2V47z"/><g fill="#d32d27"><path d="M82.3 8.4a1.3 1.3 0 1 1 2.7 0V30a1.3 1.3 0 1 1-2.7 0z"/><g transform="matrix(.58642 0 0 .58642 35 15.2)"><circle r="7.8" cy="7.8" cx="7.8"/><circle r="7.8" cy="7.8" cx="33.8"/><circle r="7.8" cy="7.8" cx="59.8"/></g></g></svg>

Sample Data/Custom/LastPass_BYOC_CL.csv

@@ -0,0 +1,11 @@
+TenantId;SourceSystem;MG;ManagementGroupName;TimeGenerated [UTC];Computer;RawData;Time_s;Username_s;IP_Address_s;Action_s;Data_s;Type;_ResourceId
+72f988bf-86f1-41af-91ab-2d7cd011db47;RestAPI;;;9/28/2021, 5:20:00.412 PM;;;28/09/2021 17:14;user1@thecollective.eu;127.0.0.1;Log in;site1.com;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db48;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 11:48;user2@thecollective.eu;127.0.0.2;Log in;microsoftonline.com;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db49;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 11:31;user2@thecollective.eu;127.0.0.3;Log in;microsoftonline.com;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db50;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 11:05;user2@thecollective.eu;127.0.0.4;Log in;;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db51;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 10:44;user3@thecollective.eu;127.0.0.5;Log in;microsoftonline.com;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db52;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 10:33;user4@thecollective.eu;127.0.0.6;Log in;;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db53;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 10:17;user5@thecollective.eu;127.0.0.7;Log in;LastPass via Chrome v4.81.0;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db54;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 10:14;user1@thecollective.eu;127.0.0.8;Log in;site1.com;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db55;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 10:08;user4@thecollective.eu;127.0.0.9;Log in;techsmith.com;LastPass_Data_CL;
+72f988bf-86f1-41af-91ab-2d7cd011db56;RestAPI;;;9/28/2021, 12:20:55.037 PM;;;28/09/2021 9:43;user2@thecollective.eu;127.0.0.10;Log in;microsoftonline.com;LastPass_Data_CL;

Solutions/LastPass/Analytic Rules/EmployeeAccountDeleted.yaml

@@ -0,0 +1,35 @@
+id: 8a2cc466-342d-4ebb-8871-f9e1d83a24a5
+name: Employee account deleted
+description: |
+  'This rule will monitor for any employee accounts being deleted.
+  Deleting an employee account can have a big potential impact as all of the data for that user will be removed.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+tactics:
+  - Impact
+relevantTechniques:
+ - T1485
+query: |
+  LastPass_BYOC_CL
+  | where Action_s == "Employee Account Deleted" or Action_s == "Remove User From Company"
+  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/LastPass/Analytic Rules/FailedSigninDueToMFA.yaml

@@ -0,0 +1,42 @@
+id: 760b8467-e6cc-4006-9149-5696845c1a54
+name: Failed sign-ins into LastPass due to MFA
+description: |
+  'This rule will check if a sign-in failed into LastPass due to MFA.
+  An incident can indicate the potential brute forcing of a LastPass account. 
+  The use of MFA is identified by combining the sign-in logs, this rule assumes LastPass is federated to AAD.'
+severity: Low
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - SigninLogs
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+tactics:
+  - InitialAccess
+relevantTechniques:
+ - T1078
+ - T1190
+query: |
+  LastPass_BYOC_CL
+  | where Action_s == "Log in"
+  | join (SigninLogs | where AppDisplayName == "LastPass Enterprise") on $left.IP_Address_s == $right.IPAddress and $left.Username_s == $right.UserPrincipalName
+  | where ResultType in (50074, 50076)
+  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/LastPass/Analytic Rules/HighlySensitivePasswordAccessed.yaml

@@ -0,0 +1,45 @@
+id: b39e6482-ab7e-4817-813d-ec910b64b26e
+name: Highly Sensitive Password Accessed
+description: |
+  'This rule will monitor access to highly sensitive passwords.
+  Within the Watchlist called 'LastPass' define passwords which are deemed highly sensitive (such as password to a high privileged application).
+  When an activity is observed against such password, an incident is created.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+tactics:
+  - CredentialAccess
+  - Discovery
+relevantTechniques:
+ - T1078
+ - T1134
+ - T1555
+ - T1087
+query: |
+  let watchlist = (_GetWatchlist("LastPass") | project name);
+  LastPass_BYOC_CL
+  | where Data_s in (watchlist)
+  | extend timestamp = , AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/LastPass/Analytic Rules/TIMapIPEntityToLastPass.yaml

@@ -0,0 +1,61 @@
+id: 2a723664-22c2-4d3e-bbec-5843b90166f3
+name: TI map IP entity to LastPass data
+description: |
+  'Identifies a match in LastPass table from any IP IOC from TI'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+tactics:
+  - Impact
+relevantTechniques:
+ - T1485
+query: |
+    let dt_lookBack = 1h;
+    let ioc_lookBack = 14d;
+    ThreatIntelligenceIndicator
+    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
+    | where Active == true
+    // Picking up only IOC's that contain the entities we want
+    | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+    // As there is potentially more than 1 indicator type for matching IP, taking Network IP first, then others if that is empty.
+    // Taking the first non-empty value based on potential IOC match availability
+    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
+    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
+    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+    | join (
+        LastPass_BYOC_CL | where todatetime(Time_s) >= ago(dt_lookBack)
+        | where Action_s != "Reporting"
+        // renaming time column so it is clear the log this came from
+        | extend LastPass_TimeGenerated = todatetime(Time_s)
+    )
+    on $left.TI_ipEntity == $right.IP_Address_s
+    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+    | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, LastPass_TimeGenerated, 
+    TI_ipEntity, IP_Address_s, Username_s, Action_s, Data_s, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
+    | extend timestamp = LastPass_TimeGenerated, AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Url
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+  - entityType: URL
+    fieldMappings:
+      - identifier: Url
+        columnName: URLCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml

@@ -0,0 +1,44 @@
+id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
+name: Unusual Volume of Password Updated or Removed
+description: |
+  'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
+   The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'
+severity: Low
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+queryFrequency: 1d
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+tactics:
+  - Impact
+relevantTechniques:
+ - T1485
+query: |
+    let threshold = toscalar (LastPass_BYOC_CL
+    | where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
+    | where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
+    | summarize count() by Username_s, bin(todatetime(Time_s),1d)
+    | summarize avg(count_), stdev(count_)
+    | project threshold = avg_count_+stdev_count_*2);
+    LastPass_BYOC_CL
+    | where Username_s != "API"
+    | where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
+    | summarize count() by Username_s, IP_Address_s
+    | where count_ > ['threshold']
+    | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/LastPass/Data Connectors/LastPassAPIConnector.json

@@ -0,0 +1,123 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "workspace": {
+            "type": "string",
+            "defaultValue": ""
+        }
+    },
+    "resources": [
+        {
+            "id": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspace'),'/providers/Microsoft.SecurityInsights/dataConnectors/',guid(subscription().subscriptionId))]",
+            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',guid(subscription().subscriptionId))]",
+            "apiVersion": "2021-03-01-preview",
+            "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+            "kind": "APIPolling",
+            "properties": {
+                "connectorUiConfig": {
+                    "title": "LastPass Enterprise - Reporting",
+                    "publisher": "The Collective Consulting BV",
+                    "descriptionMarkdown": "The [LastPass Enterprise](https://www.lastpass.com/products/enterprise-password-management-and-sso) connector provides the capability to LastPass reporting (audit) logs into Azure Sentinel. The connector provides visibility into logins and activity within LastPass (such as reading and removing passwords).",
+                    "graphQueriesTableName": "LastPass_BYOC_CL",
+                    "graphQueries": [{
+                            "metricName": "Total data received",
+                            "legend": "LastPass Audit Events",
+                            "baseQuery": "{{graphQueriesTableName}}"
+                        }
+                    ],
+                    "sampleQueries": [{
+                            "description": "Password moved to shared folders",
+                            "query": "{{graphQueriesTableName}}\n | where Action_s == \"Move to Shared Folder\"\n | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s, TimestampCustomEntity = todatetime(Time_s) "
+                        }
+                    ],
+                    "dataTypes": [{
+                            "name": "{{graphQueriesTableName}}",
+                            "lastDataReceivedQuery": "{{graphQueriesTableName}}\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                        }
+                    ],
+                    "connectivityCriterias": [{
+                            "type": "SentinelKindsV2",
+                            "value": [
+                                "APIPolling"
+                            ]
+                        }
+                    ],
+                    "availability": {
+                        "status": 1,
+                        "isPreview": true
+                    },
+                    "permissions": {
+                        "resourceProvider": [{
+                                "provider": "Microsoft.OperationalInsights/workspaces",
+                                "permissionsDisplayText": "read and write permissions are required.",
+                                "providerDisplayName": "Workspace",
+                                "scope": "Workspace",
+                                "requiredPermissions": {
+                                    "action": true,
+                                    "write": true,
+                                    "read": true,
+                                    "delete": true
+                                }
+                            }
+                        ],
+                        "customs": [ {
+                                "name": "LastPass API Key",
+                                "description": "A LastPass API key is required. [See the documentation to learn more about LastPass API](https://support.logmeininc.com/lastpass/help/use-the-lastpass-provisioning-api-lp010068)."
+                            }
+                        ]
+                    },
+                    "instructionSteps": [
+                        {
+                            "title": "Connect LastPass Enterprise to Azure Sentinel",
+                            "description": "Provide the LastPass Provisioning API Key.",
+                            "instructions": [
+                                {
+                                    "parameters": {
+                                        "enable": "true"
+                                    },
+                                    "type": "APIKey"
+                                }
+                            ]
+                        }
+                    ]
+                },
+                "pollingConfig": 
+                    {
+                        "owner": "ASI",
+                        "version": "2.0",
+                        "source": "PaaS",
+                        "auth": {
+                            "authType": "APIKey",
+                            "APIKeyName": "provhash",
+                            "IsAPIKeyInPostPayload": true
+                        },
+                        "request": {
+                            "apiEndpoint": "https://lastpass.com/enterpriseapi.php",
+                            "rateLimitQPS": 2,
+                            "httpMethod": "Post",
+                            "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+                            "retryCount": 3,
+                            "queryWindowInMin": 10,
+                            "timeoutInSeconds": 120,
+                            "queryParametersTemplate": "{'cid': '12537091', 'cmd': 'reporting', 'data': { 'from': '{_QueryWindowStartTime}', 'to': '{_QueryWindowEndTime}' }, '{_APIKeyName}': '{_APIKey}'}",
+                            "isPostPayloadJson": true
+                        },
+                        "response": {
+                            "eventsJsonPaths": [
+                                "$.data"
+                            ],
+                            "successStatusJsonPath": "$.status",
+                            "successStatusValue": "OK",
+                            "convertChildPropertiesToArray": true
+                        },
+                        "paging": {
+                            "pagingType": "NextPageToken",
+                            "nextPageParaName": "next",
+                            "nextPageTokenJsonPath": "$.next"
+                        }
+                    }
+            }
+            }
+    ]
+}

Solutions/LastPass/Hunting Queries/FailedSigninsDueToMFA.yaml

@@ -0,0 +1,22 @@
+id: b43fc364-69fc-4d3e-8834-6743ab5725e9
+name: Failed sign-ins into LastPass due to MFA.
+description: |
+  'This will check for sign-ins into LastPass which are not confirmed using MFA based on the Sign-in Logs'
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - SigninLogs
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  LastPass_BYOC_CL
+  | where Action_s == "Log in"
+  | join (SigninLogs | where AppDisplayName == "LastPass Enterprise") on $left.IP_Address_s == $right.IPAddress and $left.Username_s == $right.UserPrincipalName
+  | where ResultType in (50074, 50076)
+  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, TimestampCustomEntity = todatetime(Time_s)
+ 

Solutions/LastPass/Hunting Queries/LoginIntoLastPassFromUnknownIP.yaml

@@ -0,0 +1,25 @@
+id: d292d770-69a4-4399-9272-6e86c4e53e58
+name: Login into LastPass from a previously unknown IP.
+description: |
+  'This query will check how many activity there is in LastPass from IPs that are not seen before in the Sign-in Logs'
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - SigninLogs
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+  - T1190
+query: |
+  let IPs = SigninLogs
+    | project IPAddress;
+  LastPass_BYOC_CL
+  | where Action_s != "Reporting"
+  | where IP_Address_s !in (IPs)
+  | summarize by IP_Address_s, Username_s, bin(todatetime(Time_s), 1d)
+  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, TimestampCustomEntity = Time_s
+ 

Solutions/LastPass/Hunting Queries/PasswordMoveToSharedFolder.yaml

@@ -0,0 +1,17 @@
+id: e70f1b22-acd1-493f-bba5-b28bea988940
+name: Password moved to shared folders
+description: |
+  'This query will check for data that is shared in the LastPass environment.'
+requiredDataConnectors:
+  - connectorId: LastPass
+    dataTypes:
+      - LastPass_BYOC_CL
+tactics:
+  - Collection
+relevantTechniques:
+  - T1039
+query: |
+  LastPass_BYOC_CL
+  | where Action_s == "Move to Shared Folder"
+  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s, URLCustomEntity = Data_s, TimestampCustomEntity = todatetime(Time_s)
+ 

Solutions/LastPass/README.md

@@ -0,0 +1,43 @@
+# LastPass Solution for Azure Sentinel
+This repository contains all resources for the LastPass Azure Sentinel Solution.
+The LastPass Solution is built in order to easily integrate LastPass with Azure Sentinel.
+
+By deploying this solution, you'll be able to monitor activity within LastPass and be alerted when potential security events arise.
+The solution consists out of the following resources:
+- A data connector using an Azure App Service to go out to the LastPass API.
+- One workbook to visualize some of the activity within LastPass
+- Hunting Queries to look into potential security events
+- Analytic Rules to generate alerts and incidents when potential malicious events happen
+
+## Data Connector Deployment
+The data connector will retrieve the LastPass Activity data through the LastPass Enterprise API.
+
+Authentication is done through a LastPass Provisioning Hash API key which can be generated by a LastPass administrator by following the steps in the following [How To Article](https://support.logmeininc.com/lastpass/help/use-the-lastpass-provisioning-api-lp010068).
+
+An ARM template is provided to easily deploy all of the components for the data connector, this includes:
+- The Key Vault used to store the credentials for both the Log Analytics workspace and the LastPass API key
+- An App Configuration which contains the configuration variables.
+- An App Services which contains one C# Azure Functions which pulls data from the LastPass API.
+
+
+
+## Workbook
+The workbook contains visualizations about the activity within LastPass and provides an overview of the user activity.
+This allows you to identify user with a high amount of activity.
+
+Besides user activity, the sign-ins logs are correlated to point out sign-ins which were done from previously unknown IPs and admin activity is surfaced.
+
+The workbook can be deployed by creating an empty workbook and adding the data from the Gallery template.
+
+## Hunting
+- Login into LastPass from a previously unknown IP.
+- Failed sign-ins into LastPass due to MFA.
+- Password moved to shared folders
+
+## Analytic Rules
+The solution currently includes five analytic rules:
+- TI map IP entity to LastPass data
+- Highly Sensitive Password Accessed
+- Failed sign-ins into LastPass due to MFA
+- Employee account deleted
+- Unusual Volume of Password Updated or Removed

Solutions/LastPass/Watchlists/HighlySensitivePasswords.json

@@ -0,0 +1,40 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+      "workspaceName": {
+          "type": "string",
+          "metadata": {
+              "description": "Workspace name for Log Analytics where Sentinel is setup"
+          }
+      },
+        "watchlistdescription": {
+            "type": "string",
+            "metadata": {
+                "description": "Used to maintain list of high sensitive accounts in LastPass."
+            }
+        }
+  },
+    "resources": [
+        {
+        "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ReferenceTemplate')]",
+        "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
+        "kind": "",
+        "properties": {
+            "displayName": "Last Pass High Sensitive Passwords",
+            "source": "LastPass.csv",
+            "description": "[parameters('watchlistdescription')]",
+            "provider": "Custom",
+            "isDeleted": false,
+            "labels": [
+            ],
+            "defaultDuration": "P1000Y",
+            "contentType": "Text/Csv",
+            "numberOfLinesToSkip": 0,
+            "itemsSearchKey": "name",
+            "rawContent": "name\r\nSamplevalue1\r\nsamplevalue4\r\n"
+        },
+        "apiVersion": "2021-03-01-preview"
+        }       
+    ]
+}

Solutions/LastPass/Workbooks/LastPassWorkbook.json

@@ -0,0 +1,135 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "## Additional diagrams about generic LastPass usage\r\n---"
+      },
+      "name": "text - 6"
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "items": [
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "LastPass_BYOC_CL\r\n| where isnotempty(Data_s)\r\n| summarize count() by Data_s\r\n| order by count_\r\n| render piechart",
+              "size": 3,
+              "title": "Overview of the sites used",
+              "timeContext": {
+                "durationMs": 2592000000
+              },
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces"
+            },
+            "customWidth": "30",
+            "name": "query - 7"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "LastPass_BYOC_CL\r\n| where Username_s != \"API\"\r\n| summarize count() by Username_s\r\n| order by count_\r\n| render piechart",
+              "size": 3,
+              "title": "Overview of the active users",
+              "timeContext": {
+                "durationMs": 2592000000
+              },
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces"
+            },
+            "customWidth": "30",
+            "name": "query - 8"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "LastPass_BYOC_CL\r\n| where Action_s != \"Reporting\"\r\n| summarize count() by Action_s\r\n| order by count_\r\n| render piechart",
+              "size": 3,
+              "title": "Overview of the activity types",
+              "timeContext": {
+                "durationMs": 2592000000
+              },
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces"
+            },
+            "customWidth": "30",
+            "name": "query - 2"
+          }
+        ]
+      },
+      "name": "Additional diagrams about generic LastPass usage"
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "## Insights into sign-in methods\r\n---"
+      },
+      "name": "text - 3"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "let IPs = SigninLogs | project IPAddress;\r\nLastPass_BYOC_CL\r\n| where Action_s != \"Reporting\"\r\n| where IP_Address_s !in (IPs)\r\n| summarize Count = count() by bin(todatetime(Time_s), 1d)\r\n| render timechart",
+        "size": 3,
+        "title": "Sign-ins using an IP which has not been observed before",
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "timechart",
+        "chartSettings": {
+          "showMetrics": false,
+          "ySettings": {
+            "min": 0
+          }
+        }
+      },
+      "name": "query - 4"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "LastPass_BYOC_CL\r\n| where Action_s == \"Log in\"\r\n| join (SigninLogs | where AppDisplayName == \"LastPass Enterprise\") on $left.IP_Address_s == $right.IPAddress\r\n| extend isCompliant = iff(DeviceDetail.isCompliant == \"true\", \"Compliant\", \"Non-Compliant\")\r\n| summarize count() by isCompliant",
+        "size": 3,
+        "title": "Overview of compliancy state of device used to login",
+        "timeContext": {
+          "durationMs": 2592000000
+        },
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart"
+      },
+      "name": "query - 5"
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "## Logins in to admin console"
+      },
+      "name": "text - 2"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "LastPass_BYOC_CL\n| where Action_s == \"Login to Admin Console\"\n| summarize Count = count() by Username_s",
+        "size": 3,
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "query - 2"
+    }
+  ],
+  "fromTemplateId": "sentinel-LastPass",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}