NordPass - User fails authentication

Back


Id	27b261dc-68f3-489a-944f-bc252e0c1960
Rulename	NordPass - User fails authentication
Description	This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
Severity	High
Tactics	CredentialAccess
Techniques	T1110 T1556.003
Required data connectors	NordPass
Kind	Scheduled
Query frequency	5m
Query period	1d
Trigger threshold	2
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
Version	1.0.0
Arm template	27b261dc-68f3-489a-944f-bc252e0c1960.json

KQL

let threshold = 2;
let filteredData = materialize(
    NordPassEventLogs_CL
    | where event_type == "login" and action == "user_login_failed"
);
let users = filteredData
    | summarize Count = count() by user_email
    | where Count > threshold
    | project user_email;
filteredData  
| where user_email in (users)
| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider

YAML

requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
tactics:
- CredentialAccess
incidentConfiguration:
  createIncident: false
description: |
    This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
query: |
  let threshold = 2;
  let filteredData = materialize(
      NordPassEventLogs_CL
      | where event_type == "login" and action == "user_login_failed"
  );
  let users = filteredData
      | summarize Count = count() by user_email
      | where Count > threshold
      | project user_email;
  filteredData  
  | where user_email in (users)
  | extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
id: 27b261dc-68f3-489a-944f-bc252e0c1960
triggerOperator: gt
relevantTechniques:
- T1110
- T1556.003
customDetails:
  Provider: Provider
queryFrequency: 5m
severity: High
entityMappings:
- fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
name: NordPass - User fails authentication
queryPeriod: 1d
kind: Scheduled
triggerThreshold: 2
version: 1.0.0
displayName: User fails authentication

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/27b261dc-68f3-489a-944f-bc252e0c1960')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/27b261dc-68f3-489a-944f-bc252e0c1960')]",
      "properties": {
        "alertRuleTemplateName": "27b261dc-68f3-489a-944f-bc252e0c1960",
        "customDetails": {
          "Provider": "Provider"
        },
        "description": "This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.\n",
        "displayName": "NordPass - User fails authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml",
        "query": "let threshold = 2;\nlet filteredData = materialize(\n    NordPassEventLogs_CL\n    | where event_type == \"login\" and action == \"user_login_failed\"\n);\nlet users = filteredData\n    | summarize Count = count() by user_email\n    | where Count > threshold\n    | project user_email;\nfilteredData  \n| where user_email in (users)\n| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [
          "T1556.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 2
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}