NordPass - User fails authentication
Id | 27b261dc-68f3-489a-944f-bc252e0c1960 |
Rulename | NordPass - User fails authentication |
Description | This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours. |
Severity | High |
Tactics | CredentialAccess |
Techniques | T1110 T1556.003 |
Required data connectors | NordPass |
Kind | Scheduled |
Query frequency | 5m |
Query period | 1d |
Trigger threshold | 2 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml |
Version | 1.0.0 |
Arm template | 27b261dc-68f3-489a-944f-bc252e0c1960.json |
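// Flag NordPass accounts with more than `threshold` failed logins.
// No time filter is written here: Sentinel scopes NordPassEventLogs_CL to the
// rule's queryPeriod (1d on this page), so the count is per lookback window.
// threshold = 2 with a strict `>` means three or more failures, which matches
// the rule description ("three or more times in the last 24 hours").
let threshold = 2;
// materialize() computes the failed-login set once; it is scanned twice below.
let filteredData = materialize(
    NordPassEventLogs_CL
    | where event_type == "login" and action == "user_login_failed"
);
// Accounts over the threshold. The count is kept so the alert carries the
// number of failed attempts instead of forcing the analyst to re-run the query.
let users = filteredData
    | summarize FailedAttempts = count() by user_email
    | where FailedAttempts > threshold
    | project user_email, FailedAttempts;
filteredData
// Inner lookup keeps only rows for flagged accounts and attaches FailedAttempts
// without adding a second copy of the user_email key column (as join would).
| lookup kind=inner (users) on user_email
// TargetEmail / IPAddress feed the Mailbox and IP entity mappings; Provider is
// surfaced as a custom detail. metadata is read as a dynamic column here.
| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider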
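# Microsoft Sentinel scheduled analytics rule (Solutions/NordPass).
# Alerts when one account records more than triggerThreshold failed NordPass
# logins inside queryPeriod. Indentation restored so the nested keys
# (dataTypes, fieldMappings, createIncident, ...) parse under their parents.
id: 27b261dc-68f3-489a-944f-bc252e0c1960
name: NordPass - User fails authentication
displayName: User fails authentication
description: |
  This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
severity: High
kind: Scheduled
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
requiredDataConnectors:
  - connectorId: NordPass
    dataTypes:
      - NordPassEventLogs_CL
# Runs every 5 minutes over a rolling 24-hour window: an account that crossed
# the threshold is re-evaluated on each run until its failures age out.
queryFrequency: 5m
queryPeriod: 1d
# `gt 2` on the result rows; each flagged account contributes at least three
# rows, so the row-count trigger is satisfied whenever the query returns data.
triggerOperator: gt
triggerThreshold: 2
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
  - T1556.003
# Keep this query in sync with the generated ARM template's "query" string.
query: |
  // threshold = 2 with a strict `>` means three or more failures, matching the description.
  // The lookback window comes from queryPeriod, not from the query itself.
  let threshold = 2;
  // materialize() computes the failed-login set once; it is scanned twice below.
  let filteredData = materialize(
      NordPassEventLogs_CL
      | where event_type == "login" and action == "user_login_failed"
  );
  // Accounts over the threshold; FailedAttempts is carried into the alert rows.
  let users = filteredData
      | summarize FailedAttempts = count() by user_email
      | where FailedAttempts > threshold
      | project user_email, FailedAttempts;
  filteredData
  // Inner lookup keeps rows for flagged accounts and attaches FailedAttempts
  // without duplicating the user_email key column.
  | lookup kind=inner (users) on user_email
  | extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider
entityMappings:
  - entityType: Mailbox
    fieldMappings:
      - identifier: MailboxPrimaryAddress
        columnName: TargetEmail
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  Provider: Provider
# Alert only; no incident is opened automatically.
incidentConfiguration:
  createIncident: false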
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/27b261dc-68f3-489a-944f-bc252e0c1960')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/27b261dc-68f3-489a-944f-bc252e0c1960')]",
"properties": {
"alertRuleTemplateName": "27b261dc-68f3-489a-944f-bc252e0c1960",
"customDetails": {
"Provider": "Provider"
},
"description": "This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.\n",
"displayName": "NordPass - User fails authentication",
"enabled": true,
"entityMappings": [
{
"entityType": "Mailbox",
"fieldMappings": [
{
"columnName": "TargetEmail",
"identifier": "MailboxPrimaryAddress"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"incidentConfiguration": {
"createIncident": false
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml",
"query": "let threshold = 2;\nlet filteredData = materialize(\n NordPassEventLogs_CL\n | where event_type == \"login\" and action == \"user_login_failed\"\n);\nlet users = filteredData\n | summarize Count = count() by user_email\n | where Count > threshold\n | project user_email;\nfilteredData \n| where user_email in (users)\n| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider\n",
"queryFrequency": "PT5M",
"queryPeriod": "P1D",
"severity": "High",
"subTechniques": [
"T1556.003"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110",
"T1556"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 2
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}