NordPass - User fails authentication

Back


Id	27b261dc-68f3-489a-944f-bc252e0c1960
Rulename	NordPass - User fails authentication
Description	This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
Severity	High
Tactics	CredentialAccess
Techniques	T1110 T1556.003
Required data connectors	NordPass
Kind	Scheduled
Query frequency	5m
Query period	1d
Trigger threshold	2
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
Version	1.0.0
Arm template	27b261dc-68f3-489a-944f-bc252e0c1960.json

KQL

let threshold = 2;
let filteredData = materialize(
    NordPassEventLogs_CL
    | where event_type == "login" and action == "user_login_failed"
);
let users = filteredData
    | summarize Count = count() by user_email
    | where Count > threshold
    | project user_email;
filteredData  
| where user_email in (users)
| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider

YAML

displayName: User fails authentication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
triggerThreshold: 2
relevantTechniques:
- T1110
- T1556.003
queryFrequency: 5m
customDetails:
  Provider: Provider
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
kind: Scheduled
query: |
  let threshold = 2;
  let filteredData = materialize(
      NordPassEventLogs_CL
      | where event_type == "login" and action == "user_login_failed"
  );
  let users = filteredData
      | summarize Count = count() by user_email
      | where Count > threshold
      | project user_email;
  filteredData  
  | where user_email in (users)
  | extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider  
id: 27b261dc-68f3-489a-944f-bc252e0c1960
description: |
    This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.
name: NordPass - User fails authentication
incidentConfiguration:
  createIncident: false
tactics:
- CredentialAccess
version: 1.0.0
severity: High
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/27b261dc-68f3-489a-944f-bc252e0c1960')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/27b261dc-68f3-489a-944f-bc252e0c1960')]",
      "properties": {
        "alertRuleTemplateName": "27b261dc-68f3-489a-944f-bc252e0c1960",
        "customDetails": {
          "Provider": "Provider"
        },
        "description": "This will alert you if a user fails to log in to their NordPass account or SSO authentication three or more times in the last 24 hours.\n",
        "displayName": "NordPass - User fails authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_user_login_failed.yaml",
        "query": "let threshold = 2;\nlet filteredData = materialize(\n    NordPassEventLogs_CL\n    | where event_type == \"login\" and action == \"user_login_failed\"\n);\nlet users = filteredData\n    | summarize Count = count() by user_email\n    | where Count > threshold\n    | project user_email;\nfilteredData  \n| where user_email in (users)\n| extend TargetEmail = user_email, IPAddress = metadata.ip_address, Provider = metadata.provider\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [
          "T1556.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 2
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}