NordPass - Declined invitation

Back


Id	283d7506-f3c6-419a-ae9c-d9afe6a15d6d
Rulename	NordPass - Declined invitation
Description	This will alert you when the user declines the invite to the NordPass organization.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1078
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
Version	1.0.0
Arm template	283d7506-f3c6-419a-ae9c-d9afe6a15d6d.json

KQL

NordPassEventLogs_CL
| where event_type == "invites"
| where action == "user_invite_declined"
| extend TargetEmail = user_email

YAML

queryPeriod: 1h
name: NordPass - Declined invitation
description: This will alert you when the user declines the invite to the NordPass organization.
displayName: Declined invitation
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
kind: Scheduled
id: 283d7506-f3c6-419a-ae9c-d9afe6a15d6d
version: 1.0.0
triggerOperator: gt
triggerThreshold: 0
query: |
  NordPassEventLogs_CL
  | where event_type == "invites"
  | where action == "user_invite_declined"
  | extend TargetEmail = user_email  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
incidentConfiguration:
  createIncident: false
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
tactics:
- DefenseEvasion
relevantTechniques:
- T1078
queryFrequency: 1h
severity: Low

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "properties": {
        "alertRuleTemplateName": "283d7506-f3c6-419a-ae9c-d9afe6a15d6d",
        "customDetails": null,
        "description": "This will alert you when the user declines the invite to the NordPass organization.",
        "displayName": "Declined invitation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"invites\"\n| where action == \"user_invite_declined\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}