NordPass - Declined invitation

Back


Id	283d7506-f3c6-419a-ae9c-d9afe6a15d6d
Rulename	NordPass - Declined invitation
Description	This will alert you when the user declines the invite to the NordPass organization.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1078
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
Version	1.0.0
Arm template	283d7506-f3c6-419a-ae9c-d9afe6a15d6d.json

KQL

NordPassEventLogs_CL
| where event_type == "invites"
| where action == "user_invite_declined"
| extend TargetEmail = user_email

YAML

triggerOperator: gt
description: This will alert you when the user declines the invite to the NordPass organization.
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
id: 283d7506-f3c6-419a-ae9c-d9afe6a15d6d
tactics:
- DefenseEvasion
relevantTechniques:
- T1078
query: |
  NordPassEventLogs_CL
  | where event_type == "invites"
  | where action == "user_invite_declined"
  | extend TargetEmail = user_email  
displayName: Declined invitation
severity: Low
name: NordPass - Declined invitation
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
queryFrequency: 1h
incidentConfiguration:
  createIncident: false
queryPeriod: 1h
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "properties": {
        "alertRuleTemplateName": "283d7506-f3c6-419a-ae9c-d9afe6a15d6d",
        "customDetails": null,
        "description": "This will alert you when the user declines the invite to the NordPass organization.",
        "displayName": "Declined invitation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"invites\"\n| where action == \"user_invite_declined\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}