NordPass - Declined invitation

Back


Id	283d7506-f3c6-419a-ae9c-d9afe6a15d6d
Rulename	NordPass - Declined invitation
Description	This will alert you when the user declines the invite to the NordPass organization.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1078
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
Version	1.0.0
Arm template	283d7506-f3c6-419a-ae9c-d9afe6a15d6d.json

KQL

NordPassEventLogs_CL
| where event_type == "invites"
| where action == "user_invite_declined"
| extend TargetEmail = user_email

YAML

queryPeriod: 1h
incidentConfiguration:
  createIncident: false
version: 1.0.0
kind: Scheduled
relevantTechniques:
- T1078
severity: Low
description: This will alert you when the user declines the invite to the NordPass organization.
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
query: |
  NordPassEventLogs_CL
  | where event_type == "invites"
  | where action == "user_invite_declined"
  | extend TargetEmail = user_email  
name: NordPass - Declined invitation
tactics:
- DefenseEvasion
displayName: Declined invitation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
triggerThreshold: 0
id: 283d7506-f3c6-419a-ae9c-d9afe6a15d6d
triggerOperator: gt
queryFrequency: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "properties": {
        "alertRuleTemplateName": "283d7506-f3c6-419a-ae9c-d9afe6a15d6d",
        "customDetails": null,
        "description": "This will alert you when the user declines the invite to the NordPass organization.",
        "displayName": "NordPass - Declined invitation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"invites\"\n| where action == \"user_invite_declined\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}