NordPass - Declined invitation

Back


Id	283d7506-f3c6-419a-ae9c-d9afe6a15d6d
Rulename	NordPass - Declined invitation
Description	This will alert you when the user declines the invite to the NordPass organization.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1078
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
Version	1.0.0
Arm template	283d7506-f3c6-419a-ae9c-d9afe6a15d6d.json

KQL

NordPassEventLogs_CL
| where event_type == "invites"
| where action == "user_invite_declined"
| extend TargetEmail = user_email

YAML

requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
incidentConfiguration:
  createIncident: false
severity: Low
kind: Scheduled
name: NordPass - Declined invitation
version: 1.0.0
query: |
  NordPassEventLogs_CL
  | where event_type == "invites"
  | where action == "user_invite_declined"
  | extend TargetEmail = user_email  
queryPeriod: 1h
displayName: Declined invitation
relevantTechniques:
- T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
description: This will alert you when the user declines the invite to the NordPass organization.
id: 283d7506-f3c6-419a-ae9c-d9afe6a15d6d
entityMappings:
- fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
queryFrequency: 1h
triggerOperator: gt
tactics:
- DefenseEvasion
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "properties": {
        "alertRuleTemplateName": "283d7506-f3c6-419a-ae9c-d9afe6a15d6d",
        "customDetails": null,
        "description": "This will alert you when the user declines the invite to the NordPass organization.",
        "displayName": "NordPass - Declined invitation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"invites\"\n| where action == \"user_invite_declined\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}