NordPass - Declined invitation

Back


Id	283d7506-f3c6-419a-ae9c-d9afe6a15d6d
Rulename	NordPass - Declined invitation
Description	This will alert you when the user declines the invite to the NordPass organization.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1078
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml
Version	1.0.0
Arm template	283d7506-f3c6-419a-ae9c-d9afe6a15d6d.json

KQL

NordPassEventLogs_CL
| where event_type == "invites"
| where action == "user_invite_declined"
| extend TargetEmail = user_email

YAML

version: 1.0.0
relevantTechniques:
- T1078
triggerThreshold: 0
name: NordPass - Declined invitation
id: 283d7506-f3c6-419a-ae9c-d9afe6a15d6d
displayName: Declined invitation
incidentConfiguration:
  createIncident: false
kind: Scheduled
severity: Low
description: This will alert you when the user declines the invite to the NordPass organization.
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
queryPeriod: 1h
query: |
  NordPassEventLogs_CL
  | where event_type == "invites"
  | where action == "user_invite_declined"
  | extend TargetEmail = user_email  
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
triggerOperator: gt
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/283d7506-f3c6-419a-ae9c-d9afe6a15d6d')]",
      "properties": {
        "alertRuleTemplateName": "283d7506-f3c6-419a-ae9c-d9afe6a15d6d",
        "customDetails": null,
        "description": "This will alert you when the user declines the invite to the NordPass organization.",
        "displayName": "NordPass - Declined invitation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_Invite_declined.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"invites\"\n| where action == \"user_invite_declined\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}