NordPass - Manual invitation suspension or deletion

Back


Id	693c5217-e840-427f-9661-3fa0ef266040
Rulename	NordPass - Manual invitation, suspension, or deletion
Description	This will alert you when the user is manually invited, suspended, or deleted. !This rule should be enabled only by organizations that have User and Group Provisioning enabled.
Severity	Medium
Tactics	Persistence
Techniques	T1098
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_manual_user_manipulation.yaml
Version	1.0.0
Arm template	693c5217-e840-427f-9661-3fa0ef266040.json

KQL

NordPassEventLogs_CL  
| extend metadataParsed = parse_json(metadata)  
| where (event_type == "invites" and action == "user_invited") or (event_type == "access" and action == "user_status_updated" and (metadataParsed.status == "suspended" or metadataParsed.status == "deleted"))  
| extend TargetEmail = user_email

YAML

queryPeriod: 1h
incidentConfiguration:
  createIncident: false
version: 1.0.0
kind: Scheduled
relevantTechniques:
- T1098
severity: Medium
description: |
  This will alert you when the user is manually invited, suspended, or deleted.

  !This rule should be enabled only by organizations that have User and Group Provisioning enabled.  
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
query: |
  NordPassEventLogs_CL  
  | extend metadataParsed = parse_json(metadata)  
  | where (event_type == "invites" and action == "user_invited") or (event_type == "access" and action == "user_status_updated" and (metadataParsed.status == "suspended" or metadataParsed.status == "deleted"))  
  | extend TargetEmail = user_email  
name: NordPass - Manual invitation, suspension, or deletion
tactics:
- Persistence
displayName: Manual invitation, suspension, or deletion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_manual_user_manipulation.yaml
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
triggerThreshold: 0
id: 693c5217-e840-427f-9661-3fa0ef266040
triggerOperator: gt
queryFrequency: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/693c5217-e840-427f-9661-3fa0ef266040')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/693c5217-e840-427f-9661-3fa0ef266040')]",
      "properties": {
        "alertRuleTemplateName": "693c5217-e840-427f-9661-3fa0ef266040",
        "customDetails": null,
        "description": "This will alert you when the user is manually invited, suspended, or deleted.\n\n!This rule should be enabled only by organizations that have User and Group Provisioning enabled.\n",
        "displayName": "NordPass - Manual invitation, suspension, or deletion",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_manual_user_manipulation.yaml",
        "query": "NordPassEventLogs_CL  \n| extend metadataParsed = parse_json(metadata)  \n| where (event_type == \"invites\" and action == \"user_invited\") or (event_type == \"access\" and action == \"user_status_updated\" and (metadataParsed.status == \"suspended\" or metadataParsed.status == \"deleted\"))  \n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}