NordPass - Manual invitation suspension or deletion

Back


Id	693c5217-e840-427f-9661-3fa0ef266040
Rulename	NordPass - Manual invitation, suspension, or deletion
Description	This will alert you when the user is manually invited, suspended, or deleted. !This rule should be enabled only by organizations that have User and Group Provisioning enabled.
Severity	Medium
Tactics	Persistence
Techniques	T1098
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_manual_user_manipulation.yaml
Version	1.0.0
Arm template	693c5217-e840-427f-9661-3fa0ef266040.json

KQL

NordPassEventLogs_CL  
| extend metadataParsed = parse_json(metadata)  
| where (event_type == "invites" and action == "user_invited") or (event_type == "access" and action == "user_status_updated" and (metadataParsed.status == "suspended" or metadataParsed.status == "deleted"))  
| extend TargetEmail = user_email

YAML

name: NordPass - Manual invitation, suspension, or deletion
id: 693c5217-e840-427f-9661-3fa0ef266040
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
severity: Medium
triggerThreshold: 0
version: 1.0.0
description: |
  This will alert you when the user is manually invited, suspended, or deleted.

  !This rule should be enabled only by organizations that have User and Group Provisioning enabled.  
displayName: Manual invitation, suspension, or deletion
relevantTechniques:
- T1098
kind: Scheduled
queryPeriod: 1h
incidentConfiguration:
  createIncident: false
tactics:
- Persistence
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
triggerOperator: gt
query: |
  NordPassEventLogs_CL  
  | extend metadataParsed = parse_json(metadata)  
  | where (event_type == "invites" and action == "user_invited") or (event_type == "access" and action == "user_status_updated" and (metadataParsed.status == "suspended" or metadataParsed.status == "deleted"))  
  | extend TargetEmail = user_email  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_manual_user_manipulation.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/693c5217-e840-427f-9661-3fa0ef266040')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/693c5217-e840-427f-9661-3fa0ef266040')]",
      "properties": {
        "alertRuleTemplateName": "693c5217-e840-427f-9661-3fa0ef266040",
        "customDetails": null,
        "description": "This will alert you when the user is manually invited, suspended, or deleted.\n\n!This rule should be enabled only by organizations that have User and Group Provisioning enabled.\n",
        "displayName": "NordPass - Manual invitation, suspension, or deletion",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_manual_user_manipulation.yaml",
        "query": "NordPassEventLogs_CL  \n| extend metadataParsed = parse_json(metadata)  \n| where (event_type == \"invites\" and action == \"user_invited\") or (event_type == \"access\" and action == \"user_status_updated\" and (metadataParsed.status == \"suspended\" or metadataParsed.status == \"deleted\"))  \n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}