Unusual Volume of Password Updated or Removed
| Id | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce |
| Rulename | Unusual Volume of Password Updated or Removed |
| Description | This rule will check if there is an unnormal activity of sites that are deleted or changed per user. The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | LastPass |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml |
| Version | 1.0.0 |
| Arm template | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
relevantTechniques:
- T1485
name: Unusual Volume of Password Updated or Removed
requiredDataConnectors:
- dataTypes:
- LastPassNativePoller_CL
connectorId: LastPass
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IPCustomEntity
entityType: IP
triggerThreshold: 0
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
tactics:
- Impact
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
queryPeriod: 14d
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 1d
severity: Low
status: Available
description: |
'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'
query: |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"properties": {
"alertRuleTemplateName": "a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce",
"customDetails": null,
"description": "'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'\n",
"displayName": "Unusual Volume of Password Updated or Removed",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml",
"query": "let threshold = toscalar (LastPassNativePoller_CL\n| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" \n| summarize count() by Username_s, bin(todatetime(Time_s),1d)\n| summarize avg(count_), stdev(count_)\n| project threshold = avg_count_+stdev_count_*2);\nLastPassNativePoller_CL\n| where Username_s != \"API\"\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" and todatetime(Time_s) >= startofday(ago(1d))\n| summarize count() by Username_s, IP_Address_s\n| where count_ > ['threshold']\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}