Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Unusual Volume of Password Updated or Removed

Unusual Volume of Password Updated or Removed

Back
Ida3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
RulenameUnusual Volume of Password Updated or Removed
DescriptionThis rule will check if there is an unnormal activity of sites that are deleted or changed per user.

The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.
SeverityLow
TacticsImpact
TechniquesT1485
Required data connectorsLastPass
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
Version1.0.0
Arm templatea3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json
Deploy To Azure
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s

severity: Low
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
query: |
  let threshold = toscalar (LastPassNativePoller_CL
  | where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
  | summarize count() by Username_s, bin(todatetime(Time_s),1d)
  | summarize avg(count_), stdev(count_)
  | project threshold = avg_count_+stdev_count_*2);
  LastPassNativePoller_CL
  | where Username_s != "API"
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
  | summarize count() by Username_s, IP_Address_s
  | where count_ > ['threshold']
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s  
requiredDataConnectors:
- dataTypes:
  - LastPassNativePoller_CL
  connectorId: LastPass
relevantTechniques:
- T1485
kind: Scheduled
name: Unusual Volume of Password Updated or Removed
tactics:
- Impact
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
queryFrequency: 1d
description: |
  'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
   The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'  
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
queryPeriod: 14d
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce