Unusual Volume of Password Updated or Removed
| Id | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce |
| Rulename | Unusual Volume of Password Updated or Removed |
| Description | This rule will check if there is an unnormal activity of sites that are deleted or changed per user. The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | LastPass |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml |
| Version | 1.0.0 |
| Arm template | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
query: |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
description: |
'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'
severity: Low
requiredDataConnectors:
- dataTypes:
- LastPassNativePoller_CL
connectorId: LastPass
eventGroupingSettings:
aggregationKind: AlertPerResult
name: Unusual Volume of Password Updated or Removed
triggerThreshold: 0
tactics:
- Impact
version: 1.0.0
relevantTechniques:
- T1485
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
status: Available
kind: Scheduled
queryFrequency: 1d
queryPeriod: 14d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"properties": {
"alertRuleTemplateName": "a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce",
"customDetails": null,
"description": "'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'\n",
"displayName": "Unusual Volume of Password Updated or Removed",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml",
"query": "let threshold = toscalar (LastPassNativePoller_CL\n| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" \n| summarize count() by Username_s, bin(todatetime(Time_s),1d)\n| summarize avg(count_), stdev(count_)\n| project threshold = avg_count_+stdev_count_*2);\nLastPassNativePoller_CL\n| where Username_s != \"API\"\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" and todatetime(Time_s) >= startofday(ago(1d))\n| summarize count() by Username_s, IP_Address_s\n| where count_ > ['threshold']\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}