Unusual Volume of Password Updated or Removed
| Id | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce |
| Rulename | Unusual Volume of Password Updated or Removed |
| Description | This rule checks for an abnormal volume of site entries that are deleted or changed per user. The normal number of actions is calculated from the previous 14 days of activity. If there is a significant increase, an incident is created. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | LastPass |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml |
| Version | 1.0.0 |
| Arm template | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json |
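// Baseline: mean + 2 standard deviations of the per-user, per-day count of
// "Site Changed" / "Deleted Sites" events, over the full days from
// startofday(ago(14d)) up to (not including) startofday(ago(1d)).
// NOTE(review): the "API" user is filtered out of the detection below but not
// out of this baseline, so its activity still shapes the threshold; confirm
// whether that is intended.
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s in ("Site Changed", "Deleted Sites")
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
// Detection: per user and source IP, count the same two actions since the
// start of yesterday and keep the rows that exceed the baseline threshold.
LastPassNativePoller_CL
| where Username_s != "API"
// The time bound is a separate filter on purpose. In the form
// `A or B and T`, `and` binds tighter than `or`, so the bound applied only to
// "Deleted Sites" and every "Site Changed" event in the 14-day query period
// was counted, inflating the result and producing false positives.
| where todatetime(Time_s) >= startofday(ago(1d))
| where Action_s in ("Site Changed", "Deleted Sites")
// NOTE(review): this window runs from the start of yesterday to query time,
// so it can hold more than one calendar day of events, while the baseline is
// computed per calendar day; confirm the comparison is the intended one.
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s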
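# Scheduled analytic rule over LastPassNativePoller_CL: raises one alert per
# result row when a user's count of "Site Changed" / "Deleted Sites" events
# exceeds a baseline derived from the earlier part of the 14-day query period.
tactics:
- Impact
severity: Low
# Map the query's output columns to Account and IP entities on the alert.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
description: |
  'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
  The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
requiredDataConnectors:
- dataTypes:
  - LastPassNativePoller_CL
  connectorId: LastPass
name: Unusual Volume of Password Updated or Removed
query: |
  // Baseline: mean + 2 standard deviations of the per-user, per-day event count.
  let threshold = toscalar (LastPassNativePoller_CL
  | where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
  | where Action_s in ("Site Changed", "Deleted Sites")
  | summarize count() by Username_s, bin(todatetime(Time_s),1d)
  | summarize avg(count_), stdev(count_)
  | project threshold = avg_count_+stdev_count_*2);
  LastPassNativePoller_CL
  | where Username_s != "API"
  // Time bound kept as its own filter: in `A or B and T`, `and` binds tighter
  // than `or`, which left "Site Changed" events unbounded in time.
  | where todatetime(Time_s) >= startofday(ago(1d))
  | where Action_s in ("Site Changed", "Deleted Sites")
  | summarize count() by Username_s, IP_Address_s
  | where count_ > ['threshold']
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
relevantTechniques:
- T1485
# The rule runs once a day and reads 14 days of data so the baseline and the
# detection window come from the same query.
queryFrequency: 1d
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Fires when the query returns more than 0 rows.
triggerThreshold: 0
status: Available
kind: Scheduled
triggerOperator: gt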