Unusual Volume of Password Updated or Removed
| Id | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce |
| Rulename | Unusual Volume of Password Updated or Removed |
| Description | This rule will check if there is an unnormal activity of sites that are deleted or changed per user. The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1485 |
| Required data connectors | LastPass |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml |
| Version | 1.0.0 |
| Arm template | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
status: Available
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
query: |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
description: |
'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'
name: Unusual Volume of Password Updated or Removed
relevantTechniques:
- T1485
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- dataTypes:
- LastPassNativePoller_CL
connectorId: LastPass
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 1d
queryPeriod: 14d
version: 1.0.0
kind: Scheduled
tactics:
- Impact
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"properties": {
"alertRuleTemplateName": "a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce",
"customDetails": null,
"description": "'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'\n",
"displayName": "Unusual Volume of Password Updated or Removed",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml",
"query": "let threshold = toscalar (LastPassNativePoller_CL\n| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" \n| summarize count() by Username_s, bin(todatetime(Time_s),1d)\n| summarize avg(count_), stdev(count_)\n| project threshold = avg_count_+stdev_count_*2);\nLastPassNativePoller_CL\n| where Username_s != \"API\"\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" and todatetime(Time_s) >= startofday(ago(1d))\n| summarize count() by Username_s, IP_Address_s\n| where count_ > ['threshold']\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}