Unusual Volume of Password Updated or Removed
Id | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce |
Rulename | Unusual Volume of Password Updated or Removed |
Description | This rule will check if there is an unnormal activity of sites that are deleted or changed per user. The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created. |
Severity | Low |
Tactics | Impact |
Techniques | T1485 |
Required data connectors | LastPass |
Kind | Scheduled |
Query frequency | 1d |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml |
Version | 1.0.0 |
Arm template | a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
queryPeriod: 14d
version: 1.0.0
tactics:
- Impact
queryFrequency: 1d
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- LastPassNativePoller_CL
connectorId: LastPass
severity: Low
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
triggerThreshold: 0
relevantTechniques:
- T1485
query: |
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites"
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
kind: Scheduled
name: Unusual Volume of Password Updated or Removed
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
description: |
'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
"properties": {
"alertRuleTemplateName": "a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce",
"customDetails": null,
"description": "'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'\n",
"displayName": "Unusual Volume of Password Updated or Removed",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPCustomEntity",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml",
"query": "let threshold = toscalar (LastPassNativePoller_CL\n| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" \n| summarize count() by Username_s, bin(todatetime(Time_s),1d)\n| summarize avg(count_), stdev(count_)\n| project threshold = avg_count_+stdev_count_*2);\nLastPassNativePoller_CL\n| where Username_s != \"API\"\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" and todatetime(Time_s) >= startofday(ago(1d))\n| summarize count() by Username_s, IP_Address_s\n| where count_ > ['threshold']\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}