Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Unusual Volume of Password Updated or Removed

Unusual Volume of Password Updated or Removed

Back
Ida3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
RulenameUnusual Volume of Password Updated or Removed
DescriptionThis rule will check if there is an unnormal activity of sites that are deleted or changed per user.

The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.
SeverityLow
TacticsImpact
TechniquesT1485
Required data connectorsLastPass
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
Version1.0.0
Arm templatea3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json
Deploy To Azure
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s

requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1485
queryPeriod: 14d
name: Unusual Volume of Password Updated or Removed
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
status: Available
queryFrequency: 1d
triggerOperator: gt
kind: Scheduled
description: |
  'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
   The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'  
tactics:
- Impact
severity: Low
version: 1.0.0
query: |
  let threshold = toscalar (LastPassNativePoller_CL
  | where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
  | summarize count() by Username_s, bin(todatetime(Time_s),1d)
  | summarize avg(count_), stdev(count_)
  | project threshold = avg_count_+stdev_count_*2);
  LastPassNativePoller_CL
  | where Username_s != "API"
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
  | summarize count() by Username_s, IP_Address_s
  | where count_ > ['threshold']
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s  
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce