Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Unusual Volume of Password Updated or Removed

Unusual Volume of Password Updated or Removed

Back
Ida3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
RulenameUnusual Volume of Password Updated or Removed
DescriptionThis rule will check if there is an unnormal activity of sites that are deleted or changed per user.

The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.
SeverityLow
TacticsImpact
TechniquesT1485
Required data connectorsLastPass
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
Version1.0.0
Arm templatea3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json
Deploy To Azure
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s

tactics:
- Impact
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
status: Available
description: |
  'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
   The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'  
version: 1.0.0
severity: Low
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
kind: Scheduled
name: Unusual Volume of Password Updated or Removed
query: |
  let threshold = toscalar (LastPassNativePoller_CL
  | where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
  | summarize count() by Username_s, bin(todatetime(Time_s),1d)
  | summarize avg(count_), stdev(count_)
  | project threshold = avg_count_+stdev_count_*2);
  LastPassNativePoller_CL
  | where Username_s != "API"
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
  | summarize count() by Username_s, IP_Address_s
  | where count_ > ['threshold']
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s  
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1d
triggerOperator: gt
requiredDataConnectors:
- connectorId: LastPass
  dataTypes:
  - LastPassNativePoller_CL
relevantTechniques:
- T1485