Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Unusual Volume of Password Updated or Removed

Back
Ida3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
RulenameUnusual Volume of Password Updated or Removed
DescriptionThis rule will check if there is an unnormal activity of sites that are deleted or changed per user.

The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.
SeverityLow
TacticsImpact
TechniquesT1485
Required data connectorsLastPass
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
Version1.0.0
Arm templatea3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce.json
Deploy To Azure
let threshold = toscalar (LastPassNativePoller_CL
| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
| summarize count() by Username_s, bin(todatetime(Time_s),1d)
| summarize avg(count_), stdev(count_)
| project threshold = avg_count_+stdev_count_*2);
LastPassNativePoller_CL
| where Username_s != "API"
| where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
| summarize count() by Username_s, IP_Address_s
| where count_ > ['threshold']
| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s
triggerThreshold: 0
name: Unusual Volume of Password Updated or Removed
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: Low
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
queryPeriod: 14d
queryFrequency: 1d
version: 1.0.0
triggerOperator: gt
description: |
  'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.
   The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'  
query: |
  let threshold = toscalar (LastPassNativePoller_CL
  | where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" 
  | summarize count() by Username_s, bin(todatetime(Time_s),1d)
  | summarize avg(count_), stdev(count_)
  | project threshold = avg_count_+stdev_count_*2);
  LastPassNativePoller_CL
  | where Username_s != "API"
  | where Action_s == "Site Changed" or Action_s == "Deleted Sites" and todatetime(Time_s) >= startofday(ago(1d))
  | summarize count() by Username_s, IP_Address_s
  | where count_ > ['threshold']
  | extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s  
relevantTechniques:
- T1485
id: a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce
requiredDataConnectors:
- dataTypes:
  - LastPassNativePoller_CL
  connectorId: LastPass
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce')]",
      "properties": {
        "alertRuleTemplateName": "a3bbdf60-0a6d-4cc2-b1d1-dd70aca184ce",
        "customDetails": null,
        "description": "'This rule will check if there is an unnormal activity of sites that are deleted or changed per user.\n The normal amount of actions is calculated based on the previous 14 days of activity. If there is a significant increase, an incident will be created.'\n",
        "displayName": "Unusual Volume of Password Updated or Removed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Analytic Rules/UnusualVolumeOfPasswordsUpdatedOrRemoved.yaml",
        "query": "let threshold = toscalar (LastPassNativePoller_CL\n| where todatetime(Time_s) >= startofday(ago(14d)) and todatetime(Time_s) < startofday(ago(1d))\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" \n| summarize count() by Username_s, bin(todatetime(Time_s),1d)\n| summarize avg(count_), stdev(count_)\n| project threshold = avg_count_+stdev_count_*2);\nLastPassNativePoller_CL\n| where Username_s != \"API\"\n| where Action_s == \"Site Changed\" or Action_s == \"Deleted Sites\" and todatetime(Time_s) >= startofday(ago(1d))\n| summarize count() by Username_s, IP_Address_s\n| where count_ > ['threshold']\n| extend AccountCustomEntity = Username_s, IPCustomEntity = IP_Address_s\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}