NordPass - Vault export
| Id | c7f14b43-7625-4516-b137-30b7fda65bcf |
| Rulename | NordPass - Vault export |
| Description | This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks. NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml |
| Version | 1.0.0 |
| Arm template | c7f14b43-7625-4516-b137-30b7fda65bcf.json |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
description: |
This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks.
NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled.
displayName: Vault export
tactics:
- Exfiltration
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
incidentConfiguration:
createIncident: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml
severity: High
name: NordPass - Vault export
triggerThreshold: 0
queryPeriod: 5m
query: |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
relevantTechniques:
- T1020
id: c7f14b43-7625-4516-b137-30b7fda65bcf
queryFrequency: 5m
entityMappings:
- entityType: Mailbox
fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
triggerOperator: gt
version: 1.0.0
kind: Scheduled