NordPass - Vault export
| Id | c7f14b43-7625-4516-b137-30b7fda65bcf |
| Rulename | NordPass - Vault export |
| Description | This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks. NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml |
| Version | 1.0.0 |
| Arm template | c7f14b43-7625-4516-b137-30b7fda65bcf.json |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
query: |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
severity: High
version: 1.0.0
entityMappings:
- entityType: Mailbox
fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: TargetEmail
triggerThreshold: 0
tactics:
- Exfiltration
id: c7f14b43-7625-4516-b137-30b7fda65bcf
displayName: Vault export
description: |
This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks.
NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled.
relevantTechniques:
- T1020
queryPeriod: 5m
name: NordPass - Vault export
incidentConfiguration:
createIncident: false
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
triggerOperator: gt
queryFrequency: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml