NordPass - Vault export
| Id | c7f14b43-7625-4516-b137-30b7fda65bcf |
| Rulename | NordPass - Vault export |
| Description | This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks. NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml |
| Version | 1.0.0 |
| Arm template | c7f14b43-7625-4516-b137-30b7fda65bcf.json |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
kind: Scheduled
entityMappings:
- entityType: Mailbox
fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
description: |
This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks.
NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled.
severity: High
queryFrequency: 5m
incidentConfiguration:
createIncident: false
triggerThreshold: 0
relevantTechniques:
- T1020
displayName: Vault export
version: 1.0.0
name: NordPass - Vault export
id: c7f14b43-7625-4516-b137-30b7fda65bcf
query: |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
requiredDataConnectors:
- dataTypes:
- NordPassEventLogs_CL
connectorId: NordPass
tactics:
- Exfiltration
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c7f14b43-7625-4516-b137-30b7fda65bcf')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c7f14b43-7625-4516-b137-30b7fda65bcf')]",
"properties": {
"alertRuleTemplateName": "c7f14b43-7625-4516-b137-30b7fda65bcf",
"customDetails": null,
"description": "This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks.\nNOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled.\n",
"displayName": "Vault export",
"enabled": true,
"entityMappings": [
{
"entityType": "Mailbox",
"fieldMappings": [
{
"columnName": "TargetEmail",
"identifier": "MailboxPrimaryAddress"
}
]
}
],
"incidentConfiguration": {
"createIncident": false
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml",
"query": "NordPassEventLogs_CL\n| where event_type == \"item_access\"\n| where action == \"vault_exported\"\n| extend TargetEmail = user_email\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration"
],
"techniques": [
"T1020"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}