NordPass - Vault export
| Id | c7f14b43-7625-4516-b137-30b7fda65bcf |
| Rulename | NordPass - Vault export |
| Description | This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks. NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml |
| Version | 1.0.0 |
| Arm template | c7f14b43-7625-4516-b137-30b7fda65bcf.json |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
relevantTechniques:
- T1020
incidentConfiguration:
createIncident: false
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
version: 1.0.0
description: |
This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks.
NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled.
tactics:
- Exfiltration
displayName: Vault export
query: |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml
id: c7f14b43-7625-4516-b137-30b7fda65bcf
queryFrequency: 5m
entityMappings:
- fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
entityType: Mailbox
severity: High
queryPeriod: 5m
name: NordPass - Vault export
triggerThreshold: 0
kind: Scheduled