NordPass - Vault export
| Id | c7f14b43-7625-4516-b137-30b7fda65bcf |
| Rulename | NordPass - Vault export |
| Description | This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks. NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml |
| Version | 1.0.0 |
| Arm template | c7f14b43-7625-4516-b137-30b7fda65bcf.json |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
queryFrequency: 5m
id: c7f14b43-7625-4516-b137-30b7fda65bcf
triggerOperator: gt
incidentConfiguration:
createIncident: false
query: |
NordPassEventLogs_CL
| where event_type == "item_access"
| where action == "vault_exported"
| extend TargetEmail = user_email
entityMappings:
- fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: TargetEmail
entityType: Mailbox
queryPeriod: 5m
name: NordPass - Vault export
displayName: Vault export
triggerThreshold: 0
relevantTechniques:
- T1020
kind: Scheduled
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_vault_exported.yaml
version: 1.0.0
severity: High
description: |
This will alert you if the vault has been exported, allowing you to review and evaluate the incident to mitigate potential risks.
NOTE: The organization can control whether it allows its members to export the vault, although we recommend that it always be disabled.
tactics:
- Exfiltration