NordPass - Domain data detected in breach

NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email

entityMappings:
- fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
triggerThreshold: 0
severity: High
incidentConfiguration:
  createIncident: false
queryFrequency: 5m
queryPeriod: 5m
relevantTechniques:
- T1020
displayName: Domain data detected in breach
triggerOperator: gt
description: |
  This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.

  !This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.  
id: e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
name: NordPass - Domain data detected in breach
version: 1.0.0
query: |
  NordPassEventLogs_CL
  | where event_type == "breach"
  | where action == "domain_breached"
  | extend TargetEmail = user_email  
tactics:
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
      "properties": {
        "alertRuleTemplateName": "e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc",
        "customDetails": null,
        "description": "This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.\n\n!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.\n",
        "displayName": "Domain data detected in breach",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"breach\"\n| where action == \"domain_breached\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1020"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}