Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NordPass - Domain data detected in breach

Back
Ide3f2b6c9-df0c-4b36-a376-bb2762e4dbdc
RulenameNordPass - Domain data detected in breach
DescriptionThis will alert you when Data Breach Scanner discovers data related to your organization’s domains on the dark web.



!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.
SeverityHigh
TacticsExfiltration
TechniquesT1020
Required data connectorsNordPass
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml
Version1.0.0
Arm templatee3f2b6c9-df0c-4b36-a376-bb2762e4dbdc.json
Deploy To Azure
NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email
tactics:
- Exfiltration
name: NordPass - Domain data detected in breach
id: e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
query: |
  NordPassEventLogs_CL
  | where event_type == "breach"
  | where action == "domain_breached"
  | extend TargetEmail = user_email  
relevantTechniques:
- T1020
incidentConfiguration:
  createIncident: false
description: |
  This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.

  !This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.  
triggerOperator: gt
queryPeriod: 5m
severity: High
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
version: 1.0.0
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
displayName: Domain data detected in breach
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
      "properties": {
        "alertRuleTemplateName": "e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc",
        "customDetails": null,
        "description": "This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.\n\n!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.\n",
        "displayName": "NordPass - Domain data detected in breach",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"breach\"\n| where action == \"domain_breached\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1020"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}