NordPass - Domain data detected in breach
Id | e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc |
Rulename | NordPass - Domain data detected in breach |
Description | This will alert you when Data Breach Scanner discovers data related to your organization’s domains on the dark web. !This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass. |
Severity | High |
Tactics | Exfiltration |
Techniques | T1020 |
Required data connectors | NordPass |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml |
Version | 1.0.0 |
Arm template | e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc.json |
NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email
tactics:
- Exfiltration
name: NordPass - Domain data detected in breach
id: e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
query: |
NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email
relevantTechniques:
- T1020
incidentConfiguration:
createIncident: false
description: |
This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.
!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.
triggerOperator: gt
queryPeriod: 5m
severity: High
entityMappings:
- fieldMappings:
- identifier: MailboxPrimaryAddress
columnName: TargetEmail
entityType: Mailbox
version: 1.0.0
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
displayName: Domain data detected in breach
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
"properties": {
"alertRuleTemplateName": "e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc",
"customDetails": null,
"description": "This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.\n\n!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.\n",
"displayName": "NordPass - Domain data detected in breach",
"enabled": true,
"entityMappings": [
{
"entityType": "Mailbox",
"fieldMappings": [
{
"columnName": "TargetEmail",
"identifier": "MailboxPrimaryAddress"
}
]
}
],
"incidentConfiguration": {
"createIncident": false
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml",
"query": "NordPassEventLogs_CL\n| where event_type == \"breach\"\n| where action == \"domain_breached\"\n| extend TargetEmail = user_email\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration"
],
"techniques": [
"T1020"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}