NordPass - Domain data detected in breach

NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email

kind: Scheduled
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
description: |
  This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.

  !This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.  
severity: High
queryFrequency: 5m
incidentConfiguration:
  createIncident: false
triggerThreshold: 0
relevantTechniques:
- T1020
displayName: Domain data detected in breach
version: 1.0.0
name: NordPass - Domain data detected in breach
id: e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc
query: |
  NordPassEventLogs_CL
  | where event_type == "breach"
  | where action == "domain_breached"
  | extend TargetEmail = user_email  
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
tactics:
- Exfiltration
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml
queryPeriod: 5m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc')]",
      "properties": {
        "alertRuleTemplateName": "e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc",
        "customDetails": null,
        "description": "This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.\n\n!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.\n",
        "displayName": "Domain data detected in breach",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"breach\"\n| where action == \"domain_breached\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1020"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}