NordPass - Domain data detected in breach
| Id | e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc |
| Rulename | NordPass - Domain data detected in breach |
| Description | This will alert you when Data Breach Scanner discovers data related to your organization’s domains on the dark web. !This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass. |
| Severity | High |
| Tactics | Exfiltration |
| Techniques | T1020 |
| Required data connectors | NordPass |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml |
| Version | 1.0.0 |
| Arm template | e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc.json |
NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email
tactics:
- Exfiltration
triggerOperator: gt
version: 1.0.0
incidentConfiguration:
createIncident: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_domain_data_detected_in_breach.yaml
displayName: Domain data detected in breach
triggerThreshold: 0
relevantTechniques:
- T1020
queryPeriod: 5m
query: |
NordPassEventLogs_CL
| where event_type == "breach"
| where action == "domain_breached"
| extend TargetEmail = user_email
severity: High
kind: Scheduled
name: NordPass - Domain data detected in breach
queryFrequency: 5m
id: e3f2b6c9-df0c-4b36-a376-bb2762e4dbdc
description: |
This will alert you when Data Breach Scanner discovers data related to your organization's domains on the dark web.
!This rule should be enabled only by the organizations that have set up Data Breach Scanner in NordPass.
requiredDataConnectors:
- dataTypes:
- NordPassEventLogs_CL
connectorId: NordPass
entityMappings:
- fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
entityType: Mailbox