What Changed

Added two new analytic rules and enhanced connector functionality:

  • Domain data breach detection rule (MITRE T1020 - Exfiltration)
  • User data breach detection rule (MITRE T1020 - Exfiltration)
  • Enhanced Function App ingestion logic for improved data processing
  • Updated workbook with additional event type support
  • Version bump to 3.0.1

Detection Logic

Primary data source table: NordPassEventLogs_CL
Core logic: monitors breach event types (domain_breached and email_breached actions) to detect when organization data appears on the dark web; triggers on any occurrence, with a 5-minute query frequency
Entity types mapped: Mailbox (using the user_email field for breach notifications)
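To make the rule logic concrete, the following is an added example (not code from the NordPass solution or this PR) that emulates one scheduled run of each of the two rules over constructed sample rows: filter NordPassEventLogs_CL on the action, fire on every matching row in the lookback window, and build the Mailbox entity from user_email. It also covers three edge cases a practitioner checks when tuning such a rule: an email_breached row with an empty user_email (alerts, but carries no Mailbox entity), a row older than the lookback window, and an unrelated action. Assumed rather than taken from the page: a lookback equal to the 5-minute query frequency, the column names TimeGenerated, action, user_email and domain, the sample rows themselves, and the sketched KQL in the comment.

```python
"""Emulation of the NordPass domain/user breach analytic rules (added example).

Not the solution's own code. Reproduces the stated logic: table
NordPassEventLogs_CL, actions domain_breached and email_breached, trigger on
any occurrence, 5-minute query frequency, Mailbox entity from user_email.
Assumptions (not from the page): lookback equals the query frequency; column
names TimeGenerated, action, user_email, domain; the sample rows below.

Roughly the KQL this stands in for (assumed shape, column names not confirmed):
    NordPassEventLogs_CL
    | where TimeGenerated > ago(5m)
    | where action == "email_breached"
    | project TimeGenerated, action, user_email, domain
"""
from datetime import datetime, timedelta, timezone

DOMAIN_BREACHED = "domain_breached"
EMAIL_BREACHED = "email_breached"
QUERY_FREQUENCY = timedelta(minutes=5)  # stated in the description
LOOKBACK = QUERY_FREQUENCY              # assumption: period equals frequency

# Fixed "now" so the run is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows standing in for NordPassEventLogs_CL (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=1), "action": EMAIL_BREACHED,
     "user_email": "alice@example.com", "domain": "example.com"},
    {"TimeGenerated": NOW - timedelta(minutes=2), "action": DOMAIN_BREACHED,
     "user_email": "", "domain": "example.com"},
    # email_breached with no user_email: still alerts, but yields no Mailbox entity
    {"TimeGenerated": NOW - timedelta(minutes=3), "action": EMAIL_BREACHED,
     "user_email": "", "domain": "example.com"},
    # older than the lookback window: must not fire on this run
    {"TimeGenerated": NOW - timedelta(minutes=9), "action": EMAIL_BREACHED,
     "user_email": "bob@example.com", "domain": "example.com"},
    # unrelated event type: must not fire
    {"TimeGenerated": NOW - timedelta(minutes=1), "action": "password_changed",
     "user_email": "carol@example.com", "domain": "example.com"},
]


def map_entities(event):
    """Mailbox entity from user_email, mirroring the rules' entity mapping.
    An empty user_email produces no entity rather than a bogus one."""
    email = (event.get("user_email") or "").strip()
    if not email:
        return []
    return [{"EntityType": "Mailbox", "MailboxPrimaryAddress": email}]


def run_rule(events, wanted_action, now=NOW, lookback=LOOKBACK):
    """One scheduled run: every row with the wanted action inside the
    lookback window becomes one alert (trigger on any occurrence)."""
    window_start = now - lookback
    alerts = []
    for ev in events:
        if ev["action"] != wanted_action:
            continue
        if not (window_start <= ev["TimeGenerated"] <= now):
            continue
        alerts.append({
            "Action": ev["action"],
            "Domain": ev.get("domain", ""),
            "UserEmail": ev.get("user_email", ""),
            "TimeGenerated": ev["TimeGenerated"].isoformat(),
            "Entities": map_entities(ev),
        })
    return alerts


def domain_breach_rule(events=SAMPLE_EVENTS, now=NOW):
    """nordpass_domain_data_detected_in_breach, emulated."""
    return run_rule(events, DOMAIN_BREACHED, now)


def user_breach_rule(events=SAMPLE_EVENTS, now=NOW):
    """nordpass_user_data_detected_in_breach, emulated."""
    return run_rule(events, EMAIL_BREACHED, now)


if __name__ == "__main__":
    for name, alerts in (("domain", domain_breach_rule()), ("user", user_breach_rule())):
        print(f"{name} rule: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a["Action"], a["UserEmail"] or a["Domain"], a["Entities"])
```

Running it shows one domain alert (no Mailbox entity, since domain_breached rows carry no user) and two user alerts, one of which has an empty entity list; bob's older row and the password_changed row do not fire. That empty-entity case is worth watching in production: an alert without a Mailbox entity cannot drive an automated reset playbook, so the ingestion should be checked for rows where user_email is blank.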

MITRE Mapping

T1020 - Automated Exfiltration: the breach events are findings from the NordPass Data Breach Scanner, i.e. evidence that organizational data has already been exfiltrated and has surfaced in breach databases. The rules observe that exposure after the fact; they do not see the exfiltration itself, so the mapping reflects the inferred stage of the attack rather than a directly observed technique.

Security Impact (Visibility & Fidelity)

These rules provide early warning when organizational credentials or domain-related data appear in breach databases on the dark web. SOC teams can identify exposed accounts and force password resets and other account security measures before the leaked credentials are reused against the organization.

The enhanced ingestion logic improves data fidelity for NordPass Data Breach Scanner events, giving fuller visibility into organizational exposure from data breaches.

Affected Files

Analytic rules added (2 files): nordpass_domain_data_detected_in_breach.yaml, nordpass_user_data_detected_in_breach.yaml
Data connector updated: Function App template and deployment configuration
Workbook updated: NordPass.json with additional event type support
(packaging artefacts updated: mainTemplate.json, createUiDefinition.json, 3.0.1.zip, function.zip)