Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. NordPass - Activity token revocation

NordPass - Activity token revocation

Back
Id800314a6-759a-4575-93e2-1e080b1d33f9
RulenameNordPass - Activity token revocation
DescriptionThis will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1134
Required data connectorsNordPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
Version1.0.0
Arm template800314a6-759a-4575-93e2-1e080b1d33f9.json
Deploy To Azure
NordPassEventLogs_CL
| where event_type == "integrations"
| where action == "activities_token_revoked"
| extend TargetEmail = user_email

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
kind: Scheduled
incidentConfiguration:
  createIncident: false
tactics:
- DefenseEvasion
triggerThreshold: 0
relevantTechniques:
- T1134
version: 1.0.0
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
queryFrequency: 1h
name: NordPass - Activity token revocation
description: This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
query: |
  NordPassEventLogs_CL
  | where event_type == "integrations"
  | where action == "activities_token_revoked"
  | extend TargetEmail = user_email  
queryPeriod: 1h
triggerOperator: gt
id: 800314a6-759a-4575-93e2-1e080b1d33f9
displayName: Activity token revocation
severity: Medium
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass