Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NordPass - Activity token revocation

Back
Id800314a6-759a-4575-93e2-1e080b1d33f9
RulenameNordPass - Activity token revocation
DescriptionThis will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1134
Required data connectorsNordPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
Version1.0.0
Arm template800314a6-759a-4575-93e2-1e080b1d33f9.json
Deploy To Azure
NordPassEventLogs_CL
| where event_type == "integrations"
| where action == "activities_token_revoked"
| extend TargetEmail = user_email
queryPeriod: 1h
name: NordPass - Activity token revocation
description: This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
displayName: Activity token revocation
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
kind: Scheduled
id: 800314a6-759a-4575-93e2-1e080b1d33f9
version: 1.0.0
triggerOperator: gt
triggerThreshold: 0
query: |
  NordPassEventLogs_CL
  | where event_type == "integrations"
  | where action == "activities_token_revoked"
  | extend TargetEmail = user_email  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
incidentConfiguration:
  createIncident: false
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
tactics:
- DefenseEvasion
relevantTechniques:
- T1134
queryFrequency: 1h
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/800314a6-759a-4575-93e2-1e080b1d33f9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/800314a6-759a-4575-93e2-1e080b1d33f9')]",
      "properties": {
        "alertRuleTemplateName": "800314a6-759a-4575-93e2-1e080b1d33f9",
        "customDetails": null,
        "description": "This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.",
        "displayName": "Activity token revocation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"integrations\"\n| where action == \"activities_token_revoked\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}