NordPass - Activity token revocation

Back


Id	800314a6-759a-4575-93e2-1e080b1d33f9
Rulename	NordPass - Activity token revocation
Description	This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1134
Required data connectors	NordPass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
Version	1.0.0
Arm template	800314a6-759a-4575-93e2-1e080b1d33f9.json

KQL

NordPassEventLogs_CL
| where event_type == "integrations"
| where action == "activities_token_revoked"
| extend TargetEmail = user_email

YAML

description: This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
queryPeriod: 1h
name: NordPass - Activity token revocation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
id: 800314a6-759a-4575-93e2-1e080b1d33f9
kind: Scheduled
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
displayName: Activity token revocation
tactics:
- DefenseEvasion
severity: Medium
triggerOperator: gt
version: 1.0.0
query: |
  NordPassEventLogs_CL
  | where event_type == "integrations"
  | where action == "activities_token_revoked"
  | extend TargetEmail = user_email  
incidentConfiguration:
  createIncident: false
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1134
entityMappings:
- fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
  entityType: Mailbox

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/800314a6-759a-4575-93e2-1e080b1d33f9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/800314a6-759a-4575-93e2-1e080b1d33f9')]",
      "properties": {
        "alertRuleTemplateName": "800314a6-759a-4575-93e2-1e080b1d33f9",
        "customDetails": null,
        "description": "This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.",
        "displayName": "NordPass - Activity token revocation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"integrations\"\n| where action == \"activities_token_revoked\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}