Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. NordPass - Activity token revocation

NordPass - Activity token revocation

Back
Id800314a6-759a-4575-93e2-1e080b1d33f9
RulenameNordPass - Activity token revocation
DescriptionThis will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1134
Required data connectorsNordPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
Version1.0.0
Arm template800314a6-759a-4575-93e2-1e080b1d33f9.json
Deploy To Azure
NordPassEventLogs_CL
| where event_type == "integrations"
| where action == "activities_token_revoked"
| extend TargetEmail = user_email

version: 1.0.0
incidentConfiguration:
  createIncident: false
queryPeriod: 1h
severity: Medium
triggerOperator: gt
displayName: Activity token revocation
tactics:
- DefenseEvasion
id: 800314a6-759a-4575-93e2-1e080b1d33f9
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
relevantTechniques:
- T1134
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
kind: Scheduled
name: NordPass - Activity token revocation
triggerThreshold: 0
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
description: This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
query: |
  NordPassEventLogs_CL
  | where event_type == "integrations"
  | where action == "activities_token_revoked"
  | extend TargetEmail = user_email