Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. NordPass - Activity token revocation

NordPass - Activity token revocation

Back
Id800314a6-759a-4575-93e2-1e080b1d33f9
RulenameNordPass - Activity token revocation
DescriptionThis will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1134
Required data connectorsNordPass
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
Version1.0.0
Arm template800314a6-759a-4575-93e2-1e080b1d33f9.json
Deploy To Azure
NordPassEventLogs_CL
| where event_type == "integrations"
| where action == "activities_token_revoked"
| extend TargetEmail = user_email

id: 800314a6-759a-4575-93e2-1e080b1d33f9
relevantTechniques:
- T1134
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_token_revoked.yaml
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
queryFrequency: 1h
queryPeriod: 1h
triggerThreshold: 0
incidentConfiguration:
  createIncident: false
query: |
  NordPassEventLogs_CL
  | where event_type == "integrations"
  | where action == "activities_token_revoked"
  | extend TargetEmail = user_email  
name: NordPass - Activity token revocation
kind: Scheduled
description: This will alert you when the event reporting token is revoked, posing the risk of active integration being blocked.
severity: Medium
tactics:
- DefenseEvasion
version: 1.0.0
displayName: Activity token revocation