NordPass for Microsoft Sentinel
Solution: NordPass
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Publisher | NordPass |
| Support Tier | Partner |
| Support Link | https://support.nordpass.com/ |
| Categories | domains |
| Version | 3.0.1 |
| Author | Nord Security Inc. |
| First Published | 2025-04-22 |
| Last Updated | 2026-02-23 |
| Solution Folder | NordPass |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (64%) |
NordPass for Microsoft Sentinel enables you to automatically transfer Activity Log data from NordPass to Microsoft Sentinel and get real-time insights such as item activity, all login attempts, and security notifications. This allows you to stay informed by setting any needed alerts by your organization to monitor these security events.
Contents
Data Connectors
This solution provides 1 data connector(s):
Tables Used
This solution uses 1 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
NordPassEventLogs_CL |
NordPass | Analytics, Workbooks |
Content Items
This solution includes 10 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 9 |
| Workbooks | 1 |
Analytic Rules
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| NordPass - Activity token revocation | Medium | DefenseEvasion | NordPassEventLogs_CL |
| NordPass - Declined invitation | Low | DefenseEvasion | NordPassEventLogs_CL |
| NordPass - Deleting items of deleted member | High | Impact | NordPassEventLogs_CL |
| NordPass - Domain data detected in breach | High | Exfiltration | NordPassEventLogs_CL |
| NordPass - Manual invitation, suspension, or deletion | Medium | Persistence | NordPassEventLogs_CL |
| NordPass - User data detected in breach | High | Exfiltration | NordPassEventLogs_CL |
| NordPass - User deletes items in bulk | High | Impact, Collection | NordPassEventLogs_CL |
| NordPass - User fails authentication | High | CredentialAccess | NordPassEventLogs_CL |
| NordPass - Vault export | High | Exfiltration | NordPassEventLogs_CL |
Workbooks
| Name | Tables Used |
|---|---|
| NordPass | NordPassEventLogs_CL |
Additional Documentation
📄 Source: NordPass/README.md
NordPass Integration with Microsoft Sentinel
Overview
This solution lets you monitor your organization’s user activities and track security incidents from NordPass’ Activity Log.
The benefits of this integration: - Enhanced Security Monitoring: Detect unauthorized access and security risks. - Automated Threat Detection: Receive real-time alerts on suspicious activities. - Centralized Activity Logging: Maintain a comprehensive audit trail of user activities.
Resources Created
Once you deploy the solution, the following Azure resources will be created:
Azure Function
An Azure Function is a serverless solution that synchronizes activity between NordPass and Microsoft Sentinel.Storage Account
A Storage Account contains Azure Function settings and configurations.Custom Table
A Log Analytics Table namedNordPassEventLogs_CL will be created to store synchronized activity events from NordPass. This table serves as the central repository for all collected log data.
Workbook
A Workbook will be created to aggregate NordPass activity data for enhanced visualization and analysis. Dashboards in this workbook give insights into your user’s activity trends, security alerts, and compliance statuses.Analytic Rules
Multiple Analytic Rules will be created to facilitate incident escalation, allowing security teams to respond to threats proactively. These rules include: - Users declining invites - Bulk deletion of items - Deleted users items were reassigned - Invites, suspensions, and deletions by Owners or Admins - Revoking tokens - Failed login attempts by users - Users exporting their vault These rules help automate security monitoring, creating actionable insights for your organization.Requirements
To deploy this integration, ensure you have the following: - NordPass Enterprise plan. - Token for Microsoft Sentinel integration - Microsoft Azure. - Microsoft Sentinel
You must also be a Contributor with User Access Administrator role or Owner of the Microsoft Sentinel Resource Group. This is needed to assign the correct RBAC role to Function App’s managed identity
Installation
You can easily install the NordPass Solution for Microsoft Sentinel in a few minutes. Click the button below to start the deployment wizard:
Post-Deployment Configuration
[Content truncated...]
Release Notes
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.1 | 25-08-2025 | Added new Activity Logs |
| 3.0.0 | 22-04-2025 | Initial Solution Release. |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊