Introduction
By connecting NordPass to Microsoft Sentinel, organizations can improve security visibility, detect risks faster, and streamline incident response workflows. This guide explains how to integrate NordPass Enterprise with Microsoft Sentinel to send Activity Logs data for centralized monitoring, analytics, and automated security response.
Before you start
With NordPass integration, Business clients can seamlessly send Activity Logs data to Microsoft Sentinel, allowing them to:
- Monitor real-time user actions.
- Detect potential security risks.
- Leverage Sentinel's advanced analytics and automation capabilities.
- Strengthen digital security management within the organization.
- Enhance security visibility and streamline incident response.
Here's what to do
Prepare Microsoft Sentinel
- Ensure the resource group and Log Analytics Workspace are created in the same region.
- Add "Microsoft Sentinel" to the created Log Analytics Workspace.
- Verify that the required permissions for reading and writing data are enabled.
- Generate a Microsoft Sentinel API URL and token in the NordPass Admin Panel using our guide.
- Once the setup is complete, activity log data will be fetched into Microsoft Sentinel every 60 seconds. On the first connection, NordPass activity logs for the last 7 days are fetched. After that, each run fetches only the records generated within the interval set for the script.
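The fetch schedule above matters for monitoring: if runs stop for a while (for example, because the token expired), the skipped period is not covered when fetching resumes. The Python sketch below is an added example, not NordPass or Microsoft code; it assumes each run after the first covers exactly the preceding 60 seconds, and the run timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

POLL_INTERVAL = timedelta(seconds=60)   # fetch cadence stated in this guide
INITIAL_BACKFILL = timedelta(days=7)    # history pulled on the first connection


def covered_windows(run_times):
    """Return the (start, end) window each successful run fetched.

    Assumption: the first run covers the previous 7 days and every later
    run covers only the poll interval that precedes it.
    """
    runs = sorted(run_times)
    windows = []
    for i, end in enumerate(runs):
        lookback = INITIAL_BACKFILL if i == 0 else POLL_INTERVAL
        windows.append((end - lookback, end))
    return windows


def find_gaps(run_times, tolerance=timedelta(seconds=5)):
    """Return (start, end) periods that no successful run covered."""
    windows = covered_windows(run_times)
    gaps = []
    if not windows:
        return gaps
    covered_until = windows[0][1]
    for start, end in windows[1:]:
        # A window that starts after the covered range leaves a hole.
        if start - covered_until > tolerance:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps


def sample_runs():
    """Constructed sample: runs every 60 s, then a 10-minute outage."""
    t0 = datetime(2025, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
    healthy = [t0 + i * POLL_INTERVAL for i in range(5)]      # 12:00 to 12:04
    resume_at = t0 + timedelta(minutes=15)
    resumed = [resume_at + i * POLL_INTERVAL for i in range(3)]  # 12:15 to 12:17
    return healthy + resumed


if __name__ == "__main__":
    for start, end in find_gaps(sample_runs()):
        print(f"not ingested: {start.isoformat()} -> {end.isoformat()}")
```

Feed it the timestamps of successful Azure Function runs to see which periods would need to be reviewed in the NordPass Admin Panel instead of in Sentinel.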
Deploy the NordPass integration
- Open the Microsoft Marketplace and search for "NordPass for Microsoft Sentinel".
- Select the integration and click "Create".
- During deployment:
  - Select the Resource Group created for the NordPass integration.
  - Select the dedicated Workspace and click on the "Review + create" button.
- Go to the "Microsoft Sentinel" workspace and find the "NordPass for Microsoft Sentinel" option under the "Content Hub" section, and start setting up the integration.
Set up the data connector
- In the Microsoft Sentinel Content Hub, search for "NordPass".
- Select the integration and click on the "Manage" button.
- Choose "NordPass" with "Data connector" as the content type and click on the "Open the connection page" button.
- Review the prerequisites and select the "Deploy to Azure" button.
- Provide:
  - Resource Group
  - Workspace name
  - NordPass API URL
  - NordPass API token
- Select "Review + create", then click on the "Create" button to deploy the Azure Function.
- Confirm the first successful data sync under the "Data Connectors" section in Microsoft Sentinel.
Note: This connector uses Azure Functions to retrieve Activity Logs from NordPass and send them to Microsoft Sentinel. This may result in additional data ingestion costs. For more information, refer to the Azure Functions pricing page.
Enable analytic rules
- Go to the Content Hub of the installed NordPass integration.
- Select an analytics rule and click on the "Create rule" button.
- Update rule parameters as needed, and complete the setup by clicking on the "Save" button.
- Confirm the rule is enabled in the "Analytics" section of Microsoft Sentinel.
- Repeat these steps for each relevant analytic rule.
Activate the NordPass workbook
- In the Content Hub, select the "NordPass Workbook" option.
- Click on the "Configuration" button.
- Select the "Save" button, choose a location, and confirm by clicking on the "Yes" button.
- After saving, find the workbook under the "Workbooks" section of the Microsoft Sentinel workspace.
- Select "View saved workbook" to review activity data.
Update the token if needed
- Log in to Microsoft Sentinel and redeploy the NordPass Data Connector.
- Alternatively, open the Resource group that was used for NordPass integration deployment, and locate the "NordPass Function app".
- Under the settings, in the environment variables section, search for "NordPass".
- For each variable you want to update (NORDPASS_ENDPOINT_URL, NORDPASS_TOKEN), select its name field, which will open it in edit mode.
- Update the value and select the "Apply" button.
- Next, confirm the Environment variable settings in the "App settings" section by selecting the "Apply" button.
- Afterward, confirm the changes by pressing the "Confirm" button.
Additional Tips
- The administrative actions dashboard displays information on the actions of Organization Owners and Administrators in the Business Admin Panel. Here, you will also be able to see the following dashboards:
  - Actions: this visualization showcases the actions performed in the NordPass Business Admin Panel by users with MSP Admin, Owner, and Admin rights.
  - Actions count by user: this visualization lists all users who took action in the NordPass Business Admin Panel and indicates the number of actions performed.
- The NordPass Vault activity dashboard provides information about the Organization users' actions in the NordPass application.
  - Item actions: this visualization lists all actions and the number of actions performed by the employees in the NordPass application.
  - Item actions by platform: this visualization shows the number of actions performed in the NordPass application on a defined platform.
- The login actions dashboard provides information about the Organization employees' logins to NordPass and Vault unlock actions by the users. Here, you will be able to see the following dashboards:
  - Login access: this visualization showcases when your NordPass users log in to the NordPass Business account, validate the Master Password to unlock NordPass, or use SSO authentication.
  - By platform: this visualization lists platforms where Organization employees validate their master passwords and where they are accessing the NordPass application.