
Summary
The Wiz Revoke User Sessions rule detects when user sessions have been revoked. A revocation can signal a security incident: access is being withdrawn intentionally, which may indicate that previous sessions were compromised or that the user account has been put at risk. The rule integrates with Wiz's audit log and triggers an alert when a revocation action either completes successfully or fails. The associated runbook advises verifying whether the revocation was planned and, if it was unplanned, taking proactive measures such as revoking all sessions and changing credentials. The rule is mapped to the MITRE ATT&CK framework, specifically tactic TA0040 for account misuse. In practice, it tracks both successful and failed revocations and records them in a structured log that allows detailed analysis of user actions, which is necessary for incident response and for maintaining security integrity.
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
- WMI
ATT&CK Techniques
- T1531
Created: 2024-09-16