NordPass - Deleting items of deleted member

NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email

kind: Scheduled
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
description: |
    This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
severity: High
queryFrequency: 5m
incidentConfiguration:
  createIncident: false
triggerThreshold: 0
relevantTechniques:
- T1485
displayName: Deleting items of deleted member
version: 1.0.0
name: NordPass - Deleting items of deleted member
id: 0068dca4-dea0-46a3-a970-655e067a145f
query: |
  NordPassEventLogs_CL
  | where event_type == "item_delete"
  | where action == "item_reassignment_deleted"
  | extend TargetEmail = user_email  
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
tactics:
- Impact
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
queryPeriod: 5m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0068dca4-dea0-46a3-a970-655e067a145f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0068dca4-dea0-46a3-a970-655e067a145f')]",
      "properties": {
        "alertRuleTemplateName": "0068dca4-dea0-46a3-a970-655e067a145f",
        "customDetails": null,
        "description": "This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.\n",
        "displayName": "Deleting items of deleted member",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"item_delete\"\n| where action == \"item_reassignment_deleted\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}