NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
version: 1.0.0
queryPeriod: 5m
entityMappings:
- entityType: Mailbox
fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
severity: High
relevantTechniques:
- T1485
description: |
This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
kind: Scheduled
triggerOperator: gt
name: NordPass - Deleting items of deleted member
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
id: 0068dca4-dea0-46a3-a970-655e067a145f
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
tactics:
- Impact
triggerThreshold: 0
query: |
NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
incidentConfiguration:
createIncident: false
displayName: Deleting items of deleted member
