NordPass - Deleting items of deleted member

NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email

name: NordPass - Deleting items of deleted member
id: 0068dca4-dea0-46a3-a970-655e067a145f
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
severity: High
triggerThreshold: 0
version: 1.0.0
description: |
    This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
displayName: Deleting items of deleted member
relevantTechniques:
- T1485
kind: Scheduled
queryPeriod: 5m
incidentConfiguration:
  createIncident: false
tactics:
- Impact
queryFrequency: 5m
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: TargetEmail
  entityType: Mailbox
triggerOperator: gt
query: |
  NordPassEventLogs_CL
  | where event_type == "item_delete"
  | where action == "item_reassignment_deleted"
  | extend TargetEmail = user_email  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0068dca4-dea0-46a3-a970-655e067a145f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0068dca4-dea0-46a3-a970-655e067a145f')]",
      "properties": {
        "alertRuleTemplateName": "0068dca4-dea0-46a3-a970-655e067a145f",
        "customDetails": null,
        "description": "This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.\n",
        "displayName": "NordPass - Deleting items of deleted member",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"item_delete\"\n| where action == \"item_reassignment_deleted\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}