NordPass - Deleting items of deleted member

NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email

requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
tactics:
- Impact
incidentConfiguration:
  createIncident: false
description: |
    This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
query: |
  NordPassEventLogs_CL
  | where event_type == "item_delete"
  | where action == "item_reassignment_deleted"
  | extend TargetEmail = user_email  
id: 0068dca4-dea0-46a3-a970-655e067a145f
triggerOperator: gt
relevantTechniques:
- T1485
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
queryFrequency: 5m
severity: High
entityMappings:
- fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
name: NordPass - Deleting items of deleted member
queryPeriod: 5m
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
displayName: Deleting items of deleted member

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0068dca4-dea0-46a3-a970-655e067a145f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0068dca4-dea0-46a3-a970-655e067a145f')]",
      "properties": {
        "alertRuleTemplateName": "0068dca4-dea0-46a3-a970-655e067a145f",
        "customDetails": null,
        "description": "This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.\n",
        "displayName": "NordPass - Deleting items of deleted member",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "TargetEmail",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml",
        "query": "NordPassEventLogs_CL\n| where event_type == \"item_delete\"\n| where action == \"item_reassignment_deleted\"\n| extend TargetEmail = user_email\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}