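# Microsoft Sentinel scheduled analytics rule from the NordPass solution.
# Indentation was flattened in the original: the nested sequences under
# entityMappings / requiredDataConnectors and the two block scalars
# (description, query) must sit deeper than their parent keys, otherwise a
# YAML parser folds the following top-level keys into those scalars.
tactics:
  - Impact
severity: High
entityMappings:
  # The mailbox entity is built from TargetEmail, which the query derives
  # from the user_email column of the NordPass event.
  - fieldMappings:
      - columnName: TargetEmail
        identifier: MailboxPrimaryAddress
    entityType: Mailbox
description: |
  This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
version: 1.0.0
displayName: Deleting items of deleted member
requiredDataConnectors:
  - dataTypes:
      - NordPassEventLogs_CL
    connectorId: NordPass
# createIncident is false: matches raise an alert but are not promoted to an
# incident, so they surface only in alert views or downstream automation.
incidentConfiguration:
  createIncident: false
name: NordPass - Deleting items of deleted member
id: 0068dca4-dea0-46a3-a970-655e067a145f
relevantTechniques:
  - T1485
triggerThreshold: 0
# Quoted because the path segment "Analytics Rules" contains a space.
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml"
# Lookback (queryPeriod) equals the run interval (queryFrequency), so an event
# that is ingested more than 5 minutes after it occurred falls outside every
# window and is never evaluated; widen queryPeriod if ingestion latency is
# observed — TODO confirm against the connector's typical delay.
queryFrequency: 5m
queryPeriod: 5m
query: |
  NordPassEventLogs_CL
  | where event_type == "item_delete"
  | where action == "item_reassignment_deleted"
  | extend TargetEmail = user_email
kind: Scheduled
triggerOperator: gt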