NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
entityMappings:
- fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
entityType: Mailbox
triggerThreshold: 0
severity: High
incidentConfiguration:
createIncident: false
queryFrequency: 5m
queryPeriod: 5m
relevantTechniques:
- T1485
displayName: Deleting items of deleted member
triggerOperator: gt
description: |
This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
id: 0068dca4-dea0-46a3-a970-655e067a145f
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
name: NordPass - Deleting items of deleted member
version: 1.0.0
query: |
NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0068dca4-dea0-46a3-a970-655e067a145f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0068dca4-dea0-46a3-a970-655e067a145f')]",
"properties": {
"alertRuleTemplateName": "0068dca4-dea0-46a3-a970-655e067a145f",
"customDetails": null,
"description": "This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.\n",
"displayName": "Deleting items of deleted member",
"enabled": true,
"entityMappings": [
{
"entityType": "Mailbox",
"fieldMappings": [
{
"columnName": "TargetEmail",
"identifier": "MailboxPrimaryAddress"
}
]
}
],
"incidentConfiguration": {
"createIncident": false
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml",
"query": "NordPassEventLogs_CL\n| where event_type == \"item_delete\"\n| where action == \"item_reassignment_deleted\"\n| extend TargetEmail = user_email\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}