NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
queryPeriod: 5m
query: |
NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
name: NordPass - Deleting items of deleted member
entityMappings:
- fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
entityType: Mailbox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
description: |
This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
kind: Scheduled
version: 1.0.0
displayName: Deleting items of deleted member
queryFrequency: 5m
severity: High
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
triggerOperator: gt
triggerThreshold: 0
incidentConfiguration:
createIncident: false
tactics:
- Impact
id: 0068dca4-dea0-46a3-a970-655e067a145f
relevantTechniques:
- T1485
