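# Microsoft Sentinel scheduled analytics rule (NordPass solution).
# Fires when a NordPass "item_delete" event records that items of a deleted
# member were deleted (action "item_reassignment_deleted") instead of being
# reassigned to an active user.
id: 0068dca4-dea0-46a3-a970-655e067a145f
name: NordPass - Deleting items of deleted member
displayName: Deleting items of deleted member
description: |
  This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
severity: High
requiredDataConnectors:
  - connectorId: NordPass
    dataTypes:
      - NordPassEventLogs_CL
# Runs every 5 minutes over the previous 5 minutes. The query carries no
# explicit time filter, so queryPeriod alone bounds the lookback window.
queryFrequency: 5m
queryPeriod: 5m
# gt 0: any matching row produces an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1485
query: |
  NordPassEventLogs_CL
  | where event_type == "item_delete"
  | where action == "item_reassignment_deleted"
  | extend TargetEmail = user_email
# TargetEmail (the event's user_email field) is surfaced as a Mailbox entity.
entityMappings:
  - entityType: Mailbox
    fieldMappings:
      - identifier: MailboxPrimaryAddress
        columnName: TargetEmail
# Alerts are raised but no incident is created; confirm this is the intended
# triage flow for a High-severity rule.
incidentConfiguration:
  createIncident: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
version: 1.0.0
kind: Scheduled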