NordPass - Deleting items of deleted member

Back


Id	0068dca4-dea0-46a3-a970-655e067a145f
Rulename	NordPass - Deleting items of deleted member
Description	This will alert you if the deleted user’s items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
Severity	High
Tactics	Impact
Techniques	T1485
Required data connectors	NordPass
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
Version	1.0.0
Arm template	0068dca4-dea0-46a3-a970-655e067a145f.json

KQL

NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email

YAML

name: NordPass - Deleting items of deleted member
incidentConfiguration:
  createIncident: false
query: |
  NordPassEventLogs_CL
  | where event_type == "item_delete"
  | where action == "item_reassignment_deleted"
  | extend TargetEmail = user_email  
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - columnName: TargetEmail
    identifier: MailboxPrimaryAddress
queryPeriod: 5m
tactics:
- Impact
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
relevantTechniques:
- T1485
id: 0068dca4-dea0-46a3-a970-655e067a145f
severity: High
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
version: 1.0.0
description: |
    This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
displayName: Deleting items of deleted member
queryFrequency: 5m

ARM