NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
requiredDataConnectors:
- connectorId: NordPass
dataTypes:
- NordPassEventLogs_CL
displayName: Deleting items of deleted member
query: |
NordPassEventLogs_CL
| where event_type == "item_delete"
| where action == "item_reassignment_deleted"
| extend TargetEmail = user_email
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_reassignment_deletion.yaml
id: 0068dca4-dea0-46a3-a970-655e067a145f
name: NordPass - Deleting items of deleted member
triggerOperator: gt
incidentConfiguration:
createIncident: false
tactics:
- Impact
queryFrequency: 5m
kind: Scheduled
description: |
This will alert you if the deleted user's items have been removed without being transferred to another active user, as this could result in the loss of access to critical tools or information.
version: 1.0.0
entityMappings:
- entityType: Mailbox
fieldMappings:
- columnName: TargetEmail
identifier: MailboxPrimaryAddress
relevantTechniques:
- T1485
queryPeriod: 5m
severity: High
triggerThreshold: 0
