NordPass - User deletes items in bulk

NordPassEventLogs_CL
| where action == "items_deleted" and event_type == "item_delete"
| extend item_count = array_length(todynamic(metadata).items)
| summarize total_items = sum(item_count) by user_email
| where total_items >= 10

triggerThreshold: 0
entityMappings:
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: user_email
requiredDataConnectors:
- dataTypes:
  - NordPassEventLogs_CL
  connectorId: NordPass
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
customDetails:
  User: user_email
  ItemCount: total_items
incidentConfiguration:
  createIncident: false
relevantTechniques:
- T1485
- T1074
queryPeriod: 10m
version: 1.0.0
severity: High
kind: Scheduled
displayName: User deletes items in bulk
id: f72f630f-c890-49fe-b747-80f4fb3b6348
query: |
  NordPassEventLogs_CL
  | where action == "items_deleted" and event_type == "item_delete"
  | extend item_count = array_length(todynamic(metadata).items)
  | summarize total_items = sum(item_count) by user_email
  | where total_items >= 10  
description: |
  This will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. 
  If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.  
queryFrequency: 5m
name: NordPass - User deletes items in bulk
triggerOperator: gt
tactics:
- Impact
- Collection