Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NordPass - User deletes items in bulk

Back
Idf72f630f-c890-49fe-b747-80f4fb3b6348
RulenameNordPass - User deletes items in bulk
DescriptionThis will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes.

If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.
SeverityHigh
TacticsImpact
Collection
TechniquesT1485
T1074
Required data connectorsNordPass
KindScheduled
Query frequency5m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
Version1.0.0
Arm templatef72f630f-c890-49fe-b747-80f4fb3b6348.json
Deploy To Azure
NordPassEventLogs_CL
| where action == "items_deleted" and event_type == "item_delete"
| extend item_count = array_length(todynamic(metadata).items)
| summarize total_items = sum(item_count) by user_email
| where total_items >= 10
tactics:
- Impact
- Collection
name: NordPass - User deletes items in bulk
id: f72f630f-c890-49fe-b747-80f4fb3b6348
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
query: |
  NordPassEventLogs_CL
  | where action == "items_deleted" and event_type == "item_delete"
  | extend item_count = array_length(todynamic(metadata).items)
  | summarize total_items = sum(item_count) by user_email
  | where total_items >= 10  
relevantTechniques:
- T1485
- T1074
incidentConfiguration:
  createIncident: false
description: |
  This will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. 
  If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.  
triggerOperator: gt
queryPeriod: 10m
severity: High
entityMappings:
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: user_email
  entityType: Mailbox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
version: 1.0.0
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
displayName: User deletes items in bulk
customDetails:
  ItemCount: total_items
  User: user_email
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f72f630f-c890-49fe-b747-80f4fb3b6348')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f72f630f-c890-49fe-b747-80f4fb3b6348')]",
      "properties": {
        "alertRuleTemplateName": "f72f630f-c890-49fe-b747-80f4fb3b6348",
        "customDetails": {
          "ItemCount": "total_items",
          "User": "user_email"
        },
        "description": "This will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. \nIf a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.\n",
        "displayName": "NordPass - User deletes items in bulk",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "user_email",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml",
        "query": "NordPassEventLogs_CL\n| where action == \"items_deleted\" and event_type == \"item_delete\"\n| extend item_count = array_length(todynamic(metadata).items)\n| summarize total_items = sum(item_count) by user_email\n| where total_items >= 10\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Impact"
        ],
        "techniques": [
          "T1074",
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}