Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NordPass - User deletes items in bulk

Back
Idf72f630f-c890-49fe-b747-80f4fb3b6348
RulenameNordPass - User deletes items in bulk
DescriptionThis will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes.

If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.
SeverityHigh
TacticsImpact
Collection
TechniquesT1485
T1074
Required data connectorsNordPass
KindScheduled
Query frequency5m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
Version1.0.0
Arm templatef72f630f-c890-49fe-b747-80f4fb3b6348.json
Deploy To Azure
NordPassEventLogs_CL
| where action == "items_deleted" and event_type == "item_delete"
| extend item_count = array_length(todynamic(metadata).items)
| summarize total_items = sum(item_count) by user_email
| where total_items >= 10
entityMappings:
- fieldMappings:
  - columnName: user_email
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
triggerThreshold: 0
severity: High
incidentConfiguration:
  createIncident: false
queryFrequency: 5m
queryPeriod: 10m
customDetails:
  User: user_email
  ItemCount: total_items
relevantTechniques:
- T1485
- T1074
displayName: User deletes items in bulk
triggerOperator: gt
description: |
  This will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. 
  If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.  
id: f72f630f-c890-49fe-b747-80f4fb3b6348
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
name: NordPass - User deletes items in bulk
version: 1.0.0
query: |
  NordPassEventLogs_CL
  | where action == "items_deleted" and event_type == "item_delete"
  | extend item_count = array_length(todynamic(metadata).items)
  | summarize total_items = sum(item_count) by user_email
  | where total_items >= 10  
tactics:
- Impact
- Collection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f72f630f-c890-49fe-b747-80f4fb3b6348')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f72f630f-c890-49fe-b747-80f4fb3b6348')]",
      "properties": {
        "alertRuleTemplateName": "f72f630f-c890-49fe-b747-80f4fb3b6348",
        "customDetails": {
          "ItemCount": "total_items",
          "User": "user_email"
        },
        "description": "This will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. \nIf a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.\n",
        "displayName": "User deletes items in bulk",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "user_email",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": false
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml",
        "query": "NordPassEventLogs_CL\n| where action == \"items_deleted\" and event_type == \"item_delete\"\n| extend item_count = array_length(todynamic(metadata).items)\n| summarize total_items = sum(item_count) by user_email\n| where total_items >= 10\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Impact"
        ],
        "techniques": [
          "T1074",
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}