Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. NordPass - User deletes items in bulk

NordPass - User deletes items in bulk

Back
Idf72f630f-c890-49fe-b747-80f4fb3b6348
RulenameNordPass - User deletes items in bulk
DescriptionThis will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes.

If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.
SeverityHigh
TacticsImpact
Collection
TechniquesT1485
T1074
Required data connectorsNordPass
KindScheduled
Query frequency5m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
Version1.0.0
Arm templatef72f630f-c890-49fe-b747-80f4fb3b6348.json
Deploy To Azure
NordPassEventLogs_CL
| where action == "items_deleted" and event_type == "item_delete"
| extend item_count = array_length(todynamic(metadata).items)
| summarize total_items = sum(item_count) by user_email
| where total_items >= 10

queryPeriod: 10m
query: |
  NordPassEventLogs_CL
  | where action == "items_deleted" and event_type == "item_delete"
  | extend item_count = array_length(todynamic(metadata).items)
  | summarize total_items = sum(item_count) by user_email
  | where total_items >= 10  
name: NordPass - User deletes items in bulk
entityMappings:
- fieldMappings:
  - columnName: user_email
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Analytics Rules/nordpass_items_bulk_delete.yaml
description: |
  This will alert you if a user deletes items in bulk, namely, more than 10 items or in the span of 10 minutes. 
  If a mix of bulk and one-off deletions were performed, this will group all actions and report the total number of items deleted.  
kind: Scheduled
version: 1.0.0
displayName: User deletes items in bulk
queryFrequency: 5m
severity: High
requiredDataConnectors:
- connectorId: NordPass
  dataTypes:
  - NordPassEventLogs_CL
triggerOperator: gt
triggerThreshold: 0
incidentConfiguration:
  createIncident: false
customDetails:
  User: user_email
  ItemCount: total_items
tactics:
- Impact
- Collection
id: f72f630f-c890-49fe-b747-80f4fb3b6348
relevantTechniques:
- T1485
- T1074