SailPointIdentityNowEventTypeTechnicalName

declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
  SailPointIDN_Events
  | where TimeGenerated > ago(lbperiod)
  | where EventType == type
  | where TechnicalName == technicalName
  | where Status == "FAILED"
  | sort by Created

entityMappings:
- fieldMappings:
  - columnName: TechnicalName
    identifier: Name
  entityType: Account
triggerOperator: gt
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Analytic Rules/SailPointIdentityNowEventTypeTechnicalName.yaml
version: 1.1.0
query: |
  declare query_parameters(lbperiod:timespan = 14d, technicalName:string = "ENTITLEMENT_ADD_FAILED", type:string = 'ACCESS_ITEM');
    SailPointIDN_Events
    | where TimeGenerated > ago(lbperiod)
    | where EventType == type
    | where TechnicalName == technicalName
    | where Status == "FAILED"
    | sort by Created  
triggerThreshold: 0
relevantTechniques:
- T1133
queryPeriod: 14d
status: Available
severity: High
kind: Scheduled
name: SailPointIdentityNowEventTypeTechnicalName
queryFrequency: 1d
id: 2151e8ea-4838-4c74-be12-4d6a950dde7a
description: |
    'Created to detect new threat events from the data in SailPointIDN_Events.'
requiredDataConnectors:
- dataTypes:
  - SailPointIDN_Events
  connectorId: SailPointIdentityNow
- dataTypes:
  - SailPointIDN_Events
  connectorId: SailPointIdentityNowConnector