Microsoft Sentinel Analytic Rules

D3 Smart SOAR - High or critical severity incident detected

Id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
Rulename: D3 Smart SOAR - High or critical severity incident detected
Description: Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
Severity: High
Tactics: Impact
Techniques: T1499
Required data connectors: D3SOARConnectorDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
Version: 1.0.0
Arm template: 48ef0be4-8240-4a03-bbb9-320b562d6ce4.json

D3SOARIncidents_CL
| where TimeGenerated > ago(1h)
| where IncidentSeverity in ("High", "Critical")
| project
    TimeGenerated,
    IncidentNumber,
    IncidentTitle,
    IncidentSeverity,
    IncidentStatus,
    IncidentType,
    IncidentPriority,
    IncidentOwner,
    IncidentCreator,
    IncidentDescription,
    IncidentStage

name: D3 Smart SOAR - High or critical severity incident detected
query: |
  D3SOARIncidents_CL
  | where TimeGenerated > ago(1h)
  | where IncidentSeverity in ("High", "Critical")
  | project
      TimeGenerated,
      IncidentNumber,
      IncidentTitle,
      IncidentSeverity,
      IncidentStatus,
      IncidentType,
      IncidentPriority,
      IncidentOwner,
      IncidentCreator,
      IncidentDescription,
      IncidentStage  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: IncidentOwner
    identifier: Name
queryPeriod: 1h
version: 1.0.0
tactics:
- Impact
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/D3SmartSOAR/Analytic Rules/D3SmartSOAR-HighOrCriticalSeverityIncident.yaml
relevantTechniques:
- T1499
id: 48ef0be4-8240-4a03-bbb9-320b562d6ce4
severity: High
requiredDataConnectors:
- connectorId: D3SOARConnectorDefinition
  dataTypes:
  - D3SOARIncidents_CL
status: Available
description: |
    Identifies when a D3 Smart SOAR incident with High or Critical severity is ingested. This helps security teams prioritize response to the most impactful incidents reported by D3 Smart SOAR.
queryFrequency: 1h