Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cognni Incidents for Low Sensitivity Financial Information

Back
Id77171efa-4502-4ab7-9d23-d12305ff5a5e
RulenameCognni Incidents for Low Sensitivity Financial Information
DescriptionDisplay incidents in which low sensitivity financial information was placed at risk by user sharing.
SeverityLow
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml
Version1.0.0
Arm template77171efa-4502-4ab7-9d23-d12305ff5a5e.json
Deploy To Azure
let lowRisk = 1;
let financial = 'Financial Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == financial
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
relevantTechniques:
- T1530
name: Cognni Incidents for Low Sensitivity Financial Information
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: 77171efa-4502-4ab7-9d23-d12305ff5a5e
tactics:
- Collection
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml
queryPeriod: 5h
kind: Scheduled
queryFrequency: 5h
severity: Low
status: Available
description: |
    'Display incidents in which low sensitivity financial information was placed at risk by user sharing.'
query: |
  let lowRisk = 1;
  let financial = 'Financial Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == financial
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/77171efa-4502-4ab7-9d23-d12305ff5a5e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/77171efa-4502-4ab7-9d23-d12305ff5a5e')]",
      "properties": {
        "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e",
        "customDetails": null,
        "description": "'Display incidents in which low sensitivity financial information was placed at risk by user sharing.'\n",
        "displayName": "Cognni Incidents for Low Sensitivity Financial Information",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml",
        "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}