Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cognni Incidents for Low Sensitivity Financial Information

Back
Id77171efa-4502-4ab7-9d23-d12305ff5a5e
RulenameCognni Incidents for Low Sensitivity Financial Information
DescriptionDisplay incidents in which low sensitivity financial information was placed at risk by user sharing.
SeverityLow
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml
Version1.0.0
Arm template77171efa-4502-4ab7-9d23-d12305ff5a5e.json
Deploy To Azure
let lowRisk = 1;
let financial = 'Financial Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == financial
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml
description: |
    'Display incidents in which low sensitivity financial information was placed at risk by user sharing.'
triggerOperator: gt
queryPeriod: 5h
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
queryFrequency: 5h
triggerThreshold: 0
tactics:
- Collection
query: |
  let lowRisk = 1;
  let financial = 'Financial Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == financial
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
status: Available
kind: Scheduled
relevantTechniques:
- T1530
version: 1.0.0
id: 77171efa-4502-4ab7-9d23-d12305ff5a5e
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
name: Cognni Incidents for Low Sensitivity Financial Information
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/77171efa-4502-4ab7-9d23-d12305ff5a5e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/77171efa-4502-4ab7-9d23-d12305ff5a5e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cognni Incidents for Low Sensitivity Financial Information",
        "description": "'Display incidents in which low sensitivity financial information was placed at risk by user sharing.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml"
      }
    }
  ]
}