Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cognni Incidents for Low Sensitivity Financial Information

Back
Id77171efa-4502-4ab7-9d23-d12305ff5a5e
RulenameCognni Incidents for Low Sensitivity Financial Information
DescriptionDisplay incidents in which low sensitivity financial information was placed at risk by user sharing.
SeverityLow
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml
Version1.0.0
Arm template77171efa-4502-4ab7-9d23-d12305ff5a5e.json
Deploy To Azure
let lowRisk = 1;
let financial = 'Financial Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == financial
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
id: 77171efa-4502-4ab7-9d23-d12305ff5a5e
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
description: |
    'Display incidents in which low sensitivity financial information was placed at risk by user sharing.'
severity: Low
queryPeriod: 5h
kind: Scheduled
tactics:
- Collection
queryFrequency: 5h
query: |
  let lowRisk = 1;
  let financial = 'Financial Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == financial
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
version: 1.0.0
triggerThreshold: 0
name: Cognni Incidents for Low Sensitivity Financial Information
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
status: Available
relevantTechniques:
- T1530
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/77171efa-4502-4ab7-9d23-d12305ff5a5e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/77171efa-4502-4ab7-9d23-d12305ff5a5e')]",
      "properties": {
        "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e",
        "customDetails": null,
        "description": "'Display incidents in which low sensitivity financial information was placed at risk by user sharing.'\n",
        "displayName": "Cognni Incidents for Low Sensitivity Financial Information",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskFinancialIncidents.yaml",
        "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}