High Urgency IONIX Action Items
| Field | Value |
|---|---|
| Id | 8e0403b1-07f8-4865-b2e9-74d1e83200a4 |
| Rulename | High Urgency IONIX Action Items |
| Description | This query creates an alert for active IONIX Action Items with high urgency (9-10). Urgency can be altered using the "min_urgency" variable in the query. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1195 |
| Required data connectors | CyberpionSecurityLogs |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml |
| Version | 1.0.1 |
| Arm template | 8e0403b1-07f8-4865-b2e9-74d1e83200a4.json |
```kusto
// Look-back window, ingestion bucket size and the urgency floor (9-10 = high).
// Lower min_urgency to alert on less urgent Action Items as well.
let timeframe = 14d;
let time_generated_bucket = 1h;
let min_urgency = 9;
// Find the most recent hourly ingestion bucket within the window, so that only
// the latest snapshot of Action Items is evaluated and each item is raised once.
let maxTimeGeneratedBucket = toscalar(
    CyberpionActionItems_CL
    | where TimeGenerated > ago(timeframe)
    | summarize max(bin(TimeGenerated, time_generated_bucket))
);
CyberpionActionItems_CL
// Keep only Action Items that are still open ...
| where TimeGenerated > ago(timeframe) and is_open_b == true
// ... belong to the latest snapshot ...
| where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket
// ... and meet the urgency floor.
| where urgency_d >= min_urgency
// Use the item's opening time as the alert timestamp and expose the affected
// host for the DNS entity mapping defined in the rule.
| extend timestamp = opening_datetime_t
| extend DNSCustomEntity = host_s
```
```yaml
description: |
  'This query creates an alert for active IONIX Action Items with high urgency (9-10).
  Urgency can be altered using the "min_urgency" variable in the query.'
kind: Scheduled
tactics:
  - InitialAccess
requiredDataConnectors:
  - connectorId: CyberpionSecurityLogs
    dataTypes:
      - CyberpionActionItems_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
severity: High
name: High Urgency IONIX Action Items
triggerThreshold: 0
queryPeriod: 14d
query: |
  let timeframe = 14d;
  let time_generated_bucket = 1h;
  let min_urgency = 9;
  let maxTimeGeneratedBucket = toscalar(
      CyberpionActionItems_CL
      | where TimeGenerated > ago(timeframe)
      | summarize max(bin(TimeGenerated, time_generated_bucket))
  );
  CyberpionActionItems_CL
  | where TimeGenerated > ago(timeframe) and is_open_b == true
  | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket
  | where urgency_d >= min_urgency
  | extend timestamp = opening_datetime_t
  | extend DNSCustomEntity = host_s
relevantTechniques:
  - T1190
  - T1195
id: 8e0403b1-07f8-4865-b2e9-74d1e83200a4
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
  - entityType: DNS
    fieldMappings:
      - columnName: DNSCustomEntity
        identifier: DomainName
```