High Urgency IONIX Action Items
| Id | 8e0403b1-07f8-4865-b2e9-74d1e83200a4 |
| Rulename | High Urgency IONIX Action Items |
| Description | This query creates an alert for active IONIX Action Items with high urgency (9-10). The urgency threshold can be changed using the “min_urgency” variable in the query. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1195 |
| Required data connectors | CyberpionSecurityLogs |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml |
| Version | 1.0.2 |
| Arm template | 8e0403b1-07f8-4865-b2e9-74d1e83200a4.json |
// Raise an alert for every open IONIX action item whose current urgency meets the threshold.
let lookback = 14d;      // look-back window; the rule's query period is also 14d
let min_urgency = 9;     // lowest urgency that alerts; the rule description treats 9-10 as high
CyberpionActionItems_CL
| where TimeGenerated > ago(lookback)
// Reduce to the newest record per action item first, so the filters below
// evaluate each item's latest reported state rather than every historical row.
| summarize arg_max(TimeGenerated, *) by id_s
| where is_open_b == true and urgency_d >= min_urgency
// timestamp: alert time taken from when the item was opened;
// DNSCustomEntity: column consumed by the rule's DNS entity mapping.
| extend timestamp = opening_datetime_t, DNSCustomEntity = host_s
name: High Urgency IONIX Action Items
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
triggerOperator: gt
version: 1.0.2
status: Available
queryFrequency: 1d
id: 8e0403b1-07f8-4865-b2e9-74d1e83200a4
requiredDataConnectors:
- connectorId: CyberpionSecurityLogs
dataTypes:
- CyberpionActionItems_CL
relevantTechniques:
- T1190
- T1195
description: |
'This query creates an alert for active IONIX Action Items with high urgency (9-10).
The urgency threshold can be changed using the "min_urgency" variable in the query.'
entityMappings:
- entityType: DNS
fieldMappings:
- columnName: DNSCustomEntity
identifier: DomainName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Analytic Rules/HighUrgencyActionItems.yaml
queryPeriod: 14d
severity: High
query: |
let timeframe = 14d;
let min_urgency = 9;
CyberpionActionItems_CL
| where TimeGenerated > ago(timeframe)
| summarize arg_max(TimeGenerated, *) by id_s
| where is_open_b == true
| where urgency_d >= min_urgency
| extend timestamp = opening_datetime_t
| extend DNSCustomEntity = host_s