let lowRisk = 1;
let business = 'Business Information';
CognniIncidents_CL
| where Severity == lowRisk
| where informationType_s == business
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
requiredDataConnectors:
- connectorId: CognniSentinelDataConnector
dataTypes:
- CognniIncidents_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskBusinessIncidents.yaml
triggerThreshold: 0
status: Available
relevantTechniques:
- T1530
queryPeriod: 5h
name: Cognni Incidents for Low Sensitivity Business Information
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
queryFrequency: 5h
triggerOperator: gt
kind: Scheduled
description: |
'Display incidents in which low sensitivity business information] was placed at risk by user sharing.'
tactics:
- Collection
severity: Low
version: 1.0.0
query: |
let lowRisk = 1;
let business = 'Business Information';
CognniIncidents_CL
| where Severity == lowRisk
| where informationType_s == business
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
id: a0647a60-16f9-4175-b344-5cdd2934413f
