let lowRisk = 1;
let business = 'Business Information';
CognniIncidents_CL
| where Severity == lowRisk
| where informationType_s == business
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
id: a0647a60-16f9-4175-b344-5cdd2934413f
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskBusinessIncidents.yaml
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
entityType: Account
requiredDataConnectors:
- dataTypes:
- CognniIncidents_CL
connectorId: CognniSentinelDataConnector
queryFrequency: 5h
queryPeriod: 5h
status: Available
query: |
let lowRisk = 1;
let business = 'Business Information';
CognniIncidents_CL
| where Severity == lowRisk
| where informationType_s == business
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
name: Cognni Incidents for Low Sensitivity Business Information
kind: Scheduled
tactics:
- Collection
severity: Low
relevantTechniques:
- T1530
triggerThreshold: 0
version: 1.0.0
description: |
'Display incidents in which low sensitivity business information] was placed at risk by user sharing.'
