Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cognni Incidents for Medium Sensitivity Governance Information

Back
Idc1d4a005-e220-4d06-9e53-7326a22b8fe4
RulenameCognni Incidents for Medium Sensitivity Governance Information
DescriptionDisplay incidents in which medium sensitivity governance information was placed at risk by user sharing.
SeverityMedium
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskGovernanceIncidents.yaml
Version1.0.0
Arm templatec1d4a005-e220-4d06-9e53-7326a22b8fe4.json
Deploy To Azure
let mediumRisk = 2;
let goverence = 'Goverence Information';
CognniIncidents_CL 
| where Severity == mediumRisk
| where informationType_s == goverence
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
requiredDataConnectors:
- connectorId: CognniSentinelDataConnector
  dataTypes:
  - CognniIncidents_CL
triggerOperator: gt
queryFrequency: 5h
name: Cognni Incidents for Medium Sensitivity Governance Information
queryPeriod: 5h
id: c1d4a005-e220-4d06-9e53-7326a22b8fe4
description: |
    'Display incidents in which medium sensitivity governance information was placed at risk by user sharing.'
severity: Medium
query: |
  let mediumRisk = 2;
  let goverence = 'Goverence Information';
  CognniIncidents_CL 
  | where Severity == mediumRisk
  | where informationType_s == goverence
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
triggerThreshold: 0
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskGovernanceIncidents.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
relevantTechniques:
- T1530
tactics:
- Collection
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c1d4a005-e220-4d06-9e53-7326a22b8fe4')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c1d4a005-e220-4d06-9e53-7326a22b8fe4')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cognni Incidents for Medium Sensitivity Governance Information",
        "description": "'Display incidents in which medium sensitivity governance information was placed at risk by user sharing.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let mediumRisk = 2;\nlet goverence = 'Goverence Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == goverence\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "alertRuleTemplateName": "c1d4a005-e220-4d06-9e53-7326a22b8fe4",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskGovernanceIncidents.yaml"
      }
    }
  ]
}