Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cognni Incidents for Medium Sensitivity Financial Information

Cognni Incidents for Medium Sensitivity Financial Information

Back
Idd29b1d66-d4d9-4be2-b607-63278fc4fe6b
RulenameCognni Incidents for Medium Sensitivity Financial Information
DescriptionDisplay incidents in which medium sensitive financial information was placed at risk by user sharing.
SeverityMedium
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskFinancialIncidents.yaml
Version1.0.0
Arm templated29b1d66-d4d9-4be2-b607-63278fc4fe6b.json
Deploy To Azure
let mediumRisk = 2;
let financial = 'Financial Information';
CognniIncidents_CL 
| where Severity == mediumRisk
| where informationType_s == financial
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

name: Cognni Incidents for Medium Sensitivity Financial Information
status: Available
triggerThreshold: 0
severity: Medium
tactics:
- Collection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskFinancialIncidents.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
queryPeriod: 5h
queryFrequency: 5h
version: 1.0.0
triggerOperator: gt
description: |
    'Display incidents in which medium sensitive financial information was placed at risk by user sharing.'
query: |
  let mediumRisk = 2;
  let financial = 'Financial Information';
  CognniIncidents_CL 
  | where Severity == mediumRisk
  | where informationType_s == financial
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
relevantTechniques:
- T1530
id: d29b1d66-d4d9-4be2-b607-63278fc4fe6b
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d29b1d66-d4d9-4be2-b607-63278fc4fe6b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d29b1d66-d4d9-4be2-b607-63278fc4fe6b')]",
      "properties": {
        "alertRuleTemplateName": "d29b1d66-d4d9-4be2-b607-63278fc4fe6b",
        "customDetails": null,
        "description": "'Display incidents in which medium sensitive financial information was placed at risk by user sharing.'\n",
        "displayName": "Cognni Incidents for Medium Sensitivity Financial Information",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskFinancialIncidents.yaml",
        "query": "let mediumRisk = 2;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}