Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cognni Incidents for Medium Sensitivity Financial Information

Cognni Incidents for Medium Sensitivity Financial Information

Back
Idd29b1d66-d4d9-4be2-b607-63278fc4fe6b
RulenameCognni Incidents for Medium Sensitivity Financial Information
DescriptionDisplay incidents in which medium sensitive financial information was placed at risk by user sharing.
SeverityMedium
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskFinancialIncidents.yaml
Version1.0.0
Arm templated29b1d66-d4d9-4be2-b607-63278fc4fe6b.json
Deploy To Azure
let mediumRisk = 2;
let financial = 'Financial Information';
CognniIncidents_CL 
| where Severity == mediumRisk
| where informationType_s == financial
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

severity: Medium
triggerThreshold: 0
query: |
  let mediumRisk = 2;
  let financial = 'Financial Information';
  CognniIncidents_CL 
  | where Severity == mediumRisk
  | where informationType_s == financial
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
queryFrequency: 5h
requiredDataConnectors:
- connectorId: CognniSentinelDataConnector
  dataTypes:
  - CognniIncidents_CL
id: d29b1d66-d4d9-4be2-b607-63278fc4fe6b
version: 1.0.0
name: Cognni Incidents for Medium Sensitivity Financial Information
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskFinancialIncidents.yaml
queryPeriod: 5h
relevantTechniques:
- T1530
triggerOperator: gt
tactics:
- Collection
description: |
    'Display incidents in which medium sensitive financial information was placed at risk by user sharing.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d29b1d66-d4d9-4be2-b607-63278fc4fe6b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d29b1d66-d4d9-4be2-b607-63278fc4fe6b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Cognni Incidents for Medium Sensitivity Financial Information",
        "description": "'Display incidents in which medium sensitive financial information was placed at risk by user sharing.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let mediumRisk = 2;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "alertRuleTemplateName": "d29b1d66-d4d9-4be2-b607-63278fc4fe6b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniMediumRiskFinancialIncidents.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}