Cognni Incidents for Low Sensitivity Governance Information

Back


Id	d2e40c79-fe8c-428e-8cb9-0e2282d4558c
Rulename	Cognni Incidents for Low Sensitivity Governance Information
Description	Display incidents in which low sensitivity governance information] was placed at risk by user sharing.
Severity	Low
Tactics	Collection
Techniques	T1530
Required data connectors	CognniSentinelDataConnector
Kind	Scheduled
Query frequency	5h
Query period	5h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
Version	1.0.0
Arm template	d2e40c79-fe8c-428e-8cb9-0e2282d4558c.json

KQL

let lowRisk = 1;
let governance = 'Governance Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == governance
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

YAML

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
name: Cognni Incidents for Low Sensitivity Governance Information
relevantTechniques:
- T1530
status: Available
version: 1.0.0
queryPeriod: 5h
kind: Scheduled
id: d2e40c79-fe8c-428e-8cb9-0e2282d4558c
query: |
  let lowRisk = 1;
  let governance = 'Governance Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == governance
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
description: |
    'Display incidents in which low sensitivity governance information] was placed at risk by user sharing.'
queryFrequency: 5h
severity: Low
triggerOperator: gt
tactics:
- Collection

ARM