Cognni Incidents for Low Sensitivity Governance Information

Back


Id	d2e40c79-fe8c-428e-8cb9-0e2282d4558c
Rulename	Cognni Incidents for Low Sensitivity Governance Information
Description	Display incidents in which low sensitivity governance information] was placed at risk by user sharing.
Severity	Low
Tactics	Collection
Techniques	T1530
Required data connectors	CognniSentinelDataConnector
Kind	Scheduled
Query frequency	5h
Query period	5h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
Version	1.0.0
Arm template	d2e40c79-fe8c-428e-8cb9-0e2282d4558c.json

KQL

let lowRisk = 1;
let governance = 'Governance Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == governance
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

YAML

queryPeriod: 5h
query: |
  let lowRisk = 1;
  let governance = 'Governance Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == governance
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
name: Cognni Incidents for Low Sensitivity Governance Information
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
queryFrequency: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
requiredDataConnectors:
- connectorId: CognniSentinelDataConnector
  dataTypes:
  - CognniIncidents_CL
description: |
    'Display incidents in which low sensitivity governance information] was placed at risk by user sharing.'
kind: Scheduled
version: 1.0.0
status: Available
severity: Low
relevantTechniques:
- T1530
triggerOperator: gt
triggerThreshold: 0
tactics:
- Collection
id: d2e40c79-fe8c-428e-8cb9-0e2282d4558c

ARM