Cognni Incidents for Low Sensitivity Governance Information

Back


Id	d2e40c79-fe8c-428e-8cb9-0e2282d4558c
Rulename	Cognni Incidents for Low Sensitivity Governance Information
Description	Display incidents in which low sensitivity governance information] was placed at risk by user sharing.
Severity	Low
Tactics	Collection
Techniques	T1530
Required data connectors	CognniSentinelDataConnector
Kind	Scheduled
Query frequency	5h
Query period	5h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
Version	1.0.0
Arm template	d2e40c79-fe8c-428e-8cb9-0e2282d4558c.json

KQL

let lowRisk = 1;
let governance = 'Governance Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == governance
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

YAML

version: 1.0.0
tactics:
- Collection
relevantTechniques:
- T1530
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
name: Cognni Incidents for Low Sensitivity Governance Information
queryFrequency: 5h
triggerOperator: gt
kind: Scheduled
description: |
    'Display incidents in which low sensitivity governance information] was placed at risk by user sharing.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
severity: Low
query: |
  let lowRisk = 1;
  let governance = 'Governance Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == governance
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
queryPeriod: 5h
id: d2e40c79-fe8c-428e-8cb9-0e2282d4558c
status: Available

ARM