Cognni Incidents for Low Sensitivity Governance Information

Back


Id	d2e40c79-fe8c-428e-8cb9-0e2282d4558c
Rulename	Cognni Incidents for Low Sensitivity Governance Information
Description	Display incidents in which low sensitivity governance information] was placed at risk by user sharing.
Severity	Low
Tactics	Collection
Techniques	T1530
Required data connectors	CognniSentinelDataConnector
Kind	Scheduled
Query frequency	5h
Query period	5h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
Version	1.0.0
Arm template	d2e40c79-fe8c-428e-8cb9-0e2282d4558c.json

KQL

let lowRisk = 1;
let governance = 'Governance Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == governance
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

YAML

tactics:
- Collection
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
description: |
    'Display incidents in which low sensitivity governance information] was placed at risk by user sharing.'
id: d2e40c79-fe8c-428e-8cb9-0e2282d4558c
severity: Low
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
status: Available
requiredDataConnectors:
- connectorId: CognniSentinelDataConnector
  dataTypes:
  - CognniIncidents_CL
kind: Scheduled
queryFrequency: 5h
name: Cognni Incidents for Low Sensitivity Governance Information
triggerOperator: gt
queryPeriod: 5h
version: 1.0.0
query: |
  let lowRisk = 1;
  let governance = 'Governance Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == governance
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
relevantTechniques:
- T1530

ARM