Cognni Incidents for Low Sensitivity Governance Information

Back


Id	d2e40c79-fe8c-428e-8cb9-0e2282d4558c
Rulename	Cognni Incidents for Low Sensitivity Governance Information
Description	Display incidents in which low sensitivity governance information] was placed at risk by user sharing.
Severity	Low
Tactics	Collection
Techniques	T1530
Required data connectors	CognniSentinelDataConnector
Kind	Scheduled
Query frequency	5h
Query period	5h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
Version	1.0.0
Arm template	d2e40c79-fe8c-428e-8cb9-0e2282d4558c.json

KQL

let lowRisk = 1;
let governance = 'Governance Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == governance
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s

YAML

relevantTechniques:
- T1530
version: 1.0.0
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskGovernanceIncidents.yaml
name: Cognni Incidents for Low Sensitivity Governance Information
description: |
    'Display incidents in which low sensitivity governance information] was placed at risk by user sharing.'
queryFrequency: 5h
tactics:
- Collection
triggerThreshold: 0
queryPeriod: 5h
id: d2e40c79-fe8c-428e-8cb9-0e2282d4558c
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- connectorId: CognniSentinelDataConnector
  dataTypes:
  - CognniIncidents_CL
triggerOperator: gt
status: Available
query: |
  let lowRisk = 1;
  let governance = 'Governance Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == governance
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
kind: Scheduled

ARM