Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cognni Incidents for Low Sensitivity HR Information

Back
Idef8654b1-b2cf-4f6c-ae5c-eca635a764e8
RulenameCognni Incidents for Low Sensitivity HR Information
DescriptionDisplay incidents in which low sensitive HR information was placed at risk by user sharing.
SeverityLow
TacticsCollection
TechniquesT1530
Required data connectorsCognniSentinelDataConnector
KindScheduled
Query frequency5h
Query period5h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskHRIncidents.yaml
Version1.0.0
Arm templateef8654b1-b2cf-4f6c-ae5c-eca635a764e8.json
Deploy To Azure
let lowRisk = 1;
let hr = 'HR Information';
CognniIncidents_CL 
| where Severity == lowRisk
| where informationType_s == hr
| where TimeGenerated >= ago(5h)
| extend AccountCustomEntity = userId_s
name: Cognni Incidents for Low Sensitivity HR Information
status: Available
triggerThreshold: 0
severity: Low
tactics:
- Collection
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskHRIncidents.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
queryPeriod: 5h
queryFrequency: 5h
version: 1.0.0
triggerOperator: gt
description: |
    'Display incidents in which low sensitive HR information was placed at risk by user sharing.'
query: |
  let lowRisk = 1;
  let hr = 'HR Information';
  CognniIncidents_CL 
  | where Severity == lowRisk
  | where informationType_s == hr
  | where TimeGenerated >= ago(5h)
  | extend AccountCustomEntity = userId_s  
relevantTechniques:
- T1530
id: ef8654b1-b2cf-4f6c-ae5c-eca635a764e8
requiredDataConnectors:
- dataTypes:
  - CognniIncidents_CL
  connectorId: CognniSentinelDataConnector
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef8654b1-b2cf-4f6c-ae5c-eca635a764e8')]",
      "properties": {
        "alertRuleTemplateName": "ef8654b1-b2cf-4f6c-ae5c-eca635a764e8",
        "customDetails": null,
        "description": "'Display incidents in which low sensitive HR information was placed at risk by user sharing.'\n",
        "displayName": "Cognni Incidents for Low Sensitivity HR Information",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cognni/Analytic Rules/CognniLowRiskHRIncidents.yaml",
        "query": "let lowRisk = 1;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}