TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
severity_s == "medium", "Low",
severity_s == "high", "Medium",
"High"
)
| extend
UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: UserAccountName_s
- identifier: NTDomain
columnName: UserAccountNTDomain_s
- entityType: File
fieldMappings:
- identifier: Name
columnName: FileName_s
- identifier: Directory
columnName: FileDirectory_s
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine_s
- entityType: RegistryKey
fieldMappings:
- identifier: Key
columnName: RegistryKey_s
- entityType: RegistryValue
fieldMappings:
- identifier: Name
columnName: ProcessCommandLine_s
- identifier: Value
columnName: RegistryValue_s
tactics:
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- TrendMicro_XDR_WORKBENCH_CL
connectorId: TrendMicroXDR
alertDetailsOverride:
alertDisplayNameFormat: '{{workbenchName_s}}'
alertDescriptionFormat: '{{description_s}}'
alertSeverityColumnName: Severity
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: 5m
groupByCustomDetails:
- WorkbenchID
enabled: true
matchingMethod: Selected
createIncident: true
id: 0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
severity: High
alertRuleTemplateName:
status: Available
customDetails:
XDRCustomerID: xdrCustomerID_g
WorkbenchName: workbenchName_s
Provider: alertProvider_s
CreatedAt: createdTime_t
WorkbenchID: workbenchId_s
ImpactScopeSummary: impactScope_Summary_s
Severity: severity_s
PriorityScore: priorityScore_d
WorkbenchLink: workbenchLink_s
query: |
TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
severity_s == "medium", "Low",
severity_s == "high", "Medium",
"High"
)
| extend
UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
kind: Scheduled
queryPeriod: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.4
name: Create Incident for XDR Alerts
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
description: |
'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'
triggerOperator: gt
