Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Create Incident for XDR Alerts

Create Incident for XDR Alerts

Back
Id0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
RulenameCreate Incident for XDR Alerts
DescriptionThis Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.
SeverityHigh
Required data connectorsTrendMicroXDR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
Version1.0.3
Arm template0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd.json
Deploy To Azure
TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
                        severity_s == "medium", "Low",
                        severity_s == "high", "Medium",
                        "High"
                        )
| extend 
    UserAccountName_s = todynamic(UserAccountName_s)[0],
    UserAccountNTDomain_s = todynamic(UserAccountNTDomain_s)[0],
    FileName_s = todynamic(FileName_s)[0],
    FileDirectory_s = todynamic(FileDirectory_s)[0],
    ProcessCommandLine_s = todynamic(ProcessCommandLine_s)[0],
    RegistryKey_s = todynamic(RegistryKey_s)[0],
    RegistryValue_s = todynamic(RegistryValue_s)[0],
    RegistryValueName_s = todynamic(RegistryValueName_s)[0]

eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
severity: High
name: Create Incident for XDR Alerts
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserAccountName_s
    identifier: Name
  - columnName: UserAccountNTDomain_s
    identifier: NTDomain
- entityType: File
  fieldMappings:
  - columnName: FileName_s
    identifier: Name
  - columnName: FileDirectory_s
    identifier: Directory
- entityType: Process
  fieldMappings:
  - columnName: ProcessCommandLine_s
    identifier: CommandLine
- entityType: RegistryKey
  fieldMappings:
  - columnName: RegistryKey_s
    identifier: Key
- entityType: RegistryValue
  fieldMappings:
  - columnName: ProcessCommandLine_s
    identifier: Name
  - columnName: RegistryValue_s
    identifier: Value
relevantTechniques: 
queryFrequency: 5m
triggerThreshold: 0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByAlertDetails: []
    enabled: true
    lookbackDuration: 5m
    groupByCustomDetails:
    - WorkbenchID
    groupByEntities: []
queryPeriod: 5m
description: |
    'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'
id: 0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
alertDetailsOverride:
  alertTacticsColumnName: 
  alertSeverityColumnName: Severity
  alertDescriptionFormat: '{{description_s}}'
  alertDisplayNameFormat: '{{workbenchName_s}}'
version: 1.0.3
customDetails:
  ImpactScopeSummary: impactScope_Summary_s
  Severity: severity_s
  XDRCustomerID: xdrCustomerID_g
  WorkbenchID: workbenchId_s
  WorkbenchName: workbenchName_s
  Provider: alertProvider_s
  CreatedAt: createdTime_t
  PriorityScore: priorityScore_d
  WorkbenchLink: workbenchLink_s
suppressionEnabled: false
tactics: 
query: |
  TrendMicro_XDR_WORKBENCH_CL
  | extend Severity = case(severity_s == "low", "Informational",
                          severity_s == "medium", "Low",
                          severity_s == "high", "Medium",
                          "High"
                          )
  | extend 
      UserAccountName_s = todynamic(UserAccountName_s)[0],
      UserAccountNTDomain_s = todynamic(UserAccountNTDomain_s)[0],
      FileName_s = todynamic(FileName_s)[0],
      FileDirectory_s = todynamic(FileDirectory_s)[0],
      ProcessCommandLine_s = todynamic(ProcessCommandLine_s)[0],
      RegistryKey_s = todynamic(RegistryKey_s)[0],
      RegistryValue_s = todynamic(RegistryValue_s)[0],
      RegistryValueName_s = todynamic(RegistryValueName_s)[0]  
status: Available
kind: Scheduled
alertRuleTemplateName: 
requiredDataConnectors:
- dataTypes:
  - TrendMicro_XDR_WORKBENCH_CL
  connectorId: TrendMicroXDR
triggerOperator: gt
suppressionDuration: 5h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Create Incident for XDR Alerts",
        "description": "'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'\n",
        "severity": "High",
        "enabled": true,
        "query": "TrendMicro_XDR_WORKBENCH_CL\n| extend Severity = case(severity_s == \"low\", \"Informational\",\n                        severity_s == \"medium\", \"Low\",\n                        severity_s == \"high\", \"Medium\",\n                        \"High\"\n                        )\n| extend \n    UserAccountName_s = todynamic(UserAccountName_s)[0],\n    UserAccountNTDomain_s = todynamic(UserAccountNTDomain_s)[0],\n    FileName_s = todynamic(FileName_s)[0],\n    FileDirectory_s = todynamic(FileDirectory_s)[0],\n    ProcessCommandLine_s = todynamic(ProcessCommandLine_s)[0],\n    RegistryKey_s = todynamic(RegistryKey_s)[0],\n    RegistryValue_s = todynamic(RegistryValue_s)[0],\n    RegistryValueName_s = todynamic(RegistryValueName_s)[0]\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "alertRuleTemplateName": "0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd",
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "reopenClosedIncident": false,
            "matchingMethod": "Selected",
            "groupByAlertDetails": [],
            "enabled": true,
            "lookbackDuration": "PT5M",
            "groupByCustomDetails": [
              "WorkbenchID"
            ],
            "groupByEntities": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertTacticsColumnName": null,
          "alertSeverityColumnName": "Severity",
          "alertDescriptionFormat": "{{description_s}}",
          "alertDisplayNameFormat": "{{workbenchName_s}}"
        },
        "customDetails": {
          "ImpactScopeSummary": "impactScope_Summary_s",
          "Severity": "severity_s",
          "XDRCustomerID": "xdrCustomerID_g",
          "WorkbenchID": "workbenchId_s",
          "WorkbenchName": "workbenchName_s",
          "Provider": "alertProvider_s",
          "CreatedAt": "createdTime_t",
          "WorkbenchLink": "workbenchLink_s",
          "PriorityScore": "priorityScore_d"
        },
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "UserAccountName_s"
              },
              {
                "identifier": "NTDomain",
                "columnName": "UserAccountNTDomain_s"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "FileName_s"
              },
              {
                "identifier": "Directory",
                "columnName": "FileDirectory_s"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "identifier": "CommandLine",
                "columnName": "ProcessCommandLine_s"
              }
            ]
          },
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "identifier": "Key",
                "columnName": "RegistryKey_s"
              }
            ]
          },
          {
            "entityType": "RegistryValue",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "ProcessCommandLine_s"
              },
              {
                "identifier": "Value",
                "columnName": "RegistryValue_s"
              }
            ]
          }
        ],
        "templateVersion": "1.0.3",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml",
        "status": "Available"
      }
    }
  ]
}