TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
severity_s == "medium", "Low",
severity_s == "high", "Medium",
"High"
)
| extend
UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
queryFrequency: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
query: |
TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
severity_s == "medium", "Low",
severity_s == "high", "Medium",
"High"
)
| extend
UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
entityMappings:
- fieldMappings:
- identifier: Name
columnName: UserAccountName_s
- identifier: NTDomain
columnName: UserAccountNTDomain_s
entityType: Account
- fieldMappings:
- identifier: Name
columnName: FileName_s
- identifier: Directory
columnName: FileDirectory_s
entityType: File
- fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine_s
entityType: Process
- fieldMappings:
- identifier: Key
columnName: RegistryKey_s
entityType: RegistryKey
- fieldMappings:
- identifier: Name
columnName: ProcessCommandLine_s
- identifier: Value
columnName: RegistryValue_s
entityType: RegistryValue
queryPeriod: 5m
kind: Scheduled
suppressionEnabled: false
status: Available
customDetails:
PriorityScore: priorityScore_d
ImpactScopeSummary: impactScope_Summary_s
WorkbenchID: workbenchId_s
CreatedAt: createdTime_t
WorkbenchName: workbenchName_s
XDRCustomerID: xdrCustomerID_g
Severity: severity_s
WorkbenchLink: workbenchLink_s
Provider: alertProvider_s
name: Create Incident for XDR Alerts
triggerThreshold: 0
relevantTechniques:
incidentConfiguration:
groupingConfiguration:
groupByCustomDetails:
- WorkbenchID
enabled: true
lookbackDuration: 5m
matchingMethod: Selected
reopenClosedIncident: false
createIncident: true
requiredDataConnectors:
- connectorId: TrendMicroXDR
dataTypes:
- TrendMicro_XDR_WORKBENCH_CL
version: 1.0.4
severity: High
alertDetailsOverride:
alertDescriptionFormat: '{{description_s}}'
alertSeverityColumnName: Severity
alertDisplayNameFormat: '{{workbenchName_s}}'
alertRuleTemplateName:
description: |
'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'
tactics:
suppressionDuration: 5h
