Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Create Incident for XDR Alerts

Back
Id0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
RulenameCreate Incident for XDR Alerts
DescriptionThis Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.
SeverityHigh
Required data connectorsTrendMicroXDR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
Version1.0.4
Arm template0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd.json
Deploy To Azure
TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
                        severity_s == "medium", "Low",
                        severity_s == "high", "Medium",
                        "High"
                        )
| extend 
    UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
    UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
    FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
    FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
    ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
    RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
    RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
    RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
alertDetailsOverride:
  alertDescriptionFormat: '{{description_s}}'
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: '{{workbenchName_s}}'
query: |
  TrendMicro_XDR_WORKBENCH_CL
  | extend Severity = case(severity_s == "low", "Informational",
                          severity_s == "medium", "Low",
                          severity_s == "high", "Medium",
                          "High"
                          )
  | extend 
      UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
      UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
      FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
      FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
      ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
      RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
      RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
      RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))  
kind: Scheduled
description: |
    'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - TrendMicro_XDR_WORKBENCH_CL
  connectorId: TrendMicroXDR
alertRuleTemplateName: 
name: Create Incident for XDR Alerts
relevantTechniques: 
queryPeriod: 5m
severity: High
customDetails:
  Severity: severity_s
  PriorityScore: priorityScore_d
  ImpactScopeSummary: impactScope_Summary_s
  CreatedAt: createdTime_t
  XDRCustomerID: xdrCustomerID_g
  WorkbenchID: workbenchId_s
  Provider: alertProvider_s
  WorkbenchName: workbenchName_s
  WorkbenchLink: workbenchLink_s
triggerOperator: gt
version: 1.0.4
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 5m
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    groupByCustomDetails:
    - WorkbenchID
  createIncident: true
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserAccountName_s
  - identifier: NTDomain
    columnName: UserAccountNTDomain_s
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileName_s
  - identifier: Directory
    columnName: FileDirectory_s
- entityType: Process
  fieldMappings:
  - identifier: CommandLine
    columnName: ProcessCommandLine_s
- entityType: RegistryKey
  fieldMappings:
  - identifier: Key
    columnName: RegistryKey_s
- entityType: RegistryValue
  fieldMappings:
  - identifier: Name
    columnName: ProcessCommandLine_s
  - identifier: Value
    columnName: RegistryValue_s
suppressionDuration: 5h
status: Available
tactics: 
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
id: 0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description_s}}",
          "alertDisplayNameFormat": "{{workbenchName_s}}",
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": null,
        "customDetails": {
          "CreatedAt": "createdTime_t",
          "ImpactScopeSummary": "impactScope_Summary_s",
          "PriorityScore": "priorityScore_d",
          "Provider": "alertProvider_s",
          "Severity": "severity_s",
          "WorkbenchID": "workbenchId_s",
          "WorkbenchLink": "workbenchLink_s",
          "WorkbenchName": "workbenchName_s",
          "XDRCustomerID": "xdrCustomerID_g"
        },
        "description": "'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'\n",
        "displayName": "Create Incident for XDR Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserAccountName_s",
                "identifier": "Name"
              },
              {
                "columnName": "UserAccountNTDomain_s",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "FileName_s",
                "identifier": "Name"
              },
              {
                "columnName": "FileDirectory_s",
                "identifier": "Directory"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine_s",
                "identifier": "CommandLine"
              }
            ]
          },
          {
            "entityType": "RegistryKey",
            "fieldMappings": [
              {
                "columnName": "RegistryKey_s",
                "identifier": "Key"
              }
            ]
          },
          {
            "entityType": "RegistryValue",
            "fieldMappings": [
              {
                "columnName": "ProcessCommandLine_s",
                "identifier": "Name"
              },
              {
                "columnName": "RegistryValue_s",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByCustomDetails": [
              "WorkbenchID"
            ],
            "lookbackDuration": "PT5M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml",
        "query": "TrendMicro_XDR_WORKBENCH_CL\n| extend Severity = case(severity_s == \"low\", \"Informational\",\n                        severity_s == \"medium\", \"Low\",\n                        severity_s == \"high\", \"Medium\",\n                        \"High\"\n                        )\n| extend \n    UserAccountName_s = todynamic(column_ifexists(\"UserAccountName_s\", \"[]\")),\n    UserAccountNTDomain_s = todynamic(column_ifexists(\"UserAccountNTDomain_s\", \"[]\")),\n    FileName_s = todynamic(column_ifexists(\"FileName_s\", \"[]\")),\n    FileDirectory_s = todynamic(column_ifexists(\"FileDirectory_s\", \"[]\")),\n    ProcessCommandLine_s = todynamic(column_ifexists(\"ProcessCommandLine_s\", \"[]\")),\n    RegistryKey_s = todynamic(column_ifexists(\"RegistryKey_s\", \"[]\")),\n    RegistryValue_s = todynamic(column_ifexists(\"RegistryValue_s\", \"[]\")),\n    RegistryValueName_s = todynamic(column_ifexists(\"RegistryValueName_s\", \"[]\"))\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}