TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
severity_s == "medium", "Low",
severity_s == "high", "Medium",
"High"
)
| extend
UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
id: 0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Vision One/Analytic Rules/Create Incident for XDR Alerts.yaml
entityMappings:
- fieldMappings:
- identifier: Name
columnName: UserAccountName_s
- identifier: NTDomain
columnName: UserAccountNTDomain_s
entityType: Account
- fieldMappings:
- identifier: Name
columnName: FileName_s
- identifier: Directory
columnName: FileDirectory_s
entityType: File
- fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine_s
entityType: Process
- fieldMappings:
- identifier: Key
columnName: RegistryKey_s
entityType: RegistryKey
- fieldMappings:
- identifier: Name
columnName: ProcessCommandLine_s
- identifier: Value
columnName: RegistryValue_s
entityType: RegistryValue
requiredDataConnectors:
- dataTypes:
- TrendMicro_XDR_WORKBENCH_CL
connectorId: TrendMicroXDR
queryFrequency: 5m
alertDetailsOverride:
alertDisplayNameFormat: '{{workbenchName_s}}'
alertSeverityColumnName: Severity
alertDescriptionFormat: '{{description_s}}'
suppressionDuration: 5h
queryPeriod: 5m
status: Available
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: 5m
groupByCustomDetails:
- WorkbenchID
matchingMethod: Selected
enabled: true
createIncident: true
query: |
TrendMicro_XDR_WORKBENCH_CL
| extend Severity = case(severity_s == "low", "Informational",
severity_s == "medium", "Low",
severity_s == "high", "Medium",
"High"
)
| extend
UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
name: Create Incident for XDR Alerts
kind: Scheduled
alertRuleTemplateName:
tactics:
severity: High
relevantTechniques:
triggerThreshold: 0
version: 1.0.4
description: |
'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'
customDetails:
WorkbenchLink: workbenchLink_s
Provider: alertProvider_s
CreatedAt: createdTime_t
WorkbenchID: workbenchId_s
Severity: severity_s
ImpactScopeSummary: impactScope_Summary_s
WorkbenchName: workbenchName_s
XDRCustomerID: xdrCustomerID_g
PriorityScore: priorityScore_d
