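---
# Microsoft Sentinel scheduled analytic rule (Vectra XDR solution).
# The query runs every 60m over the last 60m of AlertEvidence; each run
# that returns rows raises an alert, and incident creation is disabled below,
# so this rule only writes to SecurityAlert.
queryFrequency: 60m
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: AccountName
        identifier: Name
  - entityType: IP
    fieldMappings:
      - columnName: LocalIP
        identifier: Address
  - entityType: Host
    fieldMappings:
      - columnName: DeviceName
        identifier: HostName
eventGroupingSettings:
  # NOTE(review): SingleAlert folds every row of one run into a single alert,
  # whereas the description promises an entry per piece of alert evidence;
  # AlertPerResult is the setting that yields one alert per row. Confirm
  # which is intended before changing it.
  aggregationKind: SingleAlert
version: 1.0.0
suppressionEnabled: false
id: 8138863e-e55f-4f02-ac94-72796e203d27
suppressionDuration: PT5H
severity: High
kind: Scheduled
type: Microsoft.OperationalInsights/workspaces/providers/alertRules
description: >-
  This analytic rule is looking for new alert evidence from Microsoft Defender
  for Endpoint. The intent is to create entries in the SecurityAlert table for
  every new alert evidence attached to an entity of type Device or User
  monitored by Defender for Endpoint.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertEvidence
# GreaterThan with threshold 0: any returned row fires the rule.
triggerOperator: GreaterThan
name: Defender Alert Evidence
tactics:
  - Persistence
relevantTechniques:
  - T1546
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Defender_Alert_Evidence.yaml
triggerThreshold: 0
queryPeriod: 60m
# NOTE(review): the query filters only on EntityType. AlertEvidence also
# carries evidence from Defender products other than Defender for Endpoint,
# so a ServiceSource filter may be needed to match the scope stated in the
# description. Confirm against the data the connector actually delivers.
query: |
  AlertEvidence
  | where EntityType in ("Device", "User")
status: Available
incidentConfiguration:
  # Alerts only: no incidents are created and grouping is switched off.
  createIncident: false
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities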