AlertEvidence
| where EntityType in ("Device", "User")
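# Microsoft Sentinel scheduled analytic rule (Vectra XDR solution).
# Raises one SecurityAlert per run when new Defender XDR AlertEvidence rows
# exist for an entity of type Device or User; incident creation is off.
# The source had lost all indentation (flat keys, sequence items at column 0),
# which a YAML parser rejects; the nesting below follows the Sentinel rule schema.
id: 8138863e-e55f-4f02-ac94-72796e203d27
name: Defender Alert Evidence
description: >-
  This analytic rule is looking for new alert evidence from Microsoft Defender
  for Endpoint. The intent is to create entries in the SecurityAlert table for
  every new alert evidence attached to an entity of type Device or User
  monitored by Defender for Endpoint.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - AlertEvidence
# queryPeriod equals queryFrequency, so consecutive runs do not overlap;
# evidence that lands late because of ingestion delay can fall between runs.
# Consider a queryPeriod larger than queryFrequency if gaps are observed.
queryFrequency: 60m
queryPeriod: 60m
# GreaterThan 0: fires whenever the query returns at least one row.
triggerOperator: GreaterThan
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1546
# The query has no ServiceSource filter, so evidence from any Defender XDR
# product that writes AlertEvidence is matched, not only Defender for Endpoint
# as the description says — confirm whether that is intended.
query: |
  AlertEvidence
  | where EntityType in ("Device", "User")
# Entity mappings use AlertEvidence columns directly.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: LocalIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
suppressionDuration: PT5H
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    # Position inferred from the flattened source (it followed matchingMethod);
    # confirm this is the grouping toggle and not the rule-level enabled flag.
    enabled: false
type: Microsoft.OperationalInsights/workspaces/providers/alertRules
kind: Scheduled
# Quoted: the path contains spaces, and the value must stay a plain string.
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Defender_Alert_Evidence.yaml"
# Quoted so tooling never re-types the version.
version: "1.0.0"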