Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Defender Alert Evidence

Defender Alert Evidence

Back
Id8138863e-e55f-4f02-ac94-72796e203d27
RulenameDefender Alert Evidence
DescriptionThis analytic rule is looking for new alert evidence from Microsoft Defender for Endpoint. The intent is to create entries in the SecurityAlert table for every new alert evidence attached to an entity of type Device or User monitored by Defender for Endpoint.
SeverityHigh
TacticsPersistence
TechniquesT1546
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency60m
Query period60m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Defender_Alert_Evidence.yaml
Version1.0.0
Arm template8138863e-e55f-4f02-ac94-72796e203d27.json
Deploy To Azure
AlertEvidence
| where EntityType in ("Device", "User")

id: 8138863e-e55f-4f02-ac94-72796e203d27
type: Microsoft.OperationalInsights/workspaces/providers/alertRules
triggerOperator: GreaterThan
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: LocalIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: DeviceName
  entityType: Host
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
  - AlertEvidence
  connectorId: MicrosoftThreatProtection
queryFrequency: 60m
suppressionDuration: PT5H
suppressionEnabled: false
queryPeriod: 60m
status: Available
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: false
query: |
  AlertEvidence
  | where EntityType in ("Device", "User")  
name: Defender Alert Evidence
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Defender_Alert_Evidence.yaml
tactics:
- Persistence
severity: High
relevantTechniques:
- T1546
triggerThreshold: 0
version: 1.0.0
description: This analytic rule is looking for new alert evidence from Microsoft Defender for Endpoint. The intent is to create entries in the SecurityAlert table for every new alert evidence attached to an entity of type Device or User monitored by Defender for Endpoint.