Entities_Data_CL
| where entity_type == "account"
| extend Tags = todynamic(tags)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
suppressionDuration: PT1H
version: 1.1.0
kind: Scheduled
relevantTechniques:
- T1546
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: name
eventGroupingSettings:
aggregationKind: AlertPerResult
tactics:
- Persistence
id: 87325835-dd8c-41e7-b686-fd5adbbd0aee
triggerOperator: GreaterThan
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
alertDetailsOverride:
alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}
alertDisplayNameFormat: Vectra AI Incident- {{name}}
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
queryFrequency: 10m
query: |
Entities_Data_CL
| where entity_type == "account"
| extend Tags = todynamic(tags)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
groupByAlertDetails:
- DisplayName
enabled: true
groupByEntities:
- Account
lookbackDuration: P7D
createIncident: true
triggerThreshold: 0
suppressionEnabled: false
queryPeriod: 10m
customDetails:
attack_profile: attack_profile
ip_address: ip
entity_id: id
entity_type: entity_type
tags: tags
severity: High
name: Vectra Create Incident Based on Tag for Accounts
description: Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
