Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Create Incident Based on Tag for Accounts

Back
Id87325835-dd8c-41e7-b686-fd5adbbd0aee
RulenameVectra Create Incident Based on Tag for Accounts
DescriptionCreate an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
SeverityHigh
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
Version1.0.0
Arm template87325835-dd8c-41e7-b686-fd5adbbd0aee.json
Deploy To Azure
Entities_Data_CL
| where type_s == "account"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
kind: Scheduled
relevantTechniques:
- T1546
description: Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
queryPeriod: 10m
suppressionDuration: PT1H
queryFrequency: 10m
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
  alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: name_s
tactics:
- Persistence
name: Vectra Create Incident Based on Tag for Accounts
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - Account
    groupByAlertDetails:
    - DisplayName
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
    reopenClosedIncident: false
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Entities_Data_CL
customDetails:
  ip_address: ip_s
  tags: tags_s
  entity_importance: entity_importance_d
  attack_profile: attack_profile_s
  entity_id: id_d
  entity_type: type_s
severity: High
triggerThreshold: 0
version: 1.0.0
id: 87325835-dd8c-41e7-b686-fd5adbbd0aee
query: |
  Entities_Data_CL
  | where type_s == "account"
  | extend Tags = todynamic(tags_s)
  | where set_has_element(Tags, "MDR - Customer Escalation")
  | summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']  
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87325835-dd8c-41e7-b686-fd5adbbd0aee')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87325835-dd8c-41e7-b686-fd5adbbd0aee')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}",
          "alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}"
        },
        "alertRuleTemplateName": "87325835-dd8c-41e7-b686-fd5adbbd0aee",
        "customDetails": {
          "attack_profile": "attack_profile_s",
          "entity_id": "id_d",
          "entity_importance": "entity_importance_d",
          "entity_type": "type_s",
          "ip_address": "ip_s",
          "tags": "tags_s"
        },
        "description": "Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.",
        "displayName": "Vectra Create Incident Based on Tag for Accounts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByEntities": [
              "Account"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml",
        "query": "Entities_Data_CL\n| where type_s == \"account\"\n| extend Tags = todynamic(tags_s)\n| where set_has_element(Tags, \"MDR - Customer Escalation\")\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}