Vectra Create Incident Based on Tag for Accounts
Id | 87325835-dd8c-41e7-b686-fd5adbbd0aee |
Rulename | Vectra Create Incident Based on Tag for Accounts |
Description | Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority. |
Severity | High |
Tactics | Persistence |
Techniques | T1546 |
Required data connectors | VectraXDR |
Kind | Scheduled |
Query frequency | 10m |
Query period | 10m |
Trigger threshold | 0 |
Trigger operator | GreaterThan |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml |
Version | 1.0.0 |
Arm template | 87325835-dd8c-41e7-b686-fd5adbbd0aee.json |
Entities_Data_CL
| where type_s == "account"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
kind: Scheduled
relevantTechniques:
- T1546
description: Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
queryPeriod: 10m
suppressionDuration: PT1H
queryFrequency: 10m
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: name_s
tactics:
- Persistence
name: Vectra Create Incident Based on Tag for Accounts
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByEntities:
- Account
groupByAlertDetails:
- DisplayName
matchingMethod: AllEntities
lookbackDuration: P7D
enabled: true
reopenClosedIncident: false
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
customDetails:
ip_address: ip_s
tags: tags_s
entity_importance: entity_importance_d
attack_profile: attack_profile_s
entity_id: id_d
entity_type: type_s
severity: High
triggerThreshold: 0
version: 1.0.0
id: 87325835-dd8c-41e7-b686-fd5adbbd0aee
query: |
Entities_Data_CL
| where type_s == "account"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87325835-dd8c-41e7-b686-fd5adbbd0aee')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87325835-dd8c-41e7-b686-fd5adbbd0aee')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}",
"alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}"
},
"alertRuleTemplateName": "87325835-dd8c-41e7-b686-fd5adbbd0aee",
"customDetails": {
"attack_profile": "attack_profile_s",
"entity_id": "id_d",
"entity_importance": "entity_importance_d",
"entity_type": "type_s",
"ip_address": "ip_s",
"tags": "tags_s"
},
"description": "Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.",
"displayName": "Vectra Create Incident Based on Tag for Accounts",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "name_s",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [
"DisplayName"
],
"groupByEntities": [
"Account"
],
"lookbackDuration": "P7D",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml",
"query": "Entities_Data_CL\n| where type_s == \"account\"\n| extend Tags = todynamic(tags_s)\n| where set_has_element(Tags, \"MDR - Customer Escalation\")\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}