Vectra Create Incident Based on Tag for Accounts

Back


Id	87325835-dd8c-41e7-b686-fd5adbbd0aee
Rulename	Vectra Create Incident Based on Tag for Accounts
Description	Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
Severity	High
Tactics	Persistence
Techniques	T1546
Required data connectors	VectraXDR
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
Version	1.0.0
Arm template	87325835-dd8c-41e7-b686-fd5adbbd0aee.json

KQL

Entities_Data_CL
| where type_s == "account"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']

YAML

status: Available
id: 87325835-dd8c-41e7-b686-fd5adbbd0aee
tactics:
- Persistence
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
  alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: Vectra Create Incident Based on Tag for Accounts
query: |
  Entities_Data_CL
  | where type_s == "account"
  | extend Tags = todynamic(tags_s)
  | where set_has_element(Tags, "MDR - Customer Escalation")
  | summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']  
severity: High
customDetails:
  attack_profile: attack_profile_s
  tags: tags_s
  ip_address: ip_s
  entity_importance: entity_importance_d
  entity_id: id_d
  entity_type: type_s
triggerOperator: GreaterThan
kind: Scheduled
suppressionDuration: PT1H
relevantTechniques:
- T1546
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: P7D
    enabled: true
    groupByEntities:
    - Account
    groupByAlertDetails:
    - DisplayName
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 10m
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Entities_Data_CL
description: Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
suppressionEnabled: false
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: name_s
    identifier: Name
  entityType: Account

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87325835-dd8c-41e7-b686-fd5adbbd0aee')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87325835-dd8c-41e7-b686-fd5adbbd0aee')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}",
          "alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}"
        },
        "alertRuleTemplateName": "87325835-dd8c-41e7-b686-fd5adbbd0aee",
        "customDetails": {
          "attack_profile": "attack_profile_s",
          "entity_id": "id_d",
          "entity_importance": "entity_importance_d",
          "entity_type": "type_s",
          "ip_address": "ip_s",
          "tags": "tags_s"
        },
        "description": "Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.",
        "displayName": "Vectra Create Incident Based on Tag for Accounts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByEntities": [
              "Account"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml",
        "query": "Entities_Data_CL\n| where type_s == \"account\"\n| extend Tags = todynamic(tags_s)\n| where set_has_element(Tags, \"MDR - Customer Escalation\")\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}