Back
Id8b7a1a64-8ef2-4000-b8c9-9bca3b93aace
RulenameVectra Create Incident Based on Tag for Hosts
DescriptionCreate an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
SeverityHigh
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra%20XDR/Analytic%20Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
Version1.1.0
Arm template8b7a1a64-8ef2-4000-b8c9-9bca3b93aace.json
Deploy To Azure
Entities_Data_CL
| where entity_type == "host"
| extend Tags = todynamic(tags)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
suppressionEnabled: false
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  ip_address: ip
  attack_profile: attack_profile
  tags: tags
  entity_id: id
  entity_type: entity_type
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: P7D
    enabled: true
    groupByAlertDetails:
    - DisplayName
    groupByEntities:
    - Host
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra%20XDR/Analytic%20Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
queryPeriod: 10m
relevantTechniques:
- T1546
suppressionDuration: PT1H
name: Vectra Create Incident Based on Tag for Hosts
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: name
    identifier: HostName
status: Available
version: 1.1.0
id: 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Incident- {{name}}
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: url
  alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}
tactics:
- Persistence
triggerThreshold: 0
description: Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
triggerOperator: GreaterThan
queryFrequency: 10m
query: |
  Entities_Data_CL
  | where entity_type == "host"
  | extend Tags = todynamic(tags)
  | where set_has_element(Tags, "MDR - Customer Escalation")
  | summarize arg_max(['last_modified_timestamp'], *) by ['name']
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Entities_Data_CL
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b7a1a64-8ef2-4000-b8c9-9bca3b93aace')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b7a1a64-8ef2-4000-b8c9-9bca3b93aace')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An incident has been escalated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}",
          "alertDisplayNameFormat": "Vectra AI Incident- {{name}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "url"
            }
          ]
        },
        "alertRuleTemplateName": "8b7a1a64-8ef2-4000-b8c9-9bca3b93aace",
        "customDetails": {
          "attack_profile": "attack_profile",
          "entity_id": "id",
          "entity_type": "entity_type",
          "ip_address": "ip",
          "tags": "tags"
        },
        "description": "Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.",
        "displayName": "Vectra Create Incident Based on Tag for Hosts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "name",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra%20XDR/Analytic%20Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml",
        "query": "Entities_Data_CL\n| where entity_type == \"host\"\n| extend Tags = todynamic(tags)\n| where set_has_element(Tags, \"MDR - Customer Escalation\")\n| summarize arg_max(['last_modified_timestamp'], *) by ['name']\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}