Entities_Data_CL
| where entity_type == "host"
| extend Tags = todynamic(tags)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
tactics:
- Persistence
relevantTechniques:
- T1546
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
name: Vectra Create Incident Based on Tag for Hosts
id: 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace
description: Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
incidentConfiguration:
groupingConfiguration:
lookbackDuration: P7D
groupByAlertDetails:
- DisplayName
enabled: true
reopenClosedIncident: false
groupByEntities:
- Host
matchingMethod: AllEntities
createIncident: true
suppressionDuration: PT1H
suppressionEnabled: false
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDynamicProperties:
- alertProperty: AlertLink
value: url
alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: name
entityType: Host
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
query: |
Entities_Data_CL
| where entity_type == "host"
| extend Tags = todynamic(tags)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
queryFrequency: 10m
queryPeriod: 10m
triggerThreshold: 0
customDetails:
tags: tags
entity_type: entity_type
ip_address: ip
entity_id: id
attack_profile: attack_profile
kind: Scheduled
version: 1.1.0
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
