Vectra Create Incident Based on Tag for Hosts
| Id | 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace |
| Rulename | Vectra Create Incident Based on Tag for Hosts |
| Description | Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority. |
| Severity | High |
| Tactics | Persistence |
| Techniques | T1546 |
| Required data connectors | VectraXDR |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml |
| Version | 1.0.0 |
| Arm template | 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace.json |
Entities_Data_CL
| where type_s == "host"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
kind: Scheduled
customDetails:
attack_profile: attack_profile_s
entity_id: id_d
entity_type: type_s
ip_address: ip_s
entity_importance: entity_importance_d
tags: tags_s
suppressionDuration: PT1H
entityMappings:
- entityType: Host
fieldMappings:
- columnName: name_s
identifier: HostName
description: Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
severity: High
queryFrequency: 10m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: P7D
matchingMethod: AllEntities
enabled: true
groupByEntities:
- Host
groupByAlertDetails:
- DisplayName
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1546
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionEnabled: false
status: Available
version: 1.0.0
name: Vectra Create Incident Based on Tag for Hosts
id: 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace
query: |
Entities_Data_CL
| where type_s == "host"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
tactics:
- Persistence
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}
alertDynamicProperties:
- value: url_s
alertProperty: AlertLink
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
queryPeriod: 10m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b7a1a64-8ef2-4000-b8c9-9bca3b93aace')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b7a1a64-8ef2-4000-b8c9-9bca3b93aace')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}",
"alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_s"
}
]
},
"alertRuleTemplateName": "8b7a1a64-8ef2-4000-b8c9-9bca3b93aace",
"customDetails": {
"attack_profile": "attack_profile_s",
"entity_id": "id_d",
"entity_importance": "entity_importance_d",
"entity_type": "type_s",
"ip_address": "ip_s",
"tags": "tags_s"
},
"description": "Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.",
"displayName": "Vectra Create Incident Based on Tag for Hosts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "name_s",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [
"DisplayName"
],
"groupByEntities": [
"Host"
],
"lookbackDuration": "P7D",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml",
"query": "Entities_Data_CL\n| where type_s == \"host\"\n| extend Tags = todynamic(tags_s)\n| where set_has_element(Tags, \"MDR - Customer Escalation\")\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}