Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Create Incident Based on Tag for Hosts

Back
Id8b7a1a64-8ef2-4000-b8c9-9bca3b93aace
RulenameVectra Create Incident Based on Tag for Hosts
DescriptionCreate an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
SeverityHigh
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
Version1.0.0
Arm template8b7a1a64-8ef2-4000-b8c9-9bca3b93aace.json
Deploy To Azure
Entities_Data_CL
| where type_s == "host"
| extend Tags = todynamic(tags_s)
| where set_has_element(Tags, "MDR - Customer Escalation")
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
query: |
  Entities_Data_CL
  | where type_s == "host"
  | extend Tags = todynamic(tags_s)
  | where set_has_element(Tags, "MDR - Customer Escalation")
  | summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']  
description: Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.
severity: High
requiredDataConnectors:
- dataTypes:
  - Entities_Data_CL
  connectorId: VectraXDR
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: name_s
    identifier: HostName
incidentConfiguration:
  groupingConfiguration:
    groupByAlertDetails:
    - DisplayName
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: P7D
    groupByEntities:
    - Host
    matchingMethod: AllEntities
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Vectra Create Incident Based on Tag for Hosts
triggerThreshold: 0
customDetails:
  entity_type: type_s
  entity_importance: entity_importance_d
  tags: tags_s
  ip_address: ip_s
  attack_profile: attack_profile_s
  entity_id: id_d
suppressionDuration: PT1H
status: Available
version: 1.0.0
relevantTechniques:
- T1546
triggerOperator: GreaterThan
kind: Scheduled
id: 8b7a1a64-8ef2-4000-b8c9-9bca3b93aace
suppressionEnabled: false
queryFrequency: 10m
alertDetailsOverride:
  alertDynamicProperties:
  - value: url_s
    alertProperty: AlertLink
  alertDescriptionFormat: An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}
  alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
queryPeriod: 10m
tactics:
- Persistence
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b7a1a64-8ef2-4000-b8c9-9bca3b93aace')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b7a1a64-8ef2-4000-b8c9-9bca3b93aace')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An incident has been escalated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}",
          "alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "url_s"
            }
          ]
        },
        "alertRuleTemplateName": "8b7a1a64-8ef2-4000-b8c9-9bca3b93aace",
        "customDetails": {
          "attack_profile": "attack_profile_s",
          "entity_id": "id_d",
          "entity_importance": "entity_importance_d",
          "entity_type": "type_s",
          "ip_address": "ip_s",
          "tags": "tags_s"
        },
        "description": "Create an incident when the host entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority.",
        "displayName": "Vectra Create Incident Based on Tag for Hosts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "name_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [
              "DisplayName"
            ],
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml",
        "query": "Entities_Data_CL\n| where type_s == \"host\"\n| extend Tags = todynamic(tags_s)\n| where set_has_element(Tags, \"MDR - Customer Escalation\")\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}