detection.wiki

Detection rules › Kusto

Create Incident for XDR Alerts

This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.

Status
available
Severity
high
Time window
5m
Source
github.com/Azure/Azure-Sentinel

'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'

Rule body kusto

id: 0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd
name: Create Incident for XDR Alerts
description: |
  'This Query creates an incident based on Trend Vision One Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage.'
severity: High
status: Available
requiredDataConnectors:
  - connectorId: TrendMicroXDR
    dataTypes:
      - TrendMicro_XDR_WORKBENCH_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
relevantTechniques:
suppressionDuration: 5h
suppressionEnabled: false
query: |
  TrendMicro_XDR_WORKBENCH_CL
  | extend Severity = case(severity_s == "low", "Informational",
                          severity_s == "medium", "Low",
                          severity_s == "high", "Medium",
                          "High"
                          )
  | extend 
      UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
      UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
      FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
      FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
      ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
      RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
      RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
      RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))
alertRuleTemplateName: null
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5m
    matchingMethod: Selected
    groupByCustomDetails: 
      - WorkbenchID
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserAccountName_s
      - identifier: NTDomain
        columnName: UserAccountNTDomain_s
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileName_s
      - identifier: Directory
        columnName: FileDirectory_s
  - entityType: Process
    fieldMappings:
      - identifier: CommandLine
        columnName: ProcessCommandLine_s
  - entityType: RegistryKey
    fieldMappings:
      - identifier: Key
        columnName: RegistryKey_s
  - entityType: RegistryValue
    fieldMappings:
      - identifier: Name
        columnName: ProcessCommandLine_s
      - identifier: Value
        columnName: RegistryValue_s
alertDetailsOverride:
  alertDisplayNameFormat: '{{workbenchName_s}}'
  alertDescriptionFormat: '{{description_s}}'
  alertSeverityColumnName: Severity
customDetails:
  XDRCustomerID: xdrCustomerID_g
  WorkbenchID: workbenchId_s
  WorkbenchName: workbenchName_s
  WorkbenchLink: workbenchLink_s
  PriorityScore: priorityScore_d
  CreatedAt: createdTime_t
  Severity: severity_s
  ImpactScopeSummary: impactScope_Summary_s
  Provider: alertProvider_s
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.4
kind: Scheduled

Stages and Predicates

Stage 1: source

TrendMicro_XDR_WORKBENCH_CL

Stage 2: extend

| extend Severity = case(severity_s == "low", "Informational",
                        severity_s == "medium", "Low",
                        severity_s == "high", "Medium",
                        "High"
                        )
Severity =
ifseverity_s == "low""Informational"
elifseverity_s == "medium""Low"
elifseverity_s == "high""Medium"
else"High"

Stage 3: extend

| extend 
    UserAccountName_s = todynamic(column_ifexists("UserAccountName_s", "[]")),
    UserAccountNTDomain_s = todynamic(column_ifexists("UserAccountNTDomain_s", "[]")),
    FileName_s = todynamic(column_ifexists("FileName_s", "[]")),
    FileDirectory_s = todynamic(column_ifexists("FileDirectory_s", "[]")),
    ProcessCommandLine_s = todynamic(column_ifexists("ProcessCommandLine_s", "[]")),
    RegistryKey_s = todynamic(column_ifexists("RegistryKey_s", "[]")),
    RegistryValue_s = todynamic(column_ifexists("RegistryValue_s", "[]")),
    RegistryValueName_s = todynamic(column_ifexists("RegistryValueName_s", "[]"))

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Severityextend
FileDirectory_sextend
FileName_sextend
ProcessCommandLine_sextend
RegistryKey_sextend
RegistryValueName_sextend
RegistryValue_sextend
UserAccountNTDomain_sextend
UserAccountName_sextend