// Source rows are Vectra XDR detections ingested through the VectraXDR connector.
VectraDetections
// Drop detections an analyst has already triaged (recommended default), so the
// rule only alerts on behaviour that is still open in the Vectra Platform.
| where ['Is Triaged'] == false
// Expose the columns the analytic rule maps to entities, custom details and the
// alert link; custom-detail attribute names cannot contain spaces, hence the aliases.
| extend
    entity_name = ['Entity UID'],
    triaged = ['Is Triaged'],
    detection = ['Detection Name'],
    category = ['Detection Category'],
    url_detection = ['Vectra Pivot']
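# Microsoft Sentinel scheduled analytic rule for Vectra XDR detections.
# Every untriaged detection row returned by the query becomes one SecurityAlert.
id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
name: Vectra Detection Alerts
description: >-
  This analytic rule looks for new attacker behaviors observed by the Vectra
  Platform. The intent is to create entries in the SecurityAlert table for every
  new detection attached to an entity monitored by the Vectra Platform.
severity: Medium
status: Available
kind: Scheduled
# Quoted so tooling never re-types the version as a number.
version: "1.0.1"
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml"

requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Detections_Data_CL

# Schedule: runs every 5 minutes over the last 5 minutes of data.
# NOTE(review): period == frequency leaves no margin for ingestion latency, so a
# late-arriving detection can fall between two windows — confirm this is intended.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0

# Block scalar without trailing whitespace: the rendered template previously
# carried a trailing space on the "where" line, which became part of the query text.
query: |
  VectraDetections
  // Filter out triaged detection by default (recommended)
  | where ["Is Triaged"] == false
  // custom details do not allow spaces in the attribute name
  | extend entity_name = ['Entity UID']
  | extend triaged = ['Is Triaged']
  | extend detection = ['Detection Name']
  | extend category = ['Detection Category']
  | extend url_detection = ['Vectra Pivot']

entityMappings:
  # NOTE(review): every row is mapped as a Host. If 'Entity UID' can also carry a
  # Vectra account entity, those alerts get a misclassified entity — confirm.
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: entity_name

# Only these query columns are surfaced as custom details on the alert.
# NOTE(review): Summary is not produced by the extend clauses in the query;
# presumably it is a column of VectraDetections — confirm, or it renders empty.
customDetails:
  triaged: triaged
  Summary: Summary

alertDetailsOverride:
  alertDisplayNameFormat: "Vectra AI {{detection}} detected"
  # No trailing whitespace inside the block: the rendered template previously
  # carried "{{Details}} \n", i.e. a stray space in the alert description.
  # NOTE(review): Details is not produced by the query's extend clauses either;
  # presumably a VectraDetections column — confirm.
  alertDescriptionFormat: |
    Detection category: {{category}}
    Details: {{Details}}
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: url_detection

eventGroupingSettings:
  # One alert per detection row rather than one alert per query run.
  aggregationKind: AlertPerResult
suppressionEnabled: false
suppressionDuration: 5h

incidentConfiguration:
  # Alerts are written to SecurityAlert but no incident is opened for them.
  createIncident: false
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []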
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n",
"alertDisplayNameFormat": "Vectra AI {{detection}} detected",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_detection"
}
]
},
"alertRuleTemplateName": "065c0a50-3080-4f9a-acca-1fe6fbf63205",
"customDetails": {
"Summary": "Summary",
"triaged": "triaged"
},
"description": "This analytic rule looks for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform.",
"displayName": "Vectra Detection Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "entity_name",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml",
"query": "VectraDetections\n// Filter out triaged detection by default (recommended)\n| where [\"Is Triaged\"] == false \n// custom details do not allow spaces in the attribute name\n| extend entity_name = ['Entity UID']\n| extend triaged = ['Is Triaged']\n| extend detection = ['Detection Name']\n| extend category = ['Detection Category']\n| extend url_detection = ['Vectra Pivot']\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}