Vectra Accounts Behaviors

Back


Id	ce54b5d3-4c31-4eaf-a73e-31412270b6ab
Rulename	Vectra Account’s Behaviors
Description	This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account’s detections.
Severity	Informational
Tactics	CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact
Techniques	T1003 T1087 T1021 T1119 T1071 T1041 T1499
Required data connectors	CefAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml
Version	1.0.5
Arm template	ce54b5d3-4c31-4eaf-a73e-31412270b6ab.json

KQL

CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns"
    and DeviceEventClassID != "hsc"
    and DeviceEventClassID != "audit"
    and DeviceEventClassID != "health"
    and DeviceEventClassID != "asc"
| extend Category = coalesce(
    column_ifexists("DeviceEventCategory", ""), 
    extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
    ""
    )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename triaged = DeviceCustomString5
| where triaged != "True" and AdditionalExtensions contains "account"
| extend account = extract("account=(.+?);", 1, AdditionalExtensions)
| extend upn = iff(account matches regex ":", tostring(split(account, ":")[1]), tostring(split(account, ":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
| extend source_entity = case(isnotempty(upn), upn,
    isnotempty(SourceHostName), SourceHostName,
    "UNKNWON")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
    threat_score < 50 and certainty_score < 50, "Low",
    threat_score < 50 and certainty_score >= 50, "Medium", 
    threat_score >= 50 and certainty_score <= 50, "High", 
    threat_score >= 50 and certainty_score >= 50, "Critical",
    "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID != "campaigns"
      and DeviceEventClassID != "hsc"
      and DeviceEventClassID != "audit"
      and DeviceEventClassID != "health"
      and DeviceEventClassID != "asc"
  | extend Category = coalesce(
      column_ifexists("DeviceEventCategory", ""), 
      extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
      ""
      )
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename triaged = DeviceCustomString5
  | where triaged != "True" and AdditionalExtensions contains "account"
  | extend account = extract("account=(.+?);", 1, AdditionalExtensions)
  | extend upn = iff(account matches regex ":", tostring(split(account, ":")[1]), tostring(split(account, ":")[0]))
  | extend name = tostring(split(upn, "@")[0])
  | extend upn_suffix = tostring(split(upn, "@")[1])
  | extend source_entity = case(isnotempty(upn), upn,
      isnotempty(SourceHostName), SourceHostName,
      "UNKNWON")
  | extend level = case(threat_score == 0 and certainty_score == 0, "Info",
      threat_score < 50 and certainty_score < 50, "Low",
      threat_score < 50 and certainty_score >= 50, "Medium", 
      threat_score >= 50 and certainty_score <= 50, "High", 
      threat_score >= 50 and certainty_score >= 50, "Critical",
      "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | summarize arg_max(threat_score, *) by source_entity, Activity
  | sort by TimeGenerated  
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: name
  - identifier: UPNSuffix
    columnName: upn_suffix
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
triggerThreshold: 0
queryPeriod: 5m
version: 1.0.5
queryFrequency: 5m
severity: Informational
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI - {{Activity}} Detected
  alertSeverityColumnName: Severity
  alertDynamicProperties:
  - value: vectra_URL
    alertProperty: AlertLink
  - value: DeviceProduct
    alertProperty: ProductName
  - value: DeviceVendor
    alertProperty: ProviderName
  - value: certainty_score
    alertProperty: ConfidenceScore
  alertDescriptionFormat: |
        Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.
customDetails:
  AttackCategory: Category
  AttackType: Activity
name: Vectra Account's Behaviors
id: ce54b5d3-4c31-4eaf-a73e-31412270b6ab
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
description: |
    'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account's detections.'

ARM