VectraDetections
// Keep only detections not yet marked as triaged in the Vectra Platform
// (the recommended default), so already-triaged detections produce no rows
// and therefore no alert from the scheduled rule that wraps this query.
| where ['Is Triaged'] == false
// The rule's customDetails / entity mappings cannot reference column names
// that contain spaces, so expose the needed fields under space-free aliases.
| extend
    entity_name = ['Entity UID'],
    triaged = ['Is Triaged'],
    detection = ['Detection Name'],
    category = ['Detection Category'],
    url_detection = ['Vectra Pivot']
# Microsoft Sentinel scheduled analytic rule: raises one SecurityAlert per
# untriaged Vectra detection (alerts only, no incident creation).
id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
name: Vectra Detection Alerts
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
severity: Medium
status: Available
kind: Scheduled
version: 1.0.1
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml'

requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Detections_Data_CL

# Runs every 5 minutes over the last 5 minutes; any result row (> 0) fires.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0

# Triaged detections are excluded so that detections already reviewed in
# Vectra do not raise a new alert. Column aliases are needed because
# customDetails and entity mappings cannot use names containing spaces.
query: |
  VectraDetections
  // Filter out triaged detection by default (recommended)
  | where ["Is Triaged"] == false
  // custom details do not allow spaces in the attribute name
  | extend entity_name = ['Entity UID']
  | extend triaged = ['Is Triaged']
  | extend detection = ['Detection Name']
  | extend category = ['Detection Category']
  | extend url_detection = ['Vectra Pivot']

# Every Entity UID is mapped as a Host entity; NOTE(review): if VectraDetections
# also carries non-host (e.g. account) entities, confirm this mapping is intended.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: entity_name

# `Summary` is not produced by the query above; presumably a column of
# VectraDetections — verify against the data connector's schema.
customDetails:
  Summary: Summary
  triaged: triaged

# `{{Details}}` is likewise not produced by the query; presumably a
# VectraDetections column — verify.
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI {{detection}} detected
  alertDescriptionFormat: |
    Detection category: {{category}}
    Details: {{Details}}
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: url_detection

# One alert per query row, so each Vectra detection becomes its own alert.
eventGroupingSettings:
  aggregationKind: AlertPerResult

# Alerts only: no incident is created and alert grouping stays disabled, so
# these alerts surface in SecurityAlert but not as incidents on their own.
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

suppressionEnabled: false
suppressionDuration: 5h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n",
"alertDisplayNameFormat": "Vectra AI {{detection}} detected",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_detection"
}
]
},
"alertRuleTemplateName": "065c0a50-3080-4f9a-acca-1fe6fbf63205",
"customDetails": {
"Summary": "Summary",
"triaged": "triaged"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Detection Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "entity_name",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml",
"query": "VectraDetections\n// Filter out triaged detection by default (recommended)\n| where [\"Is Triaged\"] == false \n// custom details do not allow spaces in the attribute name\n| extend entity_name = ['Entity UID']\n| extend triaged = ['Is Triaged']\n| extend detection = ['Detection Name']\n| extend category = ['Detection Category']\n| extend url_detection = ['Vectra Pivot']\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}