Microsoft Sentinel Analytic Rules

Vectra Detection Alerts

Id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
Rule name: Vectra Detection Alerts
Description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
Severity: Medium
Required data connectors: VectraXDR
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml
Version: 1.0.1
Arm template: 065c0a50-3080-4f9a-acca-1fe6fbf63205.json
// Untriaged Vectra XDR detections, with alias columns whose names are legal
// as Sentinel custom details (custom-detail attribute names cannot contain
// spaces, so the original space-separated column names are re-exposed here).
VectraDetections
// Drop detections an analyst has already triaged (recommended default).
// A null triage flag also fails this predicate and is dropped.
| where ['Is Triaged'] == false
| extend
    entity_name   = ['Entity UID'],
    triaged       = ['Is Triaged'],
    detection     = ['Detection Name'],
    category      = ['Detection Category'],
    url_detection = ['Vectra Pivot']
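---
# Microsoft Sentinel scheduled analytic rule: Vectra Detection Alerts.
# Emits one alert per query row (AlertPerResult). Incident creation and
# grouping are disabled, so the rule only populates the SecurityAlert table.
id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
name: Vectra Detection Alerts
description: >-
  This analytic rule is looking for new attacker behaviors observed by the
  Vectra Platform. The intent is to create entries in the SecurityAlert table
  for every new detection attached to an entity monitored by the Vectra
  Platform
severity: Medium
status: Available
# Quoted so tooling never re-types the version string.
version: "1.0.1"
kind: Scheduled
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml"

requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Detections_Data_CL

# Schedule: every 5 minutes over the last 5 minutes; any returned row fires.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
suppressionEnabled: false
suppressionDuration: 5h

eventGroupingSettings:
  aggregationKind: AlertPerResult

# No incidents are created by this rule; grouping settings are kept for
# completeness but are inactive while enabled is false.
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

# entity_name (the Vectra 'Entity UID') is mapped as a host name.
# NOTE(review): confirm against the connector schema that every UID reaching
# this rule is a host; a non-host entity would be surfaced as a Host entity.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: entity_name

# Custom-detail attribute names cannot contain spaces, hence the aliases
# produced by the query. Summary is read straight from the source table
# (assumes VectraDetections exposes a Summary column — TODO confirm).
customDetails:
  Summary: Summary
  triaged: triaged

# Trailing whitespace inside block scalars becomes part of the deployed value,
# so the format lines below carry none.
# NOTE(review): {{Details}} is not produced by the query; it presumably is a
# column of VectraDetections — verify against the table schema.
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI {{detection}} detected
  alertDescriptionFormat: |
    Detection category:  {{category}}
    Details: {{Details}}
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: url_detection

query: |
  VectraDetections
  // Filter out triaged detection by default (recommended)
  | where ["Is Triaged"] == false
  // custom details do not allow spaces in the attribute name
  | extend entity_name = ['Entity UID']
  | extend triaged = ['Is Triaged']
  | extend detection = ['Detection Name']
  | extend category = ['Detection Category']
  | extend url_detection = ['Vectra Pivot']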
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Detection category:  {{category}}\nDetails: {{Details}} \n",
          "alertDisplayNameFormat": "Vectra AI {{detection}} detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "url_detection"
            }
          ]
        },
        "alertRuleTemplateName": "065c0a50-3080-4f9a-acca-1fe6fbf63205",
        "customDetails": {
          "Summary": "Summary",
          "triaged": "triaged"
        },
        "description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
        "displayName": "Vectra Detection Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "entity_name",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml",
        "query": "VectraDetections\n// Filter out triaged detection by default (recommended)\n| where [\"Is Triaged\"] == false \n// custom details do not allow spaces in the attribute name\n| extend entity_name = ['Entity UID']\n| extend triaged = ['Is Triaged']\n| extend detection = ['Detection Name']\n| extend category = ['Detection Category']\n| extend url_detection = ['Vectra Pivot']\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}