Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Vectra Priority Entities

Vectra Priority Entities

Back
Id93de640a-314d-459a-9e21-00de2bffa92d
RulenameVectra Priority Entities
DescriptionCreate an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
SeverityHigh
Required data connectorsVectraXDR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_Prioritized_Entities.yaml
Version1.0.0
Arm template93de640a-314d-459a-9e21-00de2bffa92d.json
Deploy To Azure
VectraEntityScoring
| where ['Is Prioritized'] == true
// custom details do not allow spaces in the attribute name
| extend attack_rating = ['Attack Rating']
| extend breadth = ['Breadth Contrib']
| extend detections = ['Active Detection Types']
| extend urgency = ['Urgency Score']
| extend url = ['Vectra Pivot']
| summarize arg_max(['Last Updated'], *) by ['Entity ID']

customDetails:
  detections: detections
  Velocity: Velocity
  Entity_importance: Importance
  Entity_type: Type
  Breadth: breadth
  Attack_Rating: attack_rating
triggerOperator: gt
suppressionDuration: 5h
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
version: 1.0.0
kind: Scheduled
triggerThreshold: 0
queryFrequency: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: true
    groupByCustomDetails: []
    groupByEntities: []
    groupByAlertDetails: []
    lookbackDuration: 7d
    matchingMethod: AllEntities
    enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
name: Vectra Priority Entities
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_Prioritized_Entities.yaml
id: 93de640a-314d-459a-9e21-00de2bffa92d
alertDetailsOverride:
  alertDescriptionFormat: |-
    Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.
    Attack rating is {{Attack Rating}}.    
  alertDisplayNameFormat: 'Priority Incident - {{Name}}  with Urgency Score of {{Urgency Score}}  '
  alertDynamicProperties:
  - value: urgency
    alertProperty: ConfidenceLevel
  - value: url
    alertProperty: AlertLink
status: Available
severity: High
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: Name
  entityType: Host
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Entity_Scoring_Data_CL
query: |
  VectraEntityScoring
  | where ['Is Prioritized'] == true
  // custom details do not allow spaces in the attribute name
  | extend attack_rating = ['Attack Rating']
  | extend breadth = ['Breadth Contrib']
  | extend detections = ['Active Detection Types']
  | extend urgency = ['Urgency Score']
  | extend url = ['Vectra Pivot']
  | summarize arg_max(['Last Updated'], *) by ['Entity ID']  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/93de640a-314d-459a-9e21-00de2bffa92d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/93de640a-314d-459a-9e21-00de2bffa92d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.\nAttack rating is {{Attack Rating}}.",
          "alertDisplayNameFormat": "Priority Incident - {{Name}}  with Urgency Score of {{Urgency Score}}  ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ConfidenceLevel",
              "value": "urgency"
            },
            {
              "alertProperty": "AlertLink",
              "value": "url"
            }
          ]
        },
        "alertRuleTemplateName": "93de640a-314d-459a-9e21-00de2bffa92d",
        "customDetails": {
          "Attack_Rating": "attack_rating",
          "Breadth": "breadth",
          "detections": "detections",
          "Entity_importance": "Importance",
          "Entity_type": "Type",
          "Velocity": "Velocity"
        },
        "description": "Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.",
        "displayName": "Vectra Priority Entities",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_Prioritized_Entities.yaml",
        "query": "VectraEntityScoring\n| where ['Is Prioritized'] == true\n// custom details do not allow spaces in the attribute name\n| extend attack_rating = ['Attack Rating']\n| extend breadth = ['Breadth Contrib']\n| extend detections = ['Active Detection Types']\n| extend urgency = ['Urgency Score']\n| extend url = ['Vectra Pivot']\n| summarize arg_max(['Last Updated'], *) by ['Entity ID']\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}