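VectraDetections
// Drop detections already triaged in Vectra (recommended default). Every row
// that survives becomes one alert: the rule uses AlertPerResult grouping with a
// "greater than 0 rows" trigger.
| where ['Is Triaged'] == false
// Sentinel custom-detail keys cannot contain spaces, and the entity mapping and
// alert-details override also reference these columns by name, so the spaced
// Vectra column names are aliased here. Bracket quoting is kept uniform
// (['...']) for consistency. Deliberately no `project`: the rule also reads the
// native Summary and Details columns, which are assumed to exist on
// VectraDetections without spaces - confirm against the connector schema.
| extend
    entity_name   = ['Entity UID'],         // mapped to a Host/HostName entity
    triaged       = ['Is Triaged'],         // always false after the filter above
    detection     = ['Detection Name'],     // used in the alert display name
    category      = ['Detection Category'], // used in the alert description
    url_detection = ['Vectra Pivot']        // surfaced verbatim as AlertLink; trusted only as far as the connector data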
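# Microsoft Sentinel scheduled analytics rule: one SecurityAlert per new,
# un-triaged Vectra detection. Nesting below is restored from the deployed ARM
# template of the same rule (the original listing had lost its indentation).
id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
name: Vectra Detection Alerts
description: >-
  This analytic rule is looking for new attacker behaviors observed by the
  Vectra Platform. The intent is to create entries in the SecurityAlert table
  for every new detection attached to an entity monitored by the Vectra
  Platform
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Detections_Data_CL
# Lookback equals the run interval, so consecutive runs do not overlap: a
# delayed run, or detection rows ingested late, can be missed. Widening
# queryPeriod past queryFrequency would close that gap, but because the query
# does no de-duplication and grouping is AlertPerResult, a detection that
# falls into two windows would then alert twice. Change both together.
queryFrequency: 5m
queryPeriod: 5m
# Any matching row fires (more than 0 results).
triggerOperator: gt
triggerThreshold: 0
query: |
  VectraDetections
  // Filter out triaged detection by default (recommended)
  | where ['Is Triaged'] == false
  // custom details, entity mappings and the alert-details override reference
  // these columns by name and do not allow spaces in the attribute name
  | extend entity_name = ['Entity UID']
  | extend triaged = ['Is Triaged']
  | extend detection = ['Detection Name']
  | extend category = ['Detection Category']
  | extend url_detection = ['Vectra Pivot']
entityMappings:
  # NOTE(review): 'Entity UID' is mapped as a Host/HostName entity. If Vectra
  # entities can also be accounts, those would be labelled as hosts here and
  # would not correlate with Account entities from other rules - confirm.
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: entity_name
customDetails:
  # triaged is always false given the query's Is Triaged filter; informational.
  triaged: triaged
  # Summary is read as a native VectraDetections column (not aliased by the
  # query); it must exist without spaces in the connector schema.
  Summary: Summary
alertDetailsOverride:
  alertDisplayNameFormat: 'Vectra AI {{detection}} detected'
  # Details is likewise expected as a native column of VectraDetections.
  alertDescriptionFormat: |
    Detection category: {{category}}
    Details: {{Details}}
  alertDynamicProperties:
    # The Vectra Pivot URL from the connector data is attached as the alert
    # link verbatim; nothing here validates it.
    - alertProperty: AlertLink
      value: url_detection
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Alert-only rule: no incident is created, so the grouping settings below are
# inert until createIncident is switched on.
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
# Suppression is off; suppressionDuration has no effect while it stays off.
suppressionEnabled: false
suppressionDuration: 5h
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml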
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n",
"alertDisplayNameFormat": "Vectra AI {{detection}} detected",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_detection"
}
]
},
"alertRuleTemplateName": "065c0a50-3080-4f9a-acca-1fe6fbf63205",
"customDetails": {
"Summary": "Summary",
"triaged": "triaged"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Detection Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "entity_name",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml",
"query": "VectraDetections\n// Filter out triaged detection by default (recommended)\n| where [\"Is Triaged\"] == false \n// custom details do not allow spaces in the attribute name\n| extend entity_name = ['Entity UID']\n| extend triaged = ['Is Triaged']\n| extend detection = ['Detection Name']\n| extend category = ['Detection Category']\n| extend url_detection = ['Vectra Pivot']\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}