Microsoft Sentinel Analytic Rules

Vectra Detection Alerts

Id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
Rulename: Vectra Detection Alerts
Description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform.
Severity: Medium
Required data connectors: VectraXDR
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml
Version: 1.0.0
Arm template: 065c0a50-3080-4f9a-acca-1fe6fbf63205.json
VectraDetections
// Keep only detections that have not been triaged in Vectra (recommended default).
// NOTE(review): rows where "Is Triaged" is null would presumably not match
// `== false` either and so are dropped too — confirm against the table schema.
| where ["Is Triaged"] == false
// Alias the space-containing columns in a single extend: the customDetails and
// entity mappings of the rule need attribute names without spaces.
| extend
    entity_name   = ['Entity UID'],
    triaged       = ['Is Triaged'],
    detection     = ['Detection Name'],
    category      = ['Detection Category'],
    url_detection = ['Vectra Pivot']
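---
# Scheduled analytic rule: one SecurityAlert per new Vectra detection.
# Incident creation and alert grouping are deliberately disabled below — the
# description states the rule exists only to populate the SecurityAlert table.
id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
name: Vectra Detection Alerts
version: 1.0.0
kind: Scheduled
status: Available
severity: Medium
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml

requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Detections_Data_CL

# Frequency equals period, so consecutive query windows do not overlap.
# NOTE(review): a detection that lands in the workspace after its window has
# already been evaluated would presumably never alert — confirm ingestion lag
# is acceptable for this data type.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0

# Block scalar is kept free of trailing whitespace: with `|` every character
# on a line, including trailing spaces, becomes part of the query text.
query: |
  VectraDetections
  // Filter out triaged detection by default (recommended)
  | where ["Is Triaged"] == false
  // custom details do not allow spaces in the attribute name
  | extend entity_name = ['Entity UID']
  | extend triaged = ['Is Triaged']
  | extend detection = ['Detection Name']
  | extend category = ['Detection Category']
  | extend url_detection = ['Vectra Pivot']

eventGroupingSettings:
  aggregationKind: AlertPerResult

# entity_name is the space-free alias of 'Entity UID' produced by the query.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: entity_name

# Values are column names of the query result.
# NOTE(review): `Summary` (here) and `{{Details}}` (in alertDescriptionFormat)
# are not created by the query's extend lines; they are presumably columns of
# VectraDetections itself — verify against the table/function schema.
customDetails:
  triaged: triaged
  Summary: Summary

alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI {{detection}} detected
  # Trailing spaces removed from the Details line; with `|` they would be
  # emitted verbatim into every alert description.
  alertDescriptionFormat: |
    Detection category:  {{category}}
    Details: {{Details}}
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: url_detection

incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

suppressionEnabled: false
suppressionDuration: 5h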
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Detection category:  {{category}}\nDetails: {{Details}} \n",
          "alertDisplayNameFormat": "Vectra AI {{detection}} detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "url_detection"
            }
          ]
        },
        "alertRuleTemplateName": "065c0a50-3080-4f9a-acca-1fe6fbf63205",
        "customDetails": {
          "Summary": "Summary",
          "triaged": "triaged"
        },
        "description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
        "displayName": "Vectra Detection Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "entity_name",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml",
        "query": "VectraDetections\n// Filter out triaged detection by default (recommended)\n| where [\"Is Triaged\"] == false \n// custom details do not allow spaces in the attribute name\n| extend entity_name = ['Entity UID']\n| extend triaged = ['Is Triaged']\n| extend detection = ['Detection Name']\n| extend category = ['Detection Category']\n| extend url_detection = ['Vectra Pivot']\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}