Vectra AI Detect - Suspected Compromised Account
| Id | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 |
| Rulename | Vectra AI Detect - Suspected Compromised Account |
| Description | Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical. |
| Severity | Informational |
| Tactics | CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact |
| Techniques | T1003 T1087 T1021 T1119 T1071 T1041 T1499 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml |
| Version | 1.0.9 |
| Arm template | 321f9dbd-64b7-4541-81dc-08cf7732ccb0.json |
// Edit this variable to only keep the Severity level where an incident needs to be created.
//Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
let configured_level = dynamic(["High", "Critical"]);
let upn_has_prefix = ":";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "asc"
| extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" )
| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
| extend name = tostring(split(upn,"@")[0])
| extend upn_suffix = tostring(split(upn,"@")[1])
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(threat_score, *) by saccount
| sort by TimeGenerated
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 7d
enabled: true
matchingMethod: AllEntities
reopenClosedIncident: true
createIncident: true
status: Available
version: 1.0.9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
name: Vectra AI Detect - Suspected Compromised Account
entityMappings:
- fieldMappings:
- columnName: name
identifier: Name
- columnName: upn_suffix
identifier: UPNSuffix
entityType: Account
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
query: |
// Edit this variable to only keep the Severity level where an incident needs to be created.
//Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
let configured_level = dynamic(["High", "Critical"]);
let upn_has_prefix = ":";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "asc"
| extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" )
| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
| extend name = tostring(split(upn,"@")[0])
| extend upn_suffix = tostring(split(upn,"@")[1])
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(threat_score, *) by saccount
| sort by TimeGenerated
triggerOperator: gt
id: 321f9dbd-64b7-4541-81dc-08cf7732ccb0
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
severity: Informational
customDetails:
ScoreDecrease: score_decreases
description: |
'Create an incident when an Account is suspected to be compromised.
The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat.
Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
kind: Scheduled
queryFrequency: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDynamicProperties:
- value: vectra_URL
alertProperty: AlertLink
- value: DeviceProduct
alertProperty: ProductName
- value: DeviceVendor
alertProperty: ProviderName
- value: certainty_score
alertProperty: ConfidenceScore
alertSeverityColumnName: Severity
alertDisplayNameFormat: Vectra AI Detect - Account {{saccount}} reaches {{level}} severity
alertDescriptionFormat: |
The account {{saccount}} has a threat score of {{threat_score}} and a
certainty of {{certainty_score}}
queryPeriod: 5m