Vectra AI Detect - Suspected Compromised Account
| Id | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 |
| Rulename | Vectra AI Detect - Suspected Compromised Account |
| Description | Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical. |
| Severity | Medium |
| Tactics | CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact |
| Required data connectors | AIVectraDetect |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml |
| Version | 1.0.3 |
| Arm template | 321f9dbd-64b7-4541-81dc-08cf7732ccb0.json |
// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "Low", "Medium", "High", "Critical" )
let configured_level = dynamic(["Low", "Medium", "High", "Critical"]);
let upn_has_prefix = ":";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "asc"
| extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" )
| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case( level == "Low", "Low",
level == "Medium", "Medium",
level == "High", "Medium",
level == "Critical", "High",
"UNKNOWN")
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(threat_score, *) by saccount
| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL
| extend AccountCustomEntity = upn, timestamp = TimeGenerated
severity: Medium
triggerThreshold: 0
query: |
// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "Low", "Medium", "High", "Critical" )
let configured_level = dynamic(["Low", "Medium", "High", "Critical"]);
let upn_has_prefix = ":";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "asc"
| extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" )
| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case( level == "Low", "Low",
level == "Medium", "Medium",
level == "High", "Medium",
level == "Critical", "High",
"UNKNOWN")
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(threat_score, *) by saccount
| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL
| extend AccountCustomEntity = upn, timestamp = TimeGenerated
queryFrequency: 1h
requiredDataConnectors:
- connectorId: AIVectraDetect
dataTypes:
- CommonSecurityLog
id: 321f9dbd-64b7-4541-81dc-08cf7732ccb0
version: 1.0.3
name: Vectra AI Detect - Suspected Compromised Account
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
queryPeriod: 1h
relevantTechniques:
triggerOperator: gt
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
alertDetailsOverride:
alertSeverityColumnName: Severity
alertDescriptionFormat: The account {{saccount}} is in the {{level}} quadrant. Pivot to Detect UI with {{vectra_URL}}
alertTacticsColumnName:
alertDisplayNameFormat: Vectra AI Detect - Account {{saccount}} reaches {{level}} severity
description: |
'Create an incident when an Account is suspected to be compromised.
The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat.
Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/321f9dbd-64b7-4541-81dc-08cf7732ccb0')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/321f9dbd-64b7-4541-81dc-08cf7732ccb0')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Vectra AI Detect - Suspected Compromised Account",
"description": "'Create an incident when an Account is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'\n",
"severity": "Medium",
"enabled": true,
"query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nlet upn_has_prefix = \":\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"asc\"\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[0]) ,\"network\" ) \n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[1]) , saccount )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by saccount\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\n| extend AccountCustomEntity = upn, timestamp = TimeGenerated\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Discovery",
"LateralMovement",
"Collection",
"CommandAndControl",
"Exfiltration",
"Impact"
],
"techniques": null,
"alertRuleTemplateName": "321f9dbd-64b7-4541-81dc-08cf7732ccb0",
"alertDetailsOverride": {
"alertDisplayNameFormat": "Vectra AI Detect - Account {{saccount}} reaches {{level}} severity",
"alertSeverityColumnName": "Severity",
"alertTacticsColumnName": null,
"alertDescriptionFormat": "The account {{saccount}} is in the {{level}} quadrant. Pivot to Detect UI with {{vectra_URL}}"
},
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
],
"entityType": "Account"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml",
"templateVersion": "1.0.3",
"status": "Available"
}
}
]
}