Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra AI Detect - Suspected Compromised Account

Back
Id321f9dbd-64b7-4541-81dc-08cf7732ccb0
RulenameVectra AI Detect - Suspected Compromised Account
DescriptionCreate an incident when an Account is suspected to be compromised.

The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat.

Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.
SeverityInformational
TacticsCredentialAccess
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
Impact
Required data connectorsAIVectraDetect
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
Version1.0.5
Arm template321f9dbd-64b7-4541-81dc-08cf7732ccb0.json
Deploy To Azure
// Edit this variable to only keep the Severity level where an incident needs to be created.
//Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
let configured_level = dynamic(["High", "Critical"]);
let upn_has_prefix = ":";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "asc"
| extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
| extend name = tostring(split(upn,"@")[0])
| extend upn_suffix = tostring(split(upn,"@")[1])
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                      threat_score < 50 and certainty_score >= 50 , "Medium", 
                      threat_score >= 50 and certainty_score <= 50, "High", 
                      threat_score >= 50 and certainty_score >= 50, "Critical",
                      "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level) 
//keep only the event with the highest threat score per Host
| summarize arg_max(threat_score, *) by saccount
| sort by TimeGenerated
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml
description: |
  'Create an incident when an Account is suspected to be compromised. 
  The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. 
  Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'  
triggerOperator: gt
customDetails:
  ScoreDecrease: score_decreases
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: AIVectraDetect
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: true
    matchingMethod: AllEntities
    lookbackDuration: 7d
    enabled: true
queryFrequency: 5m
triggerThreshold: 0
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDynamicProperties:
  - value: vectra_URL
    alertProperty: AlertLink
  - value: DeviceProduct
    alertProperty: ProductName
  - value: DeviceVendor
    alertProperty: ProviderName
  - value: certainty_score
    alertProperty: ConfidenceScore
  alertDescriptionFormat: |
    The account {{saccount}} has a threat score of {{threat_score}} and a
    certainty of {{certainty_score}}    
  alertDisplayNameFormat: Vectra AI Detect - Account {{saccount}} reaches {{level}} severity
query: |
  // Edit this variable to only keep the Severity level where an incident needs to be created.
  //Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
  let configured_level = dynamic(["High", "Critical"]);
  let upn_has_prefix = ":";
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID == "asc"
  | extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
  | extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
  | extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
  | extend name = tostring(split(upn,"@")[0])
  | extend upn_suffix = tostring(split(upn,"@")[1])
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename score_decreases = DeviceCustomString3
  | extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                        threat_score < 50 and certainty_score >= 50 , "Medium", 
                        threat_score >= 50 and certainty_score <= 50, "High", 
                        threat_score >= 50 and certainty_score >= 50, "Critical",
                        "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | where level in (configured_level) 
  //keep only the event with the highest threat score per Host
  | summarize arg_max(threat_score, *) by saccount
  | sort by TimeGenerated  
status: Available
kind: Scheduled
relevantTechniques: 
version: 1.0.5
id: 321f9dbd-64b7-4541-81dc-08cf7732ccb0
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - columnName: name
    identifier: Name
  - columnName: upn_suffix
    identifier: UPNSuffix
  entityType: Account
name: Vectra AI Detect - Suspected Compromised Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/321f9dbd-64b7-4541-81dc-08cf7732ccb0')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/321f9dbd-64b7-4541-81dc-08cf7732ccb0')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Vectra AI Detect - Suspected Compromised Account",
        "description": "'Create an incident when an Account is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "// Edit this variable to only keep the Severity level where an incident needs to be created.\n//Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'\nlet configured_level = dynamic([\"High\", \"Critical\"]);\nlet upn_has_prefix = \":\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"asc\"\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[0]) ,\"network\" ) \n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[1]) , saccount )\n| extend name = tostring(split(upn,\"@\")[0])\n| extend upn_suffix = tostring(split(upn,\"@\")[1])\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score <  50 and certainty_score < 50, \"Low\",\n                      threat_score < 50 and certainty_score >= 50 , \"Medium\", \n                      threat_score >= 50 and certainty_score <= 50, \"High\", \n                      threat_score >= 50 and certainty_score >= 50, \"Critical\",\n                      \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by saccount\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "LateralMovement",
          "Collection",
          "CommandAndControl",
          "Exfiltration",
          "Impact"
        ],
        "techniques": null,
        "alertRuleTemplateName": "321f9dbd-64b7-4541-81dc-08cf7732ccb0",
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "reopenClosedIncident": true,
            "matchingMethod": "AllEntities",
            "lookbackDuration": "P7D"
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertDynamicProperties": [
            {
              "value": "vectra_URL",
              "alertProperty": "AlertLink"
            },
            {
              "value": "DeviceProduct",
              "alertProperty": "ProductName"
            },
            {
              "value": "DeviceVendor",
              "alertProperty": "ProviderName"
            },
            {
              "value": "certainty_score",
              "alertProperty": "ConfidenceScore"
            }
          ],
          "alertDisplayNameFormat": "Vectra AI Detect - Account {{saccount}} reaches {{level}} severity",
          "alertDescriptionFormat": "The account {{saccount}} has a threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
          "alertSeverityColumnName": "Severity"
        },
        "customDetails": {
          "ScoreDecrease": "score_decreases"
        },
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name",
                "identifier": "Name"
              },
              {
                "columnName": "upn_suffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-by-Severity.yaml",
        "templateVersion": "1.0.5",
        "status": "Available"
      }
    }
  ]
}