Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Hosts Behaviors

Back
Id33e3b6da-2660-4cd7-9032-11be76db88d2
RulenameVectra Host’s Behaviors
DescriptionThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host’s detections.
SeverityInformational
TacticsCredentialAccess
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
Impact
TechniquesT1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsCefAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml
Version1.0.5
Arm template33e3b6da-2660-4cd7-9032-11be76db88d2.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns"
    and DeviceEventClassID != "hsc"
    and DeviceEventClassID != "audit"
    and DeviceEventClassID != "health"
    and DeviceEventClassID != "asc"
| extend Category = coalesce(
    column_ifexists("DeviceEventCategory", ""), 
    extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
    ""
    )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename triaged = DeviceCustomString5
| where triaged != "True" and AdditionalExtensions !has "account"
| extend source_entity = case(isnotempty(SourceHostName), SourceHostName,
    "UNKNWON")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
    threat_score < 50 and certainty_score < 50, "Low",
    threat_score < 50 and certainty_score >= 50, "Medium", 
    threat_score >= 50 and certainty_score <= 50, "High", 
    threat_score >= 50 and certainty_score >= 50, "Critical",
    "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID != "campaigns"
      and DeviceEventClassID != "hsc"
      and DeviceEventClassID != "audit"
      and DeviceEventClassID != "health"
      and DeviceEventClassID != "asc"
  | extend Category = coalesce(
      column_ifexists("DeviceEventCategory", ""), 
      extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
      ""
      )
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename triaged = DeviceCustomString5
  | where triaged != "True" and AdditionalExtensions !has "account"
  | extend source_entity = case(isnotempty(SourceHostName), SourceHostName,
      "UNKNWON")
  | extend level = case(threat_score == 0 and certainty_score == 0, "Info",
      threat_score < 50 and certainty_score < 50, "Low",
      threat_score < 50 and certainty_score >= 50, "Medium", 
      threat_score >= 50 and certainty_score <= 50, "High", 
      threat_score >= 50 and certainty_score >= 50, "Critical",
      "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | summarize arg_max(threat_score, *) by source_entity, Activity
  | sort by TimeGenerated  
description: |
    'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host's detections.'
severity: Informational
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Vectra Host's Behaviors
triggerThreshold: 0
version: 1.0.5
customDetails:
  AttackType: Activity
  AttackCategory: Category
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
alertDetailsOverride:
  alertDynamicProperties:
  - value: vectra_URL
    alertProperty: AlertLink
  - value: DeviceProduct
    alertProperty: ProductName
  - value: DeviceVendor
    alertProperty: ProviderName
  - value: certainty_score
    alertProperty: ConfidenceScore
  alertDescriptionFormat: |
        Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.
  alertDisplayNameFormat: Vectra AI - {{Activity}} Detected
  alertSeverityColumnName: Severity
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
id: 33e3b6da-2660-4cd7-9032-11be76db88d2
status: Available
kind: Scheduled
queryFrequency: 5m
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/33e3b6da-2660-4cd7-9032-11be76db88d2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/33e3b6da-2660-4cd7-9032-11be76db88d2')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n",
          "alertDisplayNameFormat": "Vectra AI - {{Activity}} Detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "vectra_URL"
            },
            {
              "alertProperty": "ProductName",
              "value": "DeviceProduct"
            },
            {
              "alertProperty": "ProviderName",
              "value": "DeviceVendor"
            },
            {
              "alertProperty": "ConfidenceScore",
              "value": "certainty_score"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "33e3b6da-2660-4cd7-9032-11be76db88d2",
        "customDetails": {
          "AttackCategory": "Category",
          "AttackType": "Activity"
        },
        "description": "'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host's detections.'\n",
        "displayName": "Vectra Host's Behaviors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-Detections.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\"\n    and DeviceEventClassID != \"hsc\"\n    and DeviceEventClassID != \"audit\"\n    and DeviceEventClassID != \"health\"\n    and DeviceEventClassID != \"asc\"\n| extend Category = coalesce(\n    column_ifexists(\"DeviceEventCategory\", \"\"), \n    extract(\"cat=(.+?)(;|$)\", 1, AdditionalExtensions), \n    \"\"\n    )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename triaged = DeviceCustomString5\n| where triaged != \"True\" and AdditionalExtensions !has \"account\"\n| extend source_entity = case(isnotempty(SourceHostName), SourceHostName,\n    \"UNKNWON\")\n| extend level = case(threat_score == 0 and certainty_score == 0, \"Info\",\n    threat_score < 50 and certainty_score < 50, \"Low\",\n    threat_score < 50 and certainty_score >= 50, \"Medium\", \n    threat_score >= 50 and certainty_score <= 50, \"High\", \n    threat_score >= 50 and certainty_score >= 50, \"Critical\",\n    \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "Impact",
          "LateralMovement"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1071",
          "T1087",
          "T1119",
          "T1499"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}