Vectra AI Detect - Detections with High Severity
| Id | 39e48890-2c02-487e-aa9e-3ba494061798 |
| Rulename | Vectra AI Detect - Detections with High Severity |
| Description | Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. The severity_threshold variable can be adjusted as desired.' |
| Severity | High |
| Tactics | CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact |
| Techniques | T1003 T1087 T1021 T1119 T1071 T1041 T1499 |
| Required data connectors | AIVectraDetect AIVectraDetectAma CefAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml |
| Version | 1.0.9 |
| Arm template | 39e48890-2c02-487e-aa9e-3ba494061798.json |
// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE")
let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
//default threshold is 7 (meaning a threat score of 70)
let severity_threshold = 7.0;
//Map by default to High Severity in Sentinel
let Severity = "High";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc"
| extend Category = coalesce(
column_ifexists("DeviceEventCategory", ""),
extract("cat=(.+?)(;|$)", 1, AdditionalExtensions),
""
)
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| where todecimal(LogSeverity) >= severity_threshold
| extend Tactic = case( Category == "COMMAND & CONTROL", "CommandAndControl",
Category == "BOTNET ACTIVITY" , "Impact",
Category == "EXFILTRATION", "Exfiltration",
Category == "LATERAL MOVEMENT", "LateralMovement",
Category == "RECONNAISSANCE", "Discovery",
"UNKNOWN")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50, "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| extend account = extract("account=(.+?);", 1, AdditionalExtensions)
| extend upn = iff(account matches regex ":", tostring(split(account,":")[1]) ,tostring(split(account,":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
| extend source_entity = case( isnotempty(upn), upn,
isnotempty(SourceHostName), SourceHostName,
"UNKNWON")
| where Category in (configured_tactics)
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 7d
enabled: true
reopenClosedIncident: true
matchingMethod: AllEntities
name: Vectra AI Detect - Detections with High Severity
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: AIVectraDetect
- dataTypes:
- CommonSecurityLog
connectorId: AIVectraDetectAma
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: SourceHostName
entityType: Host
- fieldMappings:
- identifier: Name
columnName: name
- identifier: UPNSuffix
columnName: upn_suffix
entityType: Account
triggerThreshold: 0
id: 39e48890-2c02-487e-aa9e-3ba494061798
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
version: 1.0.9
customDetails:
AttackType: Activity
AttackCategory: Category
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: AlertLink
value: vectra_URL
- alertProperty: ProductName
value: DeviceProduct
- alertProperty: ProviderName
value: DeviceVendor
- alertProperty: ConfidenceScore
value: certainty_score
alertDisplayNameFormat: Vectra AI Detect - {{Activity}} detected
alertSeverityColumnName: Severity
alertDescriptionFormat: Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.
queryPeriod: 5m
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
queryFrequency: 5m
severity: High
status: Available
description: |
'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0).
The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10.
The severity_threshold variable can be adjusted as desired.'
query: |
// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE")
let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
//default threshold is 7 (meaning a threat score of 70)
let severity_threshold = 7.0;
//Map by default to High Severity in Sentinel
let Severity = "High";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc"
| extend Category = coalesce(
column_ifexists("DeviceEventCategory", ""),
extract("cat=(.+?)(;|$)", 1, AdditionalExtensions),
""
)
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| where todecimal(LogSeverity) >= severity_threshold
| extend Tactic = case( Category == "COMMAND & CONTROL", "CommandAndControl",
Category == "BOTNET ACTIVITY" , "Impact",
Category == "EXFILTRATION", "Exfiltration",
Category == "LATERAL MOVEMENT", "LateralMovement",
Category == "RECONNAISSANCE", "Discovery",
"UNKNOWN")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50, "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| extend account = extract("account=(.+?);", 1, AdditionalExtensions)
| extend upn = iff(account matches regex ":", tostring(split(account,":")[1]) ,tostring(split(account,":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
| extend source_entity = case( isnotempty(upn), upn,
isnotempty(SourceHostName), SourceHostName,
"UNKNWON")
| where Category in (configured_tactics)
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/39e48890-2c02-487e-aa9e-3ba494061798')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/39e48890-2c02-487e-aa9e-3ba494061798')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
"alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "vectra_URL"
},
{
"alertProperty": "ProductName",
"value": "DeviceProduct"
},
{
"alertProperty": "ProviderName",
"value": "DeviceVendor"
},
{
"alertProperty": "ConfidenceScore",
"value": "certainty_score"
}
],
"alertSeverityColumnName": "Severity"
},
"alertRuleTemplateName": "39e48890-2c02-487e-aa9e-3ba494061798",
"customDetails": {
"AttackCategory": "Category",
"AttackType": "Activity"
},
"description": "'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. \nThe severity_threshold variable can be adjusted as desired.' \n",
"displayName": "Vectra AI Detect - Detections with High Severity",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "name",
"identifier": "Name"
},
{
"columnName": "upn_suffix",
"identifier": "UPNSuffix"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "P7D",
"matchingMethod": "AllEntities",
"reopenClosedIncident": true
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml",
"query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\n//default threshold is 7 (meaning a threat score of 70)\nlet severity_threshold = 7.0;\n//Map by default to High Severity in Sentinel\nlet Severity = \"High\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\"\n| extend Category = coalesce(\n column_ifexists(\"DeviceEventCategory\", \"\"), \n extract(\"cat=(.+?)(;|$)\", 1, AdditionalExtensions), \n \"\"\n )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| where todecimal(LogSeverity) >= severity_threshold\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend level = case(threat_score == 0 and certainty_score == 0, \"Info\",\n threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50, \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0]))\n| extend name = tostring(split(upn, \"@\")[0])\n| extend upn_suffix = tostring(split(upn, \"@\")[1])\n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"CommandAndControl",
"CredentialAccess",
"Discovery",
"Exfiltration",
"Impact",
"LateralMovement"
],
"techniques": [
"T1003",
"T1021",
"T1041",
"T1071",
"T1087",
"T1119",
"T1499"
],
"templateVersion": "1.0.9",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}