Vectra AI Detect - Detections with High Severity
| Id | 39e48890-2c02-487e-aa9e-3ba494061798 |
| Rulename | Vectra AI Detect - Detections with High Severity |
| Description | Create an incident for high-severity malicious behavior detected by Vectra AI (Threat score greater than 7.0). The Severity is mapped from the Threat score assigned to a detection and ranges between 0 and 10. The severity_threshold variable can be adjusted as desired. |
| Severity | High |
| Tactics | CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact |
| Techniques | T1003 T1087 T1021 T1119 T1071 T1041 T1499 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml |
| Version | 1.1.0 |
| Arm template | 39e48890-2c02-487e-aa9e-3ba494061798.json |
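// Vectra AI Detect - Detections with High Severity (scheduled analytic rule query).
// Input: CommonSecurityLog rows from the Vectra "X Series" CEF feed.
// Output: one row per (source_entity, Activity) pair - the row with the highest threat_score -
// for detections whose LogSeverity is at or above severity_threshold and whose category is one
// of configured_tactics. Columns the rule definition consumes: Severity, vectra_URL, certainty_score,
// threat_score, Category, Activity, source_entity, SourceHostName, name, upn_suffix.
//
// Edit this variable to only keep the tactics where an incident needs to be created
// (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE").
// The comparison below is case-sensitive, so spell values exactly as Vectra emits them.
let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
// Default threshold is 7 on the 0-10 CEF LogSeverity scale (meaning a threat score of 70).
let severity_threshold = 7.0;
// Sentinel severity assigned when the threat/certainty pair cannot be classified (level == "UNKNOWN",
// e.g. FlexNumber1/FlexNumber2 missing). Defaults to High, the rule's own severity.
let default_severity = "High";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
// Keep detection records only: campaign, host-score, audit, health and account-score classes are dropped.
| where DeviceEventClassID !in ("campaigns", "hsc", "audit", "health", "asc")
// LogSeverity is a native column, so filter on it before the extends/renames below run.
| where todecimal(LogSeverity) >= severity_threshold
// Category comes from the parsed DeviceEventCategory column when the connector populates it,
// otherwise from the raw "cat=" CEF extension; coalesce skips empty strings.
| extend Category = coalesce(
    column_ifexists("DeviceEventCategory", ""),
    extract("cat=(.+?)(;|$)", 1, AdditionalExtensions),
    "")
// Tactic filter hoisted here: it only depends on Category and removes most rows early.
| where Category in (configured_tactics)
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
// Vectra category -> MITRE tactic label. Categories outside this list map to "UNKNOWN";
// CredentialAccess and Collection from the rule's tactic list have no category mapping here.
| extend Tactic = case(Category == "COMMAND & CONTROL", "CommandAndControl",
                       Category == "BOTNET ACTIVITY", "Impact",
                       Category == "EXFILTRATION", "Exfiltration",
                       Category == "LATERAL MOVEMENT", "LateralMovement",
                       Category == "RECONNAISSANCE", "Discovery",
                       "UNKNOWN")
// Threat/certainty quadrant, split at 50 on both axes. certainty_score == 50 with threat_score >= 50
// is Critical, matching the Low/Medium boundary; the previous "<= 50" on the High branch put that
// value in High instead.
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
                      threat_score < 50 and certainty_score < 50, "Low",
                      threat_score < 50 and certainty_score >= 50, "Medium",
                      threat_score >= 50 and certainty_score < 50, "High",
                      threat_score >= 50 and certainty_score >= 50, "Critical",
                      "UNKNOWN")
// Sentinel alert severity (consumed through alertSeverityColumnName). Sentinel has no "Critical"
// level, so Critical collapses to High; UNKNOWN falls back to default_severity instead of leaking
// a non-Sentinel value into the alert.
| extend Severity = case(level == "Info", "Informational",
                         level == "Critical", "High",
                         level == "UNKNOWN", default_severity,
                         level)
// "(;|$)" also matches when account= is the last CEF extension (same pattern as cat= above).
| extend account = extract("account=(.+?)(;|$)", 1, AdditionalExtensions)
// NOTE(review): assumes account is "<type>:<identity>" when a colon is present - confirm against the Vectra CEF format.
| extend upn = iff(account contains ":", tostring(split(account, ":")[1]), tostring(split(account, ":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
// Entity the alert is attributed to: the account when known, otherwise the source host.
| extend source_entity = case(isnotempty(upn), upn,
                              isnotempty(SourceHostName), SourceHostName,
                              "UNKNOWN")
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated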
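# Vectra AI Detect - Detections with High Severity (Microsoft Sentinel scheduled analytic rule).
# Key order follows the rendered source; indentation restored so the document parses.
tactics:
  - CredentialAccess
  - Discovery
  - LateralMovement
  - Collection
  - CommandAndControl
  - Exfiltration
  - Impact
eventGroupingSettings:
  # One alert per query result row (one per source_entity/Activity pair).
  aggregationKind: AlertPerResult
requiredDataConnectors:
  - dataTypes:
      - CommonSecurityLog
    connectorId: CefAma
customDetails:
  AttackCategory: Category
  AttackType: Activity
name: Vectra AI Detect - Detections with High Severity
alertDetailsOverride:
  alertDynamicProperties:
    - value: vectra_URL
      alertProperty: AlertLink
    - value: DeviceProduct
      alertProperty: ProductName
    - value: DeviceVendor
      alertProperty: ProviderName
    - value: certainty_score
      alertProperty: ConfidenceScore
  # Per-alert severity is taken from the query's Severity column, not the rule-level "severity" below.
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: Vectra AI Detect - {{Activity}} detected
  alertDescriptionFormat: Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.
kind: Scheduled
queryPeriod: 5m
query: |
  // Vectra AI Detect - Detections with High Severity (scheduled analytic rule query).
  // Input: CommonSecurityLog rows from the Vectra "X Series" CEF feed.
  // Output: one row per (source_entity, Activity) pair - the row with the highest threat_score -
  // for detections whose LogSeverity is at or above severity_threshold and whose category is one
  // of configured_tactics.
  //
  // Edit this variable to only keep the tactics where an incident needs to be created
  // (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE").
  // The comparison below is case-sensitive, so spell values exactly as Vectra emits them.
  let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
  // Default threshold is 7 on the 0-10 CEF LogSeverity scale (meaning a threat score of 70).
  let severity_threshold = 7.0;
  // Sentinel severity assigned when the threat/certainty pair cannot be classified (level == "UNKNOWN",
  // e.g. FlexNumber1/FlexNumber2 missing). Defaults to High, the rule's own severity.
  let default_severity = "High";
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  // Keep detection records only: campaign, host-score, audit, health and account-score classes are dropped.
  | where DeviceEventClassID !in ("campaigns", "hsc", "audit", "health", "asc")
  // LogSeverity is a native column, so filter on it before the extends/renames below run.
  | where todecimal(LogSeverity) >= severity_threshold
  // Category comes from the parsed DeviceEventCategory column when the connector populates it,
  // otherwise from the raw "cat=" CEF extension; coalesce skips empty strings.
  | extend Category = coalesce(
      column_ifexists("DeviceEventCategory", ""),
      extract("cat=(.+?)(;|$)", 1, AdditionalExtensions),
      "")
  // Tactic filter hoisted here: it only depends on Category and removes most rows early.
  | where Category in (configured_tactics)
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  // Vectra category -> MITRE tactic label. Categories outside this list map to "UNKNOWN";
  // CredentialAccess and Collection from the rule's tactic list have no category mapping here.
  | extend Tactic = case(Category == "COMMAND & CONTROL", "CommandAndControl",
                         Category == "BOTNET ACTIVITY", "Impact",
                         Category == "EXFILTRATION", "Exfiltration",
                         Category == "LATERAL MOVEMENT", "LateralMovement",
                         Category == "RECONNAISSANCE", "Discovery",
                         "UNKNOWN")
  // Threat/certainty quadrant, split at 50 on both axes. certainty_score == 50 with threat_score >= 50
  // is Critical, matching the Low/Medium boundary; the previous "<= 50" on the High branch put that
  // value in High instead.
  | extend level = case(threat_score == 0 and certainty_score == 0, "Info",
                        threat_score < 50 and certainty_score < 50, "Low",
                        threat_score < 50 and certainty_score >= 50, "Medium",
                        threat_score >= 50 and certainty_score < 50, "High",
                        threat_score >= 50 and certainty_score >= 50, "Critical",
                        "UNKNOWN")
  // Sentinel alert severity (consumed through alertSeverityColumnName). Sentinel has no "Critical"
  // level, so Critical collapses to High; UNKNOWN falls back to default_severity instead of leaking
  // a non-Sentinel value into the alert.
  | extend Severity = case(level == "Info", "Informational",
                           level == "Critical", "High",
                           level == "UNKNOWN", default_severity,
                           level)
  // "(;|$)" also matches when account= is the last CEF extension (same pattern as cat= above).
  | extend account = extract("account=(.+?)(;|$)", 1, AdditionalExtensions)
  // NOTE(review): assumes account is "<type>:<identity>" when a colon is present - confirm against the Vectra CEF format.
  | extend upn = iff(account contains ":", tostring(split(account, ":")[1]), tostring(split(account, ":")[0]))
  | extend name = tostring(split(upn, "@")[0])
  | extend upn_suffix = tostring(split(upn, "@")[1])
  // Entity the alert is attributed to: the account when known, otherwise the source host.
  | extend source_entity = case(isnotempty(upn), upn,
                                isnotempty(SourceHostName), SourceHostName,
                                "UNKNOWN")
  | summarize arg_max(threat_score, *) by source_entity, Activity
  | sort by TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
triggerThreshold: 0
# The surrounding single quotes in the original block scalar were literal and showed up in the
# rendered description; they are dropped here.
description: |
  Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0).
  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10.
  The severity_threshold variable can be adjusted as desired.
version: 1.1.0
status: Available
queryFrequency: 5m
severity: High
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: name
      - identifier: UPNSuffix
        columnName: upn_suffix
triggerOperator: gt
id: 39e48890-2c02-487e-aa9e-3ba494061798
relevantTechniques:
  - T1003
  - T1087
  - T1021
  - T1119
  - T1071
  - T1041
  - T1499
incidentConfiguration:
  groupingConfiguration:
    # Alerts within 7d whose mapped entities all match are grouped into one incident;
    # a closed incident in that window is reopened rather than a new one being created.
    lookbackDuration: 7d
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: true
  createIncident: true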