Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra AI Detect - Detections with High Severity

Back
Id39e48890-2c02-487e-aa9e-3ba494061798
RulenameVectra AI Detect - Detections with High Severity
DescriptionCreate an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0).

The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10.

The severity_threshold variable can be adjusted as desired.'
SeverityHigh
TacticsCredentialAccess
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
Impact
TechniquesT1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsAIVectraDetect
AIVectraDetectAma
CefAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
Version1.0.9
Arm template39e48890-2c02-487e-aa9e-3ba494061798.json
Deploy To Azure
// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE")   
let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
//default threshold is 7 (meaning a threat score of 70)
let severity_threshold = 7.0;
//Map by default to High Severity in Sentinel
let Severity = "High";
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc"
| extend Category = coalesce(
                          column_ifexists("DeviceEventCategory", ""), 
                          extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
                          ""
                      )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| where todecimal(LogSeverity) >= severity_threshold
| extend Tactic = case( Category == "COMMAND & CONTROL", "CommandAndControl",
                        Category == "BOTNET ACTIVITY" , "Impact",
                        Category == "EXFILTRATION", "Exfiltration",
                        Category == "LATERAL MOVEMENT", "LateralMovement",
                        Category == "RECONNAISSANCE", "Discovery",
                        "UNKNOWN")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
    threat_score < 50 and certainty_score < 50, "Low",
    threat_score < 50 and certainty_score >= 50, "Medium", 
    threat_score >= 50 and certainty_score <= 50, "High", 
    threat_score >= 50 and certainty_score >= 50, "Critical",
    "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| extend account = extract("account=(.+?);", 1, AdditionalExtensions)
| extend upn = iff(account matches regex ":", tostring(split(account,":")[1]) ,tostring(split(account,":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
| extend source_entity = case( isnotempty(upn), upn,
                               isnotempty(SourceHostName), SourceHostName,
                               "UNKNWON") 
| where Category in (configured_tactics) 
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated
queryPeriod: 5m
version: 1.0.9
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
alertDetailsOverride:
  alertDescriptionFormat: Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: vectra_URL
  - alertProperty: ProductName
    value: DeviceProduct
  - alertProperty: ProviderName
    value: DeviceVendor
  - alertProperty: ConfidenceScore
    value: certainty_score
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: Vectra AI Detect - {{Activity}} detected
queryFrequency: 5m
id: 39e48890-2c02-487e-aa9e-3ba494061798
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: AIVectraDetect
- dataTypes:
  - CommonSecurityLog
  connectorId: AIVectraDetectAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
- entityType: Account
  fieldMappings:
  - columnName: name
    identifier: Name
  - columnName: upn_suffix
    identifier: UPNSuffix
triggerThreshold: 0
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
query: |
  // Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE")   
  let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
  //default threshold is 7 (meaning a threat score of 70)
  let severity_threshold = 7.0;
  //Map by default to High Severity in Sentinel
  let Severity = "High";
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc"
  | extend Category = coalesce(
                            column_ifexists("DeviceEventCategory", ""), 
                            extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
                            ""
                        )
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | where todecimal(LogSeverity) >= severity_threshold
  | extend Tactic = case( Category == "COMMAND & CONTROL", "CommandAndControl",
                          Category == "BOTNET ACTIVITY" , "Impact",
                          Category == "EXFILTRATION", "Exfiltration",
                          Category == "LATERAL MOVEMENT", "LateralMovement",
                          Category == "RECONNAISSANCE", "Discovery",
                          "UNKNOWN")
  | extend level = case(threat_score == 0 and certainty_score == 0, "Info",
      threat_score < 50 and certainty_score < 50, "Low",
      threat_score < 50 and certainty_score >= 50, "Medium", 
      threat_score >= 50 and certainty_score <= 50, "High", 
      threat_score >= 50 and certainty_score >= 50, "Critical",
      "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | extend account = extract("account=(.+?);", 1, AdditionalExtensions)
  | extend upn = iff(account matches regex ":", tostring(split(account,":")[1]) ,tostring(split(account,":")[0]))
  | extend name = tostring(split(upn, "@")[0])
  | extend upn_suffix = tostring(split(upn, "@")[1])
  | extend source_entity = case( isnotempty(upn), upn,
                                 isnotempty(SourceHostName), SourceHostName,
                                 "UNKNWON") 
  | where Category in (configured_tactics) 
  | summarize arg_max(threat_score, *) by source_entity, Activity
  | sort by TimeGenerated  
kind: Scheduled
name: Vectra AI Detect - Detections with High Severity
customDetails:
  AttackType: Activity
  AttackCategory: Category
description: |
  'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). 
  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
  The severity_threshold variable can be adjusted as desired.'   
status: Available
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: true
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 7d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/39e48890-2c02-487e-aa9e-3ba494061798')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/39e48890-2c02-487e-aa9e-3ba494061798')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
          "alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "vectra_URL"
            },
            {
              "alertProperty": "ProductName",
              "value": "DeviceProduct"
            },
            {
              "alertProperty": "ProviderName",
              "value": "DeviceVendor"
            },
            {
              "alertProperty": "ConfidenceScore",
              "value": "certainty_score"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "39e48890-2c02-487e-aa9e-3ba494061798",
        "customDetails": {
          "AttackCategory": "Category",
          "AttackType": "Activity"
        },
        "description": "'Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. \nThe severity_threshold variable can be adjusted as desired.' \n",
        "displayName": "Vectra AI Detect - Detections with High Severity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name",
                "identifier": "Name"
              },
              {
                "columnName": "upn_suffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-HighSeverityDetection-by-Tactics.yaml",
        "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\")   \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\n//default threshold is 7 (meaning a threat score of 70)\nlet severity_threshold = 7.0;\n//Map by default to High Severity in Sentinel\nlet Severity = \"High\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\"\n| extend Category = coalesce(\n                          column_ifexists(\"DeviceEventCategory\", \"\"), \n                          extract(\"cat=(.+?)(;|$)\", 1, AdditionalExtensions), \n                          \"\"\n                      )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| where todecimal(LogSeverity) >= severity_threshold\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n                        Category == \"BOTNET ACTIVITY\" , \"Impact\",\n                        Category == \"EXFILTRATION\", \"Exfiltration\",\n                        Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n                        Category == \"RECONNAISSANCE\", \"Discovery\",\n                        \"UNKNOWN\")\n| extend level = case(threat_score == 0 and certainty_score == 0, \"Info\",\n    threat_score < 50 and certainty_score < 50, \"Low\",\n    threat_score < 50 and certainty_score >= 50, \"Medium\", \n    threat_score >= 50 and certainty_score <= 50, \"High\", \n    threat_score >= 50 and certainty_score >= 50, \"Critical\",\n    \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0]))\n| extend name = tostring(split(upn, \"@\")[0])\n| extend upn_suffix = tostring(split(upn, \"@\")[1])\n| extend source_entity = case( isnotempty(upn), upn,\n                               isnotempty(SourceHostName), SourceHostName,\n                               \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "Impact",
          "LateralMovement"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1071",
          "T1087",
          "T1119",
          "T1499"
        ],
        "templateVersion": "1.0.9",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}