Vectra AI Detect - Suspected Compromised Host
| Id | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 |
| Rulename | Vectra AI Detect - Suspected Compromised Host |
| Description | Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical. |
| Severity | Informational |
| Tactics | CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact |
| Required data connectors | AIVectraDetect |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml |
| Version | 1.0.5 |
| Arm template | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63.json |
// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "High", "Critical" ). Possible values are: "Low", "Medium", "High", "Critical"
let configured_level = dynamic(["High", "Critical"]);
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "hsc"
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(TimeGenerated, *) by SourceHostName
| sort by TimeGenerated
severity: Informational
queryFrequency: 5m
triggerOperator: gt
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: true
lookbackDuration: 7d
enabled: true
createIncident: true
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
alertDetailsOverride:
alertDescriptionFormat: |
The host {{SourceHostName}} has a Threat score of {{threat_score}} and a
certainty of {{certainty_score}}
alertSeverityColumnName: Severity
alertDisplayNameFormat: Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity
alertDynamicProperties:
- alertProperty: AlertLink
value: vectra_URL
- alertProperty: ProductName
value: DeviceProduct
- alertProperty: ProviderName
value: DeviceVendor
- alertProperty: ConfidenceScore
value: certainty_score
customDetails:
ScoreDecrease: score_decreases
query: |
// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "High", "Critical" ). Possible values are: "Low", "Medium", "High", "Critical"
let configured_level = dynamic(["High", "Critical"]);
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "hsc"
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(TimeGenerated, *) by SourceHostName
| sort by TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
queryPeriod: 5m
status: Available
version: 1.0.5
name: Vectra AI Detect - Suspected Compromised Host
relevantTechniques:
kind: Scheduled
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: AIVectraDetect
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SourceHostName
id: 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63
description: |
'Create an incident when a Host is suspected to be compromised.
The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat.
Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Vectra AI Detect - Suspected Compromised Host",
"description": "'Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'\n",
"severity": "Informational",
"enabled": true,
"query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"High\", \"Critical\" ). Possible values are: \"Low\", \"Medium\", \"High\", \"Critical\"\nlet configured_level = dynamic([\"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(TimeGenerated, *) by SourceHostName\n| sort by TimeGenerated\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Discovery",
"LateralMovement",
"Collection",
"CommandAndControl",
"Exfiltration",
"Impact"
],
"techniques": null,
"alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63",
"incidentConfiguration": {
"groupingConfiguration": {
"matchingMethod": "AllEntities",
"reopenClosedIncident": true,
"lookbackDuration": "P7D",
"enabled": true
},
"createIncident": true
},
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertDescriptionFormat": "The host {{SourceHostName}} has a Threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
"alertSeverityColumnName": "Severity",
"alertDisplayNameFormat": "Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity",
"alertDynamicProperties": [
{
"value": "vectra_URL",
"alertProperty": "AlertLink"
},
{
"value": "DeviceProduct",
"alertProperty": "ProductName"
},
{
"value": "DeviceVendor",
"alertProperty": "ProviderName"
},
{
"value": "certainty_score",
"alertProperty": "ConfidenceScore"
}
]
},
"customDetails": {
"ScoreDecrease": "score_decreases"
},
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "SourceHostName",
"identifier": "HostName"
}
],
"entityType": "Host"
}
],
"templateVersion": "1.0.5",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml",
"status": "Available"
}
}
]
}