Vectra AI Detect - Suspected Compromised Host

Back


Id	60eb6cf0-3fa1-44c1-b1fe-220fbee23d63
Rulename	Vectra AI Detect - Suspected Compromised Host
Description	Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.
Severity	High
Tactics	CredentialAccess Discovery LateralMovement Collection CommandAndControl Exfiltration Impact
Required data connectors	AIVectraDetect
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
Version	1.0.3
Arm template	60eb6cf0-3fa1-44c1-b1fe-220fbee23d63.json

KQL

// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "Low", "Medium", "High", "Critical" )   
let configured_level = dynamic(["Low", "Medium", "High", "Critical"]);
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "hsc"
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                       threat_score < 50 and certainty_score >= 50 , "Medium", 
                       threat_score >= 50 and certainty_score <= 50, "High", 
                       threat_score >= 50 and certainty_score >= 50, "Critical",
                       "UNKNOWN")
| extend Severity = case( level == "Low", "Low",
                          level == "Medium", "Medium",
                          level == "High", "Medium",
                          level == "Critical", "High",
                          "UNKNOWN")
| where level in (configured_level) 
//keep only the event with the highest threat score per Host
| summarize arg_max(threat_score, *) by SourceHostName
| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL
| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, timestamp = TimeGenerated

YAML

severity: High
triggerThreshold: 0
query: |
  // Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "Low", "Medium", "High", "Critical" )   
  let configured_level = dynamic(["Low", "Medium", "High", "Critical"]);
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID == "hsc"
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename score_decreases = DeviceCustomString3
  | extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                         threat_score < 50 and certainty_score >= 50 , "Medium", 
                         threat_score >= 50 and certainty_score <= 50, "High", 
                         threat_score >= 50 and certainty_score >= 50, "Critical",
                         "UNKNOWN")
  | extend Severity = case( level == "Low", "Low",
                            level == "Medium", "Medium",
                            level == "High", "Medium",
                            level == "Critical", "High",
                            "UNKNOWN")
  | where level in (configured_level) 
  //keep only the event with the highest threat score per Host
  | summarize arg_max(threat_score, *) by SourceHostName
  | project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL
  | extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, timestamp = TimeGenerated  
queryFrequency: 1h
requiredDataConnectors:
- connectorId: AIVectraDetect
  dataTypes:
  - CommonSecurityLog
id: 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63
version: 1.0.3
name: Vectra AI Detect - Suspected Compromised Host
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
queryPeriod: 1h
relevantTechniques: 
triggerOperator: gt
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDescriptionFormat: The host {{SourceHostName}} is in the {{level}} quadrant. Pivot to Detect UI with {{vectra_URL}}
  alertTacticsColumnName: 
  alertDisplayNameFormat: Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity
description: |
  'Create an incident when a Host is suspected to be compromised. 
  The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. 
  Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'  
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Vectra AI Detect - Suspected Compromised Host",
        "description": "'Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" )   \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score <  50 and certainty_score < 50, \"Low\",\n                       threat_score < 50 and certainty_score >= 50 , \"Medium\", \n                       threat_score >= 50 and certainty_score <= 50, \"High\", \n                       threat_score >= 50 and certainty_score >= 50, \"Critical\",\n                       \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n                          level == \"Medium\", \"Medium\",\n                          level == \"High\", \"Medium\",\n                          level == \"Critical\", \"High\",\n                          \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by SourceHostName\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, timestamp = TimeGenerated\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "LateralMovement",
          "Collection",
          "CommandAndControl",
          "Exfiltration",
          "Impact"
        ],
        "techniques": null,
        "alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63",
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity",
          "alertSeverityColumnName": "Severity",
          "alertTacticsColumnName": null,
          "alertDescriptionFormat": "The host {{SourceHostName}} is in the {{level}} quadrant. Pivot to Detect UI with {{vectra_URL}}"
        },
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml",
        "templateVersion": "1.0.3",
        "status": "Available"
      }
    }
  ]
}