Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra AI Detect - Suspected Compromised Host

Back
Id60eb6cf0-3fa1-44c1-b1fe-220fbee23d63
RulenameVectra AI Detect - Suspected Compromised Host
DescriptionCreate an incident when a Host is suspected to be compromised.

The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat.

Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.
SeverityInformational
TacticsCredentialAccess
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
Impact
TechniquesT1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsAIVectraDetect
AIVectraDetectAma
CefAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
Version1.0.8
Arm template60eb6cf0-3fa1-44c1-b1fe-220fbee23d63.json
Deploy To Azure
// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "High", "Critical" ). Possible values are: "Low", "Medium", "High", "Critical"
let configured_level = dynamic(["High", "Critical"]);
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "hsc"
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                      threat_score < 50 and certainty_score >= 50 , "Medium", 
                      threat_score >= 50 and certainty_score <= 50, "High", 
                      threat_score >= 50 and certainty_score >= 50, "Critical",
                      "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level) 
//keep only the event with the highest threat score per Host
| summarize arg_max(TimeGenerated, *) by SourceHostName
| sort by TimeGenerated
status: Available
queryFrequency: 5m
description: |
  'Create an incident when a Host is suspected to be compromised. 
  The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. 
  Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'  
customDetails:
  ScoreDecrease: score_decreases
severity: Informational
version: 1.0.8
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: true
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 7d
  createIncident: true
name: Vectra AI Detect - Suspected Compromised Host
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  // Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "High", "Critical" ). Possible values are: "Low", "Medium", "High", "Critical"
  let configured_level = dynamic(["High", "Critical"]);
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID == "hsc"
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename score_decreases = DeviceCustomString3
  | extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                        threat_score < 50 and certainty_score >= 50 , "Medium", 
                        threat_score >= 50 and certainty_score <= 50, "High", 
                        threat_score >= 50 and certainty_score >= 50, "Critical",
                        "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | where level in (configured_level) 
  //keep only the event with the highest threat score per Host
  | summarize arg_max(TimeGenerated, *) by SourceHostName
  | sort by TimeGenerated  
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity
  alertDescriptionFormat: |
    The host {{SourceHostName}} has a Threat score of {{threat_score}} and a
    certainty of {{certainty_score}}    
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: vectra_URL
  - alertProperty: ProductName
    value: DeviceProduct
  - alertProperty: ProviderName
    value: DeviceVendor
  - alertProperty: ConfidenceScore
    value: certainty_score
  alertSeverityColumnName: Severity
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml
requiredDataConnectors:
- connectorId: AIVectraDetect
  dataTypes:
  - CommonSecurityLog
- connectorId: AIVectraDetectAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
kind: Scheduled
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
id: 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  entityType: Host
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The host {{SourceHostName}} has a Threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
          "alertDisplayNameFormat": "Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "vectra_URL"
            },
            {
              "alertProperty": "ProductName",
              "value": "DeviceProduct"
            },
            {
              "alertProperty": "ProviderName",
              "value": "DeviceVendor"
            },
            {
              "alertProperty": "ConfidenceScore",
              "value": "certainty_score"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63",
        "customDetails": {
          "ScoreDecrease": "score_decreases"
        },
        "description": "'Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'\n",
        "displayName": "Vectra AI Detect - Suspected Compromised Host",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Host-by-Severity.yaml",
        "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"High\", \"Critical\" ). Possible values are: \"Low\", \"Medium\", \"High\", \"Critical\"\nlet configured_level = dynamic([\"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score <  50 and certainty_score < 50, \"Low\",\n                      threat_score < 50 and certainty_score >= 50 , \"Medium\", \n                      threat_score >= 50 and certainty_score <= 50, \"High\", \n                      threat_score >= 50 and certainty_score >= 50, \"Critical\",\n                      \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(TimeGenerated, *) by SourceHostName\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "Impact",
          "LateralMovement"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1071",
          "T1087",
          "T1119",
          "T1499"
        ],
        "templateVersion": "1.0.8",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}