Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra AI Detect - Suspicious Behaviors by Category

Back
Id6cb75f65-231f-46c4-a0b3-50ff21ee6ed3
RulenameVectra AI Detect - Suspicious Behaviors by Category
DescriptionCreate an incident for each new malicious behavior detected by Vectra Detect for a specific Category.

By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.
SeverityInformational
TacticsCredentialAccess
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
Impact
TechniquesT1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsAIVectraDetect
AIVectraDetectAma
CefAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml
Version1.1.0
Arm template6cb75f65-231f-46c4-a0b3-50ff21ee6ed3.json
Deploy To Azure
// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE")   
let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
| extend Category = coalesce(
                          column_ifexists("DeviceEventCategory", ""), 
                          extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
                          ""
                      )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename triaged = DeviceCustomString5
| where triaged != "True"
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| extend Tactic = case( Category == "COMMAND & CONTROL", "CommandAndControl",
                        Category == "BOTNET ACTIVITY" , "Impact",
                        Category == "EXFILTRATION", "Exfiltration",
                        Category == "LATERAL MOVEMENT", "LateralMovement",
                        Category == "RECONNAISSANCE", "Discovery",
                        "UNKNOWN")
| extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                       threat_score < 50 and certainty_score >= 50 , "Medium", 
                       threat_score >= 50 and certainty_score <= 50, "High", 
                       threat_score >= 50 and certainty_score >= 50, "Critical",
                       "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| extend account = extract("account=(.+?);", 1, AdditionalExtensions)
| extend upn = iff(account matches regex ":", tostring(split(account,":")[1]) ,tostring(split(account,":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
| extend source_entity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where Category in (configured_tactics) 
| summarize arg_max(threat_score, *) by source_entity , Activity
| sort by TimeGenerated
status: Available
queryFrequency: 5m
description: |
  'Create an incident for each new malicious behavior detected by Vectra Detect for a specific Category. 
  By default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.'  
customDetails:
  AttackType: Activity
  AttackCategory: Category
severity: Informational
version: 1.1.0
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
kind: Scheduled
name: Vectra AI Detect - Suspicious Behaviors by Category
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  // Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: "COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE")   
  let configured_tactics = dynamic(["COMMAND & CONTROL", "BOTNET ACTIVITY", "EXFILTRATION", "LATERAL MOVEMENT", "RECONNAISSANCE"]);
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
  | extend Category = coalesce(
                            column_ifexists("DeviceEventCategory", ""), 
                            extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
                            ""
                        )
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename triaged = DeviceCustomString5
  | where triaged != "True"
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | extend Tactic = case( Category == "COMMAND & CONTROL", "CommandAndControl",
                          Category == "BOTNET ACTIVITY" , "Impact",
                          Category == "EXFILTRATION", "Exfiltration",
                          Category == "LATERAL MOVEMENT", "LateralMovement",
                          Category == "RECONNAISSANCE", "Discovery",
                          "UNKNOWN")
  | extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                         threat_score < 50 and certainty_score >= 50 , "Medium", 
                         threat_score >= 50 and certainty_score <= 50, "High", 
                         threat_score >= 50 and certainty_score >= 50, "Critical",
                         "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | extend account = extract("account=(.+?);", 1, AdditionalExtensions)
  | extend upn = iff(account matches regex ":", tostring(split(account,":")[1]) ,tostring(split(account,":")[0]))
  | extend name = tostring(split(upn, "@")[0])
  | extend upn_suffix = tostring(split(upn, "@")[1])
  | extend source_entity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | where Category in (configured_tactics) 
  | summarize arg_max(threat_score, *) by source_entity , Activity
  | sort by TimeGenerated  
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Detect - {{Activity}} detected
  alertDescriptionFormat: Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: vectra_URL
  - alertProperty: ProductName
    value: DeviceProduct
  - alertProperty: ProviderName
    value: DeviceVendor
  - alertProperty: ConfidenceScore
    value: certainty_score
  alertSeverityColumnName: Severity
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml
requiredDataConnectors:
- connectorId: AIVectraDetect
  dataTypes:
  - CommonSecurityLog
- connectorId: AIVectraDetectAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
id: 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - columnName: SourceHostName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: name
    identifier: Name
  - columnName: upn_suffix
    identifier: UPNSuffix
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cb75f65-231f-46c4-a0b3-50ff21ee6ed3')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
          "alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "vectra_URL"
            },
            {
              "alertProperty": "ProductName",
              "value": "DeviceProduct"
            },
            {
              "alertProperty": "ProviderName",
              "value": "DeviceVendor"
            },
            {
              "alertProperty": "ConfidenceScore",
              "value": "certainty_score"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3",
        "customDetails": {
          "AttackCategory": "Category",
          "AttackType": "Activity"
        },
        "description": "'Create an incident for each new malicious behavior detected by Vectra Detect for a specific Category. \nBy default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.'\n",
        "displayName": "Vectra AI Detect - Suspicious Behaviors by Category",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "SourceHostName",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name",
                "identifier": "Name"
              },
              {
                "columnName": "upn_suffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Suspected-Behavior-by-Tactics.yaml",
        "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\")   \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\" \n| extend Category = coalesce(\n                          column_ifexists(\"DeviceEventCategory\", \"\"), \n                          extract(\"cat=(.+?)(;|$)\", 1, AdditionalExtensions), \n                          \"\"\n                      )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename triaged = DeviceCustomString5\n| where triaged != \"True\"\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n                        Category == \"BOTNET ACTIVITY\" , \"Impact\",\n                        Category == \"EXFILTRATION\", \"Exfiltration\",\n                        Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n                        Category == \"RECONNAISSANCE\", \"Discovery\",\n                        \"UNKNOWN\")\n| extend level = case( threat_score <  50 and certainty_score < 50, \"Low\",\n                       threat_score < 50 and certainty_score >= 50 , \"Medium\", \n                       threat_score >= 50 and certainty_score <= 50, \"High\", \n                       threat_score >= 50 and certainty_score >= 50, \"Critical\",\n                       \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0]))\n| extend name = tostring(split(upn, \"@\")[0])\n| extend upn_suffix = tostring(split(upn, \"@\")[1])\n| extend source_entity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity , Activity\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "Impact",
          "LateralMovement"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1071",
          "T1087",
          "T1119",
          "T1499"
        ],
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}