Vectra Priority Entities
Id | 93de640a-314d-459a-9e21-00de2bffa92d |
Rulename | Vectra Priority Entities |
Description | Create an incident when an identity is suspected to be compromised. Vectra uses AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance, etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and helps analysts focus on what matters. |
Severity | High |
Required data connectors | VectraXDR |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_Prioritized_Entities.yaml |
Version | 1.0.0 |
Arm template | 93de640a-314d-459a-9e21-00de2bffa92d.json |
// Latest prioritized scoring row per entity, with the columns referenced by the
// rule's customDetails / alertDetailsOverride copied to space-free names.
VectraEntityScoring
// Keep only rows Vectra has flagged as prioritized.
| where ['Is Prioritized'] == true
// custom details do not allow spaces in the attribute name
| extend attack_rating = ['Attack Rating']
| extend breadth = ['Breadth Contrib']
| extend detections = ['Active Detection Types']
| extend urgency = ['Urgency Score']
| extend url = ['Vectra Pivot']
// Dedupe to the newest row per entity within the query window.
// NOTE(review): the where above runs first, so if an entity's newest row in the
// window is no longer prioritized this still returns its last *prioritized* row;
// move the summarize ahead of the where if only the current state should alert.
| summarize arg_max(['Last Updated'], *) by ['Entity ID']
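# Sentinel scheduled analytic rule from the Vectra XDR solution.
# Emits one alert per prioritized entity row (AlertPerResult) and folds repeats
# for the same host into a single incident for 7 days.
id: 93de640a-314d-459a-9e21-00de2bffa92d
name: Vectra Priority Entities
description: >-
  Create an incident when an identity is suspected to be compromised. Vectra
  uses AI to prioritize an entity based on multiple factors (attack rating,
  velocity, breadth, importance, etc.). This layer of aggregation at the
  entity level provides a greater signal-to-noise ratio and helps analysts
  focus on what matters.
severity: High
status: Available
kind: Scheduled
version: 1.0.0

requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Entity_Scoring_Data_CL

# Runs every 5 minutes over the preceding 5 minutes, so consecutive runs do not
# overlap. NOTE(review): scoring rows that land in the workspace after their
# window has already been queried (connector ingestion lag) are never evaluated;
# widen queryPeriod if that is observed. Overlapping windows will re-alert on
# rows seen by the previous run, because suppression is disabled below.
queryFrequency: 5m
queryPeriod: 5m
# Any returned row fires: threshold 0 with operator gt.
triggerOperator: gt
triggerThreshold: 0

# VectraEntityScoring is presumably the solution's parser over
# Entity_Scoring_Data_CL (not visible here). The query keeps the newest row per
# Entity ID. NOTE(review): the `where` runs before the arg_max, so an entity
# whose newest row in the window is no longer prioritized still alerts on its
# last prioritized row; put the summarize first if only current state matters.
query: |
  VectraEntityScoring
  | where ['Is Prioritized'] == true
  // custom details do not allow spaces in the attribute name
  | extend attack_rating = ['Attack Rating']
  | extend breadth = ['Breadth Contrib']
  | extend detections = ['Active Detection Types']
  | extend urgency = ['Urgency Score']
  | extend url = ['Vectra Pivot']
  | summarize arg_max(['Last Updated'], *) by ['Entity ID']

# Only a Host entity is mapped, keyed on the Name column. NOTE(review):
# customDetails exposes a Type column, so if the feed also scores account
# entities they are mapped as hosts here — confirm the Entity_Scoring_Data_CL
# schema and add an Account mapping (or split the rule) if it does.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: Name

# Attribute names may not contain spaces; the snake_case columns come from the
# extend statements in the query above.
customDetails:
  Entity_type: Type
  Velocity: Velocity
  Entity_importance: Importance
  Attack_Rating: attack_rating
  detections: detections
  Breadth: breadth

alertDetailsOverride:
  # Trailing space removed from the display name so alert titles stay clean.
  alertDisplayNameFormat: 'Priority Incident - {{Name}} with Urgency Score of {{Urgency Score}}'
  alertDescriptionFormat: |-
    Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.
    Attack rating is {{Attack Rating}}.
  # ConfidenceLevel is filled from the raw Urgency Score; AlertLink is the Vectra
  # Pivot URL copied verbatim from the ingested row, so the link an analyst
  # clicks is only as trustworthy as the connector that feeds this table.
  alertDynamicProperties:
    - alertProperty: ConfidenceLevel
      value: urgency
    - alertProperty: AlertLink
      value: url

# One alert per returned row. With suppression off, every new scoring row for a
# still-prioritized entity produces another alert; the 5h suppressionDuration
# is inert while suppressionEnabled is false.
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
suppressionDuration: 5h

# Repeats are absorbed by incident grouping: alerts whose mapped entities all
# match (here, just the host name) within 7 days join one incident, and a
# closed incident is reopened rather than duplicated. NOTE(review): a host
# closed as a false positive is therefore reopened on its next scoring row —
# tune lookbackDuration / reopenClosedIncident if that proves noisy. With
# matchingMethod AllEntities the groupBy* lists below are not consulted.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 7d
    reopenClosedIncident: true
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_Prioritized_Entities.yaml'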
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/93de640a-314d-459a-9e21-00de2bffa92d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/93de640a-314d-459a-9e21-00de2bffa92d')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.\nAttack rating is {{Attack Rating}}.",
"alertDisplayNameFormat": "Priority Incident - {{Name}} with Urgency Score of {{Urgency Score}}",
"alertDynamicProperties": [
{
"alertProperty": "ConfidenceLevel",
"value": "urgency"
},
{
"alertProperty": "AlertLink",
"value": "url"
}
]
},
"alertRuleTemplateName": "93de640a-314d-459a-9e21-00de2bffa92d",
"customDetails": {
"Attack_Rating": "attack_rating",
"Breadth": "breadth",
"detections": "detections",
"Entity_importance": "Importance",
"Entity_type": "Type",
"Velocity": "Velocity"
},
"description": "Create an incident when an identity is suspected to be compromised. Vectra uses AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance, etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and helps analysts focus on what matters.",
"displayName": "Vectra Priority Entities",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "P7D",
"matchingMethod": "AllEntities",
"reopenClosedIncident": true
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/DetectXDR_Prioritized_Entities.yaml",
"query": "VectraEntityScoring\n| where ['Is Prioritized'] == true\n// custom details do not allow spaces in the attribute name\n| extend attack_rating = ['Attack Rating']\n| extend breadth = ['Breadth Contrib']\n| extend detections = ['Active Detection Types']\n| extend urgency = ['Urgency Score']\n| extend url = ['Vectra Pivot']\n| summarize arg_max(['Last Updated'], *) by ['Entity ID']\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}