Entities_Data_CL
| where entity_type == "host" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: name
tactics:
- Persistence
suppressionEnabled: false
suppressionDuration: PT1H
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDynamicProperties:
- value: url
alertProperty: AlertLink
incidentConfiguration:
groupingConfiguration:
enabled: true
lookbackDuration: P7D
reopenClosedIncident: true
matchingMethod: AllEntities
createIncident: true
id: 9b51b0fb-0419-4450-9ea0-0a48751c4902
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
customDetails:
attack_profile: attack_profile
ip_address: ip
entity_id: id
tags: tags
entity_type: entity_type
query: |
Entities_Data_CL
| where entity_type == "host" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
kind: Scheduled
queryPeriod: 10m
name: Vectra Create Incident Based on Priority for Hosts
queryFrequency: 10m
triggerOperator: GreaterThan
relevantTechniques:
- T1546
version: 1.1.1
triggerThreshold: 0
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
