Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Vectra Create Incident Based on Priority for Hosts

Vectra Create Incident Based on Priority for Hosts

Back
Id9b51b0fb-0419-4450-9ea0-0a48751c4902
RulenameVectra Create Incident Based on Priority for Hosts
DescriptionCreate an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
Version1.1.1
Arm template9b51b0fb-0419-4450-9ea0-0a48751c4902.json
Deploy To Azure
Entities_Data_CL
| where entity_type == "host" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']

eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
severity: Medium
queryPeriod: 10m
suppressionDuration: PT1H
name: Vectra Create Incident Based on Priority for Hosts
query: |
  Entities_Data_CL
  | where entity_type == "host" and is_prioritized == true
  | summarize arg_max(['last_modified_timestamp'], *) by ['name']  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: P7D
    reopenClosedIncident: true
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Entities_Data_CL
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: name
    identifier: HostName
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
relevantTechniques:
- T1546
tactics:
- Persistence
queryFrequency: 10m
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: url
  alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
  alertDisplayNameFormat: Vectra AI Incident- {{name}}
customDetails:
  attack_profile: attack_profile
  entity_id: id
  ip_address: ip
  entity_type: entity_type
  tags: tags
triggerThreshold: 0
triggerOperator: GreaterThan
kind: Scheduled
status: Available
version: 1.1.1
suppressionEnabled: false
id: 9b51b0fb-0419-4450-9ea0-0a48751c4902