Vectra Create Incident Based on Priority for Hosts
| Id | 9b51b0fb-0419-4450-9ea0-0a48751c4902 |
| Rulename | Vectra Create Incident Based on Priority for Hosts |
| Description | Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters. |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1546 |
| Required data connectors | VectraXDR |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml |
| Version | 1.0.1 |
| Arm template | 9b51b0fb-0419-4450-9ea0-0a48751c4902.json |
Entities_Data_CL
| where type_s == "host" and is_prioritized_b == true
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
kind: Scheduled
triggerThreshold: 0
tactics:
- Persistence
id: 9b51b0fb-0419-4450-9ea0-0a48751c4902
query: |
Entities_Data_CL
| where type_s == "host" and is_prioritized_b == true
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
name: Vectra Create Incident Based on Priority for Hosts
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: name_s
status: Available
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
severity: Medium
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
alertDynamicProperties:
- value: url_s
alertProperty: AlertLink
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.
queryFrequency: 10m
suppressionEnabled: false
version: 1.0.1
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
suppressionDuration: PT1H
relevantTechniques:
- T1546
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: true
lookbackDuration: P7D
matchingMethod: AllEntities
enabled: true
customDetails:
entity_type: type_s
entity_id: id_d
attack_profile: attack_profile_s
entity_importance: entity_importance_d
ip_address: ip_s
tags: tags_s
queryPeriod: 10m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9b51b0fb-0419-4450-9ea0-0a48751c4902')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9b51b0fb-0419-4450-9ea0-0a48751c4902')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.",
"alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_s"
}
]
},
"alertRuleTemplateName": "9b51b0fb-0419-4450-9ea0-0a48751c4902",
"customDetails": {
"attack_profile": "attack_profile_s",
"entity_id": "id_d",
"entity_importance": "entity_importance_d",
"entity_type": "type_s",
"ip_address": "ip_s",
"tags": "tags_s"
},
"description": "Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.",
"displayName": "Vectra Create Incident Based on Priority for Hosts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "name_s",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "P7D",
"matchingMethod": "AllEntities",
"reopenClosedIncident": true
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml",
"query": "Entities_Data_CL\n| where type_s == \"host\" and is_prioritized_b == true\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}