Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Create Incident Based on Priority for Hosts

Back
Id9b51b0fb-0419-4450-9ea0-0a48751c4902
RulenameVectra Create Incident Based on Priority for Hosts
DescriptionCreate an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
Version1.0.1
Arm template9b51b0fb-0419-4450-9ea0-0a48751c4902.json
Deploy To Azure
Entities_Data_CL
| where type_s == "host" and is_prioritized_b == true
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
queryFrequency: 10m
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: name_s
  entityType: Host
customDetails:
  entity_importance: entity_importance_d
  attack_profile: attack_profile_s
  entity_id: id_d
  ip_address: ip_s
  entity_type: type_s
  tags: tags_s
queryPeriod: 10m
query: |
  Entities_Data_CL
  | where type_s == "host" and is_prioritized_b == true
  | summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']  
suppressionEnabled: false
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: url_s
  alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: P7D
    reopenClosedIncident: true
    enabled: true
  createIncident: true
status: Available
id: 9b51b0fb-0419-4450-9ea0-0a48751c4902
name: Vectra Create Incident Based on Priority for Hosts
kind: Scheduled
version: 1.0.1
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Entities_Data_CL
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
triggerThreshold: 0
triggerOperator: GreaterThan
tactics:
- Persistence
relevantTechniques:
- T1546
suppressionDuration: PT1H
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9b51b0fb-0419-4450-9ea0-0a48751c4902')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9b51b0fb-0419-4450-9ea0-0a48751c4902')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.",
          "alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "url_s"
            }
          ]
        },
        "alertRuleTemplateName": "9b51b0fb-0419-4450-9ea0-0a48751c4902",
        "customDetails": {
          "attack_profile": "attack_profile_s",
          "entity_id": "id_d",
          "entity_importance": "entity_importance_d",
          "entity_type": "type_s",
          "ip_address": "ip_s",
          "tags": "tags_s"
        },
        "description": "Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.",
        "displayName": "Vectra Create Incident Based on Priority for Hosts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "name_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml",
        "query": "Entities_Data_CL\n| where type_s == \"host\" and is_prioritized_b == true\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}