Entities_Data_CL
| where entity_type == "host" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
status: Available
queryFrequency: 10m
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: true
lookbackDuration: P7D
enabled: true
createIncident: true
suppressionDuration: PT1H
triggerOperator: GreaterThan
alertDetailsOverride:
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDynamicProperties:
- alertProperty: AlertLink
value: url
query: |
Entities_Data_CL
| where entity_type == "host" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
tactics:
- Persistence
triggerThreshold: 0
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: name
queryPeriod: 10m
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
kind: Scheduled
relevantTechniques:
- T1546
customDetails:
entity_id: id
ip_address: ip
attack_profile: attack_profile
tags: tags
entity_type: entity_type
version: 1.1.1
severity: Medium
name: Vectra Create Incident Based on Priority for Hosts
id: 9b51b0fb-0419-4450-9ea0-0a48751c4902
suppressionEnabled: false
