Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra AI Detect - New Campaign Detected

Back
Ida34d0338-eda0-42b5-8b93-32aae0d7a501
RulenameVectra AI Detect - New Campaign Detected
DescriptionIdentifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.
SeverityMedium
TacticsLateralMovement
CommandAndControl
TechniquesT1021
T1071
Required data connectorsCefAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
Version1.2.3
Arm templatea34d0338-eda0-42b5-8b93-32aae0d7a501.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID contains "campaign"
| where DeviceAction == "START"
| extend reason = coalesce(
                          column_ifexists("Reason", ""), 
                          extract("reason=(.+?)($|;)", 1, AdditionalExtensions),
                          ""
                      )
| project-rename vectra_URL = DeviceCustomString4
| sort by TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID contains "campaign"
  | where DeviceAction == "START"
  | extend reason = coalesce(
                            column_ifexists("Reason", ""), 
                            extract("reason=(.+?)($|;)", 1, AdditionalExtensions),
                            ""
                        )
  | project-rename vectra_URL = DeviceCustomString4
  | sort by TimeGenerated  
description: |
    'Identifies when a new Campaign has been detected.  This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.'
severity: Medium
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 7d
    reopenClosedIncident: true
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
name: Vectra AI Detect - New Campaign Detected
triggerThreshold: 0
version: 1.2.3
customDetails:
  CampaignReason: reason
  CampaignName: Activity
  CampaignSourceHost: SourceHostName
tactics:
- LateralMovement
- CommandAndControl
alertDetailsOverride:
  alertDynamicProperties:
  - value: vectra_URL
    alertProperty: AlertLink
  - value: DeviceProduct
    alertProperty: ProductName
  - value: DeviceVendor
    alertProperty: ProviderName
  alertDescriptionFormat: |
        A new campaign named {{Activity}} has been detected (reason is {{reason}})
  alertDisplayNameFormat: Vectra AI - New Campaign Detected
relevantTechniques:
- T1021
- T1071
triggerOperator: gt
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: Activity
    identifier: DomainName
id: a34d0338-eda0-42b5-8b93-32aae0d7a501
status: Available
kind: Scheduled
queryFrequency: 5m
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a34d0338-eda0-42b5-8b93-32aae0d7a501')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a34d0338-eda0-42b5-8b93-32aae0d7a501')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A new campaign named {{Activity}} has been detected (reason is {{reason}})\n",
          "alertDisplayNameFormat": "Vectra AI - New Campaign Detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "vectra_URL"
            },
            {
              "alertProperty": "ProductName",
              "value": "DeviceProduct"
            },
            {
              "alertProperty": "ProviderName",
              "value": "DeviceVendor"
            }
          ]
        },
        "alertRuleTemplateName": "a34d0338-eda0-42b5-8b93-32aae0d7a501",
        "customDetails": {
          "CampaignName": "Activity",
          "CampaignReason": "reason",
          "CampaignSourceHost": "SourceHostName"
        },
        "description": "'Identifies when a new Campaign has been detected.  This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.'\n",
        "displayName": "Vectra AI Detect - New Campaign Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Activity",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID contains \"campaign\"\n| where DeviceAction == \"START\"\n| extend reason = coalesce(\n                          column_ifexists(\"Reason\", \"\"), \n                          extract(\"reason=(.+?)($|;)\", 1, AdditionalExtensions),\n                          \"\"\n                      )\n| project-rename vectra_URL = DeviceCustomString4\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "LateralMovement"
        ],
        "techniques": [
          "T1021",
          "T1071"
        ],
        "templateVersion": "1.2.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}