Vectra AI Detect - New Campaign Detected
| Id | a34d0338-eda0-42b5-8b93-32aae0d7a501 |
| Rulename | Vectra AI Detect - New Campaign Detected |
| Description | Identifies when a new Campaign has been detected. This occurs when multiple Detections across different Hosts are suspected to be part of the same Attack Campaign. |
| Severity | Medium |
| Tactics | LateralMovement CommandAndControl |
| Techniques | T1021 T1071 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml |
| Version | 1.2.3 |
| Arm template | a34d0338-eda0-42b5-8b93-32aae0d7a501.json |
// Vectra AI Detect: return every newly started campaign event received over CEF.
// Rows are filtered by vendor/product, event class and action, then enriched
// with a 'reason' column and a vectra_URL column for the alert link.
CommonSecurityLog
| where DeviceVendor == "Vectra Networks" and DeviceProduct == "X Series"
// 'contains' is a case-insensitive substring match in KQL
| where DeviceEventClassID contains "campaign"
// keep START events only (presumably the campaign-creation event — verify against the vendor CEF mapping)
| where DeviceAction == "START"
// Reason may arrive as its own column or packed into AdditionalExtensions.
// coalesce() skips null and empty strings, so the extract() fallback is tried
// whenever the Reason column is absent or empty; the final "" keeps the column non-null.
| extend reason = coalesce(column_ifexists("Reason", ""), extract("reason=(.+?)($|;)", 1, AdditionalExtensions), "")
// DeviceCustomString4 carries the link surfaced as AlertLink in the rule's alert details
| project-rename vectra_URL = DeviceCustomString4
// sort by is descending by default, so the newest event comes first
| sort by TimeGenerated
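# Microsoft Sentinel scheduled analytic rule for Vectra AI Detect campaign events.
# The rule fires on every row returned by the query (triggerThreshold 0, operator gt)
# over a 5-minute window evaluated every 5 minutes.
alertDetailsOverride:
  alertDynamicProperties:
    # AlertLink is taken from the vectra_URL column the query derives from DeviceCustomString4
    - alertProperty: AlertLink
      value: vectra_URL
    - alertProperty: ProductName
      value: DeviceProduct
    - alertProperty: ProviderName
      value: DeviceVendor
  # Activity and reason are columns of the query result; the template fills them per alert
  alertDescriptionFormat: |
    A new campaign named {{Activity}} has been detected (reason is {{reason}})
  alertDisplayNameFormat: Vectra AI - New Campaign Detected
# NOTE(review): the single quotes below are inside a literal block scalar, so they are
# part of the description value — confirm the consuming tooling strips them.
description: |
  'Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.'
kind: Scheduled
tactics:
  - LateralMovement
  - CommandAndControl
requiredDataConnectors:
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: true
    lookbackDuration: 7d
    enabled: true
    # AllEntities groups alerts whose mapped entities all match; with a single
    # entity mapping (Activity) this presumably groups alerts for the same campaign name
    # within the 7-day lookback — confirm this is the intended grouping.
    matchingMethod: AllEntities
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
severity: Medium
name: Vectra AI Detect - New Campaign Detected
# Custom details attach query columns to the alert as key/value pairs
customDetails:
  CampaignReason: reason
  CampaignName: Activity
  CampaignSourceHost: SourceHostName
triggerThreshold: 0
queryPeriod: 5m
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID contains "campaign"
  | where DeviceAction == "START"
  | extend reason = coalesce(
      column_ifexists("Reason", ""),
      extract("reason=(.+?)($|;)", 1, AdditionalExtensions),
      ""
  )
  | project-rename vectra_URL = DeviceCustomString4
  | sort by TimeGenerated
relevantTechniques:
  - T1021
  - T1071
id: a34d0338-eda0-42b5-8b93-32aae0d7a501
queryFrequency: 5m
status: Available
triggerOperator: gt
version: 1.2.3
entityMappings:
  # NOTE(review): Activity holds the campaign name in this query, not a DNS name;
  # mapping it to a DNS/DomainName entity looks like a way to give the incident an
  # entity for grouping — confirm this is intentional rather than a mis-mapping.
  - entityType: DNS
    fieldMappings:
      - columnName: Activity
        identifier: DomainName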