Vectra AI Detect - New Campaign Detected

Back


Id	a34d0338-eda0-42b5-8b93-32aae0d7a501
Rulename	Vectra AI Detect - New Campaign Detected
Description	Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.
Severity	Medium
Tactics	LateralMovement CommandAndControl
Techniques	T1021 T1071
Required data connectors	CefAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
Version	1.2.3
Arm template	a34d0338-eda0-42b5-8b93-32aae0d7a501.json

KQL

CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID contains "campaign"
| where DeviceAction == "START"
| extend reason = coalesce(
                          column_ifexists("Reason", ""), 
                          extract("reason=(.+?)($|;)", 1, AdditionalExtensions),
                          ""
                      )
| project-rename vectra_URL = DeviceCustomString4
| sort by TimeGenerated

YAML

id: a34d0338-eda0-42b5-8b93-32aae0d7a501
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-NewCampaign.yaml
queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 7d
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: true
  createIncident: true
status: Available
name: Vectra AI Detect - New Campaign Detected
triggerThreshold: 0
relevantTechniques:
- T1021
- T1071
customDetails:
  CampaignReason: reason
  CampaignSourceHost: SourceHostName
  CampaignName: Activity
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
severity: Medium
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID contains "campaign"
  | where DeviceAction == "START"
  | extend reason = coalesce(
                            column_ifexists("Reason", ""), 
                            extract("reason=(.+?)($|;)", 1, AdditionalExtensions),
                            ""
                        )
  | project-rename vectra_URL = DeviceCustomString4
  | sort by TimeGenerated  
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Activity
  entityType: DNS
tactics:
- LateralMovement
- CommandAndControl
version: 1.2.3
triggerOperator: gt
description: |
    'Identifies when a new Campaign has been detected.  This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.'
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: vectra_URL
  - alertProperty: ProductName
    value: DeviceProduct
  - alertProperty: ProviderName
    value: DeviceVendor
  alertDescriptionFormat: |
        A new campaign named {{Activity}} has been detected (reason is {{reason}})
  alertDisplayNameFormat: Vectra AI - New Campaign Detected
kind: Scheduled

ARM