Microsoft Sentinel Analytic Rules

Vaikora - High severity security alerts

Id: ac3ec787-fd49-4e93-88cc-aaa9b31061ac
Rulename: Vaikora - High severity security alerts
Description: Identifies high or critical severity security alerts ingested from Vaikora in the last 6 hours, indicating active threats such as malware activity, intrusion attempts, or policy violations.
Severity: High
Tactics: InitialAccess, Execution, Persistence, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, CommandAndControl, Exfiltration, Impact
Required data connectors: VaikoraSecurityCenter
Kind: Scheduled
Query frequency: 6h
Query period: 6h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml
Version: 1.0.0
Arm template: ac3ec787-fd49-4e93-88cc-aaa9b31061ac.json
Query (KQL):
Vaikora_SecurityAlerts_CL
| where TimeGenerated >= ago(6h)
| where Severity_s in ("high", "critical")
| extend
    AlertId       = AlertId_s,
    AgentId       = AgentId_s,
    ActionType    = ActionType_s,
    Severity      = Severity_s,
    Title         = Title_s,
    Description   = Description_s,
    SourceIP      = SourceIP,
    DestinationIP = DestinationIP_s,
    SourceHost    = SourceHost_s,
    DestHost      = DestinationHost_s,
    ProcessName   = ProcessName_s,
    UserName      = UserName_s,
    FilePath      = FilePath_s,
    Confidence    = ConfidenceScore_d,
    ThreatFlag    = ThreatDetected_b,
    AnomalyFlag   = IsAnomaly_b
| project
    TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description,
    SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath,
    Confidence, ThreatFlag, AnomalyFlag
| order by TimeGenerated desc
Rule definition (YAML):
severity: High
name: Vaikora - High severity security alerts
alertDetailsOverride:
  alertDescriptionFormat: Vaikora detected a {{Severity_s}} severity event on agent {{AgentId_s}}. {{Description_s}}
  alertSeverityColumnName: Severity_s
  alertDisplayNameFormat: 'Vaikora {{Severity_s}} Alert: {{Title_s}}'
triggerOperator: gt
query: |
  Vaikora_SecurityAlerts_CL
  | where TimeGenerated >= ago(6h)
  | where Severity_s in ("high", "critical")
  | extend
      AlertId       = AlertId_s,
      AgentId       = AgentId_s,
      ActionType    = ActionType_s,
      Severity      = Severity_s,
      Title         = Title_s,
      Description   = Description_s,
      SourceIP      = SourceIP,
      DestinationIP = DestinationIP_s,
      SourceHost    = SourceHost_s,
      DestHost      = DestinationHost_s,
      ProcessName   = ProcessName_s,
      UserName      = UserName_s,
      FilePath      = FilePath_s,
      Confidence    = ConfidenceScore_d,
      ThreatFlag    = ThreatDetected_b,
      AnomalyFlag   = IsAnomaly_b
  | project
      TimeGenerated, AlertId, AgentId, ActionType, Severity, Title, Description,
      SourceIP, DestinationIP, SourceHost, DestHost, ProcessName, UserName, FilePath,
      Confidence, ThreatFlag, AnomalyFlag
  | order by TimeGenerated desc
tactics:
- InitialAccess
- Execution
- Persistence
- DefenseEvasion
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
status: Available
version: 1.0.0
relevantTechniques: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-AzureSecurityCenter/Analytic Rules/Vaikora - High Severity Security Alerts.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Vaikora_SecurityAlerts_CL
  connectorId: VaikoraSecurityCenter
id: ac3ec787-fd49-4e93-88cc-aaa9b31061ac
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DestinationIP
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SourceHost
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserName
- entityType: Process
  fieldMappings:
  - identifier: ProcessId
    columnName: ProcessName
kind: Scheduled
queryFrequency: 6h
queryPeriod: 6h
description: |
    Identifies high or critical severity security alerts ingested from Vaikora in the last 6 hours, indicating active threats such as malware activity, intrusion attempts, or policy violations.