Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
customDetails:
ip_address: ip
tags: tags
entity_id: id
entity_type: entity_type
attack_profile: attack_profile
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
tactics:
- Persistence
relevantTechniques:
- T1546
triggerThreshold: 0
status: Available
name: Vectra Create Incident Based on Priority for Accounts
triggerOperator: GreaterThan
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: AlertLink
value: url
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDisplayNameFormat: Vectra AI Incident- {{name}}
version: 1.1.1
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
queryPeriod: 10m
entityMappings:
- entityType: Account
fieldMappings:
- columnName: name
identifier: Name
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: Medium
kind: Scheduled
suppressionDuration: PT1H
suppressionEnabled: false
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
lookbackDuration: P7D
reopenClosedIncident: true
createIncident: true
queryFrequency: 10m
