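# Microsoft Sentinel scheduled analytic rule from the Vectra XDR solution.
# Raises an alert for every Vectra account entity currently flagged as
# prioritized (is_prioritized == true) and groups those alerts into incidents
# per account. Keys are ordered in the usual Sentinel rule-template order;
# the mapping is unordered, so this is readability only.
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
name: Vectra Create Incident Based on Priority for Accounts
description: >-
  Create an incident when an identity is suspected to be compromised. Vectra is
  using AI to prioritize an entity based on multiple factors (attack rating,
  velocity, breadth, importance.etc.). This layer of aggregation at the entity
  level provides a greater signal-to-noise ratio and help analyst focus on what
  matters.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Entities_Data_CL
# Evaluated every 10 minutes. The query below has no explicit time filter, so
# queryPeriod (10m) is the effective window of Entities_Data_CL it sees.
queryFrequency: 10m
queryPeriod: 10m
# Fires on any non-empty result set.
triggerOperator: GreaterThan
triggerThreshold: 0
tactics:
  - Persistence
# NOTE(review): T1546 (Event Triggered Execution) is a coarse mapping - the
# query keys on Vectra's prioritization flag rather than on a specific
# technique; confirm this is the intended ATT&CK annotation.
relevantTechniques:
  - T1546
# arg_max keeps only the newest record per account name within the window, so
# each returned row is one account. The `*` projection carries every column of
# the table through, which is what alertDetailsOverride and customDetails rely
# on ({{urgency_score}}, url, ip, attack_profile, id, tags); those columns are
# assumed to be populated by the connector.
query: |
  Entities_Data_CL
  | where entity_type == "account" and is_prioritized == true
  | summarize arg_max(['last_modified_timestamp'], *) by ['name']
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: name
# Surfaced on the alert as custom details: keys are the labels shown,
# values are column names from the query result.
customDetails:
  ip_address: ip
  entity_type: entity_type
  attack_profile: attack_profile
  entity_id: id
  tags: tags
alertDetailsOverride:
  alertDescriptionFormat: >-
    An incident has been generated for Vectra AI entity {{name}} that is
    presenting an urgency score of {{urgency_score}}.
  alertDisplayNameFormat: Vectra AI Incident- {{name}}
  alertDynamicProperties:
    # AlertLink is populated straight from the connector-supplied `url`
    # column, so the link analysts click is only as trustworthy as the
    # ingested Vectra data.
    - alertProperty: AlertLink
      value: url
# One alert per returned row (i.e. per prioritized account).
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    # Alerts whose mapped entities all match (here: the same account name)
    # within 7 days land in one incident, and a closed incident is reopened
    # rather than a new one created. Because the query re-emits an account on
    # every run for as long as the connector keeps ingesting it with the
    # prioritized flag set, an incident closed as benign will be reopened
    # until Vectra clears the flag - confirm this matches the SOC's
    # close/false-positive workflow.
    reopenClosedIncident: true
    lookbackDuration: P7D
    matchingMethod: AllEntities
suppressionEnabled: false
suppressionDuration: PT1H
version: 1.1.1
kind: Scheduled
# Quoted: the upstream path contains spaces.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml'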