Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
suppressionEnabled: false
entityMappings:
- fieldMappings:
- columnName: name
identifier: Name
entityType: Account
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
triggerThreshold: 0
kind: Scheduled
tactics:
- Persistence
alertDetailsOverride:
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDynamicProperties:
- value: url
alertProperty: AlertLink
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
customDetails:
attack_profile: attack_profile
tags: tags
entity_id: id
ip_address: ip
entity_type: entity_type
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
queryPeriod: 10m
severity: Medium
version: 1.1.1
queryFrequency: 10m
triggerOperator: GreaterThan
relevantTechniques:
- T1546
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
suppressionDuration: PT1H
status: Available
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: P7D
reopenClosedIncident: true
enabled: true
createIncident: true
name: Vectra Create Incident Based on Priority for Accounts
