Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
status: Available
queryFrequency: 10m
queryPeriod: 10m
kind: Scheduled
version: 1.1.1
triggerThreshold: 0
relevantTechniques:
- T1546
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
customDetails:
attack_profile: attack_profile
ip_address: ip
entity_type: entity_type
entity_id: id
tags: tags
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
tactics:
- Persistence
name: Vectra Create Incident Based on Priority for Accounts
triggerOperator: GreaterThan
suppressionDuration: PT1H
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
entityMappings:
- fieldMappings:
- identifier: Name
columnName: name
entityType: Account
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: true
matchingMethod: AllEntities
lookbackDuration: P7D
enabled: true
createIncident: true
suppressionEnabled: false
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDynamicProperties:
- value: url
alertProperty: AlertLink
severity: Medium
