Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
queryFrequency: 10m
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
suppressionDuration: PT1H
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: name
triggerThreshold: 0
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
tactics:
- Persistence
version: 1.1.1
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
alertDetailsOverride:
alertDynamicProperties:
- value: url
alertProperty: AlertLink
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDisplayNameFormat: Vectra AI Incident- {{name}}
queryPeriod: 10m
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: true
lookbackDuration: P7D
createIncident: true
customDetails:
attack_profile: attack_profile
tags: tags
entity_type: entity_type
ip_address: ip
entity_id: id
severity: Medium
name: Vectra Create Incident Based on Priority for Accounts
triggerOperator: GreaterThan
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
kind: Scheduled
status: Available
suppressionEnabled: false
relevantTechniques:
- T1546
