Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
status: Available
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
name: Vectra Create Incident Based on Priority for Accounts
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
tactics:
- Persistence
triggerOperator: GreaterThan
severity: Medium
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: P7D
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: true
customDetails:
entity_type: entity_type
entity_id: id
attack_profile: attack_profile
tags: tags
ip_address: ip
version: 1.1.1
kind: Scheduled
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: name
relevantTechniques:
- T1546
queryPeriod: 10m
suppressionDuration: PT1H
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
alertDetailsOverride:
alertDynamicProperties:
- value: url
alertProperty: AlertLink
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDisplayNameFormat: Vectra AI Incident- {{name}}
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
queryFrequency: 10m
