Vectra Create Incident Based on Priority for Accounts
| Id | af6f2812-0187-4cc9-822a-952f8b5b6b7e |
| Rulename | Vectra Create Incident Based on Priority for Accounts |
| Description | Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters. |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1546 |
| Required data connectors | VectraXDR |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml |
| Version | 1.0.1 |
| Arm template | af6f2812-0187-4cc9-822a-952f8b5b6b7e.json |
Entities_Data_CL
| where type_s == "account" and is_prioritized_b == true
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
status: Available
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
tactics:
- Persistence
alertDetailsOverride:
alertDynamicProperties:
- value: url_s
alertProperty: AlertLink
alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
name: Vectra Create Incident Based on Priority for Accounts
query: |
Entities_Data_CL
| where type_s == "account" and is_prioritized_b == true
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
severity: Medium
customDetails:
attack_profile: attack_profile_s
tags: tags_s
ip_address: ip_s
entity_importance: entity_importance_d
entity_id: id_d
entity_type: type_s
triggerOperator: GreaterThan
kind: Scheduled
suppressionDuration: PT1H
relevantTechniques:
- T1546
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: P7D
reopenClosedIncident: true
enabled: true
matchingMethod: AllEntities
queryFrequency: 10m
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
suppressionEnabled: false
version: 1.0.1
entityMappings:
- fieldMappings:
- columnName: name_s
identifier: Name
entityType: Account
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af6f2812-0187-4cc9-822a-952f8b5b6b7e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af6f2812-0187-4cc9-822a-952f8b5b6b7e')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.",
"alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_s"
}
]
},
"alertRuleTemplateName": "af6f2812-0187-4cc9-822a-952f8b5b6b7e",
"customDetails": {
"attack_profile": "attack_profile_s",
"entity_id": "id_d",
"entity_importance": "entity_importance_d",
"entity_type": "type_s",
"ip_address": "ip_s",
"tags": "tags_s"
},
"description": "Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.",
"displayName": "Vectra Create Incident Based on Priority for Accounts",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "name_s",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "P7D",
"matchingMethod": "AllEntities",
"reopenClosedIncident": true
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml",
"query": "Entities_Data_CL\n| where type_s == \"account\" and is_prioritized_b == true\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}