Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Create Incident Based on Priority for Accounts

Back
Idaf6f2812-0187-4cc9-822a-952f8b5b6b7e
RulenameVectra Create Incident Based on Priority for Accounts
DescriptionCreate an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
Version1.0.1
Arm templateaf6f2812-0187-4cc9-822a-952f8b5b6b7e.json
Deploy To Azure
Entities_Data_CL
| where type_s == "account" and is_prioritized_b == true
| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']
suppressionDuration: PT1H
status: Available
relevantTechniques:
- T1546
suppressionEnabled: false
customDetails:
  ip_address: ip_s
  entity_type: type_s
  entity_id: id_d
  tags: tags_s
  attack_profile: attack_profile_s
  entity_importance: entity_importance_d
queryPeriod: 10m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Incident- {{name_s}}
  alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.
  alertDynamicProperties:
  - value: url_s
    alertProperty: AlertLink
query: |
  Entities_Data_CL
  | where type_s == "account" and is_prioritized_b == true
  | summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']  
version: 1.0.1
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
tactics:
- Persistence
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: name_s
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - Entities_Data_CL
  connectorId: VectraXDR
name: Vectra Create Incident Based on Priority for Accounts
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    lookbackDuration: P7D
    matchingMethod: AllEntities
    reopenClosedIncident: true
triggerOperator: GreaterThan
triggerThreshold: 0
queryFrequency: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af6f2812-0187-4cc9-822a-952f8b5b6b7e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af6f2812-0187-4cc9-822a-952f8b5b6b7e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "An incident has been generated for Vectra AI entity {{name_s}} that is presenting an urgency score of {{urgency_score_d}}.",
          "alertDisplayNameFormat": "Vectra AI Incident- {{name_s}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "url_s"
            }
          ]
        },
        "alertRuleTemplateName": "af6f2812-0187-4cc9-822a-952f8b5b6b7e",
        "customDetails": {
          "attack_profile": "attack_profile_s",
          "entity_id": "id_d",
          "entity_importance": "entity_importance_d",
          "entity_type": "type_s",
          "ip_address": "ip_s",
          "tags": "tags_s"
        },
        "description": "Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.",
        "displayName": "Vectra Create Incident Based on Priority for Accounts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name_s",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml",
        "query": "Entities_Data_CL\n| where type_s == \"account\" and is_prioritized_b == true\n| summarize arg_max(['last_modified_timestamp_t'], *) by ['name_s']\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}