Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
tactics:
- Persistence
relevantTechniques:
- T1546
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
name: Vectra Create Incident Based on Priority for Accounts
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
incidentConfiguration:
groupingConfiguration:
enabled: true
matchingMethod: AllEntities
reopenClosedIncident: true
lookbackDuration: P7D
createIncident: true
suppressionDuration: PT1H
suppressionEnabled: false
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDynamicProperties:
- alertProperty: AlertLink
value: url
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
entityMappings:
- fieldMappings:
- identifier: Name
columnName: name
entityType: Account
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
queryFrequency: 10m
queryPeriod: 10m
triggerThreshold: 0
customDetails:
tags: tags
entity_type: entity_type
ip_address: ip
entity_id: id
attack_profile: attack_profile
kind: Scheduled
version: 1.1.1
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
