Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
queryPeriod: 10m
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
name: Vectra Create Incident Based on Priority for Accounts
entityMappings:
- fieldMappings:
- columnName: name
identifier: Name
entityType: Account
suppressionDuration: PT1H
queryFrequency: 10m
suppressionEnabled: false
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDynamicProperties:
- value: url
alertProperty: AlertLink
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
kind: Scheduled
version: 1.1.1
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Entities_Data_CL
triggerOperator: GreaterThan
triggerThreshold: 0
incidentConfiguration:
groupingConfiguration:
lookbackDuration: P7D
reopenClosedIncident: true
matchingMethod: AllEntities
enabled: true
createIncident: true
customDetails:
attack_profile: attack_profile
ip_address: ip
entity_id: id
tags: tags
entity_type: entity_type
tactics:
- Persistence
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
relevantTechniques:
- T1546
