Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
relevantTechniques:
- T1546
alertDetailsOverride:
alertDescriptionFormat: An incident has been generated for Vectra AI entity {{name}} that is presenting an urgency score of {{urgency_score}}.
alertDisplayNameFormat: Vectra AI Incident- {{name}}
alertDynamicProperties:
- value: url
alertProperty: AlertLink
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: name
customDetails:
entity_id: id
ip_address: ip
entity_type: entity_type
tags: tags
attack_profile: attack_profile
query: |
Entities_Data_CL
| where entity_type == "account" and is_prioritized == true
| summarize arg_max(['last_modified_timestamp'], *) by ['name']
triggerThreshold: 0
version: 1.1.1
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
lookbackDuration: P7D
reopenClosedIncident: true
matchingMethod: AllEntities
requiredDataConnectors:
- dataTypes:
- Entities_Data_CL
connectorId: VectraXDR
status: Available
queryFrequency: 10m
triggerOperator: GreaterThan
kind: Scheduled
suppressionDuration: PT1H
suppressionEnabled: false
description: Create an incident when an identity is suspected to be compromised. Vectra is using AI to prioritize an entity based on multiple factors (attack rating, velocity, breadth, importance.etc.). This layer of aggregation at the entity level provides a greater signal-to-noise ratio and help analyst focus on what matters.
eventGroupingSettings:
aggregationKind: AlertPerResult
severity: Medium
tactics:
- Persistence
name: Vectra Create Incident Based on Priority for Accounts
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
id: af6f2812-0187-4cc9-822a-952f8b5b6b7e
queryPeriod: 10m
