Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Accounts Behaviors

Back
Idce54b5d3-4c31-4eaf-a73e-31412270b6ab
RulenameVectra Account’s Behaviors
DescriptionThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account’s detections.
SeverityInformational
TacticsCredentialAccess
Discovery
LateralMovement
Collection
CommandAndControl
Exfiltration
Impact
TechniquesT1003
T1087
T1021
T1119
T1071
T1041
T1499
Required data connectorsAIVectraDetect
AIVectraDetectAma
CefAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml
Version1.0.4
Arm templatece54b5d3-4c31-4eaf-a73e-31412270b6ab.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID != "campaigns"
    and DeviceEventClassID != "hsc"
    and DeviceEventClassID != "audit"
    and DeviceEventClassID != "health"
    and DeviceEventClassID != "asc"
| extend Category = coalesce(
    column_ifexists("DeviceEventCategory", ""), 
    extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
    ""
    )
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename triaged = DeviceCustomString5
| where triaged != "True" and AdditionalExtensions contains "account"
| extend account = extract("account=(.+?);", 1, AdditionalExtensions)
| extend upn = iff(account matches regex ":", tostring(split(account, ":")[1]), tostring(split(account, ":")[0]))
| extend name = tostring(split(upn, "@")[0])
| extend upn_suffix = tostring(split(upn, "@")[1])
| extend source_entity = case(isnotempty(upn), upn,
    isnotempty(SourceHostName), SourceHostName,
    "UNKNWON")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
    threat_score < 50 and certainty_score < 50, "Low",
    threat_score < 50 and certainty_score >= 50, "Medium", 
    threat_score >= 50 and certainty_score <= 50, "High", 
    threat_score >= 50 and certainty_score >= 50, "Critical",
    "UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| summarize arg_max(threat_score, *) by source_entity, Activity
| sort by TimeGenerated
id: ce54b5d3-4c31-4eaf-a73e-31412270b6ab
name: Vectra Account's Behaviors
triggerOperator: gt
status: Available
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID != "campaigns"
      and DeviceEventClassID != "hsc"
      and DeviceEventClassID != "audit"
      and DeviceEventClassID != "health"
      and DeviceEventClassID != "asc"
  | extend Category = coalesce(
      column_ifexists("DeviceEventCategory", ""), 
      extract("cat=(.+?)(;|$)", 1, AdditionalExtensions), 
      ""
      )
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename triaged = DeviceCustomString5
  | where triaged != "True" and AdditionalExtensions contains "account"
  | extend account = extract("account=(.+?);", 1, AdditionalExtensions)
  | extend upn = iff(account matches regex ":", tostring(split(account, ":")[1]), tostring(split(account, ":")[0]))
  | extend name = tostring(split(upn, "@")[0])
  | extend upn_suffix = tostring(split(upn, "@")[1])
  | extend source_entity = case(isnotempty(upn), upn,
      isnotempty(SourceHostName), SourceHostName,
      "UNKNWON")
  | extend level = case(threat_score == 0 and certainty_score == 0, "Info",
      threat_score < 50 and certainty_score < 50, "Low",
      threat_score < 50 and certainty_score >= 50, "Medium", 
      threat_score >= 50 and certainty_score <= 50, "High", 
      threat_score >= 50 and certainty_score >= 50, "Critical",
      "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | summarize arg_max(threat_score, *) by source_entity, Activity
  | sort by TimeGenerated  
queryPeriod: 5m
requiredDataConnectors:
- connectorId: AIVectraDetect
  dataTypes:
  - CommonSecurityLog
- connectorId: AIVectraDetectAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
severity: Informational
queryFrequency: 5m
customDetails:
  AttackType: Activity
  AttackCategory: Category
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
alertDetailsOverride:
  alertDescriptionFormat: |
        Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.
  alertSeverityColumnName: Severity
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: vectra_URL
  - alertProperty: ProductName
    value: DeviceProduct
  - alertProperty: ProviderName
    value: DeviceVendor
  - alertProperty: ConfidenceScore
    value: certainty_score
  alertDisplayNameFormat: Vectra AI - {{Activity}} Detected
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: name
  - identifier: UPNSuffix
    columnName: upn_suffix
  entityType: Account
description: |
    'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account's detections.'
version: 1.0.4
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce54b5d3-4c31-4eaf-a73e-31412270b6ab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce54b5d3-4c31-4eaf-a73e-31412270b6ab')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n",
          "alertDisplayNameFormat": "Vectra AI - {{Activity}} Detected",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "vectra_URL"
            },
            {
              "alertProperty": "ProductName",
              "value": "DeviceProduct"
            },
            {
              "alertProperty": "ProviderName",
              "value": "DeviceVendor"
            },
            {
              "alertProperty": "ConfidenceScore",
              "value": "certainty_score"
            }
          ],
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "ce54b5d3-4c31-4eaf-a73e-31412270b6ab",
        "customDetails": {
          "AttackCategory": "Category",
          "AttackType": "Activity"
        },
        "description": "'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on account's detections.'\n",
        "displayName": "Vectra Account's Behaviors",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "name",
                "identifier": "Name"
              },
              {
                "columnName": "upn_suffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra AI Detect/Analytic Rules/VectraDetect-Account-Detections.yaml",
        "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\"\n    and DeviceEventClassID != \"hsc\"\n    and DeviceEventClassID != \"audit\"\n    and DeviceEventClassID != \"health\"\n    and DeviceEventClassID != \"asc\"\n| extend Category = coalesce(\n    column_ifexists(\"DeviceEventCategory\", \"\"), \n    extract(\"cat=(.+?)(;|$)\", 1, AdditionalExtensions), \n    \"\"\n    )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename triaged = DeviceCustomString5\n| where triaged != \"True\" and AdditionalExtensions contains \"account\"\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account, \":\")[1]), tostring(split(account, \":\")[0]))\n| extend name = tostring(split(upn, \"@\")[0])\n| extend upn_suffix = tostring(split(upn, \"@\")[1])\n| extend source_entity = case(isnotempty(upn), upn,\n    isnotempty(SourceHostName), SourceHostName,\n    \"UNKNWON\")\n| extend level = case(threat_score == 0 and certainty_score == 0, \"Info\",\n    threat_score < 50 and certainty_score < 50, \"Low\",\n    threat_score < 50 and certainty_score >= 50, \"Medium\", \n    threat_score >= 50 and certainty_score <= 50, \"High\", \n    threat_score >= 50 and certainty_score >= 50, \"Critical\",\n    \"UNKNOWN\")\n| extend Severity = case(level == \"Info\", \"Informational\",level == \"Critical\", \"High\", level)\n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "Impact",
          "LateralMovement"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1041",
          "T1071",
          "T1087",
          "T1119",
          "T1499"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}