Vectra Create Detection Alert for Accounts
Id | e796701f-6b39-4c54-bf8a-1d543a990784 |
Rulename | Vectra Create Detection Alert for Accounts |
Description | This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform |
Severity | Medium |
Tactics | Persistence |
Techniques | T1546 |
Required data connectors | VectraXDR |
Kind | Scheduled |
Query frequency | 10m |
Query period | 10m |
Trigger threshold | 0 |
Trigger operator | GreaterThan |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml |
Version | 1.0.1 |
Arm template | e796701f-6b39-4c54-bf8a-1d543a990784.json |
VectraDetections
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
queryPeriod: 10m
query: |
VectraDetections
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml
suppressionEnabled: false
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Detections_Data_CL
version: 1.0.1
id: e796701f-6b39-4c54-bf8a-1d543a990784
customDetails:
tags: tags
entity_type: entity_type
mitre_techniques: mitre
entity_id: entity_id
detection_id: detection_id
triggerOperator: GreaterThan
name: Vectra Create Detection Alert for Accounts
status: Available
severity: Medium
queryFrequency: 10m
triggerThreshold: 0
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
incidentConfiguration:
createIncident: false
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
enabled: false
lookbackDuration: PT5H
tactics:
- Persistence
alertDetailsOverride:
alertDynamicProperties:
- value: detection_url
alertProperty: AlertLink
alertDisplayNameFormat: Vectra AI Detection- {{detection}}
alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionDuration: PT1H
entityMappings:
- fieldMappings:
- identifier: Name
columnName: entity_uid
entityType: Account
relevantTechniques:
- T1546
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e796701f-6b39-4c54-bf8a-1d543a990784')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e796701f-6b39-4c54-bf8a-1d543a990784')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.",
"alertDisplayNameFormat": "Vectra AI Detection- {{detection}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "detection_url"
}
]
},
"alertRuleTemplateName": "e796701f-6b39-4c54-bf8a-1d543a990784",
"customDetails": {
"detection_id": "detection_id",
"entity_id": "entity_id",
"entity_type": "entity_type",
"mitre_techniques": "mitre",
"tags": "tags"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Create Detection Alert for Accounts",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "entity_uid",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml",
"query": "VectraDetections\n| where Type == \"account\"\n| extend\n entity_uid = ['Entity UID'],\n entity_id = ['Entity ID'],\n entity_type = ['Entity Type'],\n detection_id = ['Detection ID'],\n detection = ['Detection Name'],\n category = ['Detection Category'],\n detection_url = ['Vectra Pivot'],\n mitre = Mitre,\n tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}