Vectra Create Detection Alert for Accounts
| Id | e796701f-6b39-4c54-bf8a-1d543a990784 |
| Rulename | Vectra Create Detection Alert for Accounts |
| Description | This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1546 |
| Required data connectors | VectraXDR |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml |
| Version | 1.0.1 |
| Arm template | e796701f-6b39-4c54-bf8a-1d543a990784.json |
VectraDetections
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
version: 1.0.1
queryFrequency: 10m
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
- Detections_Data_CL
connectorId: VectraXDR
name: Vectra Create Detection Alert for Accounts
triggerOperator: GreaterThan
id: e796701f-6b39-4c54-bf8a-1d543a990784
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml
suppressionEnabled: false
queryPeriod: 10m
suppressionDuration: PT1H
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
VectraDetections
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
relevantTechniques:
- T1546
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: entity_uid
identifier: Name
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: PT5H
createIncident: false
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Detection- {{detection}}
alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.
alertDynamicProperties:
- value: detection_url
alertProperty: AlertLink
tactics:
- Persistence
customDetails:
detection_id: detection_id
tags: tags
entity_id: entity_id
mitre_techniques: mitre
entity_type: entity_type
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e796701f-6b39-4c54-bf8a-1d543a990784')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e796701f-6b39-4c54-bf8a-1d543a990784')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.",
"alertDisplayNameFormat": "Vectra AI Detection- {{detection}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "detection_url"
}
]
},
"alertRuleTemplateName": "e796701f-6b39-4c54-bf8a-1d543a990784",
"customDetails": {
"detection_id": "detection_id",
"entity_id": "entity_id",
"entity_type": "entity_type",
"mitre_techniques": "mitre",
"tags": "tags"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Create Detection Alert for Accounts",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "entity_uid",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml",
"query": "VectraDetections\n| where Type == \"account\"\n| extend\n entity_uid = ['Entity UID'],\n entity_id = ['Entity ID'],\n entity_type = ['Entity Type'],\n detection_id = ['Detection ID'],\n detection = ['Detection Name'],\n category = ['Detection Category'],\n detection_url = ['Vectra Pivot'],\n mitre = Mitre,\n tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}