Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Create Detection Alert for Accounts

Back
Ide796701f-6b39-4c54-bf8a-1d543a990784
RulenameVectra Create Detection Alert for Accounts
DescriptionThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml
Version1.0.1
Arm templatee796701f-6b39-4c54-bf8a-1d543a990784.json
Deploy To Azure
VectraDetections
| where Type == "account"
| extend
    entity_uid = ['Entity UID'],
    entity_id = ['Entity ID'],
    entity_type = ['Entity Type'],
    detection_id = ['Detection ID'],
    detection = ['Detection Name'],
    category = ['Detection Category'],
    detection_url = ['Vectra Pivot'],
    mitre = Mitre,
    tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Detection-  {{detection}}
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: detection_url
  alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.
suppressionDuration: PT1H
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1546
severity: Medium
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
requiredDataConnectors:
- connectorId: VectraXDR
  dataTypes:
  - Detections_Data_CL
query: |
  VectraDetections
  | where Type == "account"
  | extend
      entity_uid = ['Entity UID'],
      entity_id = ['Entity ID'],
      entity_type = ['Entity Type'],
      detection_id = ['Detection ID'],
      detection = ['Detection Name'],
      category = ['Detection Category'],
      detection_url = ['Vectra Pivot'],
      mitre = Mitre,
      tags = Tags
  | summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid  
name: Vectra Create Detection Alert for Accounts
tactics:
- Persistence
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: entity_uid
  entityType: Account
triggerThreshold: 0
id: e796701f-6b39-4c54-bf8a-1d543a990784
triggerOperator: GreaterThan
queryFrequency: 10m
customDetails:
  mitre_techniques: mitre
  entity_type: entity_type
  entity_id: entity_id
  detection_id: detection_id
  tags: tags
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e796701f-6b39-4c54-bf8a-1d543a990784')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e796701f-6b39-4c54-bf8a-1d543a990784')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.",
          "alertDisplayNameFormat": "Vectra AI Detection-  {{detection}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "detection_url"
            }
          ]
        },
        "alertRuleTemplateName": "e796701f-6b39-4c54-bf8a-1d543a990784",
        "customDetails": {
          "detection_id": "detection_id",
          "entity_id": "entity_id",
          "entity_type": "entity_type",
          "mitre_techniques": "mitre",
          "tags": "tags"
        },
        "description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
        "displayName": "Vectra Create Detection Alert for Accounts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "entity_uid",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml",
        "query": "VectraDetections\n| where Type == \"account\"\n| extend\n    entity_uid = ['Entity UID'],\n    entity_id = ['Entity ID'],\n    entity_type = ['Entity Type'],\n    detection_id = ['Detection ID'],\n    detection = ['Detection Name'],\n    category = ['Detection Category'],\n    detection_url = ['Vectra Pivot'],\n    mitre = Mitre,\n    tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}