Vectra Create Detection Alert for Accounts
| Id | e796701f-6b39-4c54-bf8a-1d543a990784 |
| Rulename | Vectra Create Detection Alert for Accounts |
| Description | This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1546 |
| Required data connectors | VectraXDR |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml |
| Version | 1.0.1 |
| Arm template | e796701f-6b39-4c54-bf8a-1d543a990784.json |
VectraDetections
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
VectraDetections
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml
name: Vectra Create Detection Alert for Accounts
incidentConfiguration:
groupingConfiguration:
enabled: false
lookbackDuration: PT5H
matchingMethod: AllEntities
reopenClosedIncident: false
createIncident: false
queryPeriod: 10m
suppressionDuration: PT1H
entityMappings:
- entityType: Account
fieldMappings:
- columnName: entity_uid
identifier: Name
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Detections_Data_CL
customDetails:
entity_type: entity_type
tags: tags
mitre_techniques: mitre
detection_id: detection_id
entity_id: entity_id
tactics:
- Persistence
suppressionEnabled: false
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
id: e796701f-6b39-4c54-bf8a-1d543a990784
status: Available
queryFrequency: 10m
triggerOperator: GreaterThan
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: AlertLink
value: detection_url
alertDisplayNameFormat: Vectra AI Detection- {{detection}}
alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.
severity: Medium
relevantTechniques:
- T1546
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e796701f-6b39-4c54-bf8a-1d543a990784')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e796701f-6b39-4c54-bf8a-1d543a990784')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection} on entity {{entity_uid}}.",
"alertDisplayNameFormat": "Vectra AI Detection- {{detection}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "detection_url"
}
]
},
"alertRuleTemplateName": "e796701f-6b39-4c54-bf8a-1d543a990784",
"customDetails": {
"detection_id": "detection_id",
"entity_id": "entity_id",
"entity_type": "entity_type",
"mitre_techniques": "mitre",
"tags": "tags"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Create Detection Alert for Accounts",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "entity_uid",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml",
"query": "VectraDetections\n| where Type == \"account\"\n| extend\n entity_uid = ['Entity UID'],\n entity_id = ['Entity ID'],\n entity_type = ['Entity Type'],\n detection_id = ['Detection ID'],\n detection = ['Detection Name'],\n category = ['Detection Category'],\n detection_url = ['Vectra Pivot'],\n mitre = Mitre,\n tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}