// Latest state of every account-scoped Vectra detection, one row per
// (Detection ID, entity). This is the same pipeline embedded under the rule's
// `query:` key; the aliases introduced by `extend` are the column names the
// rule's entity mappings, custom details and alert-detail templates rely on,
// so renaming any of them breaks those bindings.
// NOTE(review): `VectraDetections` is presumably a workspace function/parser
// over the connector's Detections_Data_CL table — confirm it exists in the
// target workspace before deploying the rule.
VectraDetections
// Case-sensitive exact match on the entity type reported by Vectra.
| where Type == "account"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
// Vendor-supplied pivot URL; surfaced to analysts as the alert link.
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
// A detection updated more than once inside the query window collapses to its
// most recent record; `*` carries every other column through unchanged.
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
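---
# Vectra XDR -> Microsoft Sentinel: scheduled analytic rule that turns every new
# account-scoped Vectra detection into a SecurityAlert row. It deliberately
# creates alerts only (createIncident is false below).
id: e796701f-6b39-4c54-bf8a-1d543a990784
name: Vectra Create Detection Alert for Accounts
kind: Scheduled
version: 1.0.1
status: Available
severity: Medium
description: >-
  This analytic rule is looking for new attacker behaviors observed by the
  Vectra Platform. The intent is to create entries in the SecurityAlert table
  for every new detection attached to an entity monitored by the Vectra Platform
# Not a Sentinel analytic-rule field; presumably records where this rule was
# sourced from. Drop it if the rule schema validator rejects unknown keys.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Account.yaml

requiredDataConnectors:
  - connectorId: VectraXDR
    dataTypes:
      - Detections_Data_CL

# Scheduling. queryPeriod equals queryFrequency, so consecutive runs do not
# overlap: a detection that lands in the workspace after the 10-minute window
# covering its TimeGenerated has already been queried will never raise an alert.
# NOTE(review): widening queryPeriod on its own would instead re-alert on the
# same rows every run, because the query has no ingestion-time filter — decide
# which failure mode is acceptable before tuning these two values.
queryFrequency: 10m
queryPeriod: 10m
# Fire whenever the query returns at least one row; with AlertPerResult below,
# each deduplicated (detection, entity) row becomes its own alert.
triggerOperator: GreaterThan
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
suppressionDuration: PT1H

# Static MITRE labelling applied to every account detection, regardless of what
# Vectra reports for that detection. The per-detection mapping only reaches the
# alert through customDetails.mitre_techniques, so the alert's tactic/technique
# can disagree with the underlying detection.
tactics:
  - Persistence
relevantTechniques:
  - T1546

# Keep the latest record per (Detection ID, entity) so a detection updated
# several times inside one window yields a single row. The aliases introduced
# by `extend` are the column names that entityMappings, customDetails and
# alertDetailsOverride below bind to — rename them together or not at all.
# NOTE(review): `VectraDetections` is presumably a workspace function/parser
# over Detections_Data_CL; confirm it exists in the target workspace.
query: |
  VectraDetections
  | where Type == "account"
  | extend
  entity_uid = ['Entity UID'],
  entity_id = ['Entity ID'],
  entity_type = ['Entity Type'],
  detection_id = ['Detection ID'],
  detection = ['Detection Name'],
  category = ['Detection Category'],
  detection_url = ['Vectra Pivot'],
  mitre = Mitre,
  tags = Tags
  | summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid

# The Account entity is keyed solely on Vectra's `Entity UID`.
# NOTE(review): this assumes that value is a plain account name; if it is a
# UPN or SID, map it to the matching Account identifier instead — confirm
# against sample Detections_Data_CL rows.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: entity_uid

# Columns surfaced as alert custom details (detail name: query column).
customDetails:
  tags: tags
  mitre_techniques: mitre
  entity_id: entity_id
  detection_id: detection_id
  entity_type: entity_type

alertDetailsOverride:
  alertDisplayNameFormat: 'Vectra AI Detection- {{detection}}'
  # Fixed: the original template had an unbalanced `{{detection}` placeholder,
  # which does not match the {{column}} syntax of the other placeholders and so
  # could not be substituted.
  alertDescriptionFormat: 'Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.'
  alertDynamicProperties:
    # AlertLink is taken from the vendor-supplied pivot URL, so analysts who
    # click it are sent into the Vectra console for this detection.
    - alertProperty: AlertLink
      value: detection_url

# Alerts only: no incident is created, so the grouping settings are carried for
# completeness but presumably have no effect while createIncident is false.
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H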