Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Vectra Create Detection Alert for Hosts

Back
Idfb861539-da19-4266-831f-99459b8e7605
RulenameVectra Create Detection Alert for Hosts
DescriptionThis analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
SeverityMedium
TacticsPersistence
TechniquesT1546
Required data connectorsVectraXDR
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml
Version1.0.1
Arm templatefb861539-da19-4266-831f-99459b8e7605.json
Deploy To Azure
VectraDetections
| where Type == "host"
| extend
    entity_uid = ['Entity UID'],
    entity_id = ['Entity ID'],
    entity_type = ['Entity Type'],
    detection_id = ['Detection ID'],
    detection = ['Detection Name'],
    category = ['Detection Category'],
    detection_url = ['Vectra Pivot'],
    mitre = Mitre,
    tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
kind: Scheduled
triggerThreshold: 0
tactics:
- Persistence
id: fb861539-da19-4266-831f-99459b8e7605
query: |
  VectraDetections
  | where Type == "host"
  | extend
      entity_uid = ['Entity UID'],
      entity_id = ['Entity ID'],
      entity_type = ['Entity Type'],
      detection_id = ['Detection ID'],
      detection = ['Detection Name'],
      category = ['Detection Category'],
      detection_url = ['Vectra Pivot'],
      mitre = Mitre,
      tags = Tags
  | summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid  
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - Detections_Data_CL
  connectorId: VectraXDR
name: Vectra Create Detection Alert for Hosts
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: entity_uid
status: Available
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
severity: Medium
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Detection- {{detection}}
  alertDynamicProperties:
  - value: detection_url
    alertProperty: AlertLink
  alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.
queryFrequency: 10m
suppressionEnabled: false
version: 1.0.1
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml
suppressionDuration: PT1H
relevantTechniques:
- T1546
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
customDetails:
  entity_type: entity_type
  mitre_techniques: mitre
  entity_id: entity_id
  tags: tags
  detection_id: detection_id
queryPeriod: 10m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb861539-da19-4266-831f-99459b8e7605')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb861539-da19-4266-831f-99459b8e7605')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.",
          "alertDisplayNameFormat": "Vectra AI Detection- {{detection}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "detection_url"
            }
          ]
        },
        "alertRuleTemplateName": "fb861539-da19-4266-831f-99459b8e7605",
        "customDetails": {
          "detection_id": "detection_id",
          "entity_id": "entity_id",
          "entity_type": "entity_type",
          "mitre_techniques": "mitre",
          "tags": "tags"
        },
        "description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
        "displayName": "Vectra Create Detection Alert for Hosts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "entity_uid",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml",
        "query": "VectraDetections\n| where Type == \"host\"\n| extend\n    entity_uid = ['Entity UID'],\n    entity_id = ['Entity ID'],\n    entity_type = ['Entity Type'],\n    detection_id = ['Detection ID'],\n    detection = ['Detection Name'],\n    category = ['Detection Category'],\n    detection_url = ['Vectra Pivot'],\n    mitre = Mitre,\n    tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}