Vectra Create Detection Alert for Hosts
| Id | fb861539-da19-4266-831f-99459b8e7605 |
| Rulename | Vectra Create Detection Alert for Hosts |
| Description | This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1546 |
| Required data connectors | VectraXDR |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml |
| Version | 1.0.1 |
| Arm template | fb861539-da19-4266-831f-99459b8e7605.json |
VectraDetections
| where Type == "host"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
status: Available
triggerOperator: GreaterThan
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
createIncident: false
triggerThreshold: 0
name: Vectra Create Detection Alert for Hosts
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml
queryPeriod: 10m
severity: Medium
eventGroupingSettings:
aggregationKind: AlertPerResult
kind: Scheduled
entityMappings:
- entityType: Host
fieldMappings:
- columnName: entity_uid
identifier: HostName
queryFrequency: 10m
relevantTechniques:
- T1546
requiredDataConnectors:
- dataTypes:
- Detections_Data_CL
connectorId: VectraXDR
customDetails:
mitre_techniques: mitre
tags: tags
entity_id: entity_id
entity_type: entity_type
detection_id: detection_id
suppressionDuration: PT1H
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
tactics:
- Persistence
query: |
VectraDetections
| where Type == "host"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
id: fb861539-da19-4266-831f-99459b8e7605
version: 1.0.1
alertDetailsOverride:
alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.
alertDynamicProperties:
- alertProperty: AlertLink
value: detection_url
alertDisplayNameFormat: Vectra AI Detection- {{detection}}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb861539-da19-4266-831f-99459b8e7605')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb861539-da19-4266-831f-99459b8e7605')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.",
"alertDisplayNameFormat": "Vectra AI Detection- {{detection}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "detection_url"
}
]
},
"alertRuleTemplateName": "fb861539-da19-4266-831f-99459b8e7605",
"customDetails": {
"detection_id": "detection_id",
"entity_id": "entity_id",
"entity_type": "entity_type",
"mitre_techniques": "mitre",
"tags": "tags"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Create Detection Alert for Hosts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "entity_uid",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml",
"query": "VectraDetections\n| where Type == \"host\"\n| extend\n entity_uid = ['Entity UID'],\n entity_id = ['Entity ID'],\n entity_type = ['Entity Type'],\n detection_id = ['Detection ID'],\n detection = ['Detection Name'],\n category = ['Detection Category'],\n detection_url = ['Vectra Pivot'],\n mitre = Mitre,\n tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}