Vectra Create Detection Alert for Hosts
Id | fb861539-da19-4266-831f-99459b8e7605 |
Rulename | Vectra Create Detection Alert for Hosts |
Description | This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform |
Severity | Medium |
Tactics | Persistence |
Techniques | T1546 |
Required data connectors | VectraXDR |
Kind | Scheduled |
Query frequency | 10m |
Query period | 10m |
Trigger threshold | 0 |
Trigger operator | GreaterThan |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml |
Version | 1.0.1 |
Arm template | fb861539-da19-4266-831f-99459b8e7605.json |
VectraDetections
| where Type == "host"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
suppressionEnabled: false
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Detection- {{detection}}
alertDescriptionFormat: Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.
alertDynamicProperties:
- value: detection_url
alertProperty: AlertLink
suppressionDuration: PT1H
requiredDataConnectors:
- connectorId: VectraXDR
dataTypes:
- Detections_Data_CL
severity: Medium
queryFrequency: 10m
id: fb861539-da19-4266-831f-99459b8e7605
relevantTechniques:
- T1546
queryPeriod: 10m
name: Vectra Create Detection Alert for Hosts
status: Available
kind: Scheduled
incidentConfiguration:
createIncident: false
groupingConfiguration:
lookbackDuration: PT5H
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
tactics:
- Persistence
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.1
entityMappings:
- entityType: Host
fieldMappings:
- columnName: entity_uid
identifier: HostName
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
detection_id: detection_id
entity_id: entity_id
mitre_techniques: mitre
entity_type: entity_type
tags: tags
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml
query: |
VectraDetections
| where Type == "host"
| extend
entity_uid = ['Entity UID'],
entity_id = ['Entity ID'],
entity_type = ['Entity Type'],
detection_id = ['Detection ID'],
detection = ['Detection Name'],
category = ['Detection Category'],
detection_url = ['Vectra Pivot'],
mitre = Mitre,
tags = Tags
| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb861539-da19-4266-831f-99459b8e7605')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb861539-da19-4266-831f-99459b8e7605')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Vectra AI has detected {{category}} - {{detection}} on entity {{entity_uid}}.",
"alertDisplayNameFormat": "Vectra AI Detection- {{detection}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "detection_url"
}
]
},
"alertRuleTemplateName": "fb861539-da19-4266-831f-99459b8e7605",
"customDetails": {
"detection_id": "detection_id",
"entity_id": "entity_id",
"entity_type": "entity_type",
"mitre_techniques": "mitre",
"tags": "tags"
},
"description": "This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform",
"displayName": "Vectra Create Detection Alert for Hosts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "entity_uid",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra XDR/Analytic Rules/Detection_Host.yaml",
"query": "VectraDetections\n| where Type == \"host\"\n| extend\n entity_uid = ['Entity UID'],\n entity_id = ['Entity ID'],\n entity_type = ['Entity Type'],\n detection_id = ['Detection ID'],\n detection = ['Detection Name'],\n category = ['Detection Category'],\n detection_url = ['Vectra Pivot'],\n mitre = Mitre,\n tags = Tags\n| summarize arg_max(TimeGenerated, *) by ['Detection ID'], entity_uid\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1546"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}