Vectra AI Detect - Suspected Compromised Account

Status: available
Severity: informational
Time window: 5m
Group by: saccount
Source: github.com/Azure/Azure-Sentinel

'Create an incident when an Account is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1003` OS Credential Dumping
Discovery	`T1087` Account Discovery
Lateral Movement	`T1021` Remote Services
Collection	`T1119` Automated Collection
Command & Control	`T1071` Application Layer Protocol
Exfiltration	`T1041` Exfiltration Over C2 Channel
Impact	`T1499` Endpoint Denial of Service

Rule body kusto

id: 321f9dbd-64b7-4541-81dc-08cf7732ccb0
name: Vectra AI Detect - Suspected Compromised Account
description: |
  'Create an incident when an Account is suspected to be compromised. 
  The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. 
  Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
severity: Informational
status: Available
requiredDataConnectors:
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
  - CredentialAccess
  - Discovery
  - LateralMovement
  - Collection
  - CommandAndControl
  - Exfiltration
  - Impact
relevantTechniques:
  - T1003
  - T1087
  - T1021
  - T1119
  - T1071
  - T1041
  - T1499
query: |
  // Edit this variable to only keep the Severity level where an incident needs to be created.
  //Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
  let configured_level = dynamic(["High", "Critical"]);
  let upn_has_prefix = ":";
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID == "asc"
  | extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
  | extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
  | extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
  | extend name = tostring(split(upn,"@")[0])
  | extend upn_suffix = tostring(split(upn,"@")[1])
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename score_decreases = DeviceCustomString3
  | extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                        threat_score < 50 and certainty_score >= 50 , "Medium", 
                        threat_score >= 50 and certainty_score <= 50, "High", 
                        threat_score >= 50 and certainty_score >= 50, "Critical",
                        "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
  | where level in (configured_level) 
  //keep only the event with the highest threat score per Host
  | summarize arg_max(threat_score, *) by saccount
  | sort by TimeGenerated
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: name
      - identifier: UPNSuffix
        columnName: upn_suffix
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI Detect - Account {{saccount}} reaches {{level}} severity
  alertDescriptionFormat: |
    The account {{saccount}} has a threat score of {{threat_score}} and a
    certainty of {{certainty_score}}
  alertSeverityColumnName: Severity
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: vectra_URL
    - alertProperty: ProductName
      value: DeviceProduct
    - alertProperty: ProviderName
      value: DeviceVendor
    - alertProperty: ConfidenceScore
      value: certainty_score
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: true
    lookbackDuration: 7d
    matchingMethod: AllEntities
customDetails:
  ScoreDecrease: score_decreases
version: 1.0.9
kind: Scheduled

Stages and Predicates

Parameters

let configured_level = dynamic(["High", "Critical"]);
let upn_has_prefix = ":";

Stage 1: `source`

CommonSecurityLog

Stage 2: `where`

| where DeviceVendor == "Vectra Networks"

Stage 3: `where`

| where DeviceProduct == "X Series"

Stage 4: `where`

| where DeviceEventClassID == "asc"

Stage 5: `extend` (5 consecutive steps)

| extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" )
| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
| extend name = tostring(split(upn,"@")[0])
| extend upn_suffix = tostring(split(upn,"@")[1])

Stage 6: `project-rename`

| project-rename threat_score = FlexNumber1

Stage 7: `project-rename`

| project-rename certainty_score = FlexNumber2

Stage 8: `project-rename`

| project-rename vectra_URL = DeviceCustomString4

Stage 9: `project-rename`

| project-rename detection_name = DeviceEventClassID

Stage 10: `project-rename`

| project-rename score_decreases = DeviceCustomString3

Stage 11: `extend`

| extend level = case( threat_score <  50 and certainty_score < 50, "Low",
                      threat_score < 50 and certainty_score >= 50 , "Medium", 
                      threat_score >= 50 and certainty_score <= 50, "High", 
                      threat_score >= 50 and certainty_score >= 50, "Critical",
                      "UNKNOWN")

level =

ifthreat_score < 50 and certainty_score < 50"Low"

elifthreat_score < 50 and certainty_score >= 50"Medium"

elifthreat_score >= 50 and certainty_score <= 50"High"

elifthreat_score >= 50 and certainty_score >= 50"Critical"

else"UNKNOWN"

Stage 12: `extend`

| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)

Severity =

iflevel == "Info""Informational"

eliflevel == "Critical""High"

elselevel

Stage 13: `where`

| where level in (configured_level)

Stage 14: `summarize`

| summarize arg_max(threat_score, *) by saccount

Stage 15: `sort`

| sort by TimeGenerated

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DeviceEventClassID`	eq	`asc` transforms: `cased`
`DeviceProduct`	eq	`X Series` transforms: `cased`
`DeviceVendor`	eq	`Vectra Networks` transforms: `cased`
`level`	in	`Critical` transforms: `cased` `High` transforms: `cased`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`saccount`	`summarize`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Vectra AI Detect - Suspected Compromised Account

MITRE ATT&CK coverage

Rule body kusto

Stages and Predicates

Parameters

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `extend` (5 consecutive steps)

Stage 6: `project-rename`

Stage 7: `project-rename`

Stage 8: `project-rename`

Stage 9: `project-rename`

Stage 10: `project-rename`

Stage 11: `extend`

Stage 12: `extend`

Stage 13: `where`

Stage 14: `summarize`

Stage 15: `sort`

Indicators

Output fields

Keyboard shortcuts

Search operators

Vectra AI Detect - Suspected Compromised Account

MITRE ATT&CK coverage

Rule body kusto

Stages and Predicates

Parameters

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where

Stage 5: extend (5 consecutive steps)

Stage 6: project-rename

Stage 7: project-rename

Stage 8: project-rename

Stage 9: project-rename

Stage 10: project-rename

Stage 11: extend

Stage 12: extend

Stage 13: where

Stage 14: summarize

Stage 15: sort

Indicators

Output fields

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `where`

Stage 5: `extend` (5 consecutive steps)

Stage 6: `project-rename`

Stage 7: `project-rename`

Stage 8: `project-rename`

Stage 9: `project-rename`

Stage 10: `project-rename`

Stage 11: `extend`

Stage 12: `extend`

Stage 13: `where`

Stage 14: `summarize`

Stage 15: `sort`