Vectra Host's Behaviors
'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host detections.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping |
| Discovery | T1087 Account Discovery |
| Lateral Movement | T1021 Remote Services |
| Collection | T1119 Automated Collection |
| Command & Control | T1071 Application Layer Protocol |
| Exfiltration | T1041 Exfiltration Over C2 Channel |
| Impact | T1499 Endpoint Denial of Service |
Rule body

```yaml
id: 33e3b6da-2660-4cd7-9032-11be76db88d2
name: Vectra Host's Behaviors
description: |
  'This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. This rule is focused on host detections.'
severity: Informational
status: Available
requiredDataConnectors:
  - connectorId: CefAma
    dataTypes:
      - CommonSecurityLog
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
  - CredentialAccess
  - Discovery
  - LateralMovement
  - Collection
  - CommandAndControl
  - Exfiltration
  - Impact
relevantTechniques:
  - T1003
  - T1087
  - T1021
  - T1119
  - T1071
  - T1041
  - T1499
query: |
  CommonSecurityLog
  | where DeviceVendor == "Vectra Networks"
  | where DeviceProduct == "X Series"
  | where DeviceEventClassID != "campaigns"
      and DeviceEventClassID != "hsc"
      and DeviceEventClassID != "audit"
      and DeviceEventClassID != "health"
      and DeviceEventClassID != "asc"
  | extend Category = coalesce(
      column_ifexists("DeviceEventCategory", ""),
      extract("cat=(.+?)(;|$)", 1, AdditionalExtensions),
      ""
    )
  | project-rename threat_score = FlexNumber1
  | project-rename certainty_score = FlexNumber2
  | project-rename vectra_URL = DeviceCustomString4
  | project-rename detection_name = DeviceEventClassID
  | project-rename triaged = DeviceCustomString5
  | where triaged != "True" and AdditionalExtensions !has "account"
  | extend source_entity = case(isnotempty(SourceHostName), SourceHostName,
                                "UNKNOWN")
  | extend level = case(threat_score == 0 and certainty_score == 0, "Info",
                        threat_score < 50 and certainty_score < 50, "Low",
                        threat_score < 50 and certainty_score >= 50, "Medium",
                        threat_score >= 50 and certainty_score <= 50, "High",
                        threat_score >= 50 and certainty_score >= 50, "Critical",
                        "UNKNOWN")
  | extend Severity = case(level == "Info", "Informational", level == "Critical", "High", level)
  | summarize arg_max(threat_score, *) by source_entity, Activity
  | sort by TimeGenerated
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
alertDetailsOverride:
  alertDisplayNameFormat: Vectra AI - {{Activity}} Detected
  alertDescriptionFormat: |
    Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.
  alertSeverityColumnName: Severity
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: vectra_URL
    - alertProperty: ProductName
      value: DeviceProduct
    - alertProperty: ProviderName
      value: DeviceVendor
    - alertProperty: ConfidenceScore
      value: certainty_score
customDetails:
  AttackType: Activity
  AttackCategory: Category
version: 1.0.5
kind: Scheduled
```

Two operational details worth noting. queryPeriod equals queryFrequency (5m), so an event whose TimeGenerated falls more than five minutes before the run that first sees it is never evaluated; if CEF ingestion lags, widen queryPeriod or the events are silently missed. Also, although aggregationKind is AlertPerResult, the summarize arg_max(threat_score, *) by source_entity, Activity step already collapses each host/detection pair to its highest-threat row, so the rule raises at most one alert per host per detection name per run.
Stages and Predicates
Stage 1: source
CommonSecurityLog
Stage 2: where
| where DeviceVendor == "Vectra Networks"
Stage 3: where
| where DeviceProduct == "X Series"
Stage 4: where
| where DeviceEventClassID != "campaigns"
and DeviceEventClassID != "hsc"
and DeviceEventClassID != "audit"
and DeviceEventClassID != "health"
and DeviceEventClassID != "asc"
Stage 5: extend
| extend Category = coalesce(
column_ifexists("DeviceEventCategory", ""),
extract("cat=(.+?)(;|$)", 1, AdditionalExtensions),
""
)
Stage 6: project-rename
| project-rename threat_score = FlexNumber1
Stage 7: project-rename
| project-rename certainty_score = FlexNumber2
Stage 8: project-rename
| project-rename vectra_URL = DeviceCustomString4
Stage 9: project-rename
| project-rename detection_name = DeviceEventClassID
Stage 10: project-rename
| project-rename triaged = DeviceCustomString5
Stage 11: where
| where triaged != "True" and AdditionalExtensions !has "account"
Stage 12: extend (3 consecutive steps)
| extend source_entity = case(isnotempty(SourceHostName), SourceHostName,
"UNKNOWN")
| extend level = case(threat_score == 0 and certainty_score == 0, "Info",
threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50, "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational", level == "Critical", "High", level)
Because case() evaluates its branches in order and the "High" branch uses certainty_score <= 50, a detection with threat_score >= 50 and certainty_score exactly 50 is rated High, not Critical; only certainty_score > 50 reaches the Critical branch.
Stage 13: summarize
| summarize arg_max(threat_score, *) by source_entity, Activity
Stage 14: sort
| sort by TimeGenerated
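To see what the fourteen stages above do to concrete records, here is an added Python emulation of the query. It is not part of this catalog page or of the Vectra rule; it applies the same vendor, product and class filters, the coalesce-based Category extraction, the triaged and !has "account" suppressions, the threat/certainty matrix, the Severity mapping, the arg_max per (source_entity, Activity) and the descending sort to a handful of constructed CommonSecurityLog-shaped rows. The rows, hostnames and URLs are made up for the example; the kql_has helper only approximates KQL's whole-term `has` matching; and the empty-hostname placeholder is spelled UNKNOWN here.

```python
import re

# Constructed CommonSecurityLog-shaped rows (made up for this example, not real
# Vectra events). Only the columns the rule touches are populated.
def _row(ts, cls, activity, host, threat, certainty, ext, triaged="False", **extra):
    r = {
        "TimeGenerated": ts,
        "DeviceVendor": "Vectra Networks",
        "DeviceProduct": "X Series",
        "DeviceEventClassID": cls,           # renamed to detection_name by the rule
        "Activity": activity,
        "SourceHostName": host,
        "FlexNumber1": threat,               # renamed to threat_score
        "FlexNumber2": certainty,            # renamed to certainty_score
        "DeviceCustomString4": f"https://vectra.example.invalid/detections/{cls}",  # vectra_URL (made up)
        "DeviceCustomString5": triaged,      # renamed to triaged
        "AdditionalExtensions": ext,
    }
    r.update(extra)
    return r

SAMPLE_ROWS = [
    _row("2024-05-01T10:00:00Z", "suspicious_remote_exec", "Suspicious Remote Execution",
         "ws-finance-07", 40, 60, "cat=LATERAL MOVEMENT;dvchost=brain"),
    _row("2024-05-01T10:03:00Z", "suspicious_remote_exec", "Suspicious Remote Execution",
         "ws-finance-07", 70, 80, "cat=LATERAL MOVEMENT;dvchost=brain"),        # same key, higher threat
    _row("2024-05-01T10:04:00Z", "hsc", "Host Score Change",
         "ws-finance-07", 70, 80, "cat=HOST SCORING"),                            # excluded class id
    _row("2024-05-01T10:05:00Z", "hidden_https_tunnel", "Hidden HTTPS Tunnel",
         "srv-web-02", 55, 65, "cat=COMMAND & CONTROL", triaged="True"),         # already triaged
    _row("2024-05-01T10:06:00Z", "privilege_anomaly", "Privilege Anomaly",
         "dc-01", 60, 60, "cat=PRIVILEGE;account=jdoe"),                         # "account" term present
    _row("2024-05-01T10:07:00Z", "external_remote_access", "External Remote Access",
         "", 60, 50, "dvchost=brain", DeviceEventCategory="COMMAND & CONTROL"),  # no hostname, certainty 50
    _row("2024-05-01T10:08:00Z", "new_host", "New Host", "ws-hr-03", 0, 0, "cat=INFO"),
    _row("2024-05-01T10:09:00Z", "hidden_dns_tunnel", "Hidden DNS Tunnel",
         "ws-ops-01", 90, 90, "cat=COMMAND & CONTROL", DeviceVendor="Other Vendor"),  # wrong vendor
]

EXCLUDED_CLASSES = {"campaigns", "hsc", "audit", "health", "asc"}
CAT_RE = re.compile(r"cat=(.+?)(;|$)")   # same pattern as the query's extract()

def kql_has(haystack, term):
    """Approximates KQL `has`: case-insensitive match on a whole alphanumeric
    term, not a substring, so "accounts" does not match "account"."""
    return term.lower() in re.split(r"[^a-z0-9]+", haystack.lower())

def category(row):
    """coalesce(column_ifexists("DeviceEventCategory", ""), extract(cat=..., AdditionalExtensions), "")."""
    if row.get("DeviceEventCategory"):
        return row["DeviceEventCategory"]
    m = CAT_RE.search(row.get("AdditionalExtensions", ""))
    return m.group(1) if m else ""

def level(threat, certainty):
    """The rule's threat/certainty matrix, in the same branch order as the KQL case()."""
    if threat == 0 and certainty == 0: return "Info"
    if threat < 50 and certainty < 50: return "Low"
    if threat < 50 and certainty >= 50: return "Medium"
    if threat >= 50 and certainty <= 50: return "High"      # <= 50: certainty 50 lands here, not in Critical
    if threat >= 50 and certainty >= 50: return "Critical"
    return "UNKNOWN"

def severity(lvl):
    """Sentinel alert severities stop at High, so Critical maps to High and Info to Informational."""
    return {"Info": "Informational", "Critical": "High"}.get(lvl, lvl)

def run_rule(rows):
    kept = []
    for r in rows:
        if r["DeviceVendor"] != "Vectra Networks" or r["DeviceProduct"] != "X Series":
            continue
        if r["DeviceEventClassID"] in EXCLUDED_CLASSES:
            continue
        if r.get("DeviceCustomString5") == "True" or kql_has(r.get("AdditionalExtensions", ""), "account"):
            continue
        threat, certainty = r["FlexNumber1"], r["FlexNumber2"]
        lvl = level(threat, certainty)
        kept.append({
            "source_entity": r.get("SourceHostName") or "UNKNOWN",   # isnotempty() fallback
            "Activity": r["Activity"],
            "detection_name": r["DeviceEventClassID"],
            "Category": category(r),
            "threat_score": threat,
            "certainty_score": certainty,
            "vectra_URL": r.get("DeviceCustomString4", ""),
            "level": lvl,
            "Severity": severity(lvl),
            "TimeGenerated": r["TimeGenerated"],
        })
    # summarize arg_max(threat_score, *) by source_entity, Activity: keep the
    # highest-threat row per key (first seen wins a tie here; KQL does not promise which).
    best = {}
    for k in kept:
        key = (k["source_entity"], k["Activity"])
        if key not in best or k["threat_score"] > best[key]["threat_score"]:
            best[key] = k
    # `sort by TimeGenerated` in KQL defaults to descending order.
    return sorted(best.values(), key=lambda k: k["TimeGenerated"], reverse=True)

if __name__ == "__main__":
    for a in run_rule(SAMPLE_ROWS):
        print(f'Vectra AI - {a["Activity"]} Detected | host={a["source_entity"]} cat={a["Category"]} '
              f'T={a["threat_score"]} C={a["certainty_score"]} level={a["level"]} severity={a["Severity"]}')
```

Of the eight constructed rows, three survive: the two suspicious_remote_exec rows for ws-finance-07 collapse to the 70/80 one (Critical, surfaced as High), the hostname-less external_remote_access row alerts as High under the placeholder entity with its Category taken from DeviceEventCategory rather than the cat= extension, and the 0/0 new_host row alerts as Informational. The hsc class, the triaged tunnel, the row whose extensions carry the account term and the non-Vectra vendor are all dropped before scoring.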
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| AdditionalExtensions | match (KQL !has, whole-term, case-insensitive) | account |
The same where stage also drops events already triaged in Vectra (triaged, i.e. DeviceCustomString5, equal to "True"), and stage 4 drops the campaigns, hsc, audit, health and asc event classes; those appear as ne indicators below.
Indicators
Each row is a field, operator and value that the rule matches; the values are those used in the query above.
| Field | Kind | Values |
|---|---|---|
| DeviceEventClassID | ne | campaigns, hsc, audit, health, asc |
| DeviceProduct | eq | X Series |
| DeviceVendor | eq | Vectra Networks |
| triaged | ne | True |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| Activity | summarize (group key; alert title and AttackType custom detail) |
| source_entity | summarize (group key) |
| Category | extend (AttackCategory custom detail) |
| detection_name | project-rename from DeviceEventClassID |
| threat_score | project-rename from FlexNumber1 |
| certainty_score | project-rename from FlexNumber2 (ConfidenceScore dynamic property) |
| vectra_URL | project-rename from DeviceCustomString4 (AlertLink dynamic property) |
| level | extend |
| Severity | extend (alertSeverityColumnName) |
Two mapping details matter in practice. The host entity is mapped from SourceHostName, not from source_entity, so a row with an empty hostname still produces an alert under the placeholder entity but carries no Host entity. And the rule's static severity (Informational) is overridden per alert by the Severity column, so Critical detections surface as High because Sentinel has no Critical alert level.