Detection rules › Kusto
Vectra AI Detect - Suspected Compromised Host
'Create an incident when a Host is suspected to be compromised. The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1003 OS Credential Dumping |
| Discovery | T1087 Account Discovery |
| Lateral Movement | T1021 Remote Services |
| Collection | T1119 Automated Collection |
| Command & Control | T1071 Application Layer Protocol |
| Exfiltration | T1041 Exfiltration Over C2 Channel |
| Impact | T1499 Endpoint Denial of Service |
Rule body kusto
id: 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63
name: Vectra AI Detect - Suspected Compromised Host
description: |
'Create an incident when a Host is suspected to be compromised.
The higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat.
Level of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.'
severity: Informational
status: Available
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
tactics:
- CredentialAccess
- Discovery
- LateralMovement
- Collection
- CommandAndControl
- Exfiltration
- Impact
relevantTechniques:
- T1003
- T1087
- T1021
- T1119
- T1071
- T1041
- T1499
query: |
// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: "High", "Critical" ). Possible values are: "Low", "Medium", "High", "Critical"
let configured_level = dynamic(["High", "Critical"]);
CommonSecurityLog
| where DeviceVendor == "Vectra Networks"
| where DeviceProduct == "X Series"
| where DeviceEventClassID == "hsc"
| project-rename threat_score = FlexNumber1
| project-rename certainty_score = FlexNumber2
| project-rename vectra_URL = DeviceCustomString4
| project-rename detection_name = DeviceEventClassID
| project-rename score_decreases = DeviceCustomString3
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
| where level in (configured_level)
//keep only the event with the highest threat score per Host
| summarize arg_max(TimeGenerated, *) by SourceHostName
| sort by TimeGenerated
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: SourceHostName
alertDetailsOverride:
alertDisplayNameFormat: Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity
alertDescriptionFormat: |
The host {{SourceHostName}} has a Threat score of {{threat_score}} and a
certainty of {{certainty_score}}
alertSeverityColumnName: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: vectra_URL
- alertProperty: ProductName
value: DeviceProduct
- alertProperty: ProviderName
value: DeviceVendor
- alertProperty: ConfidenceScore
value: certainty_score
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: true
lookbackDuration: 7d
matchingMethod: AllEntities
customDetails:
ScoreDecrease: score_decreases
version: 1.0.9
kind: Scheduled
Stages and Predicates
Parameters
let configured_level = dynamic(["High", "Critical"]);
Stage 1: source
CommonSecurityLog
Stage 2: where
| where DeviceVendor == "Vectra Networks"
Stage 3: where
| where DeviceProduct == "X Series"
Stage 4: where
| where DeviceEventClassID == "hsc"
Stage 5: project-rename
| project-rename threat_score = FlexNumber1
Stage 6: project-rename
| project-rename certainty_score = FlexNumber2
Stage 7: project-rename
| project-rename vectra_URL = DeviceCustomString4
Stage 8: project-rename
| project-rename detection_name = DeviceEventClassID
Stage 9: project-rename
| project-rename score_decreases = DeviceCustomString3
Stage 10: extend
| extend level = case( threat_score < 50 and certainty_score < 50, "Low",
threat_score < 50 and certainty_score >= 50 , "Medium",
threat_score >= 50 and certainty_score <= 50, "High",
threat_score >= 50 and certainty_score >= 50, "Critical",
"UNKNOWN")
level =if
threat_score < 50 and certainty_score < 50"Low"elif
threat_score < 50 and certainty_score >= 50"Medium"elif
threat_score >= 50 and certainty_score <= 50"High"elif
threat_score >= 50 and certainty_score >= 50"Critical"else
"UNKNOWN"Stage 11: extend
| extend Severity = case(level == "Info", "Informational",level == "Critical", "High", level)
Severity =if
level == "Info""Informational"elif
level == "Critical""High"else
levelStage 12: where
| where level in (configured_level)
Stage 13: summarize
| summarize arg_max(TimeGenerated, *) by SourceHostName
Stage 14: sort
| sort by TimeGenerated
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DeviceEventClassID | eq |
|
DeviceProduct | eq |
|
DeviceVendor | eq |
|
level | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
SourceHostName | summarize |