diff --git a/Solutions/Vectra AI Detect/Package/3.0.2.zip b/Solutions/Vectra AI Detect/Package/3.0.2.zip
new file mode 100644
index 00000000000..f618c206cc5
Binary files /dev/null and b/Solutions/Vectra AI Detect/Package/3.0.2.zip differ
diff --git a/Solutions/Vectra AI Detect/Package/createUiDefinition.json b/Solutions/Vectra AI Detect/Package/createUiDefinition.json
index bb309bfb74b..74014f15726 100644
--- a/Solutions/Vectra AI Detect/Package/createUiDefinition.json
+++ b/Solutions/Vectra AI Detect/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Detect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Detect](https://www.vectra.ai/products/platform%22%20/t%20%22_blank) solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\n\r This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20AI%20Detect/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Vectra AI Detect](https://www.vectra.ai/products/platform%22%20/t%20%22_blank) solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.\n\r This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on **Aug 31, 2024.**\n\n**Workbooks:** 1, **Analytic Rules:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Vectra AI Detect. You can get Vectra AI Detect CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/Vectra AI Detect/Package/mainTemplate.json b/Solutions/Vectra AI Detect/Package/mainTemplate.json index 06228dec2ec..6c56bf8cf55 100644 --- a/Solutions/Vectra AI Detect/Package/mainTemplate.json +++ b/Solutions/Vectra AI Detect/Package/mainTemplate.json 
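Review bot: The product link inside the new `description` value is malformed: its target is `https://www.vectra.ai/products/platform%22%20/t%20%22_blank`, which is a literal `" /t "_blank` (a word-processor hyperlink artifact) percent-encoded onto the URL, so the link shown in the install wizard is unlikely to resolve. The commit rewrites this string for the deprecation wording but carries the broken target across; change the link to `[Vectra AI Detect](https://www.vectra.ai/products/platform)`. The same string also contains a stray carriage return in `\n\r This solution is dependent`, which should read `\n\nThis solution is dependent` so the paragraph break renders like the others in the text. If createUiDefinition.json is produced by the solution packaging tool, as the accompanying 3.0.2.zip suggests, both fixes belong in the packaging input's description so the next regeneration does not reintroduce them.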
@@ -39,27 +39,9 @@ }, "variables": { "_solutionName": "Vectra AI Detect", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "vectraaiinc.ai_vectra_detect_mss", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "AIVectraDetect", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "AIVectraDetect", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "AIVectraDetectAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "AIVectraDetectAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.1.1", "workbookContentId1": "AIVectraDetectWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
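Review bot: This hunk deletes every `dataConnector*` and `uiConfigId*` variable, but nothing in view confirms that all references to them are gone; any surviving `variables('_dataConnectorId1')`, `variables('_dataConnectorContentId2')` or similar elsewhere in the template will fail ARM validation with an undefined-variable error before anything is deployed. The connector resources themselves are removed further down, but the closing `contentPackages` resource lies outside this chunk; if it carries `dependencies.criteria` entries keyed by content id, confirm the `AIVectraDetect` and `AIVectraDetectAma` entries are dropped there as well. Also worth stating in the release notes: an incremental deployment does not delete resources that are absent from the template, so workspaces upgrading from 3.0.1 keep the two previously deployed connector resources, and ingestion for the seven analytic rules now depends entirely on the separately installed CEF via AMA connector.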
@@ -68,787 +50,57 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.7", + "analyticRuleVersion1": "1.0.9", "_analyticRulecontentId1": "321f9dbd-64b7-4541-81dc-08cf7732ccb0", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '321f9dbd-64b7-4541-81dc-08cf7732ccb0')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('321f9dbd-64b7-4541-81dc-08cf7732ccb0')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','321f9dbd-64b7-4541-81dc-08cf7732ccb0','-', '1.0.7')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','321f9dbd-64b7-4541-81dc-08cf7732ccb0','-', '1.0.9')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", + "analyticRuleVersion2": "1.0.5", "_analyticRulecontentId2": "ce54b5d3-4c31-4eaf-a73e-31412270b6ab", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ce54b5d3-4c31-4eaf-a73e-31412270b6ab')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ce54b5d3-4c31-4eaf-a73e-31412270b6ab')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce54b5d3-4c31-4eaf-a73e-31412270b6ab','-', '1.0.3')))]" + 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ce54b5d3-4c31-4eaf-a73e-31412270b6ab','-', '1.0.5')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.8", + "analyticRuleVersion3": "1.1.0", "_analyticRulecontentId3": "39e48890-2c02-487e-aa9e-3ba494061798", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39e48890-2c02-487e-aa9e-3ba494061798')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39e48890-2c02-487e-aa9e-3ba494061798')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39e48890-2c02-487e-aa9e-3ba494061798','-', '1.0.8')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39e48890-2c02-487e-aa9e-3ba494061798','-', '1.1.0')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.7", + "analyticRuleVersion4": "1.0.9", "_analyticRulecontentId4": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('60eb6cf0-3fa1-44c1-b1fe-220fbee23d63')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60eb6cf0-3fa1-44c1-b1fe-220fbee23d63','-', '1.0.7')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60eb6cf0-3fa1-44c1-b1fe-220fbee23d63','-', '1.0.9')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.5", "_analyticRulecontentId5": "33e3b6da-2660-4cd7-9032-11be76db88d2", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '33e3b6da-2660-4cd7-9032-11be76db88d2')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('33e3b6da-2660-4cd7-9032-11be76db88d2')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','33e3b6da-2660-4cd7-9032-11be76db88d2','-', '1.0.3')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','33e3b6da-2660-4cd7-9032-11be76db88d2','-', '1.0.5')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.1.8", + "analyticRuleVersion6": "1.2.3", "_analyticRulecontentId6": "a34d0338-eda0-42b5-8b93-32aae0d7a501", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a34d0338-eda0-42b5-8b93-32aae0d7a501')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a34d0338-eda0-42b5-8b93-32aae0d7a501')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a34d0338-eda0-42b5-8b93-32aae0d7a501','-', '1.1.8')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a34d0338-eda0-42b5-8b93-32aae0d7a501','-', '1.2.3')))]" }, "analyticRuleObject7": { - 
"analyticRuleVersion7": "1.0.9", + "analyticRuleVersion7": "1.1.1", "_analyticRulecontentId7": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6cb75f65-231f-46c4-a0b3-50ff21ee6ed3')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6cb75f65-231f-46c4-a0b3-50ff21ee6ed3')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6cb75f65-231f-46c4-a0b3-50ff21ee6ed3','-', '1.0.9')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6cb75f65-231f-46c4-a0b3-50ff21ee6ed3','-', '1.1.1')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vectra AI Detect data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Vectra AI Detect via Legacy Agent", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - "description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, 
SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 over TCP, UDP or TLS.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI.", - "title": "2. Forward AI Vectra Detect logs to Syslog agent in CEF format" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "metadata": { - "id": "2de7b355-5f0b-4eb1-a264-629314ef86e5", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "link": "https://www.vectra.ai/support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Vectra AI Detect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "tier": "Partner", - "email": "support@vectra.ai", - "link": "https://www.vectra.ai/support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Vectra AI Detect via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Vectra AI Detect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "tier": "Partner", - "email": "support@vectra.ai", - "link": "https://www.vectra.ai/support" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Vectra AI Detect via Legacy Agent", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - "description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 
desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 over TCP, UDP or TLS.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI.", - "title": "2. Forward AI Vectra Detect logs to Syslog agent in CEF format" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Vectra AI Detect data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Vectra AI Detect via AMA", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - "description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and 
DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward AI Vectra Detect logs to Syslog agent in CEF format", - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. 
Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "2de7b355-5f0b-4eb1-a264-629314ef86e5", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "link": "https://www.vectra.ai/support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Vectra AI Detect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "tier": "Partner", - "email": "support@vectra.ai", - "link": "https://www.vectra.ai/support" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Vectra AI Detect via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Vectra AI Detect", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Vectra AI" - }, - "support": { - "name": "Vectra AI", - "tier": "Partner", - "email": "support@vectra.ai", - "link": "https://www.vectra.ai/support" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Vectra AI Detect via AMA", - "publisher": "Vectra AI", - "descriptionMarkdown": "The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives users more insight into their organization's network and improves their security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AIVectraDetect", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AIVectraDetect)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Vectra Networks' \n |where DeviceProduct=~ 'X Series'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| sort by TimeGenerated \n" - }, - { - "description": "Host Count by Severity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| extend status = case(FlexNumber1>=50 and FlexNumber2<50, \"High\", FlexNumber1>=50 and FlexNumber2>=50, \"Critical\", FlexNumber1<50 and FlexNumber2>=50, \"Medium\", FlexNumber1>0 and FlexNumber1<50 and FlexNumber2>0 and FlexNumber2<50,\"Low\", \"Other\")\n| where status != \"Other\"\n| summarize Count = count() by status" - }, - { - 
"description": "List of worst offenders", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID == \"hsc\"\n| extend src = coalesce(SourceHostName, SourceIP)\n| summarize arg_max(TimeGenerated, *) by src\n| sort by FlexNumber1 desc, FlexNumber2 desc\n| limit 10\n| project row_number(), src, SourceIP, FlexNumber1 , FlexNumber2, TimeGenerated\n| project-rename Sr_No = Column1, Source = src, Source_IP = SourceIP, Threat = FlexNumber1, Certainty = FlexNumber2, Latest_Detection = TimeGenerated" - }, - { - "description": "Top 10 Detection Types", - "query": "CommonSecurityLog\r\n| extend ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"), tostring(ExternalID), \"\")\r\n| where DeviceVendor == \"Vectra Networks\" and DeviceEventClassID !in (\"health\", \"audit\", \"campaigns\", \"hsc\", \"asc\") and isnotnull(ExternalID)\r\n| summarize Count = count() by DeviceEventClassID\r\n| top 10 by Count desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward AI Vectra Detect logs to Syslog agent in CEF format", - "description": "Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. 
Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -858,7 +110,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AIVectraDetectWorkbook Workbook with template version 3.0.1",
+ "description": "AIVectraDetectWorkbook Workbook with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -949,7 +201,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Account-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Account-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -977,22 +229,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1004,6 +244,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
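Review bot: The seven-technique list added in the `@@ -1004,6 +244,15 @@` hunk is copied verbatim into the Account-Detections, HighSeverityDetection-by-Tactics, Host-by-Severity and Host-Detections rules (hunks `@@ -1164`, `@@ -1316`, `@@ -1486` and `@@ -1642`), yet this rule fires when an account's threat/certainty score reaches a severity level rather than on a specific detection type, so the static mapping asserts ATT&CK coverage that the alert content does not establish. I believe the repository's analytic-rule validation also expects each technique's parent tactic to appear in `tactics` (T1003 → CredentialAccess, T1087 → Discovery, T1021 → LateralMovement, T1119 → Collection, T1071 → CommandAndControl); only `"Exfiltration"` and `"Impact"` are visible here and the start of the array lies outside the hunk, so confirm the earlier entries before merging. For the score-based rules consider keeping `techniques` to the entries that can be justified from the rule's own query, and leaving per-detection technique attribution to the `-Detections` rules, which do carry the detection type via `{{Activity}}`/`{{Category}}`.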
@@ -1028,34 +277,34 @@
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "The account {{saccount}} has a threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
 "alertDisplayNameFormat": "Vectra AI Detect - Account {{saccount}} reaches {{level}} severity",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "The account {{saccount}} has a threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n"
+ "alertSeverityColumnName": "Severity"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1109,7 +358,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Account-Detections_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Account-Detections_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1137,22 +386,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1164,6 +401,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Account",
@@ -1183,31 +429,31 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n",
 "alertDisplayNameFormat": "Vectra AI - {{Activity}} Detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Entity is an account. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n"
+ "alertSeverityColumnName": "Severity"
 }
 }
 },
@@ -1261,7 +507,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-HighSeverityDetection-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-HighSeverityDetection-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1289,22 +535,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1316,6 +550,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1344,40 +587,40 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
 "alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}."
+ "alertSeverityColumnName": "Severity"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1431,7 +674,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Host-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Host-by-Severity_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1459,22 +702,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1486,6 +717,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1506,34 +746,34 @@
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "The host {{SourceHostName}} has a Threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n",
 "alertDisplayNameFormat": "Vectra AI Detect - Host {{SourceHostName}} reaches {{level}} severity",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "The host {{SourceHostName}} has a Threat score of {{threat_score}} and a\ncertainty of {{certainty_score}}\n"
+ "alertSeverityColumnName": "Severity"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
 "reopenClosedIncident": true,
- "lookbackDuration": "7d",
 "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
 }
 }
 },
@@ -1587,7 +827,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "VectraDetect-Host-Detections_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Host-Detections_AnalyticalRules Analytics Rule with template version 3.0.2",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1615,22 +855,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
 }
 ],
 "tactics": [
@@ -1642,6 +870,15 @@
 "Exfiltration",
 "Impact"
 ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
 "entityMappings": [
 {
 "entityType": "Host",
@@ -1657,31 +894,31 @@
 "aggregationKind": "AlertPerResult"
 },
 "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
 },
 "alertDetailsOverride": {
 "alertDynamicProperties": [
 {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
 },
 {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
 },
 {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
 },
 {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
 }
 ],
+ "alertDescriptionFormat": "Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n",
 "alertDisplayNameFormat": "Vectra AI - {{Activity}} Detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Entity is a host. Category is {{Category}}. Threat score is {{threat_score}} and certainty score is {{certainty_score}}.\n"
+ "alertSeverityColumnName": "Severity"
 }
 }
 },
@@ -1735,7 +972,7 @@
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "VectraDetect-NewCampaign_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-NewCampaign_AnalyticalRules Analytics Rule with template version 3.0.2",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1763,28 +1000,20 @@
  "status": "Available",
  "requiredDataConnectors": [
  {
+ "connectorId": "CefAma",
  "dataTypes": [
  "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
  }
  ],
  "tactics": [
  "LateralMovement",
  "CommandAndControl"
  ],
+ "techniques": [
+ "T1021",
+ "T1071"
+ ],
  "entityMappings": [
  {
  "entityType": "DNS",
@@ -1797,36 +1026,36 @@
  }
  ],
  "customDetails": {
- "CampaignSourceHost": "SourceHostName",
+ "CampaignName": "Activity",
  "CampaignReason": "reason",
- "CampaignName": "Activity"
+ "CampaignSourceHost": "SourceHostName"
  },
  "alertDetailsOverride": {
- "alertDisplayNameFormat": "Vectra AI - New Campaign Detected",
  "alertDynamicProperties": [
  {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
  },
  {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
  },
  {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
  }
  ],
- "alertDescriptionFormat": "A new campaign named {{Activity}} has been detected (reason is {{reason}})\n"
+ "alertDescriptionFormat": "A new campaign named {{Activity}} has been detected (reason is {{reason}})\n",
+ "alertDisplayNameFormat": "Vectra AI - New Campaign Detected"
  },
  "incidentConfiguration": {
+ "createIncident": true,
  "groupingConfiguration": {
+ "matchingMethod": "AllEntities",
  "reopenClosedIncident": true,
- "lookbackDuration": "7d",
  "enabled": true,
- "matchingMethod": "AllEntities"
- },
- "createIncident": true
+ "lookbackDuration": "7d"
+ }
  }
  }
  },
@@ -1880,7 +1109,7 @@
  "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "VectraDetect-Suspected-Behavior-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "description": "VectraDetect-Suspected-Behavior-by-Tactics_AnalyticalRules Analytics Rule with template version 3.0.2",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1908,22 +1137,10 @@
  "status": "Available",
  "requiredDataConnectors": [
  {
+ "connectorId": "CefAma",
  "dataTypes": [
  "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetect"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "AIVectraDetectAma"
- },
- {
- "dataTypes": [
- "CommonSecurityLog"
- ],
- "connectorId": "CefAma"
+ ]
  }
  ],
  "tactics": [
@@ -1935,6 +1152,15 @@
  "Exfiltration",
  "Impact"
  ],
+ "techniques": [
+ "T1003",
+ "T1087",
+ "T1021",
+ "T1119",
+ "T1071",
+ "T1041",
+ "T1499"
+ ],
  "entityMappings": [
  {
  "entityType": "Host",
@@ -1963,31 +1189,31 @@
  "aggregationKind": "AlertPerResult"
  },
  "customDetails": {
- "AttackType": "Activity",
- "AttackCategory": "Category"
+ "AttackCategory": "Category",
+ "AttackType": "Activity"
  },
  "alertDetailsOverride": {
  "alertDynamicProperties": [
  {
- "value": "vectra_URL",
- "alertProperty": "AlertLink"
+ "alertProperty": "AlertLink",
+ "value": "vectra_URL"
  },
  {
- "value": "DeviceProduct",
- "alertProperty": "ProductName"
+ "alertProperty": "ProductName",
+ "value": "DeviceProduct"
  },
  {
- "value": "DeviceVendor",
- "alertProperty": "ProviderName"
+ "alertProperty": "ProviderName",
+ "value": "DeviceVendor"
  },
  {
- "value": "certainty_score",
- "alertProperty": "ConfidenceScore"
+ "alertProperty": "ConfidenceScore",
+ "value": "certainty_score"
  }
  ],
+ "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}.",
  "alertDisplayNameFormat": "Vectra AI Detect - {{Activity}} detected",
- "alertSeverityColumnName": "Severity",
- "alertDescriptionFormat": "Source entity is {{source_entity}} and category is {{Category}}. Threat score is {{threat_score}}."
+ "alertSeverityColumnName": "Severity"
  }
  }
  },
@@ -2037,12 +1263,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Vectra AI Detect", "publisherDisplayName": "Vectra AI", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vectra AI Detect solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1, Analytic Rules: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Vectra AI Detect solution for Microsoft Sentinel enables you to ingest Vectra AI logs into Microsoft Sentinel, using the Common Event Format (CEF) for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

\n

Workbooks: 1, Analytic Rules: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2065,16 +1291,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]",
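Review bot: Removing both `DataConnector` entries from `dependencies.criteria` in the last hunk leaves nothing visible that ties the package to the CEF via AMA connector the analytic rules now require through `"connectorId": "CefAma"`, even though the `descriptionHtml` text in the preceding hunk still promises that the CEF solution will be installed with this one. The remainder of `criteria` lies outside the hunk; please confirm it carries a `"kind": "Solution"` criterion for the Common Event Format solution, because without one the package deploys cleanly while its rules have no connector feeding `CommonSecurityLog`. The enclosing `dependencies` object and the solution resource both continue past the end of this hunk.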