Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Repackage - Vectra XDR , Dataminr Pulse

This commit is contained in:
v-rusraut 2024-05-03 14:38:59 +05:30
Родитель 9f09a2af06
Коммит 5b9b4359d8
6 изменённых файлов: 65 добавлений и 64 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
Solutions/Vectra XDR/Analytic Rules/DetectXDR_detections.yaml
Просмотреть файл

@ -1,6 +1,6 @@
id: 065c0a50-3080-4f9a-acca-1fe6fbf63205
name: Vectra Detection Alerts
version: 1.0.0
version: 1.0.1
kind: Scheduled
description: This analytic rule is looking for new attacker behaviors observed by the Vectra Platform. The intent is to create entries in the SecurityAlert table for every new detection attached to an entity monitored by the Vectra Platform
status: Available
@ -34,7 +34,7 @@ incidentConfiguration:
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
lookbackDuration: PT5H
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []

2
Solutions/Vectra XDR/Data/Solution_VectraXDR.json
Просмотреть файл

@ -21,7 +21,7 @@
"Workbooks/VectraXDR.json"
],
"BasePath": "C:\\Users\\xxx\\Documents\\GitHub\\Azure-Sentinel\\Solutions\\Vectra XDR",
"Version": "3.1.0",
"Version": "3.1.1",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false

Двоичные данные
Solutions/Vectra XDR/Package/3.1.1.zip Normal file
Просмотреть файл

Двоичный файл не отображается.

2
Solutions/Vectra XDR/Package/createUiDefinition.json
Просмотреть файл

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AIVectraDetect.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nVectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit www.vectra.ai.\n\n The Vectra XDR App for Microsoft Sentinel contains:\n Data Connector to ingest events generated by Vectra XDR (through OMS agent).\n Workbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AIVectraDetect.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nVectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit www.vectra.ai.\n\n The Vectra XDR App for Microsoft Sentinel contains:\n Data Connector to ingest events generated by Vectra XDR (through OMS agent).\n Workbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",

118
Solutions/Vectra XDR/Package/mainTemplate.json
Просмотреть файл

@ -41,7 +41,7 @@
"email": "tme@vetcra.ai",
"_email": "[variables('email')]",
"_solutionName": "Vectra XDR",
"_solutionVersion": "3.1.0",
"_solutionVersion": "3.1.1",
"solutionId": "vectraaiinc.vectra-xdr-for-microsoft-sentinel",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "VectraXDR",
@ -89,11 +89,11 @@
"parserContentId5": "VectraLockdown-Parser"
},
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.0",
"analyticRuleVersion1": "1.0.1",
"_analyticRulecontentId1": "065c0a50-3080-4f9a-acca-1fe6fbf63205",
"analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '065c0a50-3080-4f9a-acca-1fe6fbf63205')]",
"analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('065c0a50-3080-4f9a-acca-1fe6fbf63205')))]",
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','065c0a50-3080-4f9a-acca-1fe6fbf63205','-', '1.0.0')))]"
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','065c0a50-3080-4f9a-acca-1fe6fbf63205','-', '1.0.1')))]"
},
"analyticRuleObject2": {
"analyticRuleVersion2": "1.0.0",
@ -121,7 +121,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "Vectra XDR data connector with template version 3.1.0",
"description": "Vectra XDR data connector with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@ -624,7 +624,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "VectraDetections Data Parser with template version 3.1.0",
"description": "VectraDetections Data Parser with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject1').parserVersion1]",
@ -638,7 +638,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraDetections",
"displayName": "VectraDetections",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraDetections",
"query": "let VectraDetections_view = view () { \n Detections_Data_CL\n | extend \n EventVendor=\"VectraDetections\",\n EventProduct=\"VectraDetections\",\n ID = column_ifexists('id_d', ''),\n [\"Detection Category\"] = column_ifexists('Category', ''),\n [\"Is Triaged\"] = column_ifexists('triaged_b', ''),\n [\"Detection Name\"] = column_ifexists('detection_type_s', ''),\n [\"D Type Vname\"] = column_ifexists('d_type_vname_s', ''),\n [\"Detection ID\"] = column_ifexists('detection_id_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('detection_href_s', ''),\n [\"Entity ID\"] = toint(column_ifexists('entity_id_d', '')),\n URL = column_ifexists('url_s', ''),\n [\"Entity UID\"] = column_ifexists('entity_uid_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Details\"] = column_ifexists('detail_s', ''),\n Severity = column_ifexists('Severity', ''),\n [\"Source IP\"] = column_ifexists('src_ip_s', ''),\n [\"Detection Details\"] = column_ifexists('d_detection_details_s', ''),\n [\"Normal Domains\"] = column_ifexists('normal_domains_s', ''),\n [\"Is Targeting Key Asset\"] = column_ifexists('is_targeting_key_asset_s', ''),\n [\"Source Host\"] = column_ifexists('src_host_s', ''),\n Summary = column_ifexists('summary_s', ''),\n [\"Grouped Details\"] = column_ifexists('grouped_details_s', '')\n | extend \n [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"&pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot']),\n URL = case(isnotempty(URL), strcat(URL, \"?pivot=Vectra-Sentinel-1.0.0\"), URL)\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Detection Category\"],\n [\"Is Triaged\"],\n [\"Detection Name\"],\n [\"D Type Vname\"],\n [\"Detection ID\"],\n [\"Vectra Pivot\"],\n [\"Entity ID\"],\n URL,\n [\"Entity UID\"],\n [\"Last Updated\"],\n [\"Details\"],\n Severity,\n [\"Source IP\"],\n [\"Detection Details\"],\n [\"Normal Domains\"],\n [\"Is Targeting Key Asset\"],\n [\"Source Host\"],\n Summary,\n [\"Grouped Details\"]\n};\nVectraDetections_view\n",
@ -660,7 +660,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraDetections')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraDetections')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@ -690,7 +690,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject1').parserContentId1]",
"contentKind": "Parser",
"displayName": "Parser for VectraDetections",
"displayName": "VectraDetections",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
"version": "[variables('parserObject1').parserVersion1]"
@ -703,7 +703,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraDetections",
"displayName": "VectraDetections",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraDetections",
"query": "let VectraDetections_view = view () { \n Detections_Data_CL\n | extend \n EventVendor=\"VectraDetections\",\n EventProduct=\"VectraDetections\",\n ID = column_ifexists('id_d', ''),\n [\"Detection Category\"] = column_ifexists('Category', ''),\n [\"Is Triaged\"] = column_ifexists('triaged_b', ''),\n [\"Detection Name\"] = column_ifexists('detection_type_s', ''),\n [\"D Type Vname\"] = column_ifexists('d_type_vname_s', ''),\n [\"Detection ID\"] = column_ifexists('detection_id_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('detection_href_s', ''),\n [\"Entity ID\"] = toint(column_ifexists('entity_id_d', '')),\n URL = column_ifexists('url_s', ''),\n [\"Entity UID\"] = column_ifexists('entity_uid_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Details\"] = column_ifexists('detail_s', ''),\n Severity = column_ifexists('Severity', ''),\n [\"Source IP\"] = column_ifexists('src_ip_s', ''),\n [\"Detection Details\"] = column_ifexists('d_detection_details_s', ''),\n [\"Normal Domains\"] = column_ifexists('normal_domains_s', ''),\n [\"Is Targeting Key Asset\"] = column_ifexists('is_targeting_key_asset_s', ''),\n [\"Source Host\"] = column_ifexists('src_host_s', ''),\n Summary = column_ifexists('summary_s', ''),\n [\"Grouped Details\"] = column_ifexists('grouped_details_s', '')\n | extend \n [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"&pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot']),\n URL = case(isnotempty(URL), strcat(URL, \"?pivot=Vectra-Sentinel-1.0.0\"), URL)\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Detection Category\"],\n [\"Is Triaged\"],\n [\"Detection Name\"],\n [\"D Type Vname\"],\n [\"Detection ID\"],\n [\"Vectra Pivot\"],\n [\"Entity ID\"],\n URL,\n [\"Entity UID\"],\n [\"Last Updated\"],\n [\"Details\"],\n Severity,\n [\"Source IP\"],\n [\"Detection Details\"],\n [\"Normal Domains\"],\n [\"Is Targeting Key Asset\"],\n [\"Source Host\"],\n Summary,\n [\"Grouped Details\"]\n};\nVectraDetections_view\n",
@ -726,7 +726,7 @@
"[variables('parserObject1')._parserId1]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraDetections')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraDetections')]",
"contentId": "[variables('parserObject1').parserContentId1]",
"kind": "Parser",
"version": "[variables('parserObject1').parserVersion1]",
@ -756,7 +756,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "VectraAudits Data Parser with template version 3.1.0",
"description": "VectraAudits Data Parser with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject2').parserVersion2]",
@ -770,7 +770,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraAudits",
"displayName": "VectraAudits",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraAudits",
"query": "let VectraAudits_view = view () { \n Audits_Data_CL\n | extend \n EventVendor=\"VectraAudits\",\n EventProduct=\"VectraAudits\",\n ID = column_ifexists('id_d', ''),\n [\"User ID\"] = column_ifexists('user_id_d', ''),\n Username = column_ifexists('username_s', ''),\n [\"User Type\"] = column_ifexists('user_type_s', ''),\n [\"User Role\"] = column_ifexists('user_role_s', ''),\n Version = column_ifexists('version_s', ''),\n [\"Source IP\"] = column_ifexists('source_ip_s', ''),\n [\"Event Timestamp\"] = column_ifexists('event_timestamp_t', ''),\n Message = column_ifexists('Message', ''),\n Status = column_ifexists('result_status_s', ''),\n [\"Event Data\"] = column_ifexists('event_data_s', ''),\n [\"Event Object\"] = column_ifexists('event_object_s', ''),\n [\"Event Action\"] = column_ifexists('event_action_s', ''),\n [\"API Client ID\"] = column_ifexists('api_client_id_g', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n ['User ID'],\n Username,\n ['User Type'],\n [\"User Role\"],\n Version,\n ['Source IP'],\n ['Event Timestamp'],\n Message,\n Status,\n [\"Event Data\"],\n ['Event Object'],\n ['Event Action'],\n ['API Client ID']\n};\nVectraAudits_view\n",
@ -792,7 +792,7 @@
"[variables('parserObject2')._parserId2]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraAudits')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraAudits')]",
"contentId": "[variables('parserObject2').parserContentId2]",
"kind": "Parser",
"version": "[variables('parserObject2').parserVersion2]",
@ -822,7 +822,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject2').parserContentId2]",
"contentKind": "Parser",
"displayName": "Parser for VectraAudits",
"displayName": "VectraAudits",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]",
"version": "[variables('parserObject2').parserVersion2]"
@ -835,7 +835,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraAudits",
"displayName": "VectraAudits",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraAudits",
"query": "let VectraAudits_view = view () { \n Audits_Data_CL\n | extend \n EventVendor=\"VectraAudits\",\n EventProduct=\"VectraAudits\",\n ID = column_ifexists('id_d', ''),\n [\"User ID\"] = column_ifexists('user_id_d', ''),\n Username = column_ifexists('username_s', ''),\n [\"User Type\"] = column_ifexists('user_type_s', ''),\n [\"User Role\"] = column_ifexists('user_role_s', ''),\n Version = column_ifexists('version_s', ''),\n [\"Source IP\"] = column_ifexists('source_ip_s', ''),\n [\"Event Timestamp\"] = column_ifexists('event_timestamp_t', ''),\n Message = column_ifexists('Message', ''),\n Status = column_ifexists('result_status_s', ''),\n [\"Event Data\"] = column_ifexists('event_data_s', ''),\n [\"Event Object\"] = column_ifexists('event_object_s', ''),\n [\"Event Action\"] = column_ifexists('event_action_s', ''),\n [\"API Client ID\"] = column_ifexists('api_client_id_g', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n ['User ID'],\n Username,\n ['User Type'],\n [\"User Role\"],\n Version,\n ['Source IP'],\n ['Event Timestamp'],\n Message,\n Status,\n [\"Event Data\"],\n ['Event Object'],\n ['Event Action'],\n ['API Client ID']\n};\nVectraAudits_view\n",
@ -858,7 +858,7 @@
"[variables('parserObject2')._parserId2]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraAudits')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraAudits')]",
"contentId": "[variables('parserObject2').parserContentId2]",
"kind": "Parser",
"version": "[variables('parserObject2').parserVersion2]",
@ -888,7 +888,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "VectraEntityScoring Data Parser with template version 3.1.0",
"description": "VectraEntityScoring Data Parser with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject3').parserVersion3]",
@ -902,7 +902,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraEntityScoring",
"displayName": "VectraEntityScoring",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraEntityScoring",
"query": "let VectraEntityScoring_view = view () { \n Entity_Scoring_Data_CL\n | extend \n EventVendor=\"VectraEntityScoring\",\n EventProduct=\"VectraEntityScoring\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Active Detection Types\"] = column_ifexists('active_detection_types_s', ''),\n [\"Breadth Contrib\"] = column_ifexists('breadth_contrib_d', ''),\n Category = column_ifexists('Category', ''),\n Importance = column_ifexists('importance_d', ''),\n Type = column_ifexists('type_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Is Prioritized\"] = column_ifexists('is_prioritized_b', ''),\n [\"Last Detection ID\"] = column_ifexists('last_detection_id_d', ''),\n [\"Last Detection Type\"] = column_ifexists('last_detection_type_s', ''),\n [\"Last Detection URL\"] = column_ifexists('last_detection_url_s', ''),\n [\"Last Detection\"] = column_ifexists('last_detection_s', ''),\n Name = column_ifexists('name_s', ''),\n Severity = column_ifexists('severity_s', ''),\n [\"Urgency Score\"] = column_ifexists('urgency_score_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('url_s', ''),\n Velocity = column_ifexists('velocity_contrib_d', ''),\n [\"Attack Rating\"] = column_ifexists('attack_rating_d', '')\n | extend [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"?pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot'])\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n Name,\n Importance,\n Type,\n [\"Is Prioritized\"],\n Severity,\n [\"Urgency Score\"],\n [\"Vectra Pivot\"],\n Category,\n [\"Last Detection URL\"],\n [\"Last Detection Type\"],\n [\"Last Detection ID\"],\n [\"Last Detection\"],\n [\"Active Detection Types\"],\n [\"Last Updated\"],\n [\"Breadth Contrib\"],\n Velocity,\n [\"Attack Rating\"]\n};\nVectraEntityScoring_view\n",
@ -924,7 +924,7 @@
"[variables('parserObject3')._parserId3]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraEntityScoring')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraEntityScoring')]",
"contentId": "[variables('parserObject3').parserContentId3]",
"kind": "Parser",
"version": "[variables('parserObject3').parserVersion3]",
@ -954,7 +954,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject3').parserContentId3]",
"contentKind": "Parser",
"displayName": "Parser for VectraEntityScoring",
"displayName": "VectraEntityScoring",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]",
"version": "[variables('parserObject3').parserVersion3]"
@ -967,7 +967,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraEntityScoring",
"displayName": "VectraEntityScoring",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraEntityScoring",
"query": "let VectraEntityScoring_view = view () { \n Entity_Scoring_Data_CL\n | extend \n EventVendor=\"VectraEntityScoring\",\n EventProduct=\"VectraEntityScoring\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Active Detection Types\"] = column_ifexists('active_detection_types_s', ''),\n [\"Breadth Contrib\"] = column_ifexists('breadth_contrib_d', ''),\n Category = column_ifexists('Category', ''),\n Importance = column_ifexists('importance_d', ''),\n Type = column_ifexists('type_s', ''),\n [\"Last Updated\"] = column_ifexists('event_timestamp_t', ''),\n [\"Is Prioritized\"] = column_ifexists('is_prioritized_b', ''),\n [\"Last Detection ID\"] = column_ifexists('last_detection_id_d', ''),\n [\"Last Detection Type\"] = column_ifexists('last_detection_type_s', ''),\n [\"Last Detection URL\"] = column_ifexists('last_detection_url_s', ''),\n [\"Last Detection\"] = column_ifexists('last_detection_s', ''),\n Name = column_ifexists('name_s', ''),\n Severity = column_ifexists('severity_s', ''),\n [\"Urgency Score\"] = column_ifexists('urgency_score_d', ''),\n [\"Vectra Pivot\"] = column_ifexists('url_s', ''),\n Velocity = column_ifexists('velocity_contrib_d', ''),\n [\"Attack Rating\"] = column_ifexists('attack_rating_d', '')\n | extend [\"Vectra Pivot\"] = case(isnotempty(['Vectra Pivot']), strcat(['Vectra Pivot'], \"?pivot=Vectra-Sentinel-1.0.0\"), ['Vectra Pivot'])\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n Name,\n Importance,\n Type,\n [\"Is Prioritized\"],\n Severity,\n [\"Urgency Score\"],\n [\"Vectra Pivot\"],\n Category,\n [\"Last Detection URL\"],\n [\"Last Detection Type\"],\n [\"Last Detection ID\"],\n [\"Last Detection\"],\n [\"Active Detection Types\"],\n [\"Last Updated\"],\n [\"Breadth Contrib\"],\n Velocity,\n [\"Attack Rating\"]\n};\nVectraEntityScoring_view\n",
@ -990,7 +990,7 @@
"[variables('parserObject3')._parserId3]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraEntityScoring')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraEntityScoring')]",
"contentId": "[variables('parserObject3').parserContentId3]",
"kind": "Parser",
"version": "[variables('parserObject3').parserVersion3]",
@ -1020,7 +1020,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "VectraHealth Data Parser with template version 3.1.0",
"description": "VectraHealth Data Parser with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject4').parserVersion4]",
@ -1034,7 +1034,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraHealth",
"displayName": "VectraHealth",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraHealth",
"query": "let VectraHealth_view = view () { \n Health_Data_CL\n | extend\n EventVendor=\"VectraHealth\",\n EventProduct=\"VectraHealth\",\n ['Last Updated'] = column_ifexists('system_version_last_update_s', ''),\n ['CPU Usage - User (%)'] = column_ifexists('cpu_user_percent_d', ''),\n ['CPU Usage - System (%)'] = column_ifexists('cpu_system_percent_d', ''),\n ['CPU Usage - Idle (%)'] = column_ifexists('cpu_idle_percent_d', ''),\n ['Disk Utilization (%)'] = column_ifexists('disk_disk_utilization_usage_percent_d', ''),\n ['Memory Utilization (%)'] = column_ifexists('memory_usage_percent_d', ''),\n ['Power Status'] = column_ifexists('power_status_s', ''),\n ['Power Error'] = column_ifexists('power_error_s', ''),\n Network = column_ifexists('network_s', ''),\n Sensors = column_ifexists('sensors_s', ''),\n Connectivity_Sensors = column_ifexists('connectivity_sensors_s', ''),\n System_Version_Last_Update = column_ifexists('system_version_last_update_s', ''),\n Trafficdrop_Sensors = column_ifexists('trafficdrop_sensors_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n System_Version_Last_Update,\n ['Last Updated'],\n ['CPU Usage - User (%)'],\n ['CPU Usage - System (%)'],\n ['CPU Usage - Idle (%)'],\n ['Disk Utilization (%)'],\n ['Memory Utilization (%)'],\n ['Power Status'],\n ['Power Error'],\n Network,\n Sensors,\n Connectivity_Sensors,\n Trafficdrop_Sensors\n};\nVectraHealth_view()\n",
@ -1056,7 +1056,7 @@
"[variables('parserObject4')._parserId4]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraHealth')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraHealth')]",
"contentId": "[variables('parserObject4').parserContentId4]",
"kind": "Parser",
"version": "[variables('parserObject4').parserVersion4]",
@ -1086,7 +1086,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject4').parserContentId4]",
"contentKind": "Parser",
"displayName": "Parser for VectraHealth",
"displayName": "VectraHealth",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]",
"version": "[variables('parserObject4').parserVersion4]"
@ -1099,7 +1099,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraHealth",
"displayName": "VectraHealth",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraHealth",
"query": "let VectraHealth_view = view () { \n Health_Data_CL\n | extend\n EventVendor=\"VectraHealth\",\n EventProduct=\"VectraHealth\",\n ['Last Updated'] = column_ifexists('system_version_last_update_s', ''),\n ['CPU Usage - User (%)'] = column_ifexists('cpu_user_percent_d', ''),\n ['CPU Usage - System (%)'] = column_ifexists('cpu_system_percent_d', ''),\n ['CPU Usage - Idle (%)'] = column_ifexists('cpu_idle_percent_d', ''),\n ['Disk Utilization (%)'] = column_ifexists('disk_disk_utilization_usage_percent_d', ''),\n ['Memory Utilization (%)'] = column_ifexists('memory_usage_percent_d', ''),\n ['Power Status'] = column_ifexists('power_status_s', ''),\n ['Power Error'] = column_ifexists('power_error_s', ''),\n Network = column_ifexists('network_s', ''),\n Sensors = column_ifexists('sensors_s', ''),\n Connectivity_Sensors = column_ifexists('connectivity_sensors_s', ''),\n System_Version_Last_Update = column_ifexists('system_version_last_update_s', ''),\n Trafficdrop_Sensors = column_ifexists('trafficdrop_sensors_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n System_Version_Last_Update,\n ['Last Updated'],\n ['CPU Usage - User (%)'],\n ['CPU Usage - System (%)'],\n ['CPU Usage - Idle (%)'],\n ['Disk Utilization (%)'],\n ['Memory Utilization (%)'],\n ['Power Status'],\n ['Power Error'],\n Network,\n Sensors,\n Connectivity_Sensors,\n Trafficdrop_Sensors\n};\nVectraHealth_view()\n",
@ -1122,7 +1122,7 @@
"[variables('parserObject4')._parserId4]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraHealth')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraHealth')]",
"contentId": "[variables('parserObject4').parserContentId4]",
"kind": "Parser",
"version": "[variables('parserObject4').parserVersion4]",
@ -1152,7 +1152,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "VectraLockdown Data Parser with template version 3.1.0",
"description": "VectraLockdown Data Parser with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('parserObject5').parserVersion5]",
@ -1166,7 +1166,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraLockdown",
"displayName": "VectraLockdown",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraLockdown",
"query": "let VectraLockdown_view = view () { \n Lockdown_Data_CL\n | extend\n EventVendor=\"VectraLockdown\",\n EventProduct=\"VectraLockdown\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Entity Name\"] = column_ifexists('entity_name_s', ''),\n [\"Entity Type\"] = column_ifexists('entity_type_s ', ''),\n Type = column_ifexists('type_s', ''),\n [\"Locked Date\"] = column_ifexists('lock_event_timestamp_t', ''),\n [\"Unlock Date\"] = column_ifexists('unlock_event_timestamp_t', ''),\n [\"Locked By\"] = column_ifexists('locked_by_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n [\"Entity Name\"],\n [\"Entity Type\"],\n Type,\n [\"Locked Date\"],\n [\"Unlock Date\"],\n [\"Locked By\"]\n};\nVectraLockdown_view()\n",
@ -1188,7 +1188,7 @@
"[variables('parserObject5')._parserId5]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraLockdown')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraLockdown')]",
"contentId": "[variables('parserObject5').parserContentId5]",
"kind": "Parser",
"version": "[variables('parserObject5').parserVersion5]",
@ -1218,7 +1218,7 @@
"contentSchemaVersion": "3.0.0",
"contentId": "[variables('parserObject5').parserContentId5]",
"contentKind": "Parser",
"displayName": "Parser for VectraLockdown",
"displayName": "VectraLockdown",
"contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
"id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]",
"version": "[variables('parserObject5').parserVersion5]"
@ -1231,7 +1231,7 @@
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
"displayName": "Parser for VectraLockdown",
"displayName": "VectraLockdown",
"category": "Microsoft Sentinel Parser",
"functionAlias": "VectraLockdown",
"query": "let VectraLockdown_view = view () { \n Lockdown_Data_CL\n | extend\n EventVendor=\"VectraLockdown\",\n EventProduct=\"VectraLockdown\",\n ID = column_ifexists('id_d', ''),\n [\"Entity ID\"] = column_ifexists('entity_id_d', ''),\n [\"Entity Name\"] = column_ifexists('entity_name_s', ''),\n [\"Entity Type\"] = column_ifexists('entity_type_s ', ''),\n Type = column_ifexists('type_s', ''),\n [\"Locked Date\"] = column_ifexists('lock_event_timestamp_t', ''),\n [\"Unlock Date\"] = column_ifexists('unlock_event_timestamp_t', ''),\n [\"Locked By\"] = column_ifexists('locked_by_s', '')\n | project\n TimeGenerated,\n EventVendor,\n EventProduct,\n ID,\n [\"Entity ID\"],\n [\"Entity Name\"],\n [\"Entity Type\"],\n Type,\n [\"Locked Date\"],\n [\"Unlock Date\"],\n [\"Locked By\"]\n};\nVectraLockdown_view()\n",
@ -1254,7 +1254,7 @@
"[variables('parserObject5')._parserId5]"
],
"properties": {
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Parser for VectraLockdown')]",
"parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VectraLockdown')]",
"contentId": "[variables('parserObject5').parserContentId5]",
"kind": "Parser",
"version": "[variables('parserObject5').parserVersion5]",
@ -1284,7 +1284,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "DetectXDR_detections_AnalyticalRules Analytics Rule with template version 3.1.0",
"description": "DetectXDR_detections_AnalyticalRules Analytics Rule with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@ -1294,7 +1294,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -1333,26 +1333,26 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"Summary": "Summary",
"triaged": "triaged"
"triaged": "triaged",
"Summary": "Summary"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Vectra AI {{detection}} detected",
"alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "url_detection"
}
]
],
"alertDisplayNameFormat": "Vectra AI {{detection}} detected",
"alertDescriptionFormat": "Detection category: {{category}}\nDetails: {{Details}} \n"
},
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"lookbackDuration": "5h",
"matchingMethod": "AllEntities",
"enabled": false,
"lookbackDuration": "PT5H",
"reopenClosedIncident": false,
"enabled": false
"matchingMethod": "AllEntities"
}
}
}
@ -1408,7 +1408,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "DetectXDR_Prioritized_Entities_AnalyticalRules Analytics Rule with template version 3.1.0",
"description": "DetectXDR_Prioritized_Entities_AnalyticalRules Analytics Rule with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@ -1418,7 +1418,7 @@
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
"name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
@ -1457,16 +1457,14 @@
"aggregationKind": "AlertPerResult"
},
"customDetails": {
"detections": "detections",
"Entity_type": "Type",
"Entity_importance": "Importance",
"Breadth": "breadth",
"Velocity": "Velocity",
"Attack_Rating": "attack_rating"
"Entity_type": "Type",
"Attack_Rating": "attack_rating",
"Entity_importance": "Importance",
"detections": "detections",
"Velocity": "Velocity"
},
"alertDetailsOverride": {
"alertDisplayNameFormat": "Priority Incident - {{Name}} with Urgency Score of {{Urgency Score}} ",
"alertDescriptionFormat": "Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.\nAttack rating is {{Attack Rating}}.",
"alertDynamicProperties": [
{
"alertProperty": "ConfidenceLevel",
@ -1476,15 +1474,17 @@
"alertProperty": "AlertLink",
"value": "url"
}
]
],
"alertDisplayNameFormat": "Priority Incident - {{Name}} with Urgency Score of {{Urgency Score}} ",
"alertDescriptionFormat": "Entity {{Name}} has been prioritized by the Vectra AI prioritization algorithm with an urgency score of {{Urgency Score}}.\nAttack rating is {{Attack Rating}}."
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "7d",
"matchingMethod": "AllEntities",
"reopenClosedIncident": true,
"enabled": true
"matchingMethod": "AllEntities"
}
}
}
@ -1540,7 +1540,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"description": "VectraXDR Workbook with template version 3.1.0",
"description": "VectraXDR Workbook with template version 3.1.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@ -1640,12 +1640,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
"version": "3.1.0",
"version": "3.1.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Vectra XDR",
"publisherDisplayName": "Vectra Support",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit <a href=\"http://www.vectra.ai\">www.vectra.ai</a>.</p>\n<p>The Vectra XDR App for Microsoft Sentinel contains:\nData Connector to ingest events generated by Vectra XDR (through OMS agent).\nWorkbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 5, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20XDR/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit <a href=\"http://www.vectra.ai\">www.vectra.ai</a>.</p>\n<p>The Vectra XDR App for Microsoft Sentinel contains:\nData Connector to ingest events generated by Vectra XDR (through OMS agent).\nWorkbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health</p>\n<p><strong>Data Connectors:</strong> 1, <strong>Parsers:</strong> 5, <strong>Workbooks:</strong> 1, <strong>Analytic Rules:</strong> 2</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",

3
Solutions/Vectra XDR/ReleaseNotes.md
Просмотреть файл

@ -1,6 +1,7 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|----------------------------------------------------------------|
| 3.1.0 | 04-01-2024 | Included **Parser** files in yaml format |
| 3.1.1 | 03-04-2024 | Repackaged for parser issue fix on reinstall |
| 3.1.0 | 04-01-2024 | Included **Parser** files in yaml format |
| 3.0.2 | 04-10-2023 | Enhanced **Data Connector** logic to post data into Sentinel |
| 3.0.1 | 21-08-2023 | **Workbook** metadata issue resolved |
| 3.0.0 | 03-08-2023 | Initial Solution Release |