Merge pull request #2329 from danymello/vectraAI-Detect-Analytics

Vectra AI - Analytics Templates for Detect
2021-06-14 08:02:39 -07:00 · 2021-06-14 08:02:39 -07:00 · e9f5449abe
--- a/Detections/VectraAI/VectraDetect-Account-Critical.yaml
+++ b/Detections/VectraAI/VectraDetect-Account-Critical.yaml
@ -0,0 +1,50 @@
+id: a5ee1c65-f27c-44fd-a65e-e0ac2f6404fc
+name: Vectra AI Detect - Account in the Critical Quadrant
+description: |
+  'Identifies multiple Detections coming from the same account which caused a move into the Detect critical quadrant. 
+  The threat and certainty scores for the account are greater than 50 (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. 
+  This means that Vectra AI has detected malicous behaviors accross multiple phases of the Kill Chain and it requires immediate investigation.'
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_min = 50;
+  let certainty_score_min = 50;
+  let upn_has_prefix = ":";
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "asc"
+  | extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
+  | extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
+  | extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score >= threat_score_min and certainty_score >= certainty_score_min
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by saccount
+  | project saccount, upn, type, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: upn
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Account-High.yaml
+++ b/Detections/VectraAI/VectraDetect-Account-High.yaml
@ -0,0 +1,49 @@
+id: 1bfa4ccd-aab8-4d46-8814-3e244f60a1c3
+name: Vectra AI Detect - Account in the High Quadrant
+description: |
+  'Identifies multiple Detections coming from the same account which caused a move into the Detect High quadrant. 
+  To meet this requirement, the threat score must be in 50-100 range and the certainty score between in 0-50 range (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. '
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_min = 50;
+  let certainty_score_max = 50;
+  let upn_has_prefix = ":";
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "asc"
+  | extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
+  | extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
+  | extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score >= threat_score_min and certainty_score <= certainty_score_max
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by saccount
+  | project saccount, upn, type, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: upn
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Account-Low.yaml
+++ b/Detections/VectraAI/VectraDetect-Account-Low.yaml
@ -0,0 +1,49 @@
+id: fc70b5d8-2d76-4475-ae0c-a0bce8205366
+name: Vectra AI Detect - Account in the Low Quadrant
+description: |
+  'Identifies multiple Detections coming from the same account which caused a move into the Detect Low quadrant. 
+  To meet this requirement, the threat score must be in 0-50 range and the certainty score between in 0-50 range (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. '
+severity: Low
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_max = 50;
+  let certainty_score_max = 50;
+  let upn_has_prefix = ":";
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "asc"
+  | extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
+  | extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
+  | extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score < threat_score_max and certainty_score < certainty_score_max
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by saccount
+  | project saccount, upn, type, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: upn
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Account-Medium.yaml
+++ b/Detections/VectraAI/VectraDetect-Account-Medium.yaml
@ -0,0 +1,48 @@
+id: 95dcf6ac-0527-46fc-8a88-f93d7a9fc059
+name: Vectra AI Detect - Account in the Medium Quadrant
+description: |
+  'Identifies multiple Detections coming from the account which casued a move into the Detect Medium quadrant. 
+  To meet this requirement, the threat score must be in 0-50 range and the certainty score between in 50-100 range (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. '
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+relevantTechniques:
+query: |
+  let threat_score_max = 50;
+  let certainty_score_min = 50;
+  let upn_has_prefix = ":";
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "asc"
+  | extend saccount = extract("saccount=(.+?);", 1, AdditionalExtensions)
+  | extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[0]) ,"network" ) 
+  | extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,":")[1]) , saccount )
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score < threat_score_max and certainty_score >= certainty_score_min
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by saccount
+  | project saccount, upn, type, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: upn
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Behavior-BotnetActivity.yaml
+++ b/Detections/VectraAI/VectraDetect-Behavior-BotnetActivity.yaml
@ -0,0 +1,40 @@
+id: 3fffc448-7010-4215-bf94-c2fd05dd1810
+name: Vectra Detection - Botnet Activity
+description: |
+  'This query searches for Botnet Activity Detections triggered by one Detect's AI models.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
+  | extend cat = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | where cat == "BOTNET ACTIVITY" 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename triaged = DeviceCustomString5
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | summarize arg_max(threat_score, *) by SourceHostName, detection_name
+  | project  SourceHostName, SourceIP, DestinationIP, DestinationPort, DestinationHostName, detection_name, cat, threat_score, certainty_score, triaged, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Behavior-CommandAndControl.yaml
+++ b/Detections/VectraAI/VectraDetect-Behavior-CommandAndControl.yaml
@ -0,0 +1,40 @@
+id: 697a227e-18cc-4152-b549-7446cb47c051
+name: Vectra Detection - Command & Control
+description: |
+  'This query searches for Command and Control Detections triggered by one of Detect's AI models.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
+  | extend cat = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | where cat == "COMMAND & CONTROL" 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename triaged = DeviceCustomString5
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | summarize arg_max(threat_score, *) by SourceHostName, detection_name
+  | project  SourceHostName, SourceIP, DestinationIP, DestinationPort, DestinationHostName, detection_name, cat, threat_score, certainty_score, triaged, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Behavior-Exfiltration.yaml
+++ b/Detections/VectraAI/VectraDetect-Behavior-Exfiltration.yaml
@ -0,0 +1,40 @@
+id: 59887a28-1ccd-4f8a-81b8-864e0aada407
+name: Vectra Detection - Exfiltration
+description: |
+  'This query searches for Exfiltration Detections triggered by one of Detect's AI models.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
+  | extend cat = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | where cat == "EXFILTRATION" 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename triaged = DeviceCustomString5
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | summarize arg_max(threat_score, *) by SourceHostName, detection_name
+  | project  SourceHostName, SourceIP, DestinationIP, DestinationPort, DestinationHostName, detection_name, cat, threat_score, certainty_score, triaged, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Behavior-Insights.yaml
+++ b/Detections/VectraAI/VectraDetect-Behavior-Insights.yaml
@ -0,0 +1,40 @@
+id: d378578c-0a89-447d-833a-f4043203df11
+name: Vectra Detection - Insights
+description: |
+  'This query searches for Info Detections triggered by one of the Vectra AI models. 
+  Those are informative, providing security insights, and do not influence the score assigned to the Host.  They provide useful context to a Host or Account for an investigation.
+  Some examples: New role seen for a host (e.g DNS server), novel port (used for the first time from this host), etc.'
+severity: Low
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
+  | extend cat = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | where cat == "INFO"
+  | project-rename triaged = DeviceCustomString5
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | summarize arg_max(TimeGenerated, *) by SourceHostName, detection_name
+  | project SourceHostName, SourceIP, DestinationIP, DestinationPort, DestinationHostName, detection_name, cat, triaged, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Behavior-LateralMovement.yaml
+++ b/Detections/VectraAI/VectraDetect-Behavior-LateralMovement.yaml
@ -0,0 +1,40 @@
+id: 1a5861fc-dc83-4705-9dec-d7f670a139c0
+name: Vectra Detection - Lateral Movement
+description: |
+  'This query searches for Lateral Movement Detections triggered by one of Detect's AI models.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
+  | extend cat = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | where cat == "LATERAL MOVEMENT" 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename triaged = DeviceCustomString5
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | summarize arg_max(threat_score, *) by SourceHostName, detection_name
+  | project  SourceHostName, SourceIP, DestinationIP, DestinationPort, DestinationHostName, detection_name, cat, threat_score, certainty_score, triaged, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Behavior-Reconnaissance.yaml
+++ b/Detections/VectraAI/VectraDetect-Behavior-Reconnaissance.yaml
@ -0,0 +1,40 @@
+id: 11b1376f-2ccf-4ebe-8e08-8515343af4fb
+name: Vectra Detection - Reconnaissance/Discovery
+description: |
+  'This query searches for Reconnaissance Detections triggered by one of Detect's AI models.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Discovery
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" 
+  | extend cat = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | where cat == "RECONNAISSANCE" 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename triaged = DeviceCustomString5
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | summarize arg_max(threat_score, *) by SourceHostName, detection_name
+  | project  SourceHostName, SourceIP, DestinationIP, DestinationPort, DestinationHostName, detection_name, cat, threat_score, certainty_score, triaged, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-HighSeverityDetection-BotnetActivity.yaml
+++ b/Detections/VectraAI/VectraDetect-HighSeverityDetection-BotnetActivity.yaml
@ -0,0 +1,40 @@
+id: a958b9ef-e3a6-4d3b-b359-7c6fe723d5da
+name: Vectra AI Detect - Botnet Activity Detection with High Severity
+description: |
+  'Identifies detections with a threat score superior to 7.0 in the category Botnet Activity. This is consider has a high severity alert and should be investigated. 
+  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
+  The severity_threshold can be adjusted as desired.' 
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+query: |
+  //default threshold is 7 (meaning a threat score of 70)
+  let severity_threshold = 7.0;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" and SourceHostName != ""
+  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | where todecimal(LogSeverity) >= severity_threshold and Category == "BOTNET ACTIVITY" 
+  | summarize arg_max(threat_score, *) by SourceHostName, Activity
+  | sort by TimeGenerated
+  | project SourceHostName, Category, Activity, LogSeverity 
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-HighSeverityDetection-CommandAndControl.yaml
+++ b/Detections/VectraAI/VectraDetect-HighSeverityDetection-CommandAndControl.yaml
@ -0,0 +1,40 @@
+id: 6414c848-ca8a-4fb1-9634-34e6d163f451
+name: Vectra AI Detect - Command and Control Detection with High Severity 
+description: |
+  'Identifies detections with a threat score superior to 7.0 in the category Command and Control. This is consider has a high severity alert and should be investigated. 
+  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
+  The severity_threshold can be adjusted as desired.' 
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CommandAndControl
+relevantTechniques:
+query: |
+  //default threshold is 7 (meaning a threat score of 70)
+  let severity_threshold = 7.0;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" and SourceHostName != ""
+  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | where todecimal(LogSeverity) >= severity_threshold and Category == "COMMAND & CONTROL"
+  | summarize arg_max(threat_score, *) by SourceHostName, Activity
+  | sort by TimeGenerated
+  | project SourceHostName, Category, Activity, LogSeverity 
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-HighSeverityDetection-Exfiltration.yaml
+++ b/Detections/VectraAI/VectraDetect-HighSeverityDetection-Exfiltration.yaml
@ -0,0 +1,40 @@
+id: 7040fea1-c711-4d0c-b87c-c0a9141ed3e7
+name: Vectra AI Detect - Exfiltration Detection with High Severity
+description: |
+  'Identifies detections with a threat score superior to 7.0 in the category Exfiltration. This is consider has a high severity alert and should be investigated. 
+  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
+  The severity_threshold can be adjusted as desired.' 
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Exfiltration
+relevantTechniques:
+query: |
+  //default threshold is 7 (meaning a threat score of 70)
+  let severity_threshold = 7.0;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" and SourceHostName != ""
+  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | where todecimal(LogSeverity) >= severity_threshold and Category == "EXFILTRATION" 
+  | summarize arg_max(threat_score, *) by SourceHostName, Activity
+  | sort by TimeGenerated
+  | project SourceHostName, Category, Activity, LogSeverity 
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-HighSeverityDetection-LateralMovement.yaml
+++ b/Detections/VectraAI/VectraDetect-HighSeverityDetection-LateralMovement.yaml
@ -0,0 +1,40 @@
+id: bef90455-4143-4277-97eb-d25ed0c0240a
+name: Vectra AI Detect - Lateral Movement Detection with High Severity
+description: |
+  'Identifies detections with a threat score superior to 7.0 in the category Lateral Movement. This is consider has a high severity alert and should be investigated. 
+  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
+  The severity_threshold can be adjusted as desired.' 
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+relevantTechniques:
+query: |
+  //default threshold is 7 (meaning a threat score of 70)
+  let severity_threshold = 7.0;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" and SourceHostName != ""
+  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | where todecimal(LogSeverity) >= severity_threshold and Category == "LATERAL MOVEMENT"
+  | summarize arg_max(threat_score, *) by SourceHostName, Activity
+  | sort by TimeGenerated
+  | project SourceHostName, Category, Activity, LogSeverity 
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-HighSeverityDetection-Reconnaissance.yaml
+++ b/Detections/VectraAI/VectraDetect-HighSeverityDetection-Reconnaissance.yaml
@ -0,0 +1,40 @@
+id: 6f5ac5ba-799a-4d4a-8c23-cfaa5f75d908
+name: Vectra AI Detect - Reconnaissance/Discovery Detection with High Severity
+description: |
+  'Identifies detections with a threat score superior to 7.0 in the category Reconnaissance/Discovery. This is consider has a high severity alert and should be investigated. 
+  The Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. 
+  The severity_threshold can be adjusted as desired.' 
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Discovery
+relevantTechniques:
+query: |
+  //default threshold is 7 (meaning a threat score of 70)
+  let severity_threshold = 7.0;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID != "campaigns" and DeviceEventClassID != "hsc" and DeviceEventClassID != "audit" and DeviceEventClassID != "health" and DeviceEventClassID != "asc" and SourceHostName != ""
+  | extend Category = extract("cat=(.+?);", 1, AdditionalExtensions) 
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | where todecimal(LogSeverity) >= severity_threshold and Category == "RECONNAISSANCE"
+  | summarize arg_max(threat_score, *) by SourceHostName, Activity
+  | sort by TimeGenerated
+  | project SourceHostName, Category, Activity, LogSeverity 
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Host-Critical.yaml
+++ b/Detections/VectraAI/VectraDetect-Host-Critical.yaml
@ -0,0 +1,50 @@
+id: 8c705e06-6aa4-436a-b92f-0fa3fb248db6
+name: Vectra AI Detect - Host in the Critical Quadrant
+description: |
+  'Identifies multiple Detections coming from the same internal Host which caused a move into Detect's critical quadrant. 
+  The threat and certainty scores for that Host is greater than 50 (range is 1-100 for threat and certainty).  If required, variables in the query can be adjusted to a different threshold. 
+  This means that Vectra AI has detected malicous behaviors accross multiple phases of the Kill Chain and it requires immediate investigation.'
+severity: High
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_min = 50;
+  let certainty_score_min = 50;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "hsc"
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score >= threat_score_min and certainty_score >= certainty_score_min
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by SourceHostName
+  | project SourceHostName, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Host-High.yaml
+++ b/Detections/VectraAI/VectraDetect-Host-High.yaml
@ -0,0 +1,49 @@
+id: 6744c879-2c41-42c0-9709-0ee46a7af9db
+name: Vectra AI Detect - Host in the High Quadrant
+description: |
+  'Identifies multiple Detections coming from the same internal Host which caused a move into Detect's High quadrant. 
+  To meet this requirement, the threat score must be in 50-100 range and the certainty score in the 0-50 range (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. '
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_min = 50;
+  let certainty_score_max = 50;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "hsc"
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score >= threat_score_min and certainty_score <= certainty_score_max
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by SourceHostName
+  | project SourceHostName, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Host-Low.yaml
+++ b/Detections/VectraAI/VectraDetect-Host-Low.yaml
@ -0,0 +1,49 @@
+id: c7f7cd69-cafe-477d-a775-935504bffa10
+name: Vectra AI Detect - Host in the Low Quadrant
+description: |
+  'Identifies multiple Detections coming from the same internal Host which caused a move into Detect's Low quadrant. 
+  To meet this requirement, the threat score must be in 0-50 range and the certainty score in the 0-50 range (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. '
+severity: Low
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_max = 50;
+  let certainty_score_max = 50;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "hsc"
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score < threat_score_max and certainty_score < certainty_score_max
+  //keep only the event with the highest threat score per Host
+  | summarize arg_max(threat_score, *) by SourceHostName
+  | project SourceHostName, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-Host-Medium.yaml
+++ b/Detections/VectraAI/VectraDetect-Host-Medium.yaml
@ -0,0 +1,49 @@
+id: 713890f6-e8e4-4e4d-a8d4-336817dcb834
+name: Vectra AI Detect - Host in the Medium Quadrant
+description: |
+  'Identifies multiple Detections comming from the same internal Host which caused a move into Detect's Medium quadrant. 
+  To meet this requirement, the threat score must be in 0-50 range and the certainty score in the 50-100 range (range is 1-100 for threat and certainty). If required, variables in the query can be adjusted to a different threshold. '
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - Discovery
+  - LateralMovement
+  - Collection
+  - CommandAndControl
+  - Exfiltration
+  - Impact
+relevantTechniques:
+query: |
+  let threat_score_max = 50;
+  let certainty_score_min = 50;
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID == "hsc"
+  | project-rename threat_score = FlexNumber1
+  | project-rename certainty_score = FlexNumber2
+  | project-rename vectra_URL = DeviceCustomString4
+  | project-rename detection_name = DeviceEventClassID
+  | project-rename score_decreases = DeviceCustomString3
+  | where threat_score < threat_score_max and certainty_score >= certainty_score_min
+  //keep only the event with the highest certainty score per Host
+  | summarize arg_max(certainty_score, *) by SourceHostName
+  | project SourceHostName, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIP
+version: 1.0.0
--- a/Detections/VectraAI/VectraDetect-NewCampaign.yaml
+++ b/Detections/VectraAI/VectraDetect-NewCampaign.yaml
@ -0,0 +1,32 @@
+id: a34d0338-eda0-42b5-8b93-32aae0d7a501
+name: Vectra AI Detect - New Campaign Detected
+description: |
+  'Identifies when a new Campaign has been detected.  This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AIVectraDetect
+    dataTypes:
+      - CommonSecurityLog
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+  - CommandAndControl
+relevantTechniques:
+query: |
+  CommonSecurityLog
+  | where DeviceVendor == "Vectra Networks"
+  | where DeviceProduct == "X Series"
+  | where DeviceEventClassID contains "campaign"
+  | where DeviceAction == "START"
+  | extend reason = extract("reason=(.+?)$", 1, AdditionalExtensions)
+  | project-rename vectra_URL = DeviceCustomString4
+  | project Activity,SourceHostName, reason, vectra_URL
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: SourceHostName
+version: 1.0.0