#type="Vectra-Detect" AND role=* AND user != "null" AND result="failure"
| user=?user
| timechart("user")

#type="Vectra-Detect" AND role=* AND user != "null" AND result="success"
| user=?user
| timechart("user")

#type="Vectra-Detect" AND role=*
| result=?result
| message=?search
| select([@timestamp, user, privilege, result, message])
| "User" := rename(user)
| "Role" := rename(privilege)
| "Result" := rename(result)
| "Activity" := rename(message)

#type="Vectra-Detect" AND role=*
| user=?user
| result=?result
| message=?search
| groupBy(result)

#type = "Vectra-Detect" AND (category="HOST SCORING" or category="ACCOUNT SCORING")
| case {
    threat <= 50 AND certainty <= 50 | Severity := "LOW";
    threat > 50 AND certainty > 50 | Severity := "CRITICAL";
    threat > 50 AND certainty <= 50 | Severity := "HIGH";
    threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
   *}
      | Severity=?severity
      | groupBy("Severity")

#type = "Vectra-Detect" | in(category, values=["HOST SCORING", "ACCOUNT SCORING"])
| case {
    threat <= 50 AND certainty <= 50 | Severity := "LOW";
    threat > 50 AND certainty > 50 | Severity := "CRITICAL";
    threat > 50 AND certainty <= 50 | Severity := "HIGH";
    threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
    *}
| Severity=?severity
| case {
        host_name   | Entity := host_name;
        account_uid | Entity := account_uid;
    * }
| "Host IP" := rename(host_ip)| "Vectra URL" := rename(href)
| Entity=?entity
| groupBy(Entity, function={tail(1) | "Host IP" := rename(host_ip)| "Vectra URL" := rename(href) | select([@timestamp, Severity, Entity, "Entity Dashboard", "Host IP", threat, certainty, "Vectra URL"])})

#type = "Vectra-Detect" AND (category="BOTNET ACTIVITY" or category="EXFILTRATION" or category="COMMAND & CONTROL" or category="RECONNAISSANCE" or category="LATERAL MOVEMENT" or category="INFO")
| case {
    threat <= 50 AND certainty <= 50 | Severity := "LOW";
    threat > 50 AND certainty > 50 | Severity := "CRITICAL";
    threat > 50 AND certainty <= 50 | Severity := "HIGH";
    threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
    *}
|Severity=?severity
| case {
    host_name   | Entity:= host_name;
    account_uid | Entity := account_uid;
    * }
|Entity=?entity
|timechart(category)

#type = "Vectra-Detect" AND (category="BOTNET ACTIVITY" or category="EXFILTRATION" or category="COMMAND & CONTROL" or category="RECONNAISSANCE" or category="LATERAL MOVEMENT" or category="INFO")
| case {
    threat <= 50 AND certainty <= 50 | Severity := "LOW";
    threat > 50 AND certainty > 50 | Severity := "CRITICAL";
    threat > 50 AND certainty <= 50 | Severity := "HIGH";
    threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
    *}
| Severity=?severity
| case {
    host_name   | Entity:= host_name;
    account_uid | Entity := account_uid;
    * }
| Entity=?entity
| groupBy("detection_id", function={tail(1)| "Detection name" := rename(d_type_vname)| "Vectra URL" := rename(href) | time := rename(vectra_timestamp)
| select([time,triaged,category,Severity,Entity,host_ip,"Detection name",threat,certainty,"Vectra URL"])})