Host by Severity
Description: Displays a pie chart of scored hosts and accounts by severity (Low, Medium, High, Critical).
Widget type: Pie Chart
Query:
    #type = "Vectra-Detect" AND (category="HOST SCORING" or category="ACCOUNT SCORING")
    | case {
        threat <= 50 AND certainty <= 50 | Severity := "LOW";
        threat > 50 AND certainty > 50 | Severity := "CRITICAL";
        threat > 50 AND certainty <= 50 | Severity := "HIGH";
        threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
        * }
    | Severity=?severity
    | groupBy("Severity")

Entities View
Description: Lists accounts and hosts with their associated scores and the derived severity.
Widget type: Table
Query:
    #type = "Vectra-Detect" | in(category, values=["HOST SCORING", "ACCOUNT SCORING"])
    | case {
        threat <= 50 AND certainty <= 50 | Severity := "LOW";
        threat > 50 AND certainty > 50 | Severity := "CRITICAL";
        threat > 50 AND certainty <= 50 | Severity := "HIGH";
        threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
        * }
    | Severity=?severity
    | case {
        host_name | Entity := host_name;
        account_uid | Entity := account_uid;
        * }
    | "Host IP" := rename(host_ip) | "Vectra URL" := rename(href)
    | Entity=?entity
    | groupBy(Entity, function={
        tail(1)
        | "Host IP" := rename(host_ip) | "Vectra URL" := rename(href)
        | select([@timestamp, Severity, Entity, "Entity Dashboard", "Host IP", threat, certainty, "Vectra URL"])
      })

Detections by category over Time
Description: Time chart of detections per category over time, filtered by the selected severity and entity.
Widget type: Time Chart
Query:
    #type = "Vectra-Detect" AND (category="BOTNET ACTIVITY" or category="EXFILTRATION" or category="COMMAND & CONTROL" or category="RECONNAISSANCE" or category="LATERAL MOVEMENT" or category="INFO")
    | case {
        threat <= 50 AND certainty <= 50 | Severity := "LOW";
        threat > 50 AND certainty > 50 | Severity := "CRITICAL";
        threat > 50 AND certainty <= 50 | Severity := "HIGH";
        threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
        * }
    | Severity=?severity
    | case {
        host_name | Entity := host_name;
        account_uid | Entity := account_uid;
        * }
    | Entity=?entity
    | timechart(category)

Detections list
Description: Lists detections, one row per detection_id (latest event wins), filtered by entity name and severity.
Widget type: Table
Query:
    #type = "Vectra-Detect" AND (category="BOTNET ACTIVITY" or category="EXFILTRATION" or category="COMMAND & CONTROL" or category="RECONNAISSANCE" or category="LATERAL MOVEMENT" or category="INFO")
    | case {
        threat <= 50 AND certainty <= 50 | Severity := "LOW";
        threat > 50 AND certainty > 50 | Severity := "CRITICAL";
        threat > 50 AND certainty <= 50 | Severity := "HIGH";
        threat <= 50 AND certainty > 50 | Severity := "MEDIUM";
        * }
    | Severity=?severity
    | case {
        host_name | Entity := host_name;
        account_uid | Entity := account_uid;
        * }
    | Entity=?entity
    | groupBy("detection_id", function={
        tail(1)
        | "Detection name" := rename(d_type_vname) | "Vectra URL" := rename(href) | time := rename(vectra_timestamp)
        | select([time, triaged, category, Severity, Entity, host_ip, "Detection name", threat, certainty, "Vectra URL"])
      })
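The four widgets above share the same severity thresholds and the same host_name/account_uid entity fallback. To check what that logic produces on raw events before trusting the dashboard, here is an added Python re-implementation of the Detections list pipeline (not code from the Vectra-Detect package or from LogScale); field names follow the query, and the events, hostnames and URL are constructed samples.

```python
# Added example, not code from the Vectra-Detect package or LogScale: a Python
# re-implementation of the "Detections list" pipeline above, so the severity and
# entity logic can be checked against raw events. Field names follow the query;
# the events at the bottom are constructed samples.
DETECTION_CATEGORIES = {"BOTNET ACTIVITY", "EXFILTRATION", "COMMAND & CONTROL",
                        "RECONNAISSANCE", "LATERAL MOVEMENT", "INFO"}

def severity(threat, certainty):
    """Same thresholds as the dashboard case{} block; a score of exactly 50 counts as low."""
    if threat <= 50 and certainty <= 50:
        return "LOW"
    if threat > 50 and certainty > 50:
        return "CRITICAL"
    return "HIGH" if threat > 50 else "MEDIUM"

def entity(event):
    """host_name takes precedence over account_uid, as in the Entity case{} block."""
    return event.get("host_name") or event.get("account_uid")

def detections_list(events, severity_filter="*", entity_filter="*"):
    """category filter -> Severity -> Entity -> groupBy(detection_id, tail(1)) -> select."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("category") not in DETECTION_CATEGORIES:
            continue
        sev = severity(ev["threat"], ev["certainty"])
        ent = entity(ev)  # assumption: no host_name and no account_uid -> no Entity, event drops out
        if ent is None or severity_filter not in ("*", sev) or entity_filter not in ("*", ent):
            continue
        latest[ev["detection_id"]] = {  # tail(1): the newest event per detection_id wins
            "time": ev["vectra_timestamp"], "triaged": ev.get("triaged"),
            "category": ev["category"], "Severity": sev, "Entity": ent,
            "host_ip": ev.get("host_ip"), "Detection name": ev["d_type_vname"],
            "threat": ev["threat"], "certainty": ev["certainty"], "Vectra URL": ev["href"]}
    return list(latest.values())

def _ev(ts, det, cat, threat, certainty, **extra):
    """Build one constructed event; the URL is a placeholder, not a real Vectra host."""
    return {"@timestamp": ts, "detection_id": det, "category": cat, "threat": threat,
            "certainty": certainty, "d_type_vname": "Sample detection", "triaged": False,
            "vectra_timestamp": f"2024-01-01T00:00:{ts:02d}Z",
            "href": f"https://vectra.example/detections/{det}", **extra}

SAMPLE_EVENTS = [  # constructed: a rescored detection, a scoring event, an account detection
    _ev(1, 101, "COMMAND & CONTROL", 70, 40, host_name="ws-17", host_ip="10.0.0.17"),
    _ev(2, 101, "COMMAND & CONTROL", 80, 60, host_name="ws-17", host_ip="10.0.0.17"),
    _ev(3, 202, "HOST SCORING", 90, 90, host_name="ws-17"),
    _ev(4, 303, "INFO", 50, 50, account_uid="alice@corp.example"),
    _ev(5, 404, "RECONNAISSANCE", 10, 60),  # no host_name or account_uid
]
```

Running `detections_list(SAMPLE_EVENTS)` yields one CRITICAL row for detection 101 (its later rescoring replaces the first event) and one LOW row for the account detection; the scoring event and the entity-less detection never reach the table.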