Vectra Add Tag To Entity All Detections

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook enables user to add tags to all detections associated with a Vectra Entity. Tags can be fetched from comments of the associated incident else if no comments found, users can provide comments via MS Teams.

Attribute	Value
Type	Playbook
Solution	Vectra XDR
Source	View on GitHub

Logic App Connectors

This playbook uses 5 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	0
`keyvault`	Managed	1	3
`teams`	Managed	1	0
`http`	Built-in	0	3
`workflow`	Built-in	0	3

Action parameters (URLs, paths, function IDs)

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Access_Token_For_Adding_Tags_To_Each_Detection	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Fetching_Tags	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Detections_Data	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_Request_To_Add_Tags_To_Detection_Associated_With_Vectra_Entity	PATCH	`@{variables('base_url')}/api/@{variables('api_version')}/tagging/detection/@{items('For_Each_Loop_To_Add_Tag_To_Detection')}`	—
HTTP_Request_To_Fetch_Detection_Tags	GET	`@{variables('base_url')}/api/@{variables('api_version')}/tagging/detection/@{items('For_Each_Loop_To_Add_Tag_To_Detection')}`	—
HTTP_Request_To_Fetch_Detections_Data_Associated_With_Entity	GET	`@{variables('base_url')}/api/@{variables('api_version')}/detections`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
GenerateAccessTokenVectra	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra_3	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra_2	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`

Additional Documentation

📄 Source: VectraAddTagToEntityAllDetections/readme.md

Summary

This playbook enables users to add tags to all detections associated with a Vectra Entity. Tags can be fetched from comments of the associated incident or, if no comments are found, it prompts the user for tags input via Microsoft Teams.

Prerequisites

Obtain Key Vault name and Tenant ID where client credentials are stored using which access token will be generated.
- Create a Key Vault with a unique name.
- Go to Key Vaults → your Key Vault → Overview and copy Directory ID, which will be used as the tenant ID.
- NOTE: Ensure the Permission model in the Access Configuration of Key Vault is set to 'Vault access policy'.
Obtain Teams GroupId and ChannelId.
- Create a Team with a public channel.
- Click on the three dots (...) next to your newly created Teams channel and select Get link to channel.
- Copy the text from the link between /channel and /, decode it using an online URL decoder, and copy it to use as Channel ID.
- Copy the text of the GroupId parameter from the link to use as GroupId.
Ensure the VectraGenerateAccessToken playbook is deployed before deploying VectraAddTagToEntityAllDetections playbook.

Deployment Instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- PlaybookName: Enter the playbook name here.
- KeyVaultName: Name of the Key Vault where secrets are stored.
- TenantId: Tenant ID where the Key Vault is located.
- BaseURL: Enter the base URL of your Vectra account.
- TeamsGroupId: Enter Id of the Teams Group where the adaptive card will be posted.
- TeamsChannelId: Enter Id of the Teams Channel where the adaptive card will be posted.
- GenerateAccessCredPlaybookName: Playbook name which is deployed as part of prerequisites.

Post-Deployment Instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

Go to your logic app → API connections → Select keyvault connection resource.
Go to General → Edit API connection.
Click Authorize.
Sign in.
Click Save.
Repeat steps for other connections.

b. Add Access Policy in Key Vault

Add access policy for the playbook's managed identity and authorized user to read and write secrets of the Key Vault.

Go to Logic App → your Logic App → Identity → System assigned Managed identity and copy Object (principal) ID.
Go to Key Vaults → your Key Vault → Access policies → Create.
Select all keys & secrets permissions. Click Next.
In the principal section, search by copied Object ID. Click Next.
Click Review + Create.
Repeat steps 2 to 5 to add access policy for the user account used to authorize the connection.

c. Configurations in Microsoft Sentinel

In Microsoft Sentinel, the analytical rule should be configured to trigger an incident based on data ingested from Vectra. Incident should have Entity mapping.
To manually run the playbook on a particular incident, follow the steps below:
- Go to Microsoft Sentinel → your workspace → Incidents.
- Select an incident.
- In the right pane, click on Actions, and from the dropdown select the Run Playbook option.
- Click on the Run button beside this playbook.

d. Note

In Microsoft Sentinel Incident, the comment should be in following structure only to be able to extract values from it.
- tag_dets: [tag_value] (Do not use quotes for tag value)
- tag_dets: {tag_value} (Do not use quotes for tag value)
- Single tag value is supported from the comment. For multiple tag values, use adaptive card option insted.