Vectra Decorate Incident Based On Tag
This playbook adds a pre-defined or user-customizable comment to an incident that was generated based on tags, and adds a pre-defined or user-customizable note to the associated Vectra entity.
Logic App Connectors
This playbook uses 5 Logic App connectors / built-in actions:
Action parameters (URLs, paths, function IDs)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_Comment_To_Incident_(V3) | post | /Incidents/Comment | — |
| Get_Access_Token | get | /secrets/@{encodeURIComponent('Vectra-Access-Token')}/value | — |
| HTTP_Request_To_Add_Note_To_Vectra_Entity (http, built-in) | POST | @{variables('base_url')}/api/@{variables('api_version')}/entities/@{int(variables('entity_id'))}/notes | — |
| GenerateAccessTokenVectra | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))] triggerName=manual |
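As an added example that is not part of the playbook or of Vectra's own code, the Python below models the runtime path the table describes: read the access token from the Key Vault secret path, POST a note to the entity endpoint (with the same `int()` cast the playbook applies to `entity_id`), then post the incident comment. The two URL shapes come from the table; `BASE_URL`, the `API_VERSION` value, the bearer header, and the JSON body field names (`note`, `incidentArmId`, `message`) are assumptions, and `get_secret` / `transport` are injected stand-ins so the flow runs offline.

```python
# Added example (not the playbook's own code): offline model of the
# Get_Access_Token -> HTTP_Request_To_Add_Note_To_Vectra_Entity -> Add_Comment_To_Incident steps.
import json
from typing import Any, Callable, Dict, List
from urllib.parse import quote

# Constructed placeholder configuration (the deployment parameters on the page).
BASE_URL = "https://vectra.example.invalid"   # BaseURL parameter (placeholder)
API_VERSION = "v3"                            # assumed value of variables('api_version')
SECRET_NAME = "Vectra-Access-Token"           # secret name from the Get_Access_Token path

Transport = Callable[[str, str, Dict[str, str], Dict[str, Any]], int]


def keyvault_secret_path(secret_name: str) -> str:
    """Mirror of the Key Vault action path /secrets/@{encodeURIComponent(...)}/value."""
    return f"/secrets/{quote(secret_name, safe='')}/value"


def entity_note_url(base_url: str, api_version: str, entity_id: str) -> str:
    """Mirror of the HTTP action URL. The playbook wraps the id in int(), so a
    non-numeric entity_id fails the run instead of being spliced into the path."""
    eid = int(entity_id)  # ValueError for values such as "abc" or "12/../notes"
    return f"{base_url.rstrip('/')}/api/{api_version}/entities/{eid}/notes"


def redact(text: str, secret: str) -> str:
    """Keep the bearer token out of log lines and run-history text."""
    return text.replace(secret, "[REDACTED]") if secret else text


def decorate_incident(entity_id: str, incident_arm_id: str, entity_note: str,
                      incident_comment: str, get_secret: Callable[[str], str],
                      transport: Transport) -> Dict[str, Any]:
    """Read the token, note the Vectra entity, comment the Sentinel incident.
    get_secret and transport are injected so the flow can be exercised offline."""
    log: List[str] = []
    token = get_secret(keyvault_secret_path(SECRET_NAME))

    # HTTP_Request_To_Add_Note_To_Vectra_Entity (bearer header and "note" field are assumptions)
    url = entity_note_url(BASE_URL, API_VERSION, entity_id)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    entity_status = transport("POST", url, headers, {"note": entity_note})
    log.append(redact(f"POST {url} headers={json.dumps(headers)} -> {entity_status}", token))

    # Add_Comment_To_Incident_(V3): the Sentinel connector posts to /Incidents/Comment;
    # the body field names are assumptions.
    comment_status = transport("POST", "/Incidents/Comment",
                               {"Content-Type": "application/json"},
                               {"incidentArmId": incident_arm_id, "message": incident_comment})
    log.append(f"POST /Incidents/Comment -> {comment_status}")
    return {"entity_status": entity_status, "comment_status": comment_status, "log": log}


if __name__ == "__main__":
    # Constructed stand-ins for Key Vault and the network; nothing leaves the process.
    calls: List[Dict[str, Any]] = []

    def fake_transport(method, url, headers, body):
        calls.append({"method": method, "url": url, "headers": headers, "body": body})
        return 201

    result = decorate_incident("1234", "<incident-arm-id>", "Tagged entity",
                               "Incident created by tag", lambda path: "tok-secret",
                               fake_transport)
    print(json.dumps(result, indent=2))
```

The `int()` cast matters because `entity_id` arrives from incident entity data: anything that is not an integer aborts the run before a request is built, which is the same behaviour the Logic App expression has, and the redaction step shows why the token should never be interpolated into diagnostic output that lands in run history.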
Additional Documentation
📄 Source: VectraDecorateIncidentBasedOnTag/readme.md
Prerequisites
- The Vectra XDR data connector should be configured to create alerts and generate incidents based on entity data in Microsoft Sentinel.
- Obtain the Key Vault name and the tenantId of the vault where the client credentials used to generate the access token are stored.
- Create a Key Vault with a unique name.
- Go to Key vaults → your key vault → Overview and copy the Directory ID, which will be used as the tenantId.
- NOTE: Ensure the Permission model in the Access Configuration of the Key Vault is set to 'Vault access policy'.
- Make sure the VectraGenerateAccessToken playbook is deployed before deploying the VectraDecorateIncidentBasedOnTag playbook.
Deployment instructions
- To deploy the playbook, click the Deploy to Azure button. This launches the ARM template deployment wizard.
- Fill in the required parameters:
- PlaybookName: Enter the playbook name.
- KeyVaultName: Name of the Key Vault where the secrets are stored.
- TenantId: TenantId of the tenant where the Key Vault is located.
- BaseURL: Enter the base URL of your Vectra account.
- IncidentComment: Enter the comment to add to the incident created based on the tag.
- EntityNote: Enter the note to add to the Vectra entity.
- GenerateAccessCredPlaybookName: Name of the playbook deployed as part of the prerequisites.

Post-Deployment instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Go to your logic app → API connections → Select the key vault connection resource.
- Go to General → Edit API connection.
- Click Authorize.
- Sign in.
- Click Save.
- Repeat the steps for the other connections.
b. Assign a role to the playbook
After authorizing each connection, assign a role to this playbook.
- Go to Log Analytics Workspace → your workspace → Access Control → Add
- Add role assignment
- Assignment type: Job function roles
- Role: Microsoft Sentinel Contributor
- Members: select Managed identity for "Assign access to" and add your logic app as a member.
- Click Review + assign
c. Add access policy in Key Vault
Add an access policy for the playbook's managed identity and for the user who authorizes the connection, so they can read and write secrets in the Key Vault.
- Go to Logic apps → your logic app → Identity → System assigned managed identity and copy the Object (principal) ID.
- Go to Key vaults → your key vault → Access policies → Create.
- Select all keys & secrets permissions. Click Next.
- In the Principal section, search by the copied object ID. Click Next.
- Click Review + create.
- Repeat steps 2 to 5 above to add an access policy for the user account used to authorize the connection.
d. Configurations in Microsoft Sentinel
- In Microsoft Sentinel, the following analytics rules should be configured to trigger an incident:
- Vectra Create Incident Based On Tag For Entity Type Account
- Vectra Create Incident Based On Tag For Entity Type Host
- In Microsoft Sentinel, configure an automation rule to trigger the playbook:
- Go to Microsoft Sentinel → your workspace → Automation
- Click Create → Automation rule
- Provide a name for your rule
- In the Analytic rule name condition, select the analytics rule you created.
- In the Actions dropdown, select Run playbook
- In the second dropdown, select your deployed playbook
- Click Apply
- Save the automation rule.
NOTE: To run the playbook manually on a particular incident, follow these steps:
- Go to Microsoft Sentinel → your workspace → Incidents
- Select an incident.
- In the right pane, click Actions and select 'Run Playbook' from the dropdown.
- Click the Run button beside this playbook.