Vectra Dynamic Resolve Assignment

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

When an incident is closed, This playbook will prompt the operator to select an outcome from a predefined list, choose detections to triage from associated detection IDs and name list, provide a resolution note, and label the triaged detections. Based on the provided input playbook will resolve the open assignment.

Attribute	Value
Type	Playbook
Solution	Vectra XDR
Source	View on GitHub

Logic App Connectors

This playbook uses 6 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	0
`keyvault`	Managed	1	0
`keyvault_3`	Managed	0	5
`teams`	Managed	1	2
`http`	Built-in	0	5
`workflow`	Built-in	0	5

Action parameters (URLs, paths, function IDs)

`keyvault_3` (Managed)

Action	Method	Endpoint	Other
Get_Access_Token_For_Host_Entity	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Account_Entity	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Active_Detections	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Assignment_Outcomes	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Resolve_Assignment	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—

`teams` (Managed)

Action	Method	Endpoint	Other
Post_Message_For_No_Assignment_Outcomes_Found	post	`/beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')}`	—
Post_Message_For_No_Open_Assignment_Found_For_Associated_Account_Entity	post	`/beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')}`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_Request_To_Fetch_Data_For_Associated_Host_Entity	GET	`@{variables('base_url')}/api/@{variables('api_version')}/hosts/@{int(variables('entity_id'))}`	—
HTTP_Request_To_Fetch_Data_Of_Associated_Account_Entity	GET	`@{variables('base_url')}/api/@{variables('api_version')}/accounts/@{int(variables('entity_id'))}`	—
HTTP_Request_To_Fetch_Active_Detections_Associated_With_Entity	GET	`@{variables('base_url')}/api/@{variables('api_version')}/detections`	—
HTTP_Request_To_Fetch_Assignment_Outcomes	GET	`@{variables('base_url')}/api/@{variables('api_version')}/assignment_outcomes`	—
HTTP_Request_To_Resolve_Assignment	PUT	`@{variables('base_url')}/api/@{variables('api_version')}/assignments/@{variables('assignment_id')}/resolve`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
GenerateAccessTokenVectra_3	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra_4	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra_2	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra_5	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`

Additional Documentation

📄 Source: VectraDynamicResolveAssignment/readme.md

Summary

Prerequisites

The Vectra XDR data connector should be configured to create alerts and generate an incident based on entity data in Microsoft Sentinel.
Obtain the Key Vault name and Tenant ID where client credentials are stored using which the access token will be generated.
- Create a Key Vault with a unique name.
- Go to Key Vaults → your Key Vault → Overview and copy Directory ID, which will be used as the tenant ID.
- NOTE: Ensure the Permission model in the Access Configuration of Key Vault is set to 'Vault access policy'.
Obtain Teams GroupId and ChannelId.
- Create a Team with a public channel.
- Click on three dots (...) present on the right side of your newly created teams channel and Get link to the channel.
- Copy the text from the link between /channel and /, decode it using an online URL decoder, and copy it to use as channelId.
- Copy the text of groupId parameter from the link to use as groupId.
Make sure that the VectraGenerateAccessToken playbook is deployed before deploying VectraDynamicResolveAssignment playbook.

Deployment Instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- PlaybookName: Enter the playbook name here.
- KeyVaultName: Name of the Key Vault where secrets are stored.
- tenantId: Tenant ID where the Key Vault is located.
- BaseURL: Enter the base URL of your Vectra account.
- TeamsGroupId: Enter Id of the Teams Group where the adaptive card will be posted.
- TeamsChannelId: Enter Id of the Teams Channel where the adaptive card will be posted.
- GenerateAccessCredPlaybookName: Playbook name which is deployed as part of prerequisites.

Post-Deployment Instructions

a. Authorize Connections

Once deployment is complete, authorize each connection.

Go to your logic app → API connections → Select keyvault connection resource.
Go to General → Edit API connection.
Click Authorize.
Sign in.
Click Save.
Repeat steps for other connections.

b. Add Access Policy in Key Vault

Add access policy for the playbook's managed identity and authorized user to read and write secrets of the Key Vault.

Go to Logic App → your Logic App → Identity → System assigned Managed identity and copy Object (principal) ID.
Go to Key Vaults → your Key Vault → Access policies → Create.
Select all keys & secrets permissions. Click next.
In the principal section, search by copied Object ID. Click next.
Click review + create.
Repeat the above steps 2 to 5 to add access policy for the user account using which connection is authorized.

c. Configurations in Microsoft Sentinel

In Microsoft Sentinel, analytical rule should be configured to trigger an incident based on data ingested from Vectra. Incident should have Entity mapping.
In Microsoft Sentinel, Configure the automation rules to trigger the playbook.
- Go to Microsoft Sentinel → your workspace → Automation.
- Click on Create → Automation rule.
- Provide a name for your rule.
- Select Trigger as When incident is updated.
- In Conditions, select Status Equals 'Closed'.
- In Actions dropdown select Run playbook.
- In the second dropdown, select your deployed playbook.
- Click on Apply.
- Save the Automation rule.

NOTE: If you want to manually run the playbook on a particular incident, follow the below steps:

Go to Microsoft Sentinel → your workspace → Incidents.
Select an incident.
In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.
Click on the Run button beside this playbook.