Vectra Mark Detections As Fixed

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook will mark active detection as fixed associated with an entity based on choice of user provided over MS Teams. Also it adds a pre-defined but user customizable comment to an incident and also adds a pre-defined but user customizable note to Vectra Entity.

Attribute	Value
Type	Playbook
Solution	Vectra XDR
Source	View on GitHub

Logic App Connectors

This playbook uses 5 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	1
`keyvault`	Managed	1	3
`teams`	Managed	1	0
`http`	Built-in	0	3
`workflow`	Built-in	0	3

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_Comment_To_Incident_(V3)	post	`/Incidents/Comment`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Access_Token_For_Active_Detections	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Add_Note_To_Vectra_Entity	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Access_Token_For_Mark_Detections_As_Fixed	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_Request_To_Fetch_Active_Detections_For_Entity	GET	`@{variables('base_url')}/api/@{variables('api_version')}/detections`	—
HTTP_Request_To_Add_Note_To_Vectra_Entity	POST	`@{variables('base_url')}/api/@{variables('api_version')}/entities/@{variables('entity_id')}/notes`	—
HTTP_Request_To_Mark_Detections_As_Fixed_For_Associated_Entity	PATCH	`@{variables('base_url')}/api/@{variables('api_version')}/detections`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
GenerateAccessTokenVectra_2	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra_3	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`

Additional Documentation

📄 Source: VectraMarkDetectionsAsFixed/readme.md

Summary

This playbook will mark all active detection as fixed associated with an entity. Also it adds a pre-defined but user customizable comment to an incident and also adds a pre-defined but user customizable note to Vectra Entity.

Prerequisites

The Vectra XDR data connector should be configured to create alerts and generate an incident based on entity data in Microsoft Sentinel.
Obtain the key vault name and tenantId where client credentials are stored using which access token will be generated.
- Create a Key Vault with a unique name.
- Go to Keyvaults → your Key Vault → Overview and copy DirectoryID which will be used as tenantId.
- NOTE: Ensure the Permission model in the Access Configuration of Key Vault is set to 'Vault access policy'.
Ensure that the VectraGenerateAccessToken playbook is deployed before deploying VectraMarkDetectionsAsFixed playbook.

Deployment Instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- PlaybookName: Enter the playbook name here.
- KeyVaultName: Name of the Key Vault where secrets are stored.
- TenantId: Tenant ID where the Key Vault is located.
- BaseURL: Enter the base URL of your Vectra account.
- IncidentComment: All Active Detections associated with an Entity has been fixed successfully.
- EntityNote: All Active Detections associated with an Entity has been fixed successfully..
- GenerateAccessCredPlaybookName: Playbook name which is deployed as part of prerequisites.

Post-Deployment Instructions

a. Authorize Connections

Once deployment is complete, authorize each connection.

Go to your logic app → API connections → Select keyvault connection resource.
Go to General → Edit API connection.
Click Authorize.
Sign in.
Click Save.
Repeat steps for other connections.

b. Add Access Policy in Key Vault

Add access policy for the playbook's managed identity and authorized user to read and write secrets of the Key Vault.

Go to logic app → your Logic App → identity → System assigned Managed identity and copy Object (principal) ID.
Go to key vaults → your Key Vault → Access policies → create.
Select all keys & secrets permissions. Click next.
In the principal section, search by copied Object ID. Click next.
Click review + create.
Repeat the above steps 2 to 5 to add access policy for the user account using which connection is authorized.

c. Assign Role to Add Comment in Incident

Assign a role to this playbook.

Go to Log Analytics Workspace → your workspace → Access Control → Add.
Add role assignment.
Assignment type: Job function roles.
Role: Microsoft Sentinel Contributor.
Members: Select managed identity for assigned access to and add your logic app as a member.
Click on review+assign.

d. Configurations in Microsoft Sentinel

In Microsoft Sentinel, an analytical rule should be configured to trigger an incident based on data ingested from Vectra. The incident should have Entity mapping.
To manually run the playbook on a particular incident, follow the below steps: a. Go to Microsoft Sentinel → your workspace → Incidents. b. Select an incident. c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option. d. Click on the Run button beside this playbook.