Vectra Update Incident Based on Tag And Notify

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook runs hourly to identify entities with Medium severity incidents, checks for user-defined tags in Vectra, and if found, upgrades the incident severity to High, adds a comment, and sends a notification to a specified MS Teams channel.

Attribute	Value
Type	Playbook
Solution	Vectra XDR
Source	View on GitHub

Logic App Connectors

This playbook uses 8 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuremonitorlogs`	Managed	1	1
`azuresentinel`	Managed	1	0
`azuresentinel_1`	Managed	0	2
`keyvault`	Managed	1	0
`keyvault_3`	Managed	0	2
`teams`	Managed	1	1
`http`	Built-in	0	2
`workflow`	Built-in	0	2

Action parameters (URLs, paths, function IDs)

`azuremonitorlogs` (Managed)

Action	Method	Endpoint	Other
Run_Query_And_List_Incidents_V2_(Preview)	post	`/queryDataV2`	—

`azuresentinel_1` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)	post	`/Incidents/Comment`	—
Update_Incident_Severity_To_High	put	`/Incidents`	—

`keyvault_3` (Managed)

Action	Method	Endpoint	Other
Get_Vectra_Access_Token_For_Account	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—
Get_Vectra_Access_Token_For_Host	get	`/secrets/@{encodeURIComponent('Vectra-Access-Token')}/value`	—

`teams` (Managed)

Action	Method	Endpoint	Other
Sent_Notification_Message_To_MS_Teams	post	`/beta/teams/conversation/message/poster/Flow bot/location/@{encodeURIComponent('Channel')}`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_Request_To_Fetch_Associated_Account_Entity_Data	GET	`@{variables('base_url')}/api/@{variables('api_version')}/entities`	—
HTTP_Request_To_Fetch_Host_Entity_Data	GET	`@{variables('base_url')}/api/@{variables('api_version')}/entities`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
GenerateAccessTokenVectra_2	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`
GenerateAccessTokenVectra	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('GenerateAccessCredPlaybookName')))]` triggerName=`manual`

Additional Documentation

📄 Source: VectraUpdateIncidentBasedOnTagAndNotify/readme.md

Summary

Prerequisites

The Vectra XDR data connector should be configured to create alerts and generate an incident based on entity data in Microsoft Sentinel.
Obtain Key Vault name and Tenant ID where client credentials are stored using which access token will be generated.
- Create a Key Vault with a unique name.
- Go to Key Vaults → your Key Vault → Overview and copy Directory ID, which will be used as the tenant ID.
- NOTE: Ensure the Permission model in the Access Configuration of Key Vault is set to 'Vault access policy'.
User must have a Microsoft Teams account.
Ensure the VectraGenerateAccessToken playbook is deployed before deploying VectraUpdateIncidentBasedOnTagAndNotify playbook.

Deployment Instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- PlaybookName: Enter the playbook name here.
- KeyVaultName: Enter Name of the Key Vault where secrets are stored.
- TenantId: Enter Tenant ID where the Key Vault is located.
- BaseURL: Enter the base URL of your Vectra account.
- Tags: Enter a tag through which incident will be updated.
- TeamsGroupId: Enter Id of the Teams Group where the adaptive card will be posted.
- TeamsChannelId: Enter Id of the Teams Channel where the adaptive card will be posted.
- IncidentComment: Enter comment you want to add in incident which will be updated based on tag.
- WorkspaceName: Enter name of the log analytics workspace where incidents are available using generated using analytic rule.
- GenerateAccessCredPlaybookName: Enter Playbook name which is deployed as part of prerequisites.

Post-Deployment Instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

Go to your logic app → API connections → Select keyvault connection resource.
Go to General → Edit API connection.
Click Authorize.
Sign in.
Click Save.
Repeat steps for other connections.

b. Add Access Policy in Key Vault

Add access policy for the playbook's managed identity and authorized user to read and write secrets of the Key Vault.

Go to Logic App → your Logic App → Identity → System assigned Managed identity and copy Object (principal) ID.
Go to Key Vaults → your Key Vault → Access policies → Create.
Select all keys & secrets permissions. Click Next.
In the principal section, search by copied Object ID. Click Next.
Click Review + Create.
Repeat steps 2 to 5 to add access policy for the user account used to authorize the connection.

c. Assign Role to add comment in incident

Assign role to this playbook.

Go to Log Analytics Workspace → your workspace → Access Control → Add.
Add role assignment.
Assignment type: Job function roles.
Role: Microsoft Sentinel Contributor.
Members: select managed identity for assigned access to and add your logic app as member.
Click on Review + Assign.

d. Configurations in Microsoft Sentinel

In Microsoft Sentinel, the below analytical rules should be configured to trigger an incident:
- Vectra Create Incident Based On Tag For Entity Type Account.
- Vectra Create Incident Based On Tag For Entity Type Host.
- Vectra Priority Account Incidents.
- Vectra Priority Host Incidents.