Azure Sentinel SIEM integration (RUX)
Deploy the Microsoft Sentinel integration for Vectra Respond UX (package v3.3.0), including ingestion, workbooks, analytics rules, and playbooks.
This article applies only to customers using Vectra's Respond UX. If you are using the Quadrant UX, see Sending Vectra Detect Events to Microsoft Sentinel. If you are unsure which UX you are using, see Vectra Analyst User Experiences (Respond vs Quadrant).
New Version Available
November 2025 - Package Version 3.3.0
The following documentation pertains to the Vectra integration for Azure Sentinel package version 3.3.0.
What's New in v3.3.0
This release introduces significant upgrades across compatibility, configuration, and data ingestion. The following sections summarize the key enhancements and updates introduced in this version.
Version 3.3.0 introduces a breaking change due to Microsoft's transition from the HTTP Data Collector API to the Log Ingestion API. The new API requires new tables, so in-place upgrades from v3.2.x are not possible.
Why can't I upgrade in place?
Microsoft does not offer a native migration path from HTTP Data Collector to Log Ingestion API without data loss. Upgrading would require exporting and re-ingesting all pre-existing data into new tables. A future release will include tooling to migrate from v3.2.x to the Log Ingestion API without data loss.
Organizations with the following may choose to deploy v3.3.0 to a new workspace alongside their existing deployment:
Limited historical logs/incidents, OR
Internal Sentinel expertise to modify dashboards, analytics rules, and KQL queries to reference multiple workspaces and tables
This approach requires significant customization and is not supported by our team. We recommend waiting for the next release unless there is an urgent need.
Data Ingestion Enhancements
**Upgraded Python Runtime:** Moved the Function App from Python 3.9 → 3.12 to improve performance, security, and long-term platform compatibility.
**Vectra API v3.4 Integration:** Enhanced the connector to use Vectra API v3.4, enabling richer detection data, expanded entity information, and more accurate data structures.
**Schema Improvements:** Updated the data schema to improve ingestion performance, accuracy, and consistency across all Vectra detection and entity types.
**Optional Exclusion of grouped_details:** Added a configuration filter that allows customers to exclude grouped_details from Detection records. This option is designed for environments with high log volume or those encountering “message too large” errors, helping reduce payload size and improve ingestion reliability.
Azure & Authentication Enhancements
**Azure HRN / GUID Support:** Added support for Azure Human Readable Names (HRN) and GUID-based identifiers to deliver clearer resource context and improve SOC analyst workflows.
**Managed Identity Support:** Introduced the option to authenticate using Azure Managed Identities, enabling secure, passwordless deployments without storing credentials.
**Key Vault Integration Improvements:** Streamlined Key Vault access with Client ID + Secret authentication for more reliable credential retrieval and simpler configuration.
**Assignment Handling Optimization:** Migrated assignment information directly into the primary data stream, reducing the need for supplemental API calls and improving overall ingestion performance.
**Microsoft Sentinel Log Ingestion API Support:** Enabled full ingestion of Vectra detections and entities through the Log Ingestion API, delivering higher throughput, greater reliability, and more scalable deployments.
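As an added example (not code from the Vectra package or from this article), the Python 3.12 block below shows the two ingestion-side mechanics referred to above: what the optional exclusion of grouped_details does to a Detection record, and how records are grouped into batches that stay under the Log Ingestion API's per-call size cap so a single oversized payload surfaces as a clear error rather than a “message too large” failure at upload time. The sample records are constructed; apart from grouped_details, their field names are assumptions rather than the connector's schema, and the 1 MB cap is set as a parameter. The actual upload call (the azure-monitor-ingestion SDK's LogsIngestionClient.upload) is deliberately left out so the block runs offline.

```python
import json
from typing import Any

# Constructed sample records, shaped loosely like Vectra detection records. Only the
# grouped_details key is taken from the article; the other field names are assumptions.
SAMPLE_DETECTIONS: list[dict[str, Any]] = [
    {"id": 101, "detection_type": "Hidden HTTPS Tunnel", "threat": 70, "certainty": 60,
     "grouped_details": [{"dst_ips": ["198.51.100.10"], "bytes_sent": 1024}] * 200},
    {"id": 102, "detection_type": "Port Scan", "threat": 40, "certainty": 80,
     "grouped_details": [{"dst_ports": list(range(100))}] * 50},
    {"id": 103, "detection_type": "New Admin Share Access", "threat": 30, "certainty": 50,
     "grouped_details": []},
]

# Assumed per-call cap: the Log Ingestion API limits each upload to 1 MB.
DEFAULT_MAX_BYTES = 1_000_000


def strip_grouped_details(record: dict[str, Any], exclude: bool) -> dict[str, Any]:
    """Return the record without grouped_details when the exclusion filter is enabled."""
    if not exclude:
        return record
    return {k: v for k, v in record.items() if k != "grouped_details"}


def encoded_size(obj: Any) -> int:
    """Size in bytes of obj as compact UTF-8 JSON, the form it would be uploaded in."""
    return len(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def batch_records(records, exclude_grouped_details=False, max_bytes=DEFAULT_MAX_BYTES):
    """Split records into JSON-array batches whose encoding stays within max_bytes.

    A record that exceeds the cap on its own (even after filtering) raises ValueError;
    that is the "message too large" condition the exclusion option exists to avoid.
    """
    batches: list[list[dict[str, Any]]] = []
    current: list[dict[str, Any]] = []
    current_bytes = 2  # the enclosing "[" and "]" of the batch array
    for raw in records:
        rec = strip_grouped_details(raw, exclude_grouped_details)
        rec_bytes = encoded_size(rec)
        if rec_bytes + 2 > max_bytes:
            raise ValueError(
                f"record {rec.get('id')} is {rec_bytes} bytes, over the {max_bytes}-byte cap"
            )
        extra = rec_bytes + (1 if current else 0)  # +1 for the separating comma
        if current and current_bytes + extra > max_bytes:
            batches.append(current)
            current, current_bytes = [], 2
            extra = rec_bytes
        current.append(rec)
        current_bytes += extra
    if current:
        batches.append(current)
    return batches


def savings_report(records) -> dict[str, int]:
    """Bytes with and without grouped_details, to judge whether the filter is worth enabling."""
    full = encoded_size(records)
    trimmed = encoded_size([strip_grouped_details(r, True) for r in records])
    return {"full_bytes": full, "trimmed_bytes": trimmed, "saved_bytes": full - trimmed}


if __name__ == "__main__":
    print(savings_report(SAMPLE_DETECTIONS))
    # A deliberately tiny cap makes the batching visible on the small sample set.
    for i, batch in enumerate(batch_records(SAMPLE_DETECTIONS, exclude_grouped_details=True, max_bytes=150)):
        print(f"batch {i}: ids={[r['id'] for r in batch]} bytes={encoded_size(batch)}")
```

Running savings_report against a day of real Detection records is a quick way to decide whether the grouped_details filter is worth the loss of per-detection detail in the workspace; the batching logic is the part a client wraps around each upload call regardless of that choice.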
Playbook Enhancements
**Close Detections and Entities:** Introduced playbooks that allow analysts to close one or multiple detections or entities directly from Sentinel, streamlining investigation workflows.
**Reopen Closed Detections:** Added a playbook that allows analysts to reopen previously closed detections for continued investigation.
**PCAP Retrieval Playbook:** Created a playbook that downloads PCAP files from Vectra and stores them in an Azure Storage Account for deeper forensic analysis.
**Defender Alert Enrichment:** Implemented a playbook that inserts Microsoft Defender alerts into Sentinel incident timelines to improve cross-tool correlation and investigation context.
Additional Enhancements
**Workbook:** Aligned all Microsoft Sentinel workbooks with Log Ingestion API data to ensure accurate dashboards, improved visualizations, and consistent formatting across all views.
**Parser:** Refreshed all log parsers to support the Log Ingestion API, ensuring accurate mapping and normalization of Vectra detection and entity data.
**Analytics Rules:** Modernized analytics rules to consume Log Ingestion API data, increasing rule stability, improving detection quality, and enabling broader coverage.
Implementation Resources
Several resources are available to assist with implementation and training. The individual resources, available for download or viewing, can be found on the right side of this page.
Microsoft Sentinel for Vectra XDR - Integration Guide.pdf: Contains the implementation steps for new or upgrade scenarios.
Microsoft Sentinel for Vectra XDR - Workbooks.pdf: Contains the implementation steps for deploying dashboard visualizations.
Microsoft Sentinel for Vectra XDR - Analytics Rules.pdf: Contains the implementation steps for deploying analytics rules for incident creation.
Microsoft Sentinel for Vectra XDR - Playbooks.pdf: Contains the implementation steps for deploying the various Logic Apps (Playbooks) for automation.
Microsoft Sentinel for Vectra XDR - Configuration Workbook Template v330.xlsx: The configuration template that should be used when implementing this integration.
Microsoft Sentinel for Vectra XDR - Alert When Function App Fails v330.json: The JSON template for creating the monitor alert rule.
Training Videos: These videos are based on package version 3.2.0 but are still relevant. Use them as guidance, but always refer to the published documentation for current and detailed implementation steps.