Microsoft Sentinel SIEM Codeless Connector Framework (RUX)

Deploy the RUX Microsoft Sentinel CCF connector to ingest Vectra telemetry without customer-managed compute.

Overview

The Vectra AI RUX connector for Microsoft Sentinel ingests Security Operations data (detection, entity, and lockdown telemetry) from the Vectra AI platform using the Microsoft Sentinel Codeless Connector Framework (CCF).

The connector is built on the Vectra AI RUX API and is intended to replace the legacy Function App–based connector. It does not require an Azure Function App, virtual machine, or customer-managed compute for ingestion. Data polling, transformation, and ingestion are handled natively by Microsoft Sentinel through CCF and Data Collection Rules (DCRs).

The solution package includes:

  • Data Connector

  • Parsers

  • Custom Log Analytics tables

  • Workbook template

  • Analytics rule templates

  • Playbooks / Logic Apps

Architecture

Vectra AI Platform

        │ < HTTPS polling via Microsoft Sentinel CCF >

Microsoft Sentinel / Log Analytics Workspace

        ├── Custom Tables
        │   ├── Detections_Data_CCF_CL
        │   ├── Entities_Data_CCF_CL
        │   └── Lockdown_Data_CCF_CL

        ├── Parsers
        │   ├── VectraRUXDetections
        │   ├── VectraEntities
        │   └── VectraLockdown

        ├── Workbook Template
        │   └── VectraRUXSecurityDashboard

        ├── Analytics Rule Templates
        │   ├── Account incident rule
        │   └── Host incident rule

        └── Playbooks / Logic Apps

Connector Components

Component                | Description
-------------------------|-------------------------------------------------------------------------------------------
Data Connector           | Registers and configures the Vectra RUX connector in Microsoft Sentinel
Data Collection Rules    | Define ingestion streams, transformations, and table mappings
Custom Tables            | Store detections, entities, and lockdown records
Parsers                  | Provide normalized KQL functions for querying Vectra data
Workbook Template        | Provides the Vectra RUX Security Dashboard
Analytics Rule Templates | Provide incident creation rules for host and account detections
Playbooks / Logic Apps   | Provide automation actions for enrichment, tagging, notes, assignments, and response workflows

Deployment

The connector supports two deployment modes depending on certification status.

Preview Deployment

During preview, customers deploy the solution using Deploy a custom template in Azure using a JSON ARM template provided by Vectra. The ARM template includes the full Microsoft Sentinel package: Data Connector, Parsers, Custom Log Analytics tables, Workbook template, Analytics rule templates, and Playbooks / Logic Apps.

After deployment, customers configure the connector from the Microsoft Sentinel Data connectors page, enable desired analytics rules, the security workbook, and configure playbooks as needed.

Content Hub Deployment

After certification, deployment will be performed through Microsoft Sentinel Content Hub. Customers will install the Vectra AI RUX solution from Content Hub, then configure the connector, enable analytics rule templates, save the workbook template if desired, and configure playbooks.

Data Connector

The connector polls the Vectra AI API using OAuth2 client credentials. Each connection requires a connection alias, Vectra API base URL, Client ID, Client Secret, and the selected data stream.

A Data Stream is an individual ingestion pipeline within the connector that retrieves a specific category of data from the Vectra AI API and writes it into a corresponding Log Analytics table. Each stream operates independently and defines the API endpoint being queried, the polling interval, the checkpoint or synchronization method, the target Log Analytics table, and the associated parser and transformation logic.

The three data streams within the Security Operations integration are:

Stream     | Table                  | Parser              | Checkpoint Method                                | Poll Interval
-----------|------------------------|---------------------|--------------------------------------------------|--------------
Detections | Detections_Data_CCF_CL | VectraRUXDetections | PersistentToken using next_checkpoint            | 5 minutes
Entities   | Entities_Data_CCF_CL   | VectraEntities      | Sliding window using last_modified_timestamp_gte | 10 minutes
Lockdown   | Lockdown_Data_CCF_CL   | VectraLockdown      | Snapshot                                         | 5 minutes

Note: The previous Log Ingestion API (package version 3.3.0) uses table names without CCF (example: Detections_Data_CL). These tables are joined when populating the workbook to provide a better experience during the migration period after deploying this CCF version of the integration.

Detections Stream

The detections stream uses an event-based checkpointing model built around the Vectra /events/detections API endpoint. Each detection event in Vectra is assigned a serialized event ID. As new events occur, the ID increments monotonically.

After each successful polling cycle, events are ingested into Detections_Data_CCF_CL and the highest processed event ID is stored as the checkpoint. The next polling cycle resumes from that checkpoint, ensuring the connector always continues from the exact point where the previous ingestion cycle ended.

Because the checkpoint is ID-based rather than time-based:

  • Poll timing does not affect data continuity

  • Connector restarts do not cause gaps

  • Temporary outages do not lose events

  • Clock drift issues are avoided

Even if the connector does not poll again for several minutes, hours, or days, the next poll will continue from the last processed detection event ID.

Detection Polling Example

Determining the Detections Starting Checkpoint Seed Value

When the connector is initially configured, a starting event ID must be provided. The connector requests all events occurring after that ID. The recommended approach depends on the deployment type.

Term                  | Meaning
----------------------|----------------------------------------------------------------------------------------------
Greenfield Deployment | No prior Vectra integration exists in Sentinel
Migration Deployment  | A prior Vectra integration already exists and the customer is transitioning to the CCF connector

Greenfield Deployments — An API call to the Vectra platform is required to determine the seed value:

Copy the returned next_checkpoint value into the detections starting checkpoint field.

Migration Deployments — When a previous integration exists, the most recent event retrieved from Vectra is available via KQL:

Note: This query intentionally references the old table name Detections_Data_CL, as the previous integration has already populated data to a known point and the new connector should pick up from there.

Entities Stream

The entities stream uses time-based polling. The connector polls the Vectra entities endpoint every 10 minutes and retrieves entities modified since the previous polling window, using current_time - 10 minutes as the value for last_modified_timestamp_gte.

Example:

The entities stream continuously captures entity score changes, priority changes, assignment changes, state changes, tag updates, and entity metadata changes. Both host and account entities are included automatically.

Because the entities stream is time-window based, it does not maintain a serialized checkpoint and data continuity depends on successful polling intervals. Small overlap windows help reduce the chance of missed updates. This model is appropriate because entities represent continuously changing state (cumulative) rather than immutable event records.

Lockdown Stream

The lockdown stream uses a snapshot polling model. Every 5 minutes, the connector queries the current lockdown state from the Vectra API. If active lockdown records are returned, they are ingested into Lockdown_Data_CCF_CL.

The lockdown stream does not maintain a checkpoint because the API represents current state rather than historical events.

Important behavior: There is intentionally no post-processing deduplication for lockdown records. If an entity remains locked down for an extended period of time, the same lockdown record will be retrieved and ingested during every polling interval while the lockdown remains active.

Time  | Result
------|------------------------------
12:00 | Entity locked down
12:05 | Same lockdown record ingested
12:10 | Same lockdown record ingested
12:15 | Same lockdown record ingested

This behavior is intentional. Repeated ingestion provides an operational audit trail showing that the entity remained continuously locked down throughout the observed period, and also allows operators to identify situations where a lockdown was manually removed, temporarily disappeared, or reinstated later. Because the stream represents observed state over time rather than unique events, duplicate records are expected behavior.

When evaluating current lockdown state, filter to recent records:

To analyze historical lockdown continuity, query the full table without deduplication.
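Two queries illustrating both uses, added here as examples rather than taken from the solution; they read the raw Lockdown_Data_CCF_CL columns listed in the appendix (the VectraLockdown parser is the recommended entry point in production) and assume the 5-minute poll interval.

```kusto
// Current lockdown state: keep only records observed within the last two polling
// cycles (5-minute poll), then collapse repeated snapshots to one row per entity.
Lockdown_Data_CCF_CL
| where TimeGenerated > ago(10m)
| summarize arg_max(TimeGenerated, *) by entity_id
| project last_observed = TimeGenerated, entity_id, entity_name, entity_type,
          locked_by, lock_event_timestamp, unlock_event_timestamp

// Historical continuity: every snapshot is kept (no deduplication). The gap between
// consecutive observations of the same lockdown episode (same entity and same
// lock_event_timestamp) reveals intervals in which the record was absent, for example
// a lockdown that was manually removed and later reinstated.
Lockdown_Data_CCF_CL
| where TimeGenerated > ago(24h)
| order by entity_id asc, lock_event_timestamp asc, TimeGenerated asc
| extend gap = iff(entity_id == prev(entity_id) and lock_event_timestamp == prev(lock_event_timestamp),
                   TimeGenerated - prev(TimeGenerated), timespan(null))
| summarize observations = count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated),
            longest_gap = max(gap) by entity_id, entity_name, lock_event_timestamp
// One missed poll is tolerated; a longer gap means the record disappeared for a while.
| extend continuous = coalesce(longest_gap, 0s) <= 10m
| order by continuous asc, last_seen desc
```

Episodes with continuous == false are the ones worth reviewing against the Vectra audit log, since the stream stopped observing the lockdown for at least two cycles.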

Parsers

Use the included parsers for workbooks, analytics rules, hunting, and operational queries rather than querying the raw tables directly.

Parser              | Source Table           | Purpose
--------------------|------------------------|---------------------------
VectraRUXDetections | Detections_Data_CCF_CL | Normalized detection data
VectraEntities      | Entities_Data_CCF_CL   | Normalized entity data
VectraLockdown      | Lockdown_Data_CCF_CL   | Normalized lockdown data

Recommended:

Deduplication Guidance

Detection records may contain multiple updates for the same detection ID. Use arg_max() to evaluate the latest known state:
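The arg_max() pattern written out as an added example (not the solution's own query), using the raw Detections_Data_CCF_CL and Entities_Data_CCF_CL columns from the appendix; it also shows the entity variant, because the 10-minute sliding window overlaps and likewise yields repeated rows per entity.

```kusto
// Raw rows vs. distinct detections: shows how far a count without arg_max() over-counts.
Detections_Data_CCF_CL
| where TimeGenerated > ago(7d)
| summarize raw_rows = count(), distinct_detections = dcount(detection_id)

// Latest known state per detection. The event id increments monotonically, so the
// highest id seen for a detection_id is its most recent update, even when two
// updates share the same event_timestamp.
Detections_Data_CCF_CL
| where TimeGenerated > ago(7d)
| summarize arg_max(id, *) by detection_id
| where unresolved_priority == true
| project detection_id, change_type, event_timestamp, d_type_vname, category,
          entity_name, entity_type, threat, certainty, investigation_status, detection_href
| order by event_timestamp desc

// Same pattern for entities: keep the most recent modification per entity id.
Entities_Data_CCF_CL
| where TimeGenerated > ago(1d)
| summarize arg_max(last_modified_timestamp, *) by id
| project id, name, entity_type, urgency_score, is_prioritized, state, last_modified_timestamp
```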

Installation & Configuration

Installing the Connector

Preview Installation

  1. Open the Azure portal.

  2. Search for Deploy a custom template.

  3. Select Build your own template in the editor.

  4. Paste or upload the provided Vectra AI RUX ARM template.

  5. Select the subscription, resource group, and Sentinel workspace.

  6. Deploy the template.

  7. Open Microsoft Sentinel and navigate to Data connectors.

  8. Open the Vectra RUX Security Data Connector.

  9. Add one connection per data stream: Detections, Entities, Lockdown.

Content Hub Installation

  1. Open Microsoft Sentinel.

  2. Navigate to the desired workspace and select Content Hub.

  3. Search for the Vectra RUX solution and select Install.

  4. Configure the connector from Data connectors.

  5. Enable analytics rule templates.

  6. Save the workbook template if required.

  7. Configure playbooks and automation rules as needed.

Connector Configuration

Create a separate Vectra API client for each data stream:

Stream     | Recommended API Client
-----------|--------------------------------
Detections | Sentinel-Detections (read-only)
Entities   | Sentinel-Entities (read-only)
Lockdown   | Sentinel-Lockdown (read-only)

Important: To avoid OAuth2 API rate limiting, stagger connection creation by at least one minute when adding multiple streams.

Verifying Data Flow

After 10–15 minutes, verify ingestion using the following queries.

Raw table verification:

Parser validation:
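An added example, not part of the solution, that checks all three raw tables in one query and flags a stream whose latest record is older than three of its documented poll intervals.

```kusto
// Expected poll interval per table, taken from the data stream table above.
let expected = datatable(SourceTable:string, poll_interval:timespan) [
    "Detections_Data_CCF_CL", 5m,
    "Entities_Data_CCF_CL",   10m,
    "Lockdown_Data_CCF_CL",   5m
];
expected
| join kind=leftouter (
    union withsource=SourceTable Detections_Data_CCF_CL, Entities_Data_CCF_CL, Lockdown_Data_CCF_CL
    | where TimeGenerated > ago(1h)
    | summarize rows = count(), latest = max(TimeGenerated) by SourceTable
) on SourceTable
| extend lag = now() - latest
// A table with no rows in the last hour is reported as stale (latest is null).
| extend stale = isnull(latest) or lag > 3 * poll_interval
| project SourceTable, poll_interval, rows, latest, lag, stale
```

Lockdown_Data_CCF_CL only receives rows while a lockdown is active, so a stale result for that table is meaningful only when a lockdown is known to exist in Vectra.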

Monitoring Connector Health

Microsoft Sentinel connector health information is written to the SentinelHealth table when auditing and health monitoring is enabled for the workspace.

Note: The CCF-based connector does not use Azure Function Apps and therefore does not generate Function App telemetry or Application Insights exceptions. Connector health should be monitored using Microsoft Sentinel's native connector health capabilities rather than Azure Monitor Function App alerts.

Enabling Health Monitoring

  1. Open Microsoft Sentinel in the Azure portal.

  2. Select your workspace and navigate to Configuration → Settings → Settings.

  3. Select Auditing and health monitoring.

  4. Select one of the following options:

Option                         | Description
-------------------------------|-----------------------------------------------------------------------------
Enable                         | Enables auditing and health monitoring for all supported Sentinel resource types
Configure diagnostic settings  | Allows granular selection of monitored resource categories and destinations

For most deployments, selecting Enable is recommended. Microsoft Sentinel automatically creates the required diagnostic settings and begins sending health telemetry to the Log Analytics workspace.

The SentinelHealth table supports monitoring for Data connectors, Analytics rules, Automation rules, and Playbooks / Logic Apps.

Note: The SentinelHealth table is created automatically after the first health event is generated. This can take up to 30 minutes.

Verify ingestion using:

Recommended Connector Health Query

Returns the latest health state for the Vectra connector streams, filtered to failures only. This query is suitable for ad-hoc troubleshooting:

No results means there are no errors. Comment out the Status != "Success" line to review successful events as well.
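An added example of such a query (not the solution's own); it uses the standard SentinelHealth columns, and the SentinelResourceName filter assumes the connector's stream names contain "Vectra". Its 30-minute lookback also matches the query period of the alert rule described in the next section.

```kusto
SentinelHealth
| where TimeGenerated > ago(30m)
| where SentinelResourceType == "Data connector"
// Assumption: the connector streams carry "Vectra" in their resource name.
| where SentinelResourceName has "Vectra"
// Comment out the next line to also see successful polling events.
| where Status != "Success"
// Latest health record per stream, so one persistent failure yields one row.
| summarize arg_max(TimeGenerated, *) by SentinelResourceName
| project TimeGenerated, SentinelResourceName, Status, Description, Reason, ExtendedProperties
```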

Recommended Health Monitoring Alert Rule

The recommended monitoring approach for the CCF connector is a Scheduled Analytics Rule in Microsoft Sentinel.

Setting           | Recommended Value
------------------|------------------
Rule Type         | Scheduled
Query Frequency   | 15 minutes
Query Period      | 30 minutes
Trigger Threshold | Greater than 0
Severity          | Medium
Incident Creation | Enabled

Microsoft also provides the Data collection health monitoring workbook through Content Hub, which visualizes connector ingestion trends, anomalies, and connector health state over time. Install it from: Microsoft Sentinel → Content Hub → Data collection health monitoring.

Workbook

The solution includes the VectraRUXSecurityDashboard workbook template. This pre-built workbook provides visibility into entity scoring and prioritization, detection activity, escalated and prioritized detections, MITRE ATT&CK mappings, data source classification, lockdown state, entity-to-detection drilldowns, and deep links into Vectra.

Workbook Tabs & Filters

Tab        | Description
-----------|----------------------------------------------------------------------------------------
Entity     | Entity priority, urgency, scoring, assignment, and drilldown views
Detections | Detection investigation, category counts, MITRE filtering, and selected detection details
Lockdown   | Lockdown status by entity, lock timestamp, unlock timestamp, and locking user

The workbook includes filters for time range, prioritized status, entity type, data source type, detection category, detection behavior, MITRE technique, and lockdown status. Supported data source categories include AWS, Azure, Entra ID/M365, and Network.

Opening and Saving the Workbook

To view the workbook:

  1. Open Microsoft Sentinel and navigate to Workbooks.

  2. Select the Templates tab.

  3. Search for VectraRUXSecurityDashboard.

  4. Select the workbook and choose View template.

To save the workbook to My workbooks:

  1. Open the workbook from Templates.

  2. Select Save.

  3. Choose the subscription, resource group, and region.

  4. Save the workbook.

Analytics Rules

The solution includes two Scheduled analytics rule templates — both rules should be enabled. These analytics rules create incidents for any detection that is prioritized (unresolved_priority = true) or has been manually escalated, regardless of priority. Two separate rules are required to ensure accurate entity mapping within Sentinel: hosts map to hostname, accounts map to username.

Rule Template                                                                                 | Purpose
----------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------
Vectra RUX - Create Incident for Escalated Host Detection or Unresolved Priority Host          | Creates incidents for host detections that are escalated or unresolved priority
Vectra RUX - Create Incident for Escalated Account Detection or Unresolved Priority Account    | Creates incidents for account detections that are escalated or unresolved priority

Rule Logic & Queries

Trigger condition — An incident is created when either condition is true:

Shared rule configuration:

Setting                    | Value
---------------------------|---------------------
Rule type                  | Scheduled
Enabled by default         | No
Severity                   | High
Query frequency            | 10 minutes
Query period               | 10 minutes
Trigger operator           | Greater than
Trigger threshold          | 0
Event grouping             | One alert per result
Incident creation          | Enabled
Incident grouping lookback | 7 days
Reopen closed incidents    | False

Host Rule Query:

Account Rule Query:

Entity Mapping:

Rule         | Sentinel Entity Type | Mapping
-------------|----------------------|-------------------------------------------
Host rule    | Host                 | HostName → entity_name
Account rule | Account              | Name → entity_name, UPNSuffix → entity_uid

Custom Alert Details — Each alert includes the following details extracted from Vectra: Detection ID, Detection Name, Detection Category, Entity ID, Entity UID, Entity URL, Entity Type, Tags, Assigned To, Investigation Status, External Reference, and MITRE Techniques.

Enabling Analytics Rules

  1. Open Microsoft Sentinel and navigate to Analytics.

  2. Select Rule templates.

  3. Search for Vectra RUX.

  4. Select each Vectra RUX rule template.

  5. Select Create rule, review the configuration, and enable the rule.

Playbooks

The Vectra AI RUX solution includes 16 Microsoft Sentinel playbooks implemented as Azure Logic Apps. These playbooks extend Sentinel's SOAR capabilities, allowing analysts and automation workflows to interact directly with the Vectra AI platform for detection triage, entity management, assignment workflows, tagging, timeline synchronization, and PCAP evidence collection. The playbooks are connector-agnostic and work whether detections are ingested via the CCF connector or the legacy Function App connector.

Playbook Categories

Category              | Purpose
----------------------|-------------------------------------------------------
Authentication        | Generate and manage OAuth tokens
Detection Operations  | Close, reopen, remediate, and tag detections
Entity Operations     | Add notes, tags, assignments, and group membership
Incident Enrichment   | Decorate incidents and synchronize timelines
Assignment and Triage | Assign ownership and resolve Vectra assignments
Notifications         | Send Teams notifications and escalation prompts
Evidence Collection   | Download PCAP files
Extensibility         | Provide starter workflows for customization

Included Playbooks

Playbook                          | Purpose
----------------------------------|---------------------------------------------------------------------------------
VectraGenerateAccessToken         | Generates OAuth access tokens for dependent playbooks
VectraCloseDetections             | Closes one or more detections with a specified closure reason
VectraOpenClosedDetections        | Reopens previously closed detections
VectraSetDetectionStatus          | Automatically acknowledges or closes detections based on Sentinel incident status
VectraAddNoteToEntity             | Adds notes to Vectra entities
VectraAddNoteToDetections         | Adds notes to individual Vectra detections
VectraAddTagToEntity              | Adds tags to Vectra entities
VectraAddTagToDetections          | Adds tags to individual Vectra detections
VectraAddTagToSelectedDetections  | Adds tags to analyst-selected detections
VectraAddTagToEntityAllDetections | Adds tags to all detections associated with an entity
VectraAssignDynamicUserToEntity   | Allows analysts to dynamically select and assign a Vectra user
VectraAssignStaticUserToEntity    | Assigns a predefined Vectra user to an entity
VectraStaticAssignMemberToGroup   | Adds entities to a predefined group
VectraDynamicAssignMemberToGroup  | Allows dynamic group selection and entity assignment
VectraIncidentTimelineUpdate      | Synchronizes and deduplicates Sentinel incident timeline data
VectraDownloadPcapFileToStorage   | Retrieves PCAP evidence from Vectra to Azure Storage

Best Practices & Operations

Operational best practices for the Vectra RUX integration with Microsoft Sentinel CCF are covered in the Vectra RUX Best Practices for Microsoft Sentinel guide. That document includes recommendations for data queries, parser usage, analytics rule configuration, connector operations, and SOC workflow guidance — including how to use automation rules and playbooks across the full incident lifecycle to accurately capture Vectra's MTTI and MTTR metrics.

Appendix: Data Schema

Detections_Data_CCF_CL

Column                          | Type     | Description
--------------------------------|----------|-----------------------------------------------------------------------------
TimeGenerated                   | datetime | Time the record was ingested or derived from the detection event timestamp
Type                            | string   | Azure Log Analytics table type
TenantId                        | string   | Azure tenant identifier
_ResourceId                     | string   | Azure resource identifier
id                              | real     | Autoincrementing event ID used for checkpointing
detection_id                    | real     | Vectra detection ID
change_type                     | string   | Detection event change type
event_timestamp                 | datetime | Timestamp of the detection event in Vectra
event_type                      | string   | Vectra event type
category                        | string   | Detection category
threat                          | real     | Threat score
certainty                       | real     | Certainty score
severity                        | real     | Severity score
d_type_vname                    | string   | Human-readable detection type name
triaged                         | bool     | Whether the detection has been triaged
detail                          | dynamic  | Raw detection detail payload
d_detection_details             | dynamic  | Detection details object
detection_href                  | string   | Direct link to the detection
detection_type                  | string   | Internal detection type identifier
entity_id                       | real     | Associated entity ID
entity_uid                      | string   | Associated entity unique identifier
entity_name                     | string   | Associated entity name
entity_type                     | string   | Associated entity type
url                             | string   | Direct link to associated entity
mitre                           | dynamic  | MITRE ATT&CK mappings
is_prioritized                  | bool     | Whether the detection is prioritized
is_targeting_key_asset          | string   | Whether the detection targets a key asset
unresolved_priority             | bool     | Whether the detection is an unresolved priority
investigation_status            | string   | Vectra investigation status
reason                          | string   | Reason or status context
src_host                        | dynamic  | Source host object
src_host_id                     | long     | Source host ID
src_host_ip                     | string   | Source host IP address
src_ip                          | string   | Source IP alias
src_host_name                   | string   | Source host name
src_host_url                    | string   | Source host URL
src_host_certainty              | real     | Source host certainty score
src_host_threat                 | real     | Source host threat score
src_host_is_key_asset           | bool     | Whether source host is a key asset
src_host_groups                 | dynamic  | Source host group memberships
src_account                     | dynamic  | Source account object
src_account_id                  | long     | Source account ID
src_account_name                | string   | Source account name
src_account_url                 | string   | Source account URL
src_account_groups              | dynamic  | Source account group memberships
dst_host                        | dynamic  | Destination host object
dst_host_id                     | long     | Destination host ID
dst_host_ip                     | string   | Destination host IP address
dst_host_name                   | string   | Destination host name
dst_host_url                    | string   | Destination host URL
dst_host_session_luid           | string   | Destination host session LUID
dst_host_groups                 | dynamic  | Destination host group memberships
dst_account                     | dynamic  | Destination account object
dst_account_id                  | long     | Destination account ID
dst_account_name                | string   | Destination account name
dst_account_uid                 | string   | Destination account UID
dst_account_url                 | string   | Destination account URL
dst_account_groups              | dynamic  | Destination account group memberships
dst_domain                      | dynamic  | Destination domain object
dst_domain_dns                  | string   | Destination domain DNS value
dst_domain_domain               | string   | Destination domain name
dst_domain_external_target      | string   | Destination external target
src_external_host               | dynamic  | External source host object
src_external_host_ip            | string   | External source host IP
src_external_host_name          | string   | External source host name
data_source                     | dynamic  | Data source object
data_source_sensor_id           | string   | Sensor ID
data_source_sensor_name         | string   | Sensor name
data_source_type                | string   | Data source type
filters                         | dynamic  | Filter metadata
filters_filtered_by_ai          | bool     | Whether filtered by AI
filters_filtered_by_rule        | bool     | Whether filtered by rule
filters_filtered_by_user        | bool     | Whether filtered by user
filters_is_custom_model         | bool     | Whether custom model filtering applied
filters_triaged                 | bool     | Filter triage state
assignment                      | dynamic  | Assignment object
assignment_id                   | long     | Assignment ID
assignment_assigned_by          | dynamic  | Assigned-by user object
assignment_assigned_by_id       | long     | Assigned-by user ID
assignment_assigned_by_username | string   | Assigned-by username
assignment_assigned_to          | dynamic  | Assigned-to user object
assignment_assigned_to_id       | long     | Assigned-to user ID
assignment_assigned_to_username | string   | Assigned-to username
assignment_date_assigned        | datetime | Assignment date
summary                         | dynamic  | Detection summary
grouped_details                 | dynamic  | Grouped detection details
tags                            | dynamic  | Detection tags
normal_domains                  | dynamic  | Normal domain context
external_reference_id           | string   | External ticket or case reference ID
process_context_data            | dynamic  | EDR or process context data

Entities_Data_CCF_CL

Column                          | Type     | Description
--------------------------------|----------|---------------------------------------------------------------------
TimeGenerated                   | datetime | Time the record was ingested or derived from last modified timestamp
Type                            | string   | Azure Log Analytics table type
TenantId                        | string   | Azure tenant identifier
_ResourceId                     | string   | Azure resource identifier
id                              | real     | Vectra entity ID
name                            | string   | Entity name
breadth_contrib                 | real     | Breadth contribution to urgency
importance                      | real     | Entity importance score
entity_type                     | string   | Entity type
is_prioritized                  | bool     | Whether the entity is prioritized
severity                        | string   | Entity severity
urgency_score                   | real     | Urgency score
velocity_contrib                | real     | Velocity contribution
detection_set                   | dynamic  | Associated detection set
last_detection_timestamp        | datetime | Timestamp of latest detection
last_modified_timestamp         | datetime | Last entity modification timestamp
notes                           | dynamic  | Entity notes
attack_rating                   | real     | Attack rating
privilege_level                 | real     | Privilege level
privilege_category              | string   | Privilege category
attack_profile                  | string   | Attack profile
sensors                         | dynamic  | Associated sensors
state                           | string   | Entity state
tags                            | dynamic  | Entity tags
url                             | string   | Entity URL
host_type                       | dynamic  | Host type details
account_type                    | dynamic  | Account type details
ip                              | string   | IP address
assignment                      | dynamic  | Raw assignment object
assignment_id                   | real     | Assignment ID
assignment_assigned_by          | dynamic  | Assigned-by user object
assignment_assigned_by_id       | real     | Assigned-by user ID
assignment_assigned_by_username | string   | Assigned-by username
assignment_date_assigned        | datetime | Assignment date
assignment_assigned_to          | dynamic  | Assigned-to user object
assignment_assigned_to_id       | real     | Assigned-to user ID
assignment_assigned_to_username | string   | Assigned-to username

Lockdown_Data_CCF_CL

Column                 | Type     | Description
-----------------------|----------|---------------------------------------------------------------
TimeGenerated          | datetime | Time the record was ingested or derived from lock event timestamp
Type                   | string   | Azure Log Analytics table type
TenantId               | string   | Azure tenant identifier
_ResourceId            | string   | Azure resource identifier
id                     | real     | Lockdown record ID
lock_event_timestamp   | datetime | Time lockdown was applied
locked_by              | string   | User who initiated lockdown
unlock_event_timestamp | datetime | Time lockdown expires or was removed
entity_id              | real     | Locked entity ID
entity_name            | string   | Locked entity name
entity_type            | string   | Locked entity type
certainty              | real     | Certainty score retained for backward compatibility
