# Microsoft Sentinel SIEM Codeless Connector Framework (RUX)

## Overview

The Vectra AI RUX connector for Microsoft Sentinel ingests Security Operations data (detection, entity, and lockdown telemetry) from the Vectra AI platform using the Microsoft Sentinel Codeless Connector Framework (CCF).

The connector is built on the Vectra AI RUX API and is intended to replace the legacy Function App–based connector. It does not require an Azure Function App, virtual machine, or customer-managed compute for ingestion. Data polling, transformation, and ingestion are handled natively by Microsoft Sentinel through CCF and Data Collection Rules (DCRs).

The solution package includes:

* Data Connector
* Parsers
* Custom Log Analytics tables
* Workbook template
* Analytics rule templates
* Playbooks / Logic Apps

{% hint style="info" %}

### Migration Notice

This integration replaces the legacy **Vectra XDR** Microsoft Sentinel integration previously available through Microsoft Sentinel Content Hub.

Customers currently running **Vectra XDR package version 3.3.1 or earlier** should consider that integration deprecated and plan to migrate to the **Vectra RUX Security Data Connector (via Codeless Connector Framework)** for Microsoft Sentinel.

The legacy integration was based on Azure Function Apps and the Microsoft Log Ingestion API, requiring customer-managed Azure resources for data collection and processing.

The Vectra RUX Security Data Connector uses the Microsoft Sentinel **Codeless Connector Framework (CCF)** and Data Collection Rules (DCRs), eliminating the need for Azure Function Apps, Application Insights, Storage Accounts, and other customer-managed ingestion infrastructure.

Existing deployments of the legacy integration can continue to operate; however, all new development, enhancements, and support efforts are focused on the Vectra RUX Connector.

For migration guidance, refer to the **Greenfield vs Migration Deployment** section of this document.
{% endhint %}

#### Architecture

```
Vectra AI (RUX) Platform
        │
        │ < HTTPS polling via Microsoft Sentinel CCF >
        │
Microsoft Sentinel / Log Analytics Workspace
        │
        ├── Custom Tables
        │   ├── Detections_Data_CCF_CL
        │   ├── Entities_Data_CCF_CL
        │   └── Lockdown_Data_CCF_CL
        │
        ├── Parsers
        │   ├── VectraRUXDetections
        │   ├── VectraDetectionsCombined
        │   ├── VectraEntities
        │   └── VectraLockdown
        │
        ├── Workbook Template
        │   ├── VectraRUXSecurityDashboard
        │   └── VectraRUXTimelineWorkbook
        │
        ├── Analytics Rule Templates
        │   ├── Account incident rule
        │   └── Host incident rule
        │
        └── Playbooks / Logic Apps
```

#### Connector Components

<table><thead><tr><th width="213.20703125">Component</th><th>Description</th></tr></thead><tbody><tr><td>Data Connector</td><td>Registers and configures the Vectra RUX connector in Microsoft Sentinel</td></tr><tr><td>Data Collection Rules</td><td>Define ingestion streams, transformations, and table mappings</td></tr><tr><td>Custom Tables</td><td>Store detections, entities, and lockdown records</td></tr><tr><td>Parsers</td><td>Provide normalized KQL functions for querying Vectra data</td></tr><tr><td>Workbook Template</td><td>Provides the Vectra RUX Security Dashboard and the Detection Timeline investigation workbook</td></tr><tr><td>Analytics Rule Templates</td><td>Provide incident creation rules for host and account detections</td></tr><tr><td>Playbooks / Logic Apps</td><td>Provide automation actions for enrichment, tagging, notes, assignments, and response workflows</td></tr></tbody></table>

## Deployment

The connector supports two deployment modes depending on certification status.

#### Preview Deployment

During preview, customers deploy the solution using **Deploy a custom template** in Azure using a JSON ARM template provided by Vectra. The ARM template includes the full Microsoft Sentinel package: Data Connector, Parsers, Custom Log Analytics tables, Workbook template, Analytics rule templates, and Playbooks / Logic Apps.

After deployment, customers configure the connector from the Microsoft Sentinel **Data connectors** page, enable the desired analytics rules and the security workbook, and configure playbooks as needed.

#### Content Hub Deployment

After certification, deployment will be performed through **Microsoft Sentinel Content Hub**. Customers will install the Vectra RUX solution from Content Hub, then configure the connector, enable analytics rule templates, save the workbook template if desired, and configure playbooks.

## Data Connector

The connector polls the Vectra RUX API using OAuth2 client credentials. Each connection requires a connection alias, Vectra API base URL, Client ID, Client Secret, and the selected data stream.

A **Data Stream** is an individual ingestion pipeline within the connector that retrieves a specific category of data from the Vectra RUX API and writes it into a corresponding Log Analytics table. Each stream operates independently and defines the API endpoint being queried, the polling interval, the checkpoint or synchronization method, the target Log Analytics table, and the associated parser and transformation logic.

The three data streams within the Security Operations integration are:

<table><thead><tr><th width="106.78125">Stream</th><th width="216.1796875">Official Table</th><th width="192.41015625">Parser</th><th width="243.328125">Checkpoint Method</th><th>Poll Interval</th></tr></thead><tbody><tr><td>Detections</td><td>Detections_Data_CCF_CL</td><td>VectraRUXDetections</td><td>PersistentToken using next_checkpoint</td><td>5 minutes</td></tr><tr><td>Entities</td><td>Entities_Data_CCF_CL</td><td>VectraEntities</td><td>Sliding window using last_modified_timestamp_gte</td><td>10 minutes</td></tr><tr><td>Lockdown</td><td>Lockdown_Data_CCF_CL</td><td>VectraLockdown</td><td>Snapshot</td><td>5 minutes</td></tr></tbody></table>

> **Note:** The previous Log Ingestion API integration (package version 3.3.0) uses table names without `_CCF` (example: `Detections_Data_CL`). These tables are joined when populating the workbook to provide a better experience during the migration period after deploying this CCF version of the integration.

#### Detections Stream

The detections stream uses an event-based checkpointing model built around the Vectra `/events/detections` API endpoint. Each detection event in Vectra is assigned a serialized event ID. As new events occur, the ID increments monotonically.

After each successful polling cycle, events are ingested into `Detections_Data_CCF_CL` and the highest processed event ID is stored as the checkpoint. The next polling cycle resumes from that checkpoint, ensuring the connector always continues from the exact point where the previous ingestion cycle ended.

Because the checkpoint is ID-based rather than time-based:

* Poll timing does not affect data continuity
* Connector restarts do not cause gaps
* Temporary outages do not lose events
* Clock drift issues are avoided

Even if the connector does not poll again for several minutes, hours, or days, the next poll will continue from the last processed detection event ID.

**Detection Polling Example**

```
Initial checkpoint: 105000

Poll #1:
  Retrieves events 105001 → 105250
  Stores checkpoint 105250

Poll #2:
  Retrieves events 105251 → 105400
  Stores checkpoint 105400
```

**Determining the Detections Starting Checkpoint Seed Value**

When the connector is initially configured, a starting event ID must be provided. The connector requests all events occurring after that ID. The recommended approach depends on the deployment type.

<table><thead><tr><th width="240.08984375">Term</th><th>Meaning</th></tr></thead><tbody><tr><td>Greenfield Deployment</td><td>No prior Vectra integration exists in Sentinel</td></tr><tr><td>Migration Deployment</td><td>A prior Vectra integration already exists and the customer is transitioning to the CCF connector</td></tr></tbody></table>

*Greenfield Deployments* — An API call to the Vectra platform is required to determine the seed value:

```
GET <vectraApiUrl>/api/v3.5/events/detections?limit=1&ordering=-id
```

Copy the returned `next_checkpoint` value into the detections starting checkpoint field.

*Migration Deployments* — When a previous integration exists, the most recent event retrieved from Vectra is available via KQL:

```kql
Detections_Data_CL
| summarize checkpoint = max(id)
```

> **Note:** This query intentionally references the old table name `Detections_Data_CL`, as the previous integration has already populated data to a known point and the new connector should pick up from there.

#### Entities Stream

The entities stream uses time-based polling. The connector polls the Vectra entities endpoint every 10 minutes and retrieves entities modified since the previous polling window, using `current_time - 10 minutes` as the value for `last_modified_timestamp_gte`.

**Example:**

```
Current poll time: 14:00 UTC
Query parameter:   last_modified_timestamp_gte = 13:50 UTC
```

The entities stream continuously captures entity score changes, priority changes, assignment changes, state changes, tag updates, and entity metadata changes. Both host and account entities are included automatically.

Because the entities stream is time-window based, it does not maintain a serialized checkpoint and data continuity depends on successful polling intervals. Small overlap windows help reduce the chance of missed updates. This model is appropriate because entities represent continuously changing state (cumulative) rather than immutable event records.
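The following simulation, added here as an illustration and not code from Vectra or Microsoft, contrasts the two continuity models described in the Detections Stream and Entities Stream sections: an ID-based `next_checkpoint` that survives a skipped poll cycle, and a `last_modified_timestamp_gte = now - 10 minutes` sliding window that does not. The in-memory API, its `checkpoint` argument name, the page size, and the one-event-per-minute data are all constructed assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 1, 1, 14, 0, tzinfo=timezone.utc)   # constructed start time
ENTITY_WINDOW = timedelta(minutes=10)   # last_modified_timestamp_gte = now - 10 min


@dataclass(frozen=True)
class DetectionEvent:
    id: int               # serialized event id, increments monotonically
    occurred: datetime


@dataclass(frozen=True)
class EntityUpdate:
    entity_id: int
    last_modified: datetime


class FakeVectraApi:
    """Constructed stand-in for the RUX API (assumption: not the real contract).
    Only the response field next_checkpoint and the query parameter
    last_modified_timestamp_gte mirror the page; the rest is simulation."""

    def __init__(self, events, updates):
        self.events = sorted(events, key=lambda e: e.id)
        self.updates = updates

    def events_detections(self, checkpoint, now, limit=7):
        """Events with id > checkpoint that exist at time `now`, one page at a time."""
        page = [e for e in self.events if e.id > checkpoint and e.occurred <= now][:limit]
        return {"events": page,
                "next_checkpoint": page[-1].id if page else checkpoint}

    def entities(self, last_modified_timestamp_gte, now):
        return [u for u in self.updates
                if last_modified_timestamp_gte <= u.last_modified <= now]


def poll_detections(api, checkpoint, now):
    """Detections stream: drain every page after the stored checkpoint and return
    the new checkpoint (highest processed event id) plus the ingested events."""
    ingested = []
    while True:
        resp = api.events_detections(checkpoint, now)
        if not resp["events"]:
            return checkpoint, ingested
        ingested.extend(resp["events"])
        checkpoint = resp["next_checkpoint"]   # persisted between poll cycles


def poll_entities(api, now):
    """Entities stream: fixed sliding window, nothing persisted between polls."""
    return api.entities(now - ENTITY_WINDOW, now)


def simulate(poll_minutes):
    """Drive both streams at the given poll times (minutes after T0) and report
    how many detection events were ingested and which entity updates were missed."""
    # constructed data: one detection event and one entity update every minute
    events = [DetectionEvent(105000 + m, T0 + timedelta(minutes=m)) for m in range(1, 41)]
    updates = [EntityUpdate(m, T0 + timedelta(minutes=m)) for m in range(1, 41)]
    api = FakeVectraApi(events, updates)

    checkpoint = 105000            # starting checkpoint seed value
    det_ids, ent_ids = [], set()
    for m in poll_minutes:
        now = T0 + timedelta(minutes=m)
        checkpoint, batch = poll_detections(api, checkpoint, now)
        det_ids.extend(e.id for e in batch)
        ent_ids.update(u.entity_id for u in poll_entities(api, now))

    expected = {u.entity_id for u in updates if u.last_modified <= now}
    return {
        "detections_ingested": len(det_ids),
        "detections_unique": len(set(det_ids)),
        "final_checkpoint": checkpoint,
        "missed_entities": sorted(expected - ent_ids),
    }


if __name__ == "__main__":
    print("regular 10-minute polling:", simulate([10, 20, 30, 40]))
    print("25-minute gap after 14:10:", simulate([10, 35, 40]))
```

With a 25-minute gap, the detections stream still ingests all 40 events exactly once, while the entities stream never sees the updates from minutes 11 through 24.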

#### Lockdown Stream

The lockdown stream uses a snapshot polling model. Every 5 minutes, the connector queries the current lockdown state from the Vectra API. If active lockdown records are returned, they are ingested into `Lockdown_Data_CCF_CL`.

The lockdown stream does not maintain a checkpoint because the API represents current state rather than historical events.

**Important behavior:** There is intentionally no post-processing deduplication for lockdown records. If an entity remains locked down for an extended period of time, the same lockdown record will be retrieved and ingested during every polling interval while the lockdown remains active.

<table><thead><tr><th width="159.6015625">Time</th><th>Result</th></tr></thead><tbody><tr><td>12:00</td><td>Entity locked down</td></tr><tr><td>12:05</td><td>Same lockdown record ingested</td></tr><tr><td>12:10</td><td>Same lockdown record ingested</td></tr><tr><td>12:15</td><td>Same lockdown record ingested</td></tr></tbody></table>

This behavior is intentional. Repeated ingestion provides an operational audit trail showing that the entity remained continuously locked down throughout the observed period, and also allows operators to identify situations where a lockdown was manually removed, temporarily disappeared, or reinstated later. Because the stream represents observed state over time rather than unique events, duplicate records are expected behavior.

When evaluating current lockdown state, filter to recent records:

```kql
Lockdown_Data_CCF_CL
| where TimeGenerated > ago(15m)
```

To analyze historical lockdown continuity, query the full table without deduplication.
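Because every 5-minute poll re-ingests an active lockdown, the snapshot rows can be reconstructed into locked intervals: a gap between consecutive sightings longer than one poll interval means the lockdown was removed, expired, or the poll was missed. The helper below is an added example, not connector or Vectra code; the CSV rows, the `entity_id` column name, and the one-minute jitter tolerance are constructed assumptions, and the 15-minute staleness threshold mirrors the `ago(15m)` filter above.

```python
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(minutes=5)    # lockdown stream snapshot cadence
STALE_AFTER = timedelta(minutes=15)     # mirrors the ago(15m) current-state filter

# Constructed sample rows (entity_id,TimeGenerated); not real connector output.
# Entity 101 is locked 12:00-12:15, disappears, and is reinstated at 12:35.
SAMPLE_ROWS = """\
101,2025-01-01T12:00:00Z
202,2025-01-01T12:00:00Z
101,2025-01-01T12:05:00Z
101,2025-01-01T12:10:00Z
101,2025-01-01T12:15:00Z
101,2025-01-01T12:35:00Z
101,2025-01-01T12:40:00Z
"""


def parse_rows(text):
    """Parse 'entity_id,ISO-8601 timestamp' rows into (int, datetime) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entity_id, ts = line.split(",", 1)
        rows.append((int(entity_id), datetime.fromisoformat(ts.replace("Z", "+00:00"))))
    return rows


def locked_intervals(rows, poll_interval=POLL_INTERVAL, tolerance=timedelta(minutes=1)):
    """Coalesce repeated snapshot sightings into contiguous locked intervals per entity.
    A gap longer than one poll interval (plus tolerance for poll jitter) closes the
    current interval; a later sighting starts a new one (lockdown reinstated)."""
    by_entity = {}
    for entity_id, ts in rows:
        by_entity.setdefault(entity_id, []).append(ts)
    intervals = {}
    for entity_id, times in by_entity.items():
        times.sort()
        spans, start, prev = [], times[0], times[0]
        for ts in times[1:]:
            if ts - prev > poll_interval + tolerance:
                spans.append((start, prev))
                start = ts
            prev = ts
        spans.append((start, prev))
        intervals[entity_id] = spans
    return intervals


def lockdown_report(text, now_iso):
    """Per-entity report: locked intervals as HH:MM strings, whether the entity is
    currently locked (last seen within STALE_AFTER of `now`), and how many times the
    lockdown was reinstated after a gap."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    report = {}
    for entity_id, spans in locked_intervals(parse_rows(text)).items():
        last_seen = spans[-1][1]
        report[entity_id] = {
            "intervals": [(a.strftime("%H:%M"), b.strftime("%H:%M")) for a, b in spans],
            "currently_locked": now - last_seen <= STALE_AFTER,
            "reinstated": len(spans) - 1,
        }
    return report


if __name__ == "__main__":
    for entity_id, info in lockdown_report(SAMPLE_ROWS, "2025-01-01T12:45:00Z").items():
        print(entity_id, info)
```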

#### Parsers

Use the included parsers for workbooks, analytics rules, hunting, and operational queries rather than querying the raw tables directly.

<table><thead><tr><th width="234.08984375">Parser</th><th>Source Table</th><th>Purpose</th></tr></thead><tbody><tr><td>VectraRUXDetections</td><td>Detections_Data_CCF_CL</td><td>Normalized detection data</td></tr><tr><td>VectraDetectionsCombined</td><td>Detections_Data_CL<br>Detections_Data_CCF_CL</td><td>Normalized detection data combining previous deployments</td></tr><tr><td>VectraEntities</td><td>Entities_Data_CCF_CL</td><td>Normalized entity data</td></tr><tr><td>VectraLockdown</td><td>Lockdown_Data_CCF_CL</td><td>Normalized lockdown data</td></tr></tbody></table>

**Recommended:**

```kql
VectraRUXDetections
| take 10
```

**Deduplication Guidance**

Detection records may contain multiple updates for the same detection ID. Use `arg_max()` to evaluate the latest known state:

```kql
VectraRUXDetections
| summarize arg_max(TimeGenerated, *) by ["Detection ID"]
```

## Installation & Configuration

#### Installing the Connector

**Preview Installation**

1. Open the Azure portal.
2. Search for **Deploy a custom template**.
3. Select **Build your own template in the editor**.
4. Paste or upload the provided Vectra RUX ARM template.
5. Select the subscription, resource group, and Sentinel workspace.
6. Deploy the template.
7. Open Microsoft Sentinel and navigate to **Data connectors**.
8. Open the **Vectra RUX Security Data Connector**.
9. Add one connection per data stream: Detections, Entities, Lockdown.

**Content Hub Installation**

1. Open Microsoft Sentinel.
2. Navigate to the desired workspace and select **Content Hub**.
3. Search for the Vectra RUX solution and select **Install**.
4. Configure the connector from **Data connectors**.
5. Enable analytics rule templates.
6. Save the workbook template if required.
7. Configure playbooks and automation rules as needed.

#### Connector Configuration

Create a separate Vectra API client for each data stream:

<table><thead><tr><th width="218.12109375">Stream</th><th>Recommended API Client</th></tr></thead><tbody><tr><td>Detections</td><td>Sentinel-Detections (read-only)</td></tr><tr><td>Entities</td><td>Sentinel-Entities (read-only)</td></tr><tr><td>Lockdown</td><td>Sentinel-Lockdown (read-only)</td></tr></tbody></table>

> **Important:** To avoid OAuth2 API rate limiting, stagger connection creation by at least one minute when adding multiple streams.

#### Verifying Data Flow

After 10–15 minutes, verify ingestion using the following queries.

**Raw table verification:**

```kql
Detections_Data_CCF_CL | take 10
Entities_Data_CCF_CL   | take 10
Lockdown_Data_CCF_CL   | take 10
```

**Parser validation:**

```kql
VectraRUXDetections      | take 10
VectraDetectionsCombined | take 10
VectraEntities           | take 10
VectraLockdown           | take 10
```

#### Monitoring Connector Health

Microsoft Sentinel connector health information is written to the `SentinelHealth` table when auditing and health monitoring is enabled for the workspace.

> **Note:** The CCF-based connector does not use Azure Function Apps and therefore does not generate Function App telemetry or Application Insights exceptions. Connector health should be monitored using Microsoft Sentinel's native connector health capabilities rather than Azure Monitor Function App alerts.

**Enabling Health Monitoring**

1. Open Microsoft Sentinel in the Azure portal.
2. Select your workspace and navigate to **Configuration → Settings → Settings**.
3. Select **Auditing and health monitoring**.
4. Select one of the following options:

<table><thead><tr><th width="275.02734375">Option</th><th>Description</th></tr></thead><tbody><tr><td>Enable</td><td>Enables auditing and health monitoring for all supported Sentinel resource types</td></tr><tr><td>Configure diagnostic settings</td><td>Allows granular selection of monitored resource categories and destinations</td></tr></tbody></table>

For most deployments, selecting **Enable** is recommended. Microsoft Sentinel automatically creates the required diagnostic settings and begins sending health telemetry to the Log Analytics workspace.

The `SentinelHealth` table supports monitoring for Data connectors, Analytics rules, Automation rules, and Playbooks / Logic Apps.

> **Note:** The `SentinelHealth` table is created automatically after the first health event is generated. This can take up to 30 minutes.

Verify ingestion using:

```kql
SentinelHealth | take 20
```

**Recommended Connector Health Query**

Returns the latest health state for the Vectra connector streams, filtered to failures only. This query is suitable for ad-hoc troubleshooting:

```kql
SentinelHealth
| where TimeGenerated > ago(24h)
| where SentinelResourceType == "Data connector"
| extend DestinationTable = tostring(ExtendedProperties.DestinationTable)
| extend StreamName = tostring(ExtendedProperties.StreamName)
| where DestinationTable in (
    "Detections_Data_CCF_CL",
    "Entities_Data_CCF_CL",
    "Lockdown_Data_CCF_CL"
  )
  or StreamName has_any (
    "Detections_Data_CCF_CL",
    "Entities_Data_CCF_CL",
    "Lockdown_Data_CCF_CL"
  )
| summarize arg_max(TimeGenerated, *) by DestinationTable
| project
    TimeGenerated,
    SentinelResourceName,
    DestinationTable,
    StreamName,
    Status,
    Description,
    Reason
| where Status != "Success"
| order by TimeGenerated desc
```

No results means there are no errors. Comment out the `Status != "Success"` line to review successful events as well.

**Recommended Health Monitoring Alert Rule**

The recommended monitoring approach for the CCF connector is a Scheduled Analytics Rule in Microsoft Sentinel.

| Setting           | Recommended Value |
| ----------------- | ----------------- |
| Rule Type         | Scheduled         |
| Query Frequency   | 15 minutes        |
| Query Period      | 30 minutes        |
| Trigger Threshold | Greater than 0    |
| Severity          | Medium            |
| Incident Creation | Enabled           |

```kql
SentinelHealth
| where TimeGenerated > ago(30m)
| where SentinelResourceType == "Data connector"
| extend DestinationTable = tostring(ExtendedProperties.DestinationTable)
| where DestinationTable in (
    "Detections_Data_CCF_CL",
    "Entities_Data_CCF_CL",
    "Lockdown_Data_CCF_CL"
  )
| where Status != "Success"
```

Microsoft also provides the **Data collection health monitoring** workbook through Content Hub, which visualizes connector ingestion trends, anomalies, and connector health state over time. Install it from: **Microsoft Sentinel → Content Hub → Data collection health monitoring**.

## Workbooks

#### VectraRUXSecurityDashboard

The solution includes the **VectraRUXSecurityDashboard** workbook template. This pre-built workbook provides visibility into entity scoring and prioritization, detection activity, escalated and prioritized detections, MITRE ATT\&CK mappings, data source classification, lockdown state, entity-to-detection drilldowns, and deep links into Vectra.

#### Workbook Tabs & Filters

<table><thead><tr><th width="149.89453125">Tab</th><th>Description</th></tr></thead><tbody><tr><td>Entity</td><td>Entity priority, urgency, scoring, assignment, and drilldown views</td></tr><tr><td>Detections</td><td>Detection investigation, category counts, MITRE filtering, and selected detection details</td></tr><tr><td>Lockdown</td><td>Lockdown status by entity, lock timestamp, unlock timestamp, and locking user</td></tr></tbody></table>

The workbook includes filters for time range, prioritized status, entity type, data source type, detection category, detection behavior, MITRE technique, and lockdown status. Supported data source categories include AWS, Azure, Entra ID/M365, and Network.

#### Detection Timeline Workbook

The solution also includes the **VectraDetectionTimeline** workbook, a SOC-focused investigation workbook that shows the full event lifecycle of an individual Vectra detection — from initial creation through every evidence addition (`append`), context change (`adjust`), investigation status update, and eventual closure.

The workbook is designed to be used alongside the Vectra RUX Security Dashboard. Once an incident is opened in Sentinel, analysts use the Detection Timeline to trace the complete history of the underlying detection and review how evidence evolved over time.

<table><thead><tr><th width="224.02734375">Panel</th><th>Description</th></tr></thead><tbody><tr><td>Detection Summary</td><td>Pivot table showing all detections in the selected time range. Columns include entity, category, priority, first seen, latest update, event counts, assignment, and a direct Vectra link. Click any row to scope all lower panels to that detection.</td></tr><tr><td>Full Timeline</td><td>Chronological event log across all change types for the selected detection.</td></tr><tr><td>New Detection</td><td>Details for the initial detection event, including source/destination host and account names, destination domain, and expandable summary and detail views.</td></tr><tr><td>Evidence Appends</td><td>Details for each subsequent evidence addition, with the same field set as the New Detection panel.</td></tr><tr><td>Context Adjustments</td><td>Records of context-only changes such as tag updates, assignment changes, and external reference updates.</td></tr><tr><td>Investigation Status</td><td>Log of investigation status transitions.</td></tr><tr><td>State / Close</td><td>State and closure events with closure reason.</td></tr><tr><td>Triage</td><td>Triage activity records.</td></tr><tr><td>Linked Incidents</td><td>Sentinel incidents linked to the selected detection (visible when a Detection ID is selected).</td></tr></tbody></table>

**Filters:** Time Range, Detection ID (text or click-to-set), Entity ID, and Change Type (multi-select; applies to Detection Summary and Full Timeline panels).

**Integration with VectraRUX-DetectionTimeline-Link playbook** — A companion playbook automatically posts a comment on each new Sentinel incident containing the detection ID and a direct link to the Detection Timeline workbook, allowing analysts to navigate into the pre-filtered view without manual lookup.

#### Opening and Saving the Workbook

**To view the workbook:**

1. Open Microsoft Sentinel and navigate to **Workbooks**.
2. Select the **Templates** tab.
3. Search for `VectraRUXSecurityDashboard` or `VectraRUXTimelineWorkbook`.
4. Select the workbook and choose **View template**.

**To save the workbook to My workbooks:**

1. Open the workbook from Templates.
2. Select **Save**.
3. Choose the subscription, resource group, and region.
4. Save the workbook.

## Analytics Rules

The solution includes two Scheduled analytics rule templates — both rules should be enabled. These analytics rules create incidents for any detection that is prioritized (`unresolved_priority = true`) or has been manually escalated, regardless of priority. Two separate rules are required to ensure accurate entity mapping within Sentinel: hosts map to hostname, accounts map to username.

<table><thead><tr><th width="399.984375">Rule Template</th><th>Purpose</th></tr></thead><tbody><tr><td>Vectra RUX - Create Incident for Escalated Host Detection or Unresolved Priority Host</td><td>Creates incidents for host detections that are escalated or unresolved priority</td></tr><tr><td>Vectra RUX - Create Incident for Escalated Account Detection or Unresolved Priority Account</td><td>Creates incidents for account detections that are escalated or unresolved priority</td></tr></tbody></table>

#### Rule Logic & Queries

**Trigger condition** — An incident is created when either condition is true:

```
Investigation Status == "escalated"
OR
Unresolved Priority == true
```

**Shared rule configuration:**

| Setting                    | Value                |
| -------------------------- | -------------------- |
| Rule type                  | Scheduled            |
| Enabled by default         | No                   |
| Severity                   | High                 |
| Query frequency            | 10 minutes           |
| Query period               | 10 minutes           |
| Trigger operator           | Greater than         |
| Trigger threshold          | 0                    |
| Event grouping             | One alert per result |
| Incident creation          | Enabled              |
| Incident grouping lookback | 7 days               |
| Reopen closed incidents    | False                |

**Host Rule Query:**

```kql
VectraRUXDetections
| where ["Entity Type"] == "host"
| summarize arg_max(TimeGenerated, *) by ["Detection ID"]
| where ["Investigation Status"] == "escalated" or ["Unresolved Priority"] == true
| extend
    detection_name       = ["D Type Vname"],
    detection_category   = ["Detection Category"],
    entity_url           = replace_string(replace_string(URL, "api/v3.4/", ""), "api/v3.5/", ""),
    mitre_techniques     = tostring(Mitre),
    detection_tags       = tostring(Tags),
    assigned_to          = ["Assigned To"],
    entity_name          = ["Entity Name"],
    entity_uid           = ["Entity UID"],
    entity_id            = ["Entity ID"],
    detection_id         = ["Detection ID"],
    external_reference   = ["External Reference"],
    investigation_status = ["Investigation Status"],
    entity_type          = ["Entity Type"]
```

**Account Rule Query:**

```kql
VectraRUXDetections
| where ["Entity Type"] == "account"
| summarize arg_max(TimeGenerated, *) by ["Detection ID"]
| where ["Investigation Status"] == "escalated" or ["Unresolved Priority"] == true
| extend
    detection_name       = ["D Type Vname"],
    detection_category   = ["Detection Category"],
    entity_url           = replace_string(replace_string(URL, "api/v3.4/", ""), "api/v3.5/", ""),
    mitre_techniques     = tostring(Mitre),
    detection_tags       = tostring(Tags),
    assigned_to          = ["Assigned To"],
    entity_name          = ["Entity Name"],
    entity_uid           = ["Entity UID"],
    entity_id            = ["Entity ID"],
    detection_id         = ["Detection ID"],
    external_reference   = ["External Reference"],
    investigation_status = ["Investigation Status"],
    entity_type          = ["Entity Type"]
```

**Entity Mapping:**

<table><thead><tr><th width="190.859375">Rule</th><th width="178.9765625">Sentinel Entity Type</th><th>Mapping</th></tr></thead><tbody><tr><td>Host rule</td><td>Host</td><td>HostName → entity_name</td></tr><tr><td>Account rule</td><td>Account</td><td>Name → entity_name, UPNSuffix → entity_uid</td></tr></tbody></table>

**Custom Alert Details** — Each alert includes the following details extracted from Vectra: Detection ID, Detection Name, Detection Category, Entity ID, Entity UID, Entity URL, Entity Type, Tags, Assigned To, Investigation Status, External Reference, and MITRE Techniques.

#### Enabling Analytics Rules

1. Open Microsoft Sentinel and navigate to **Analytics**.
2. Select **Rule templates**.
3. Search for `Vectra RUX`.
4. Select each Vectra RUX rule template.
5. Select **Create rule**, review the configuration, and enable the rule.

## Playbooks

The Vectra RUX solution includes several Microsoft Sentinel playbooks implemented as Azure Logic Apps. These playbooks extend Sentinel's SOAR capabilities, allowing analysts and automation workflows to interact directly with the Vectra AI platform for detection triage, entity management, assignment workflows, tagging, timeline synchronization, and PCAP evidence collection. The playbooks are connector-agnostic and work whether detections are ingested via the CCF connector or the legacy Function App connector.

**Playbook Categories**

<table><thead><tr><th width="227.19921875">Category</th><th>Purpose</th></tr></thead><tbody><tr><td>Authentication</td><td>Generate and manage OAuth tokens</td></tr><tr><td>Detection Operations</td><td>Close, reopen, remediate, and tag detections</td></tr><tr><td>Entity Operations</td><td>Add notes, tags, assignments, and group membership</td></tr><tr><td>Incident Enrichment</td><td>Decorate incidents and synchronize timelines</td></tr><tr><td>Assignment and Triage</td><td>Assign ownership and resolve Vectra assignments</td></tr><tr><td>Notifications</td><td>Send Teams notifications and escalation prompts</td></tr><tr><td>Evidence Collection</td><td>Download PCAP files</td></tr><tr><td>Extensibility</td><td>Provide starter workflows for customization</td></tr></tbody></table>

**Included Playbooks**

<table><thead><tr><th width="335.89453125">Playbook</th><th>Purpose</th></tr></thead><tbody><tr><td>VectraGenerateAccessToken</td><td>Generates OAuth access tokens for dependent playbooks</td></tr><tr><td>VectraCloseDetections</td><td>Closes one or more detections with a specified closure reason</td></tr><tr><td>VectraOpenClosedDetections</td><td>Reopens previously closed detections</td></tr><tr><td>VectraSetDetectionStatus</td><td>Acknowledges or closes detections based on Sentinel incident status</td></tr><tr><td>VectraAddNoteToEntity</td><td>Adds notes to Vectra entities</td></tr><tr><td>VectraAddNoteToDetections</td><td>Adds notes to individual Vectra detections</td></tr><tr><td>VectraAddTagToEntity</td><td>Adds tags to Vectra entities</td></tr><tr><td>VectraAddTagToDetections</td><td>Adds tags to individual Vectra detections</td></tr><tr><td>VectraAddTagToSelectedDetections</td><td>Adds tags to analyst-selected detections</td></tr><tr><td>VectraAddTagToEntityAllDetections</td><td>Adds tags to all detections associated with an entity</td></tr><tr><td>VectraAssignDynamicUserToEntity</td><td>Allows analysts to dynamically select and assign a Vectra user</td></tr><tr><td>VectraAssignStaticUserToEntity</td><td>Assigns a predefined Vectra user to an entity</td></tr><tr><td>VectraStaticAssignMemberToGroup</td><td>Adds entities to a predefined group</td></tr><tr><td>VectraDynamicAssignMemberToGroup</td><td>Allows dynamic group selection and entity assignment</td></tr><tr><td>VectraIncidentTimelineUpdate</td><td>Synchronizes and deduplicates Sentinel incident timeline data</td></tr><tr><td>VectraDownloadPcapFileToStorage</td><td>Retrieves PCAP evidence from Vectra to Azure Storage</td></tr></tbody></table>

Complete documentation for each playbook is provided in the Vectra RUX Playbooks for Microsoft Sentinel guide. That document includes the deployment, usage, and automation instructions for each playbook.

## Best Practices & Operations

Operational best practices for the Vectra RUX integration with Microsoft Sentinel CCF are covered in the Vectra RUX Best Practices for Microsoft Sentinel guide. That document includes recommendations for data queries, parser usage, analytics rule configuration, connector operations, and SOC workflow guidance — including how to use automation rules and playbooks across the full incident lifecycle to accurately capture Vectra's MTTI and MTTR metrics.

## Appendix: Data Schema

#### Detections\_Data\_CCF\_CL

<table><thead><tr><th width="299.74609375">Column</th><th width="145.17578125">Type</th><th>Description</th></tr></thead><tbody><tr><td>TimeGenerated</td><td>datetime</td><td>Time the record was ingested or derived from the detection event timestamp</td></tr><tr><td>Type</td><td>string</td><td>Azure Log Analytics table type</td></tr><tr><td>TenantId</td><td>string</td><td>Azure tenant identifier</td></tr><tr><td>_ResourceId</td><td>string</td><td>Azure resource identifier</td></tr><tr><td>id</td><td>real</td><td>Autoincrementing event ID used for checkpointing</td></tr><tr><td>detection_id</td><td>real</td><td>Vectra detection ID</td></tr><tr><td>change_type</td><td>string</td><td>Detection event change type</td></tr><tr><td>event_timestamp</td><td>datetime</td><td>Timestamp of the detection event in Vectra</td></tr><tr><td>event_type</td><td>string</td><td>Vectra event type</td></tr><tr><td>category</td><td>string</td><td>Detection category</td></tr><tr><td>threat</td><td>real</td><td>Threat score</td></tr><tr><td>certainty</td><td>real</td><td>Certainty score</td></tr><tr><td>severity</td><td>real</td><td>Severity score</td></tr><tr><td>d_type_vname</td><td>string</td><td>Human-readable detection type name</td></tr><tr><td>triaged</td><td>bool</td><td>Whether the detection has been triaged</td></tr><tr><td>detail</td><td>dynamic</td><td>Raw detection detail payload</td></tr><tr><td>d_detection_details</td><td>dynamic</td><td>Detection details object</td></tr><tr><td>detection_href</td><td>string</td><td>Direct link to the detection</td></tr><tr><td>detection_type</td><td>string</td><td>Internal detection type identifier</td></tr><tr><td>entity_id</td><td>real</td><td>Associated entity ID</td></tr><tr><td>entity_uid</td><td>string</td><td>Associated entity unique identifier</td></tr><tr><td>entity_name</td><td>string</td><td>Associated entity name</td></tr><tr><td>entity_type</td><td>string</td><td>Associated entity type</td></tr><tr><td>url</td><td>string</td><td>Direct link to associated entity</td></tr><tr><td>mitre</td><td>dynamic</td><td>MITRE ATT&amp;CK mappings</td></tr><tr><td>is_prioritized</td><td>bool</td><td>Whether the detection is prioritized</td></tr><tr><td>is_targeting_key_asset</td><td>string</td><td>Whether the detection targets a key asset</td></tr><tr><td>unresolved_priority</td><td>bool</td><td>Whether the detection is an unresolved priority</td></tr><tr><td>investigation_status</td><td>string</td><td>Vectra investigation status</td></tr><tr><td>reason</td><td>string</td><td>Reason or status context</td></tr><tr><td>src_host</td><td>dynamic</td><td>Source host object</td></tr><tr><td>src_host_id</td><td>long</td><td>Source host ID</td></tr><tr><td>src_host_ip</td><td>string</td><td>Source host IP address</td></tr><tr><td>src_ip</td><td>string</td><td>Source IP alias</td></tr><tr><td>src_host_name</td><td>string</td><td>Source host name</td></tr><tr><td>src_host_url</td><td>string</td><td>Source host URL</td></tr><tr><td>src_host_certainty</td><td>real</td><td>Source host certainty score</td></tr><tr><td>src_host_threat</td><td>real</td><td>Source host threat score</td></tr><tr><td>src_host_is_key_asset</td><td>bool</td><td>Whether source host is a key asset</td></tr><tr><td>src_host_groups</td><td>dynamic</td><td>Source host group memberships</td></tr><tr><td>src_account</td><td>dynamic</td><td>Source account object</td></tr><tr><td>src_account_id</td><td>long</td><td>Source account ID</td></tr><tr><td>src_account_name</td><td>string</td><td>Source account name</td></tr><tr><td>src_account_url</td><td>string</td><td>Source account URL</td></tr><tr><td>src_account_groups</td><td>dynamic</td><td>Source account group memberships</td></tr><tr><td>dst_host</td><td>dynamic</td><td>Destination host object</td></tr><tr><td>dst_host_id</td><td>long</td><td>Destination host ID</td></tr><tr><td>dst_host_ip</td><td>string</td><td>Destination host IP address</td></tr><tr><td>dst_host_name</td><td>string</td><td>Destination host name</td></tr><tr><td>dst_host_url</td><td>string</td><td>Destination host URL</td></tr><tr><td>dst_host_session_luid</td><td>string</td><td>Destination host session LUID</td></tr><tr><td>dst_host_groups</td><td>dynamic</td><td>Destination host group memberships</td></tr><tr><td>dst_account</td><td>dynamic</td><td>Destination account object</td></tr><tr><td>dst_account_id</td><td>long</td><td>Destination account ID</td></tr><tr><td>dst_account_name</td><td>string</td><td>Destination account name</td></tr><tr><td>dst_account_uid</td><td>string</td><td>Destination account UID</td></tr><tr><td>dst_account_url</td><td>string</td><td>Destination account URL</td></tr><tr><td>dst_account_groups</td><td>dynamic</td><td>Destination account group memberships</td></tr><tr><td>dst_domain</td><td>dynamic</td><td>Destination domain object</td></tr><tr><td>dst_domain_dns</td><td>string</td><td>Destination domain DNS value</td></tr><tr><td>dst_domain_domain</td><td>string</td><td>Destination domain name</td></tr><tr><td>dst_domain_external_target</td><td>string</td><td>Destination external target</td></tr><tr><td>src_external_host</td><td>dynamic</td><td>External source host object</td></tr><tr><td>src_external_host_ip</td><td>string</td><td>External source host IP</td></tr><tr><td>src_external_host_name</td><td>string</td><td>External source host name</td></tr><tr><td>data_source</td><td>dynamic</td><td>Data source object</td></tr><tr><td>data_source_sensor_id</td><td>string</td><td>Sensor ID</td></tr><tr><td>data_source_sensor_name</td><td>string</td><td>Sensor name</td></tr><tr><td>data_source_type</td><td>string</td><td>Data source type</td></tr><tr><td>filters</td><td>dynamic</td><td>Filter metadata</td></tr><tr><td>filters_filtered_by_ai</td><td>bool</td><td>Whether filtered by AI</td></tr><tr><td>filters_filtered_by_rule</td><td>bool</td><td>Whether filtered by rule</td></tr><tr><td>filters_filtered_by_user</td><td>bool</td><td>Whether filtered by user</td></tr><tr><td>filters_is_custom_model</td><td>bool</td><td>Whether custom model filtering applied</td></tr><tr><td>filters_triaged</td><td>bool</td><td>Filter triage state</td></tr><tr><td>assignment</td><td>dynamic</td><td>Assignment object</td></tr><tr><td>assignment_id</td><td>long</td><td>Assignment ID</td></tr><tr><td>assignment_assigned_by</td><td>dynamic</td><td>Assigned-by user object</td></tr><tr><td>assignment_assigned_by_id</td><td>long</td><td>Assigned-by user ID</td></tr><tr><td>assignment_assigned_by_username</td><td>string</td><td>Assigned-by username</td></tr><tr><td>assignment_assigned_to</td><td>dynamic</td><td>Assigned-to user object</td></tr><tr><td>assignment_assigned_to_id</td><td>long</td><td>Assigned-to user ID</td></tr><tr><td>assignment_assigned_to_username</td><td>string</td><td>Assigned-to username</td></tr><tr><td>assignment_date_assigned</td><td>datetime</td><td>Assignment date</td></tr><tr><td>summary</td><td>dynamic</td><td>Detection summary</td></tr><tr><td>grouped_details</td><td>dynamic</td><td>Grouped detection details</td></tr><tr><td>tags</td><td>dynamic</td><td>Detection tags</td></tr><tr><td>normal_domains</td><td>dynamic</td><td>Normal domain context</td></tr><tr><td>external_reference_id</td><td>string</td><td>External ticket or case reference ID</td></tr><tr><td>process_context_data</td><td>dynamic</td><td>EDR or process context data</td></tr></tbody></table>

#### Entities\_Data\_CCF\_CL

<table><thead><tr><th width="299.6484375">Column</th><th width="145.33203125">Type</th><th>Description</th></tr></thead><tbody><tr><td>TimeGenerated</td><td>datetime</td><td>Time the record was ingested or derived from last modified timestamp</td></tr><tr><td>Type</td><td>string</td><td>Azure Log Analytics table type</td></tr><tr><td>TenantId</td><td>string</td><td>Azure tenant identifier</td></tr><tr><td>_ResourceId</td><td>string</td><td>Azure resource identifier</td></tr><tr><td>id</td><td>real</td><td>Vectra entity ID</td></tr><tr><td>name</td><td>string</td><td>Entity name</td></tr><tr><td>breadth_contrib</td><td>real</td><td>Breadth contribution to urgency</td></tr><tr><td>importance</td><td>real</td><td>Entity importance score</td></tr><tr><td>entity_type</td><td>string</td><td>Entity type</td></tr><tr><td>is_prioritized</td><td>bool</td><td>Whether the entity is prioritized</td></tr><tr><td>severity</td><td>string</td><td>Entity severity</td></tr><tr><td>urgency_score</td><td>real</td><td>Urgency score</td></tr><tr><td>velocity_contrib</td><td>real</td><td>Velocity contribution</td></tr><tr><td>detection_set</td><td>dynamic</td><td>Associated detection set</td></tr><tr><td>last_detection_timestamp</td><td>datetime</td><td>Timestamp of latest detection</td></tr><tr><td>last_modified_timestamp</td><td>datetime</td><td>Last entity modification timestamp</td></tr><tr><td>notes</td><td>dynamic</td><td>Entity notes</td></tr><tr><td>attack_rating</td><td>real</td><td>Attack rating</td></tr><tr><td>privilege_level</td><td>real</td><td>Privilege level</td></tr><tr><td>privilege_category</td><td>string</td><td>Privilege category</td></tr><tr><td>attack_profile</td><td>string</td><td>Attack profile</td></tr><tr><td>sensors</td><td>dynamic</td><td>Associated sensors</td></tr><tr><td>state</td><td>string</td><td>Entity state</td></tr><tr><td>tags</td><td>dynamic</td><td>Entity tags</td></tr><tr><td>url</td><td>string</td><td>Entity URL</td></tr><tr><td>host_type</td><td>dynamic</td><td>Host type details</td></tr><tr><td>account_type</td><td>dynamic</td><td>Account type details</td></tr><tr><td>ip</td><td>string</td><td>IP address</td></tr><tr><td>assignment</td><td>dynamic</td><td>Raw assignment object</td></tr><tr><td>assignment_id</td><td>real</td><td>Assignment ID</td></tr><tr><td>assignment_assigned_by</td><td>dynamic</td><td>Assigned-by user object</td></tr><tr><td>assignment_assigned_by_id</td><td>real</td><td>Assigned-by user ID</td></tr><tr><td>assignment_assigned_by_username</td><td>string</td><td>Assigned-by username</td></tr><tr><td>assignment_date_assigned</td><td>datetime</td><td>Assignment date</td></tr><tr><td>assignment_assigned_to</td><td>dynamic</td><td>Assigned-to user object</td></tr><tr><td>assignment_assigned_to_id</td><td>real</td><td>Assigned-to user ID</td></tr><tr><td>assignment_assigned_to_username</td><td>string</td><td>Assigned-to username</td></tr></tbody></table>

#### Lockdown\_Data\_CCF\_CL

<table><thead><tr><th width="299.53515625">Column</th><th width="145.06640625">Type</th><th>Description</th></tr></thead><tbody><tr><td>TimeGenerated</td><td>datetime</td><td>Time the record was ingested or derived from lock event timestamp</td></tr><tr><td>Type</td><td>string</td><td>Azure Log Analytics table type</td></tr><tr><td>TenantId</td><td>string</td><td>Azure tenant identifier</td></tr><tr><td>_ResourceId</td><td>string</td><td>Azure resource identifier</td></tr><tr><td>id</td><td>real</td><td>Lockdown record ID</td></tr><tr><td>lock_event_timestamp</td><td>datetime</td><td>Time lockdown was applied</td></tr><tr><td>locked_by</td><td>string</td><td>User who initiated lockdown</td></tr><tr><td>unlock_event_timestamp</td><td>datetime</td><td>Time lockdown expires or was removed</td></tr><tr><td>entity_id</td><td>real</td><td>Locked entity ID</td></tr><tr><td>entity_name</td><td>string</td><td>Locked entity name</td></tr><tr><td>entity_type</td><td>string</td><td>Locked entity type</td></tr><tr><td>certainty</td><td>real</td><td>Certainty score retained for backward compatibility</td></tr></tbody></table>
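The following KQL is an added example, not part of the Vectra documentation or solution package, showing how the Detections and Entities tables above fit together in a hunting query. It assumes the string column `is_targeting_key_asset` carries the text `true`/`false` (the page does not state its values) and picks 24h and 7d lookback windows arbitrarily; the `real`-typed IDs are cast to `long` so the join compares exact integers.

```kql
// Added example (not Vectra's own content): prioritized, unresolved detections
// that target key assets, enriched with the entity's latest urgency score.
let detection_lookback = 24h;   // assumed window, adjust to taste
let entity_lookback = 7d;       // entities change less often than detections
// One row per entity: the most recently modified record wins.
// id is typed real in the schema, so cast to long for an exact join key.
let latest_entities =
    Entities_Data_CCF_CL
    | where TimeGenerated > ago(entity_lookback)
    | summarize arg_max(last_modified_timestamp, *) by entity_key = tolong(id)
    | project entity_key,
              entity_urgency = urgency_score,
              entity_state = state,
              entity_url = url;
Detections_Data_CCF_CL
| where TimeGenerated > ago(detection_lookback)
// The same detection is re-emitted on every change; id is the autoincrementing
// checkpoint counter, so the largest id is the newest event per detection.
| summarize arg_max(id, *) by detection_id
| where is_prioritized == true and unresolved_priority == true
// Schema caveat: is_targeting_key_asset is a string column, not a bool,
// so compare as text (assumed "true"/"false") rather than with == true.
| where tolower(is_targeting_key_asset) == "true"
| extend entity_key = tolong(entity_id)
| join kind=leftouter latest_entities on entity_key
| project event_timestamp, detection_id, d_type_vname, category,
          threat, certainty, severity,
          entity_name, entity_type, entity_urgency, entity_state,
          src_host_ip, mitre, detection_href, entity_url
| order by entity_urgency desc, threat desc, certainty desc
```

Because the `leftouter` join keeps detections whose entity has not been modified within the entity window, `entity_urgency` can be empty; sort order then falls through to the detection's own threat and certainty scores.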

