Vectra RUX Playbooks for Microsoft Sentinel CCF

Deploy Vectra RUX playbooks for Microsoft Sentinel to automate investigation and response workflows.

Introduction

The Vectra AI playbooks for Microsoft Sentinel deliver automated, intelligence-driven response workflows that help security teams rapidly investigate and remediate threats detected across network, identity, and cloud environments. Each playbook is implemented as an Azure Logic App and is purpose-built to streamline a specific stage of the detection-to-response lifecycle.

The playbooks are independent of the ingestion connector architecture and function the same way whether detections are ingested using the legacy Function App connector or the CCF connector.

Before You Begin

Complete all prerequisites before deploying any playbooks. If the Key Vault access policies are not correctly configured before deployment, the playbooks will fail to authenticate, generate tokens, or retrieve secrets.

Key Vault Access Policies

Before deploying any Vectra SOAR playbooks, you must configure Key Vault access policies for two principals: the Vectra App Registration and the deployment user account.

For the Vectra App Registration:

  1. Open the Azure Portal and navigate to your Key Vault.

  2. Under Settings, select Access configuration and confirm the Permission model is set to Vault access policy.

  3. Select Access policies and click Create.

  4. Under Permissions, select All for both Key permissions and Secret permissions.

  5. Search for the App Registration name used during deployment (e.g., Vectra-XDR-V2), select it, and proceed through Next → Review and create → Create.

For the deployment user:

Repeat the same steps, searching for the user account (e.g., [email protected]) instead of the App Registration. The deployment user requires access to create, update, and validate secrets during setup.

Verification: Navigate to Key Vault → Access policies and confirm both the Vectra App Registration and the user account appear with All Key and All Secret permissions.

Teams Configuration

Several playbooks use Microsoft Teams Adaptive Cards for interactive analyst input. Retrieve the following values before deployment.

  • TeamsGroupId: In Teams, select ... next to the channel → Get link to channel → copy the groupId= GUID from the URL.

  • TeamsChannelId: From the same URL, extract the value between /channel/ and the next /, then URL-decode it.
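The two extraction steps above, carried out programmatically. This Python helper is an added example (not part of the Vectra playbooks or this guide): it takes a constructed "Get link to channel" URL with placeholder IDs, URL-decodes the channel ID, and checks that groupId is a GUID before you paste the two values into the deployment parameters.

```python
import uuid
from urllib.parse import parse_qs, unquote, urlparse


def extract_teams_ids(channel_link: str) -> dict:
    """Pull TeamsGroupId and TeamsChannelId out of a Teams "Get link to channel" URL.

    TeamsGroupId   = the groupId= query parameter (a GUID).
    TeamsChannelId = the path segment between /channel/ and the next /, URL-decoded.
    """
    parsed = urlparse(channel_link)
    if parsed.hostname != "teams.microsoft.com":
        raise ValueError("not a Teams link")

    # Channel ID: the path segment right after /channel/, still percent-encoded at this point
    marker = "/channel/"
    start = parsed.path.find(marker)
    if start == -1:
        raise ValueError("link does not contain /channel/")
    encoded_channel = parsed.path[start + len(marker):].split("/", 1)[0]
    channel_id = unquote(encoded_channel)
    # Sanity check (assumption based on the usual link format): channel IDs look like
    # 19:<hex>@thread.<suffix>; adjust if your tenant's links differ
    if not (channel_id.startswith("19:") and "@thread." in channel_id):
        raise ValueError(f"unexpected channel ID format: {channel_id!r}")

    # Group ID: the groupId query parameter, validated as a GUID
    group_values = parse_qs(parsed.query).get("groupId")
    if not group_values:
        raise ValueError("link has no groupId= parameter")
    group_id = str(uuid.UUID(group_values[0]))  # raises ValueError if it is not a GUID

    return {"TeamsGroupId": group_id, "TeamsChannelId": channel_id}


# Constructed sample link with placeholder IDs (not a real team or tenant)
SAMPLE_LINK = (
    "https://teams.microsoft.com/l/channel/"
    "19%3A0123456789abcdef0123456789abcdef%40thread.tacv2/Vectra-SOAR"
    "?groupId=11111111-2222-3333-4444-555555555555"
    "&tenantId=66666666-7777-8888-9999-000000000000"
)

if __name__ == "__main__":
    for name, value in extract_teams_ids(SAMPLE_LINK).items():
        print(f"{name} = {value}")
```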

Use a dedicated Team and channel for SOC automation (e.g., SOC-Automation / Vectra-SOAR) to keep automated messages separate from analyst discussions.

Note: TeamsGroupId and TeamsChannelId are optional parameters for playbooks that support both comment and Teams input methods. If omitted, the playbook exits gracefully when no structured comment is found rather than posting a Teams card.

Sentinel Automation Permissions

Microsoft Sentinel requires explicit permission to execute Logic Apps through Automation Rules.

  1. Open Microsoft Sentinel and navigate to Configuration → Automation.

  2. Select Configure permissions.

  3. Select the resource group containing the deployed playbooks.

  4. Select Apply.

Azure Tenant ID

The Azure Tenant ID is a required parameter when deploying playbooks.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Entra ID (use the search box if not visible on the home screen).

  3. Find the Tenant ID in the Basic information section of the Overview screen.

  4. Copy the Tenant ID using the copy icon. Store it alongside the other values in the Configuration Workbook App worksheet.

Pre-Deployment Checklist

Use this checklist to confirm all prerequisites are in place before beginning playbook installation.

  • Vectra API client created with Security Analyst role and Client ID and Secret recorded

  • Azure Key Vault created and name recorded

  • Key Vault permission model set to Vault access policy

  • Vectra secrets added to Key Vault (Vectra-Client-ID, Vectra-Client-Secret)

  • Key Vault access policy created for Vectra App Registration

  • Key Vault access policy created for deployment user

  • Microsoft Teams Group ID obtained

  • Microsoft Teams Channel ID obtained

  • Sentinel automation permissions configured

  • Azure Tenant ID obtained

Installation

Deployment Overview

Playbook deployment follows a two-phase process. Complete all prerequisites once before beginning, then repeat the per-playbook steps for each playbook you deploy.

Phase 1 — One-time setup (complete before first deployment):

  1. Complete all prerequisites in the Before You Begin section

  2. Verify all items in the Pre-Deployment Checklist

Phase 2 — Per-playbook installation (repeat for each playbook):

  1. Install the playbook from the Playbook templates tab

  2. Authorize API connections

  3. Grant managed identity access to Key Vault

  4. Grant Sentinel Contributor role (required by some playbooks)

  5. Create Automation Rules (recommended for some playbooks)

Important: Deploy VectraGenerateAccessToken before any other playbook. All dependent playbooks call it for API authentication and will fail if it is not present.

Installing a Playbook

All playbooks follow the same installation flow.

  1. Open the Azure Portal and navigate to Microsoft Sentinel.

  2. Select your Sentinel workspace and navigate to Configuration → Automation.

  3. Open the Playbook templates tab.

  4. Use the Source filter and select Vectra XDR.

  5. Select the desired playbook template and click Create playbook.

  6. In the Parameters tab, provide all required values (refer to the Configuration Workbook Playbook worksheet).

  7. Review configuration details and click Create.

  8. Wait for deployment to complete, then proceed to authorize API connections and configure Key Vault access for the Logic App.

Standard Parameters

Most playbooks share the following base parameters. Playbook-specific parameters are listed in each playbook section.

  • PlaybookName: Name for the deployed Logic App. Keep the default name unless you have a reason to rename it.

  • KeyVaultName: Name of the Azure Key Vault storing Vectra credentials and tokens.

  • TenantId: Azure AD Tenant ID.

  • BaseURL: Vectra API base URL (e.g., https://tenant.region.portal.vectra.ai).

  • GenerateAccessCredPlaybookName: Name of the deployed VectraGenerateAccessToken playbook.

Authorizing API Connections

After deployment, all API connections used by the playbook must be authorized before the playbook can run.

  1. Open the deployed Logic App.

  2. Navigate to Development Tools → API Connections.

  3. Open each connection listed and select Edit API Connection.

  4. Select Authorize, sign in with valid Azure credentials, and click Save.

  5. Repeat for all connections.

Note: The MicrosoftSentinel connection uses Managed Service Identity and does not require manual authorization steps.

Azure File Storage (PCAP playbook only): The Azurefile connection requires a Storage Account Access Key rather than OAuth authorization.

  1. Navigate to your Storage Account → Security + Networking → Access keys.

  2. Click Show keys and copy either key1 or key2.

  3. Open the Edit API Connection for the Azurefile connection and paste the key into the Azure Storage Account Access Key field.

  4. Click Save.

Configuring Key Vault Access for Logic Apps

Each Logic App uses a system-assigned managed identity to retrieve secrets from Key Vault at runtime. Configure this after deployment for every playbook.

  1. Open the Logic App and navigate to Settings → Identity.

  2. Copy the Object (principal) ID.

  3. Open Azure Key Vault and navigate to Settings → Access Policies.

  4. Click Create, select All for both Key permissions and Secret permissions, and click Next.

  5. Paste the Object ID into the Principal search, select the Logic App identity, and proceed through Next → Review and create → Create.

Granting Sentinel Contributor Role

Some playbooks make modifications to Sentinel incidents and require the Microsoft Sentinel Contributor role to do so. This is an optional step that only applies to the playbooks listed below.

  1. Open Log Analytics Workspaces and select your workspace.

  2. Select Access control (IAM) and click Add role assignment.

  3. Search for Microsoft Sentinel Contributor, select it, and click Next.

  4. Under Members, select Managed identity and click Select members.

  5. Search for the playbook by name. If multiple results appear, confirm the correct one by matching the associated resource group.

  6. Select the playbook identity and proceed through Review + assign.

The following playbooks require Sentinel Contributor:

  • VectraIncidentTimelineUpdate

Creating Automation Rules

Some playbooks are designed to run automatically through Sentinel Automation Rules. While running them manually from an incident is always supported, the playbooks listed below are most effective when attached to automation rules so they trigger without analyst intervention.

To create an Automation Rule:

  1. In Microsoft Sentinel, navigate to Configuration → Automation.

  2. Select Create → Automation rule.

  3. Configure the trigger condition (e.g., incident created, incident updated, status changed).

  4. Under Actions, select Run playbook and choose the target playbook.

  5. Save the rule.

The following playbooks work best with automation triggers:

  • VectraIncidentTimelineUpdate: When incident is created or updated

  • VectraAssignStaticUserToEntity / VectraAssignDynamicUserToEntity: When incident status changes to Active

  • VectraSetDetectionStatus: When incident status changes to Active or Closed

Playbooks

Vectra Generate Access Token

This playbook is mandatory and must be deployed before all others.

The Vectra Generate Access Token playbook is the foundational authentication component. It securely generates and refreshes OAuth access tokens and stores them in Azure Key Vault. All other Vectra playbooks call this playbook to obtain tokens for Vectra API authentication.

Important: Do not rename this playbook. All dependent playbooks reference it by its default name and will fail if the name is changed.

  • Connectors: Azure Key Vault

  • Trigger: Invoked automatically by dependent playbooks — not run manually

  • Customization: Not required or supported

Required API connections to authorize:

  • Keyvault-VectraGenerateAccessToken

Vectra Close Detections

Allows analysts to close one or more detections associated with a Vectra entity, specifying a closure reason of Remediated or Benign. The playbook first checks the incident Activity Log for structured comments; if none are found, it prompts the analyst via a Microsoft Teams Adaptive Card.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Minimal. May be renamed.

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraCloseDetections

  • Keyvault-VectraCloseDetections

  • Teams-VectraCloseDetections

Method 1 — Incident comment (not recommended):

Add a structured comment to the incident before running the playbook. The playbook reads it and closes the detections automatically. Small formatting mistakes will cause the playbook to fail.

Line breaks are mandatory. Accepted reasons: Benign or Remediated.

Method 2 — Teams Adaptive Card (recommended):

If no valid comment is found, the playbook posts a Teams card with the following fields:

  • Detections to Close: Multi-select — close multiple detection IDs in a single run

  • Closure Reason: Dropdown: Benign or Remediated

Note: If the incident contains a valid tag: comment, the Teams card will not appear. Delete all tag: comments and re-run to re-enable the Teams input path.

Vectra Open Closed Detections

Allows analysts to reopen one or more previously closed detections associated with a Vectra entity. Follows the same comment-or-Teams input pattern as Vectra Close Detections.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Minimal. May be renamed.

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraOpenClosedDetections

  • Keyvault-VectraOpenClosedDetections

  • Teams-VectraOpenClosedDetections

Method 1 — Incident comment (not recommended):

Method 2 — Teams Adaptive Card (recommended):

  • Detections to Reopen: Multi-select — reopen multiple detection IDs in a single run

Note: If the incident contains a valid tag: comment, the Teams card will not appear. Delete all tag: comments and re-run to re-enable the Teams input path.

Vectra Set Detection Status

Automatically updates the investigation status of all detections associated with a Vectra entity based on the current state of the Sentinel incident. This playbook has no Teams card and no comment input method — it operates entirely automatically based on the incident.

  • Connectors: Microsoft Sentinel, Azure Key Vault

  • Trigger: Automation Rule — triggered by incident status changes

  • Customization: Not required

Required API connections to authorize:

  • MicrosoftSentinel-VectraSetDetectionStatus

  • Keyvault-VectraSetDetectionStatus

How it works:

The playbook reads the current Sentinel incident status and acts accordingly:

  • Closed (True Positive): closes detections with the reason remediated

  • Closed (any other classification): closes detections with the reason benign

  • Active (not Closed): sets detections to acknowledged

Recommended automation rules:

  • Trigger: When incident is updated. Condition: Status changed to Active. Action: Run VectraSetDetectionStatus → acknowledges detections

  • Trigger: When incident is updated. Condition: Status changed to Closed. Action: Run VectraSetDetectionStatus → closes detections with mapped reason

Vectra Add Note To Entity

Allows analysts to add a note directly to a Vectra entity from within a Sentinel incident. Supports structured comment input or a Teams Adaptive Card fallback. Basic markdown is supported in the note text.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Not required. Note text is provided at runtime.

Additional parameters:

  • TeamsGroupId: Optional. Teams group for Adaptive Card prompts

  • TeamsChannelId: Optional. Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAddNoteToEntity

  • Keyvault-VectraAddNoteToEntity

  • Teams-VectraAddNoteToEntity

Method 1 — Incident comment (not recommended):

Only the text inside the brackets is added to the Vectra entity. Basic markdown (**bold**, *italic*, [link](url)) is supported, but some styles may not render correctly when using the comment method.

Method 2 — Teams Adaptive Card (recommended):

If no valid comment is found, the playbook posts a Teams card displaying the Entity ID, Entity Type, and a free-text field for the note. Markdown is fully supported via the Teams input path.

Note: If the incident contains a valid tag: comment, the Teams card will not appear. Delete all tag: comments and re-run to re-enable the Teams input path.

Vectra Add Note To Detections

Allows analysts to add a note to all detections associated with a Vectra entity from within a Sentinel incident. The playbook iterates over each detection ID linked to the entity and adds the note to each one individually. Follows the same comment-or-Teams input pattern as Vectra Add Note To Entity.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Not required. Note text is provided at runtime.

Additional parameters:

  • TeamsGroupId: Optional. Teams group for Adaptive Card prompts

  • TeamsChannelId: Optional. Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAddNoteToDetections

  • Keyvault-VectraAddNoteToDetections

  • Teams-VectraAddNoteToDetections

Method 1 — Incident comment (not recommended):

Method 2 — Teams Adaptive Card (recommended):

If no valid comment is found, the playbook posts a Teams card with a free-text note input. The note is then applied to every detection associated with the entity.

Note: If the incident contains a valid tag: comment, the Teams card will not appear. Delete all tag: comments and re-run to re-enable the Teams input path.


Vectra Add Tag To Entity

Allows analysts to assign one or more tags to a Vectra entity from a Sentinel incident. Supports a single tag via incident comment or multiple tags via Teams Adaptive Card.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Not required. Tags are analyst-defined at runtime.

Additional parameters:

  • TeamsGroupId: Optional. Teams group for Adaptive Card prompts

  • TeamsChannelId: Optional. Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAddTagToEntity

  • Keyvault-VectraAddTagToEntity

  • Teams-VectraAddTagToEntity

Method 1 — Incident comment (single tag only, not recommended):

Only one tag is supported via comment. Multiple tags in comments will not work.

Method 2 — Teams Adaptive Card (recommended, supports multiple tags):

If no valid comment is found, the playbook posts a Teams card. Enter one or more comma-separated tags:

Tags may include spaces and must not be enclosed in brackets.

Note: If the incident contains a valid tag: comment, the Teams card will not appear. Delete all tag: comments and re-run to re-enable the Teams input path.


Vectra Add Tag To Detections

Allows analysts to add one or more tags to all detections associated with a Vectra entity. The playbook fetches existing tags for each detection and merges the new tags, preserving any tags already applied. Follows the same comment-or-Teams input pattern as Vectra Add Tag To Entity.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Not required. Tags are analyst-defined at runtime.

Additional parameters:

  • TeamsGroupId: Optional. Teams group for Adaptive Card prompts

  • TeamsChannelId: Optional. Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAddTagToDetections

  • Keyvault-VectraAddTagToDetections

  • Teams-VectraAddTagToDetections

Method 1 — Incident comment (single tag only, not recommended):

Method 2 — Teams Adaptive Card (recommended, supports multiple tags):

Enter comma-separated tags in the Teams card. The tags are merged with any existing tags on each detection — existing tags are not overwritten.

Note: If the incident contains a valid tag: comment, the Teams card will not appear. Delete all tag: comments and re-run to re-enable the Teams input path.
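An added example (not code from the Vectra playbooks) of the tag handling described for Vectra Add Tag To Entity and Vectra Add Tag To Detections: parsing the comma-separated Teams card input (spaces allowed, bracketed values rejected) and merging the result into each detection's existing tags without overwriting or duplicating them. The detection IDs and tags are constructed sample data.

```python
def parse_tag_input(raw: str) -> list:
    """Split the comma-separated tag text from the Teams card into clean tags.

    Rules from the playbook guide: tags may contain spaces, and they must not be
    enclosed in brackets. Empty entries and exact duplicates are dropped.
    """
    tags = []
    for part in raw.split(","):
        tag = part.strip()
        if not tag:
            continue  # trailing comma or double comma
        if tag.startswith("[") or tag.endswith("]"):
            raise ValueError(f"tag must not be enclosed in brackets: {tag!r}")
        if tag not in tags:
            tags.append(tag)
    return tags


def merge_tags(existing: list, new: list) -> list:
    """Union of existing and new tags: every existing tag is kept, in its original order."""
    merged = list(existing)
    for tag in new:
        if tag not in merged:
            merged.append(tag)
    return merged


def plan_detection_tag_updates(detections: list, raw_input: str) -> dict:
    """Map detection ID -> the full tag list that would be written back to that detection."""
    new_tags = parse_tag_input(raw_input)
    return {d["id"]: merge_tags(d.get("tags", []), new_tags) for d in detections}


# Constructed sample: two detections that already carry tags (IDs and tags are made up)
SAMPLE_DETECTIONS = [
    {"id": 101, "tags": ["reviewed"]},
    {"id": 102, "tags": ["reviewed", "Ticket 4711"]},
]

if __name__ == "__main__":
    plan = plan_detection_tag_updates(SAMPLE_DETECTIONS, "Ticket 4711, Escalated to IR")
    for det_id, tags in plan.items():
        print(det_id, tags)
```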

Vectra Add Tag To Entity Selected Detections

Allows analysts to add one or more tags to specific detections selected from the entity's detection list. Input is collected exclusively via Microsoft Teams — there is no comment-based input method.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Not required. Tags and detection selection are analyst-defined at runtime.

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAddTagToEntitySelectedDetections

  • Keyvault-VectraAddTagToEntitySelectedDetections

  • Teams-VectraAddTagToEntitySelectedDetections

Teams Adaptive Card workflow:

When triggered, the playbook posts a card with the following fields:

  • Entity ID / Entity Type: Displayed for context

  • Tag values: Free-text. Enter one or more comma-separated tags. Tags may include spaces

  • Detections to tag: Multi-select dropdown. Each entry shows Detection ID and detection name

After submission, the specified tags are applied to the selected detections only.

Tag input format:


Vectra Add Tag To Entity All Detections

Allows analysts to add one or more tags to every detection associated with a Vectra entity, including active, fixed, and inactive detections. Input is collected exclusively via Microsoft Teams — there is no comment-based input method.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run from a Sentinel incident

  • Customization: Not required. Tags are analyst-defined at runtime.

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAddTagToEntityAllDetections

  • Keyvault-VectraAddTagToEntityAllDetections

  • Teams-VectraAddTagToEntityAllDetections

Teams Adaptive Card workflow:

When triggered, the playbook posts a card displaying Entity ID, Entity Type, and a free-text tag input field. All tags are applied to every detection tied to the entity upon submission.

Tag input format:


Vectra Assign Static User To Entity

Automatically assigns a predefined Vectra User ID to the entity associated with a Sentinel incident. Useful when a single SOC owner is responsible for all entity triage or when automated, non-interactive assignment is required for Vectra operational metrics.

  • Connectors: Microsoft Sentinel, Azure Key Vault

  • Trigger: Automation Rule (recommended) or manual

  • Customization: Required — a Vectra User ID must be supplied at deployment

Additional parameters:

  • UserId: Predefined Vectra User ID to assign to all entities

Required API connections to authorize:

  • MicrosoftSentinel-VectraAssignStaticUserToEntity

  • Keyvault-VectraAssignStaticUserToEntity

Retrieving the Vectra User ID:

Use the id field from the response (e.g., 39) as the UserId parameter.

Recommended automation rule: Trigger when incident status changes from New → Active.

Important: Use either Vectra Assign Static User To Entity or Vectra Assign Dynamic User To Entity in automation rules — not both. Running both simultaneously may create conflicting assignments.


Vectra Assign Dynamic User To Entity

Allows an analyst to select a Vectra user from a Teams Adaptive Card dropdown and assign that user to the entity associated with a Sentinel incident. The dropdown is populated dynamically from the Vectra user list at runtime.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams

  • Trigger: Automation Rule (recommended) or manual

  • Customization: Not required

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • MicrosoftSentinel-VectraAssignDynamicUserToEntity

  • Keyvault-VectraAssignDynamicUserToEntity

  • Teams-VectraAssignDynamicUserToEntity

Teams Adaptive Card workflow:

The card displays Entity ID, Entity Type, and a dropdown of available Vectra users (ID + Email + Role). The operator selects the appropriate user and submits. The selected user is immediately reflected as the Assigned User in Vectra.

Recommended automation rule: Trigger when incident status changes from New → Active.

Important: Use either Vectra Assign Static User To Entity or Vectra Assign Dynamic User To Entity in automation rules — not both.


Vectra Static Assign Member To Group

Assigns one or more members to a specific Vectra XDR group. This playbook is not launched from a Sentinel incident — it is designed for standalone use, run directly from Logic Apps or via a manual trigger.

  • Connectors: Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run directly from Logic Apps or automation trigger

  • Customization: Required — clone and hardcode the Group ID for each target group

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • Keyvault-VectraStaticAssignMemberToGroup

  • Teams-VectraStaticAssignMemberToGroup

Customization required:

This playbook must be cloned and customized for each Vectra group:

  1. Clone the playbook.

  2. Open it in the Logic App Designer.

  3. Locate the Initialize Group ID variable and replace the placeholder with the actual numeric Group ID.

  4. Save and re-authorize the cloned playbook.

To retrieve Group IDs:

Recommended naming convention: VectraAssignTo-GroupName (e.g., VectraAssignTo-SafeUsers).

Teams Adaptive Card workflow:

The card prompts the operator to provide the Group ID (unless pre-configured via cloning) and one or more member values. Ensure member values match the format expected by the group type — for example, IP addresses for IP-type groups.


Vectra Dynamic Assign Member To Group

Enables operators to search, filter, select, and assign members to Vectra groups interactively through a multi-step Teams Adaptive Card workflow. Ideal for environments with many groups where static hard-coded assignment is impractical.

  • Connectors: Azure Key Vault, Microsoft Teams

  • Trigger: Manual — run directly from Logic Apps or automation trigger

  • Customization: Not required

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

Required API connections to authorize:

  • Keyvault-VectraDynamicAssignMemberToGroup

  • Teams-VectraDynamicAssignMemberToGroup

Teams Adaptive Card workflow — three steps:

Step 1 — Filter groups:

  • Group Type: Case-sensitive. Examples: ip, account, domain, host, mac

  • Group Description (optional): Case-insensitive keyword filter. Narrows the group list

Step 2 — Select group:

The playbook queries Vectra and returns a filtered list of matching groups. The operator selects the desired group from the dropdown.

Step 3 — Provide member:

Enter the member value to assign (e.g., an IP address, domain name, or username). The playbook has no syntax validation — ensure the value matches the format required for that group type.


Vectra Incident Timeline Update

Ensures the Microsoft Sentinel incident timeline always reflects the most accurate, current, and deduplicated set of Vectra alerts associated with an entity. When triggered, the playbook retrieves the latest detections and entity scoring alerts, merges them into the incident timeline, and removes or relocates duplicate entries so only the latest unique Vectra alerts appear.

  • Connectors: Microsoft Sentinel, Azure Monitor Logs

  • Trigger: Automation Rule (recommended) or manual

  • Customization: Not required or supported

Additional parameters:

  • WorkspaceName: Name of the Sentinel Log Analytics workspace

Required API connections to authorize:

  • MicrosoftSentinel-VectraIncidentTimelineUpdate

  • AzureMonitorLogs-VectraIncidentTimelineUpdate

How it works:

The playbook performs three operations:

  1. Retrieves the latest Vectra detections and entity scoring alerts via Azure Monitor Logs.

  2. Compares them against the current incident timeline.

  3. Adds new unique alerts to the incident timeline and removes duplicate or outdated entries. Older versions of alerts are moved to the Entity Timeline but removed from the main Incident Timeline.

The result is a clean, non-duplicated, analyst-friendly incident timeline.
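The three operations above, as an added illustration that is not the playbook's own logic: a Python reconciliation that keeps only the newest version of each alert on the incident timeline, relocates superseded versions to the entity timeline, and drops exact duplicates. The alert records are constructed sample data, and the field names (alert_id, last_modified) are assumptions, not Vectra's schema.

```python
from datetime import datetime


def _ts(alert: dict) -> datetime:
    """Parse the alert's ISO-8601 modification time (field name is an assumption)."""
    return datetime.fromisoformat(alert["last_modified"])


def _add_once(bucket: list, alert: dict) -> None:
    """Append alert to bucket unless the same id and timestamp are already there."""
    for held in bucket:
        if held["alert_id"] == alert["alert_id"] and held["last_modified"] == alert["last_modified"]:
            return
    bucket.append(alert)


def reconcile_timeline(incident_timeline: list, latest_alerts: list, entity_timeline: list) -> tuple:
    """Merge the latest Vectra alerts into the incident timeline.

    Returns (incident_timeline, entity_timeline). Per alert_id only the newest version
    stays on the incident timeline; superseded versions are relocated to the entity
    timeline; exact duplicates (same id and timestamp) are dropped. Inputs are not mutated.
    """
    newest = {}  # alert_id -> newest version seen so far
    relocated = list(entity_timeline)
    for alert in list(incident_timeline) + list(latest_alerts):
        key = alert["alert_id"]
        held = newest.get(key)
        if held is None:
            newest[key] = alert
        elif _ts(alert) > _ts(held):
            _add_once(relocated, held)  # the version we were holding is now outdated
            newest[key] = alert
        elif _ts(alert) < _ts(held):
            _add_once(relocated, alert)  # an older version arrived after a newer one
        # equal timestamps: exact duplicate, nothing to do
    merged = sorted(newest.values(), key=_ts)
    return merged, relocated


# Constructed sample data: an existing timeline and a fresh pull from Azure Monitor Logs
CURRENT_INCIDENT_TIMELINE = [
    {"alert_id": "det-1", "name": "Detection A", "last_modified": "2024-05-01T10:00:00"},
    {"alert_id": "det-2", "name": "Detection B", "last_modified": "2024-05-01T10:05:00"},
]
LATEST_ALERTS = [
    {"alert_id": "det-1", "name": "Detection A", "last_modified": "2024-05-02T08:30:00"},  # updated
    {"alert_id": "det-2", "name": "Detection B", "last_modified": "2024-05-01T10:05:00"},  # duplicate
    {"alert_id": "score-9", "name": "Entity score change", "last_modified": "2024-05-02T09:00:00"},  # new
]

if __name__ == "__main__":
    incident, entity = reconcile_timeline(CURRENT_INCIDENT_TIMELINE, LATEST_ALERTS, [])
    print("incident timeline:", [(a["alert_id"], a["last_modified"]) for a in incident])
    print("entity timeline:  ", [(a["alert_id"], a["last_modified"]) for a in entity])
```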

Recommended automation rule: Trigger when a new alert is added to the incident.


Vectra Download Pcap File To Storage

Allows analysts to retrieve PCAP files for specific Vectra detections directly from the Vectra platform and upload them to an Azure Storage Account for investigation and evidence collection.

  • Connectors: Microsoft Sentinel, Azure Key Vault, Microsoft Teams, Azure File Storage

  • Trigger: Manual — run from a Sentinel incident or directly via Logic Apps

  • Customization: Not required. Storage file share names may be adjusted if needed.

Additional parameters:

  • TeamsGroupId: Teams group for Adaptive Card prompts

  • TeamsChannelId: Teams channel for Adaptive Card prompts

  • StorageAccountName: Azure Storage Account used to store downloaded PCAP files

Required API connections to authorize:

  • MicrosoftSentinel-VectraDownloadPcapFileToStorage

  • Keyvault-VectraDownloadPcapFileToStorage

  • Teams-VectraDownloadPcapFileToStorage

  • Azurefile-VectraDownloadPcapFileToStorage (requires Storage Account Access Key — see Authorizing API Connections)

Teams Adaptive Card workflow:

When triggered, the playbook posts a Teams card prompting the analyst to provide one or more detection IDs. Upon submission:

  1. The playbook requests the PCAP file(s) from the Vectra API.

  2. Each PCAP is downloaded and uploaded to the default Azure Storage file share.

  3. Files are stored with a consistent naming structure for retrieval.

Best practices:

  • Confirm that detections have PCAPs available in Vectra before triggering the playbook.

  • Ensure Storage Account access policies are configured for the Logic App managed identity (Storage Blob Data Contributor).

  • Use a private Teams channel for sensitive evidence workflows.

  • Align PCAP retention with your organization's forensics and compliance requirements.

Troubleshooting

  • Authentication failures. Likely cause: Missing or incorrect Key Vault secrets. Recommended action: Verify Vectra-Client-ID, Vectra-Client-Secret, and Vectra-Base-URL secret names and values.

  • Token generation fails. Likely cause: VectraGenerateAccessToken missing or misconfigured. Recommended action: Deploy and validate VectraGenerateAccessToken before deploying dependent playbooks.

  • Playbook cannot retrieve secrets. Likely cause: Managed identity lacks Key Vault access. Recommended action: Grant the Logic App managed identity an access policy with All Key and All Secret permissions.

  • Teams cards do not appear. Likely cause: Teams connection not authorized or Group/Channel IDs are incorrect. Recommended action: Reauthorize the Teams API connection and verify Group ID and Channel ID values.

  • Adaptive Card submitted but workflow does not continue. Likely cause: Teams connector authorization expired. Recommended action: Reauthorize the Teams API connection in the Logic App.

  • PCAP download fails. Likely cause: Storage account permissions missing. Recommended action: Verify the Logic App managed identity has Storage Blob Data Contributor on the storage account.

  • Playbook does not run from incident. Likely cause: Sentinel automation permissions not configured. Recommended action: Configure Sentinel automation permissions for the resource group containing the playbooks.

  • Automation rule does not trigger. Likely cause: Rule trigger condition or order mismatch. Recommended action: Review the automation rule trigger, conditions, and rule execution order.

  • Vectra API call fails with 403. Likely cause: Insufficient API client role. Recommended action: Confirm the Vectra API client has the Security Analyst role.

  • Vectra API call fails with 401. Likely cause: Expired or missing OAuth token. Recommended action: Check VectraGenerateAccessToken is deployed and the Key Vault token secret is being refreshed.

  • Sentinel Contributor actions fail. Likely cause: Sentinel Contributor role not assigned. Recommended action: Grant the Logic App managed identity the Microsoft Sentinel Contributor role on the workspace.
