Added new playbooks, workbook and migrated from function app based data connector to CCF Data connector #14508
Open
niralishah-crest wants to merge 1 commit into
Conversation
…ta connector to CCF Data connector
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR migrates the Vectra XDR solution from an Azure Function-based connector to a Codeless Connector Framework (CCF) connector, while also updating solution content (playbooks/workbooks/parsers/analytic rules) to support a detection-based workflow.
Changes:
- Added CCF connector assets (connector definition, polling config, DCR, and custom tables).
- Added/updated parsers and new analytic rules to work with the new schema.
- Reworked packaged UI/parameters and removed several legacy playbook READMEs.
Reviewed changes
Copilot reviewed 42 out of 66 changed files in this pull request and generated 21 comments.
| File | Description |
|---|---|
| Solutions/Vectra XDR/_backup_old_connectors/VectraCCFConnector.bak/VectraRUX_Table_Lockdown.json | Backup copy of old table resource definition (may impact validation if shipped). |
| Solutions/Vectra XDR/_backup_old_connectors/VectraCCFConnector.bak/VectraRUX_Table_Entities.json | Backup copy of old table resource definition (may impact validation if shipped). |
| Solutions/Vectra XDR/_backup_old_connectors/VectraCCFConnector.bak/VectraRUX_Table_Detections.json | Backup copy of old table resource definition (may impact validation if shipped). |
| Solutions/Vectra XDR/_backup_old_connectors/VectraCCFConnector.bak/VectraRUX_PollingConfig.json | Backup polling config for legacy connector (string template expressions appear malformed). |
| Solutions/Vectra XDR/_backup_old_connectors/VectraCCFConnector.bak/VectraRUX_DCR.json | Backup DCR definition for legacy connector (contains transformKql). |
| Solutions/Vectra XDR/_backup_old_connectors/VectraCCFConnector.bak/VectraRUX_ConnectorDefinition.json | Backup connector definition describing CCF connector UI and queries. |
| Solutions/Vectra XDR/Playbooks/VectraUpdateIncidentBasedOnTagAndNotify/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraStaticResolveAssignment/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraSetDetectionStatus/README.md | Added/updated playbook documentation for detection-status workflow. |
| Solutions/Vectra XDR/Playbooks/VectraOperateOnEntitySourceIP/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraMarkDetectionsAsFixed/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraDynamicResolveAssignment/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraDetectionTimelineLink/azuredeploy.json | Added new playbook ARM template to comment with pivot + workbook link. |
| Solutions/Vectra XDR/Playbooks/VectraDecorateIncidentBasedOnTagAndNotify/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraDecorateIncidentBasedOnTag/README.md | Removed legacy playbook documentation. |
| Solutions/Vectra XDR/Playbooks/VectraAddTagToDetections/README.md | Added/updated playbook documentation for tagging detections. |
| Solutions/Vectra XDR/Playbooks/VectraAddNoteToDetections/README.md | Added/updated playbook documentation for adding notes to detections. |
| Solutions/Vectra XDR/Parsers/VectraRUXDetections.yaml | Added new parser function for detections. |
| Solutions/Vectra XDR/Parsers/VectraLockdown.yaml | Updated lockdown parser to union old/new table names. |
| Solutions/Vectra XDR/Parsers/VectraEntities.yaml | Added new entities parser supporting old/new table names. |
| Solutions/Vectra XDR/Parsers/VectraDetectionsCombined.yaml | Added combined parser bridging Function + CCF schemas. |
| Solutions/Vectra XDR/Package/testParameters.json | Modified packaged parameters used for deploy-time testing. |
| Solutions/Vectra XDR/Package/createUiDefinition.json | Modified packaged UI definition content/sections. |
| Solutions/Vectra XDR/Data/Solution_VectraXDR.json | Updated solution manifest: workbooks, playbooks, connector reference, version/basepath. |
| Solutions/Vectra XDR/Data Connectors/VectraUpdatedCCFConnector/VectraRUX_Table_Lockdown.json | Added new CCF custom table schema for lockdown. |
| Solutions/Vectra XDR/Data Connectors/VectraUpdatedCCFConnector/VectraRUX_Table_Entities.json | Added new CCF custom table schema for entities. |
| Solutions/Vectra XDR/Data Connectors/VectraUpdatedCCFConnector/VectraRUX_Table_Detections.json | Added new CCF custom table schema for detections. |
| Solutions/Vectra XDR/Data Connectors/VectraUpdatedCCFConnector/VectraRUX_PollingConfig.json | Added new CCF polling configuration (template expressions currently malformed). |
| Solutions/Vectra XDR/Data Connectors/VectraUpdatedCCFConnector/VectraRUX_DCR.json | Added new DCR including ingestion-time transforms into LA. |
| Solutions/Vectra XDR/Analytic Rules/Vectra_RUX_Incident_Detection_Host.yaml | Added new scheduled analytic rule for escalated/unresolved host detection. |
| Solutions/Vectra XDR/Analytic Rules/Vectra_RUX_Incident_Detection_Account.yaml | Added new scheduled analytic rule for escalated/unresolved account detection. |
Comment on lines +3 to +4
| "condition": "[[equals(parameters('selectedStream')[0], 'detections')]", | ||
| "name": "[[concat('parameters('workspace')', '/Microsoft.SecurityInsights/', uniqueString(concat('VectraDetectionsPoller', parameters('alias'))))]", |
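Review bot: the `name` expression on the second line has broken quoting: `'parameters('workspace')'` wraps the function call inside a string literal, so `concat()` receives the literal text `parameters(` rather than the workspace name and the ARM expression will not evaluate. It should read `concat(parameters('workspace'), '/Microsoft.SecurityInsights/', uniqueString(concat('VectraDetectionsPoller', parameters('alias'))))`, which is how the other copy of this polling config in the PR writes it.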
| "TokenEndpointHeaders": { | ||
| "Accept": "application/json", | ||
| "Content-Type": "application/x-www-form-urlencoded", | ||
| "Authorization": "[[concat('Basic ', base64(concat(parameters('clientId'), ':', parameters('clientSecret'))))]", |
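Review bot: `Authorization` is built by base64-encoding `clientId:clientSecret`, which is the correct shape for HTTP Basic auth, but it routes the secret through an ARM expression; confirm `clientSecret` is declared as a `securestring` parameter in the connector definition so the resolved header is not echoed in deployment history or the portal, and keep this header scoped to `TokenEndpointHeaders` only, as it is here, rather than reusing it on data requests.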
| "clv2ws1" | ||
| ], | ||
| "outputStream": "Custom-Detections_Data_CCF_CL", | ||
| "transformKql": "source | extend threat = real(null) , certainty = real(null) | extend entity_type = ['type'] , TimeGenerated = iff(isnull(['event_timestamp']), now(), todatetime(['event_timestamp'])) , id = todouble(id) , detection_id = todouble(detection_id) , entity_id = todouble(entity_id) , src_host_id = tolong(src_host['id']) , src_host_ip = tostring(src_host['ip']) , src_host_name = tostring(src_host['name']) , src_host_url = tostring(src_host['url']) , src_host_certainty = toreal(src_host['certainty']) , src_host_threat = toreal(src_host['threat']) , src_host_is_key_asset = tobool(src_host['is_key_asset']) , src_host_groups = src_host['groups'] , src_account_id = tolong(src_account['id']) , src_account_name = tostring(src_account['name']) , src_account_url = tostring(src_account['url']) , src_account_groups = src_account['groups'] , dst_host_id = tolong(dst_host['id']) , dst_host_ip = tostring(dst_host['ip']) , dst_host_name = tostring(dst_host['name']) , dst_host_url = tostring(dst_host['url']) , dst_host_session_luid = tostring(dst_host['session_luid']) , dst_host_groups = dst_host['groups'] , dst_account_id = tolong(dst_account['id']) , dst_account_name = tostring(dst_account['name']) , dst_account_uid = tostring(dst_account['uid']) , dst_account_url = tostring(dst_account['url']) , dst_account_groups = dst_account['groups'] , dst_domain_dns = tostring(dst_domain['dns']) , dst_domain_domain = tostring(dst_domain['domain']) , dst_domain_external_target = tostring(dst_domain['external_target']) , src_external_host_ip = tostring(src_external_host['ip']) , src_external_host_name = tostring(src_external_host['name']) , data_source_sensor_id = tostring(data_source['sensor_id']) , data_source_sensor_name = tostring(data_source['sensor_name']) , data_source_type = tostring(data_source['type']) , filters_filtered_by_ai = tobool(filters['filtered_by_ai']) , filters_filtered_by_rule = tobool(filters['filtered_by_rule']) , filters_filtered_by_user = 
tobool(filters['filtered_by_user']) , filters_is_custom_model = tobool(filters['is_custom_model']) , filters_triaged = tobool(filters['triaged']) , assignment_id = tolong(assignment['id']) , assignment_assigned_by = assignment['assigned_by'] , assignment_assigned_by_id = tolong(assignment['assigned_by']['id']) , assignment_assigned_by_username = tostring(assignment['assigned_by']['username']) , assignment_assigned_to = assignment['assigned_to'] , assignment_assigned_to_id = tolong(assignment['assigned_to']['id']) , assignment_assigned_to_username = tostring(assignment['assigned_to']['username']) , assignment_date_assigned = todatetime(assignment['date_assigned']) , is_targeting_key_asset = tostring(is_targeting_key_asset) , src_ip = tostring(src_host['ip']) | project TimeGenerated , id , detection_id , change_type , event_timestamp , event_type , category , threat , certainty , severity , d_type_vname , triaged , detail , d_detection_details , detection_href , detection_type , entity_id , entity_uid , entity_name , entity_type , url , mitre , is_prioritized , is_targeting_key_asset , unresolved_priority , investigation_status , reason , src_host , src_host_id , src_host_ip , src_ip , src_host_name , src_host_url , src_host_certainty , src_host_threat , src_host_is_key_asset , src_host_groups , src_account , src_account_id , src_account_name , src_account_url , src_account_groups , dst_host , dst_host_id , dst_host_ip , dst_host_name , dst_host_url , dst_host_session_luid , dst_host_groups , dst_account , dst_account_id , dst_account_name , dst_account_uid , dst_account_url , dst_account_groups , dst_domain , dst_domain_dns , dst_domain_domain , dst_domain_external_target , src_external_host , src_external_host_ip , src_external_host_name , data_source , data_source_sensor_id , data_source_sensor_name , data_source_type , filters , filters_filtered_by_ai , filters_filtered_by_rule , filters_filtered_by_user , filters_is_custom_model , filters_triaged , assignment , 
assignment_id , assignment_assigned_by , assignment_assigned_by_id , assignment_assigned_by_username , assignment_assigned_to , assignment_assigned_to_id , assignment_assigned_to_username , assignment_date_assigned , summary , grouped_details , tags , normal_domains , external_reference_id , process_context_data" |
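Review bot: `extend threat = real(null), certainty = real(null)` at the start of the Detections transform unconditionally nulls both columns before they are projected, so any `threat`/`certainty` values the API returns are discarded; if the new API no longer returns them, remove them from the `project` list rather than emitting always-empty columns. Separately, `id`, `detection_id` and `entity_id` are cast with `todouble()` while the nested identifiers (`src_host_id`, `dst_account_id`, `assignment_id`) use `tolong()`; integer identifiers should use `tolong()` consistently so the parsers and analytic rules can join on them without extra casts.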
| "clv2ws1" | ||
| ], | ||
| "outputStream": "Custom-Lockdown_Data_CCF_CL", | ||
| "transformKql": "source | extend TimeGenerated = iff(isnull(['lock_event_timestamp']), now(), todatetime(['lock_event_timestamp'])) , id = todouble(id) , entity_id = todouble(entity_id) , entity_type = ['type'] | project TimeGenerated , id , lock_event_timestamp , locked_by , unlock_event_timestamp , entity_id , entity_name , entity_type" |
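Review bot: `TimeGenerated = iff(isnull(['lock_event_timestamp']), now(), todatetime(['lock_event_timestamp']))` only covers the missing-field case; if the field is present but not parseable, `todatetime()` returns null and the row is ingested with a null `TimeGenerated`. Testing the converted value instead, e.g. `iff(isnull(todatetime(['lock_event_timestamp'])), now(), todatetime(['lock_event_timestamp']))`, covers both cases; the same pattern applies to the Detections and Entities transforms.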
| "clv2ws1" | ||
| ], | ||
| "outputStream": "Custom-Entities_Data_CCF_CL", | ||
| "transformKql": "source | extend TimeGenerated = iff(isnull(last_modified_timestamp), now(), todatetime(last_modified_timestamp)) , entity_type = ['type'] , id = todouble(id) , assignment_id = todouble(assignment['id']) , assignment_assigned_by = assignment['assigned_by'] , assignment_assigned_by_id = todouble(assignment['assigned_by']['id']) , assignment_assigned_by_username = tostring(assignment['assigned_by']['username']) , assignment_date_assigned = todatetime(assignment['date_assigned']) , assignment_assigned_to = assignment['assigned_to'] , assignment_assigned_to_id = todouble(assignment['assigned_to']['id']) , assignment_assigned_to_username = tostring(assignment['assigned_to']['username']) | project TimeGenerated , id , name , breadth_contrib , importance , entity_type , is_prioritized , severity , urgency_score , velocity_contrib , detection_set , last_detection_timestamp , last_modified_timestamp , notes , attack_rating , privilege_level , privilege_category , attack_profile , sensors , state , tags , url , host_type , account_type , ip , assignment , assignment_id , assignment_assigned_by , assignment_assigned_by_id , assignment_assigned_by_username , assignment_date_assigned , assignment_assigned_to , assignment_assigned_to_id , assignment_assigned_to_username" |
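Review bot: `assignment_id`, `assignment_assigned_by_id` and `assignment_assigned_to_id` are cast with `todouble()` here, but the same fields are cast with `tolong()` in the Detections transform above; the two tables will carry different column types for the same identifier, which breaks direct joins and unions in the combined parser. Use `tolong()` in both transforms.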
Comment on lines 106 to +107
| "type": "Microsoft.Common.Section", | ||
| "label": "Vectra XDR", | ||
| "label": null, |
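Review bot: replacing the `Microsoft.Common.Section` `label` with `null` leaves the workbook section without a heading in the install wizard; if the intent is to retire the old "Vectra XDR" name, put the new label here rather than `null`.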
Comment on lines 112 to +113
| "options": { | ||
| "text": "This workbook provides visualization of Audit, Detections, Entity Scoring, Lockdown and Health data." | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "name": "analytics", | ||
| "label": "Analytics", | ||
| "subLabel": { | ||
| "preValidation": "Configure the analytics", | ||
| "postValidation": "Done" | ||
| }, | ||
| "bladeTitle": "Analytics", | ||
| "elements": [ | ||
| { | ||
| "name": "analytics-text", | ||
| "type": "Microsoft.Common.TextBlock", | ||
| "options": { | ||
| "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." | ||
| } | ||
| }, | ||
| { | ||
| "name": "analytics-link", | ||
| "type": "Microsoft.Common.TextBlock", | ||
| "options": { | ||
| "link": { | ||
| "label": "Learn more", | ||
| "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "name": "analytic1", | ||
| "type": "Microsoft.Common.Section", | ||
| "label": "Vectra Create Incident Based on Tag for Accounts", | ||
| "elements": [ | ||
| { | ||
| "name": "analytic1-text", | ||
| "type": "Microsoft.Common.TextBlock", | ||
| "options": { | ||
| "text": "Create an incident when the account entity presents a specific tag. If the tag is present, an incident should be created and marked with highest priority." | ||
| "text": null |
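Review bot: setting `"text": null` on the `analytic1-text` TextBlock renders an empty description under the rule section; either keep a description or remove the element. Also check that the `analytic1` label "Vectra Create Incident Based on Tag for Accounts" still matches a shipped rule: the rule files added in this PR are `Vectra_RUX_Incident_Detection_Account.yaml` and `Vectra_RUX_Incident_Detection_Host.yaml`, which the file summary describes as escalated/unresolved detection rules rather than tag-based incident creation.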
Comment on lines 24 to 27
| "workbook1-name": { | ||
| "type": "string", | ||
| "defaultValue": "Vectra XDR", | ||
| "defaultValue": null, | ||
| "minLength": 1, |
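Review bot: `"defaultValue": null` on `workbook1-name` conflicts with the `"minLength": 1` constraint on the same parameter, so any deployment that does not pass an explicit value fails validation; keep a non-empty default (the previous "Vectra XDR") or drop `minLength` if the value is meant to be mandatory.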
| "isWizard": false, | ||
| "basics": { | ||
| "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AIVectraDetect.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nVectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit www.vectra.ai.\n\n The Vectra XDR App for Microsoft Sentinel contains:\n Data Connector to ingest events generated by Vectra XDR (through OMS agent).\n Workbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 7, **Playbooks:** 20\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", | ||
| "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/AIVectraDetect.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Vectra%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nVectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. Vectra AI's cloud-native platform - powered by our patented Attack Signal Intelligence- provide security teams with unified threat visibility, context and control across public cloud, SaaS, identity and data center networks in a prioritized feed. Vectra AI-driven Attack Signal IntelligenceTM, empowers SOC analysts to rapidly prioritize, investigate and respond to the most urgent cyber-attacks in their hybrid cloud environment. Organizations worldwide rely on Vectra AI's cloud-native platform and MDR services to see and stop attacks from becoming breaches. The Vectra AI App enables the security operations team to consume the industry's richest threat signals spanning public cloud, SaaS, identity and data center networks inside of Microsoft Sentinel. For more information, visit www.vectra.ai.\n\n The Vectra XDR App for Microsoft Sentinel contains:\n Data Connector to ingest events generated by Vectra XDR (through OMS agent).\n Workbook: Dynamic dashboard view of Entities, Detections, Lockdown, Audit and, Health\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", |
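Review bot: the basics `description` still says the data connector ingests events "through OMS agent", which no longer applies once the connector is CCF-based; update that sentence. The content summary also shrinks to "Data Connectors: 1, Workbooks: 1" even though this PR adds parsers, analytic rules and playbooks (see the file summary above), so the counts should list those too. Minor: "provide security teams" should be "provides security teams".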
Comment on lines +3 to +4
| "condition": "[[equals(parameters('selectedStream')[0], 'detections')]", | ||
| "name": "[[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', uniqueString(concat('VectraDetectionsPoller', parameters('alias'))))]", |
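Review bot: this copy of the polling config has the `name` expression correctly formed (`concat(parameters('workspace'), '/Microsoft.SecurityInsights/', ...)`), whereas the `.bak` copy under `_backup_old_connectors` still carries the mis-quoted `'parameters('workspace')'` version. Since the file summary flags the backup copies as possibly affecting validation, delete the `VectraCCFConnector.bak` directory from the PR rather than shipping two polling configs.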
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: