Vectra XDR - Upadated vectra solution with new enhancements

[fenil-savani]

Change(s):

• Log Ingestion API support
• Vectra API Version change from v3.3 to v3.4
• Adding 3 new playbooks and 1 analytic rule
• Updating existing playbook and analytic rules as per new version change

Reason for Change(s):

• New enhancements required by customer

Version Updated:

• Yes

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• Yes

[v-shukore]

Hi @fenil-savani, could you please resolve the KQL validation failures. Thanks!

[fenil-savani]

Hi @fenil-savani, could you please resolve the KQL validation failures. Thanks!

Yes, I am looking into the failures.

[fenil-savani]

Hi @v-shukore,
I have resolved all kql validation fails.

[v-shukore]

Hi @fenil-savani, could you please check this check is failing due to this error? Thank you.

[fenil-savani]

Hi @fenil-savani, could you please check this check is failing due to this error? Thank you.

Hi, @v-shukore
I have added techniques and tactics.

[v-shukore]

Hi @fenil-savani, please remove the newly created ZIP file and include your changes in the existing file, "VectraXDR320.zip". Also, use the existing URL for website run from package https://aka.ms/sentinel-VectraXDR320-functionapp in the azuredeploy file. Going forward, kindly consolidate all changes in the existing file. Thank you!

[fenil-savani]

Hi @fenil-savani, please remove the newly created ZIP file and include your changes in the existing file, "VectraXDR320.zip". Also, use the existing URL for website run from package https://aka.ms/sentinel-VectraXDR320-functionapp in the azuredeploy file. Going forward, kindly consolidate all changes in the existing file. Thank you!

Hi @v-shukore ,
Since these are significant changes, we must isolate them in a separate version to prevent any impact on existing customers and ensure no failure in function execution.

[fenil-savani]

Hi @v-shukore,
Any updates on this PR?

[v-shukore]

Hi @fenil-savani, could you please create a shortlink and update the azuredeploy file to reference the "website runs from the package"? Thanks!

[fenil-savani]

Hi @fenil-savani, could you please create a shortlink and update the azuredeploy file to reference the "website runs from the package"? Thanks!

Hi @v-shukore,
It's already updated with reference of new zip VectraXDR330.zip

[v-shukore]

Hi @fenil-savani, yes, you have created and updated the shortlink "https://aka.ms/sentinel-VectraXDR330-functionapp" but when we click and open this URL, it does not point to or download the latest zip file you created. Thanks!

[dhwanishah-crest]

Hi @v-shukore,
This PR introduces updates related to the Log Ingestion API. We are transitioning from the HTTP Data Collector API to the Log Ingestion API. The new API requires a Data Collection Rule (DCR), Data Collection Endpoint (DCE), and a predefined table schema, all of which are provisioned through an ARM template.
Updating the existing ZIP file would cause current customer integrations to fail. To maintain backward compatibility and prevent disruptions for existing customers, we need to create a new ZIP package.
So, you would require to map the new zip with the updated like in ARM template.

[v-shukore]

Hi @dhwanishah-crest, as mentioned in #13034 (comment), could you please update the short link so that it works and points to the latest zip file you created? Thanks!

[v-shukore]

Hi @fenil-savani, could you please share screenshots of the running data connector along with the invocation logs? Additionally, please provide running playbooks images which you have updated. Thank you.

[fenil-savani]

Hi @v-shukore
here providing data connector images

Playbook Run images