What Changed

The Vectra XDR solution is updated to version 3.3.0, migrating from legacy Log Analytics ingestion to the Azure Monitor Logs Ingestion API. The Vectra API version is upgraded from v3.3 to v3.4 for enhanced data collection. Three new playbooks are added and existing analytics rules are updated.

Security Impact (Visibility & Fidelity)

The migration removes the dependency on legacy workspace keys, replacing SharedKey authentication with Azure client credentials and DCR-based ingestion. Government cloud environments are now supported through cloud-specific scope handling in Key Vault operations.

Enhanced retry logic handles rate-limiting responses with backoff. The API v3.4 upgrade improves data fidelity and adds detection context for security operations.
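As an added illustration of the two mechanisms above (example code, not the connector's own): cloud-specific token scopes for the Key Vault and Logs Ingestion endpoints, the DCR stream upload URL, and a retry loop that backs off on HTTP 429 / 5xx while honouring Retry-After. The `send` callback, helper names and the `usgov` label are assumptions; the authority and scope values are the standard Azure public and US Government cloud endpoints.

```python
import random
import time

# Standard token scopes and authority hosts for the public and US Government
# clouds; the selection helper and its names are this example's, not the connector's.
CLOUDS = {
    "public": {
        "authority": "https://login.microsoftonline.com",
        "keyvault_scope": "https://vault.azure.net/.default",
        "monitor_scope": "https://monitor.azure.com/.default",
    },
    "usgov": {
        "authority": "https://login.microsoftonline.us",
        "keyvault_scope": "https://vault.azure.us/.default",
        "monitor_scope": "https://monitor.azure.us/.default",
    },
}

def endpoints_for(cloud: str) -> dict:
    """Return authority and scopes for a cloud; fail loudly on an unknown name."""
    if cloud not in CLOUDS:
        raise ValueError(f"unknown cloud {cloud!r}; expected one of {sorted(CLOUDS)}")
    return CLOUDS[cloud]

def ingestion_url(dce_endpoint: str, dcr_immutable_id: str, stream: str) -> str:
    """Logs Ingestion API upload URL for one DCR stream (api-version 2023-01-01)."""
    return (f"{dce_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{stream}?api-version=2023-01-01")

def upload_with_backoff(send, batch, max_attempts=5, base_delay=1.0, sleep=time.sleep):
    """Call send(batch) -> (status, headers); retry 429 and 5xx with capped
    exponential backoff plus jitter, honouring Retry-After when present.
    Returns the number of attempts used; raises on exhaustion or a 4xx error."""
    for attempt in range(1, max_attempts + 1):
        status, headers = send(batch)
        if status < 400:
            return attempt
        if status != 429 and status < 500:
            raise RuntimeError(f"non-retryable status {status}")  # e.g. bad schema/auth
        if attempt == max_attempts:
            raise RuntimeError(f"giving up after {attempt} attempts, last status {status}")
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            delay = float(retry_after)  # the service said how long to wait
        else:
            delay = min(base_delay * 2 ** (attempt - 1), 60.0) + random.uniform(0, 0.5)
        sleep(delay)
```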

New Playbooks Added

  • VectaDownloadPcapFileToStorage: Downloads PCAP files for network forensics analysis
  • VectraCloseDetections: Automates detection closure workflows
  • VectraOpenClosedDetections: Manages detection state transitions

Analytic Rules (5 updated)

Updated entity tagging rules for account and host entities, including new Defender alert evidence correlation. Existing priority scoring rules updated for API v3.4 compatibility.

Affected Files

Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/sentinel.py
Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/collector.py
Solutions/Vectra XDR/Data Connectors/VectraDataConnector/SharedCode/keyvault_secrets_management.py
Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Account_Entity.yaml
Solutions/Vectra XDR/Analytic Rules/Create_Incident_Based_On_Tag_For_Host_Entity.yaml
Solutions/Vectra XDR/Analytic Rules/Defender_Alert_Evidence.yaml
Solutions/Vectra XDR/Analytic Rules/Priority_Account.yaml
Solutions/Vectra XDR/Analytic Rules/Priority_Host.yaml
Solutions/Vectra XDR/Parsers/VectraAudits.yaml
Solutions/Vectra XDR/Parsers/VectraDetections.yaml
Solutions/Vectra XDR/Parsers/VectraEntityScoring.yaml
Solutions/Vectra XDR/Parsers/VectraHealth.yaml
Solutions/Vectra XDR/Parsers/VectraLockdown.yaml
Solutions/Vectra XDR/Playbooks/VectaDownloadPcapFileToStorage/azuredeploy.json
Solutions/Vectra XDR/Playbooks/VectraCloseDetections/azuredeploy.json
Solutions/Vectra XDR/Playbooks/VectraOpenClosedDetections/azuredeploy.json
(packaging artefacts: mainTemplate.json, createUiDefinition.json, SolutionMetadata.json)