
Vectra

This Integration is part of the Vectra Pack.

Vectra is a network detection product that alerts on suspicious network behavior. It recognizes certain known attacks and suspicious interactions at the network level (e.g. reverse shells, port scans).

Cortex XSOAR supports fetching detections directly from Vectra; fetched detections trigger incidents in Cortex XSOAR.

Commands start with !vectra- (see the command list below) and can be viewed by clicking Show commands in the Settings/Integrations page.

For additional information, see also the solution brief Integrating_Cognito_with_Demisto_English.pdf

To set up the integration on Cortex XSOAR:

  1. Go to ‘Settings > Integrations > Servers & Services’.
  2. Locate the Vectra integration by searching for ‘Vectra’ in the search box at the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. Configure the following Vectra and Cortex XSOAR-specific settings:
    Name : A textual name for the integration instance.
    Server URL : The hostname or IP address of the Vectra application, including the port if it is not the default. Make sure the URL is reachable from the Cortex XSOAR server (or from the engine, if one is used) with respect to both IP address and port.
    Credentials and Password : The username and password used to authenticate to Vectra, or toggle to Credentials to use a credential set stored in Cortex XSOAR.
    Fetch incidents : Select whether to automatically create Cortex XSOAR incidents from Vectra detections.
    If this option is checked, the first batch of detections pulled as incidents is the one raised in the 10 minutes before the instance was added.
    Do not validate server certificate : Select to skip validation of the Vectra server certificate. You may want to do this if Cortex XSOAR cannot validate the certificate (for example, because the issuing CA certificate is missing). Skipping validation lets any host that can intercept the connection impersonate Vectra and capture the integration credentials, so prefer installing the CA certificate on the Cortex XSOAR server or engine and leaving this option unchecked.
    Incident type : Select the incident type to which Vectra detections are mapped.
    Cortex XSOAR engine : If relevant, select the engine that acts as a proxy to the server.
    Engines are used when you need to access remote network segments and network devices such as proxies or firewalls prevent the Cortex XSOAR server from reaching those networks.
    For more information on Cortex XSOAR engines see:
    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/engines
    Require users to enter additional password : Select whether you want an additional step in which users must authenticate themselves with a password.
  4. Press the ‘Test’ button to validate the connection.
  5. After the test completes successfully, press the ‘Done’ button.
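The fetch-incidents behaviour described above (a 10-minute window on the first run, then only detections newer than the previous run) is easiest to understand as code. The following is an added illustration, not the integration's own source: it models the state that Cortex XSOAR hands back between fetches, deduplicates detections that share the boundary timestamp, and runs offline on constructed sample detections. The detection field names (id, type, src_host, first_timestamp), the incident shape and the state keys are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# First fetch after the instance is added covers only the previous 10 minutes.
FIRST_FETCH_WINDOW = timedelta(minutes=10)

# Constructed sample detections. The field names are an assumption made for
# this example, not Vectra's API schema.
SAMPLE_DETECTIONS = [
    {"id": 100, "type": "Port Scan",     "src_host": "10.0.0.9", "first_timestamp": "2024-03-01T11:55:00Z"},
    {"id": 101, "type": "Port Scan",     "src_host": "10.0.0.5", "first_timestamp": "2024-03-01T12:00:00Z"},
    {"id": 102, "type": "Reverse Shell", "src_host": "10.0.0.7", "first_timestamp": "2024-03-01T12:07:00Z"},
    {"id": 103, "type": "Reverse Shell", "src_host": "10.0.0.5", "first_timestamp": "2024-03-01T12:09:30Z"},
]
# Constructed "current time" for the first run: the moment the instance is added.
SAMPLE_NOW = datetime(2024, 3, 1, 12, 10, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample detections."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def fetch_incidents(detections, last_run, now):
    """Turn detections raised since the last run into XSOAR-style incidents.

    last_run is the state returned by the previous run (an empty dict on the
    first run): {"last_fetch": ISO timestamp, "seen_ids": ids already fetched
    at exactly that timestamp}. Returns (incidents, new_last_run).
    """
    if last_run.get("last_fetch"):
        start = parse_ts(last_run["last_fetch"])
        seen = set(last_run.get("seen_ids", []))
    else:
        start = now - FIRST_FETCH_WINDOW   # first run: last 10 minutes only
        seen = set()

    incidents = []
    latest, latest_ids = start, set(seen)
    for det in sorted(detections, key=lambda d: parse_ts(d["first_timestamp"])):
        ts = parse_ts(det["first_timestamp"])
        if ts < start or det["id"] in seen:
            continue   # outside the window, or already fetched at the boundary
        incidents.append({
            "name": f"Vectra {det['type']} on {det['src_host']}",
            "occurred": det["first_timestamp"],
            "rawJSON": json.dumps(det),
        })
        if ts > latest:
            latest, latest_ids = ts, {det["id"]}
        else:
            latest_ids.add(det["id"])   # same timestamp as the new boundary

    new_last_run = {"last_fetch": latest.strftime(TS_FMT), "seen_ids": sorted(latest_ids)}
    return incidents, new_last_run


if __name__ == "__main__":
    incidents, state = fetch_incidents(SAMPLE_DETECTIONS, {}, SAMPLE_NOW)
    print(len(incidents), "incidents on first run; state:", state)
    incidents, state = fetch_incidents(SAMPLE_DETECTIONS, state, SAMPLE_NOW + timedelta(minutes=1))
    print(len(incidents), "incidents on second run; state:", state)
```

Keeping the ids seen at the boundary timestamp, rather than advancing the window by one second, is what prevents both duplicate incidents and silently dropped detections when several detections share the same timestamp.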

Commands:

vectra-detections - Detection objects contain all the information related to security events detected on the network.
vectra-health - The health configuration retrieves system health statistics such as subnet counts, traffic bandwidth, headend and sensor information.
vectra-hosts - Host information includes data that correlates the host data to detected security events.
vectra-sensors - The sensors branch retrieves a list of sensors that collect and feed data to the X-series.
vectra-settings - The settings information includes S-series sensor and X-series configurations input by the administrator.
vectra-triage - The rules branch can be used to retrieve a listing of configured Triage rules.