Vectra is a detection product that alerts on suspicious network behavior. It can recognize certain known attacks and suspicious interactions at the network level (e.g. reverse shells, port scans, etc.).
Cortex XSOAR supports fetching detections directly from Vectra; fetched detections are set to trigger incidents in Cortex XSOAR.
Commands start with !Vectra and can be viewed by clicking Show commands on the Settings/Integrations page.
For additional information, see also the solution brief Integrating_Cognito_with_Demisto_English.pdf.
To set up the integration on Cortex XSOAR:
- Go to ‘Settings > Integrations > Servers & Services’.
- Locate the Vectra integration by searching for ‘Vectra’ in the search box at the top of the page.
- Click ‘Add instance’ to create and configure a new integration. Configure the following Vectra and Cortex XSOAR-specific settings:
Name: A textual name for the integration instance.
Server URL: The hostname or IP address of the Vectra application. Make sure the URL is reachable, both the IP address and the port.
Credentials and Password: The username and password, or toggle to Credentials.
Fetch incidents: Select whether to automatically create Cortex XSOAR incidents from Vectra detections.
If this option is checked, the first batch of detections pulled as incidents will be those raised in the 10 minutes before the instance was added.
Do not validate server certificate: Select to skip server certificate validation. You may want to do this if Cortex XSOAR cannot validate the integration server's certificate (for example because the CA certificate is missing). Note that skipping validation also removes the protection against connecting to a spoofed server, so installing the missing CA certificate is the preferable fix.
Incident type: Select the incident type to which you want to map Vectra detections.
Cortex XSOAR engine: If relevant, select the engine that acts as a proxy to the server.
Engines are used when you need to access remote network segments and network devices such as proxies or firewalls prevent the Cortex XSOAR server from reaching those networks.
For more information on Cortex XSOAR engines, see:
Require users to enter additional password: Select whether you would like an additional step in which users must authenticate themselves with a password.
- Press the ‘Test’ button to validate the connection.
- After the test completes successfully, press the ‘Done’ button.
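The "Fetch incidents" behaviour described above (a first pull limited to the last 10 minutes, then incremental pulls) is the kind of logic every fetch-incidents integration has to get right, in particular not re-ingesting a detection that shares the timestamp of the last one fetched. The following Python block is an added illustration written for this page, not the Vectra integration's own code; the detection fields (id, type, src_host, last_timestamp), the sample detections and the last-run marker shape are all constructed assumptions, not the Vectra API schema.

```python
import json
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# The documented first-run window: only detections from the last 10 minutes.
FIRST_FETCH_LOOKBACK = timedelta(minutes=10)

# Constructed sample detections in a simplified, hypothetical shape
# (not the real Vectra API schema).
SAMPLE_DETECTIONS = [
    {"id": 101, "type": "Port Scan", "src_host": "ws-01",
     "last_timestamp": "2024-01-01T09:55:00Z"},   # older than the window
    {"id": 102, "type": "Reverse Shell", "src_host": "srv-db",
     "last_timestamp": "2024-01-01T10:02:00Z"},
    {"id": 103, "type": "Port Scan", "src_host": "ws-07",
     "last_timestamp": "2024-01-01T10:07:00Z"},
]
# Detections that appear before the second fetch; 104 shares 103's timestamp.
LATER_DETECTIONS = [
    {"id": 104, "type": "Reverse Shell", "src_host": "ws-07",
     "last_timestamp": "2024-01-01T10:07:00Z"},
    {"id": 105, "type": "Port Scan", "src_host": "ws-02",
     "last_timestamp": "2024-01-01T10:12:00Z"},
]


def parse_ts(value):
    """Parse the constructed UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def to_incident(det):
    """Map one detection onto the incident fields XSOAR expects from fetch-incidents."""
    return {
        "name": f"Vectra {det['type']} on {det['src_host']}",
        "occurred": det["last_timestamp"],
        "rawJSON": json.dumps(det),  # full detection kept as the incident's raw data
    }


def fetch_incidents(detections, last_run, now):
    """Return (incidents, new_last_run).

    last_run is the marker persisted between runs: the timestamp of the newest
    detection ingested so far plus the ids seen at that exact timestamp, so a
    detection sharing that timestamp is neither skipped nor ingested twice.
    """
    if not last_run.get("last_fetch"):
        start = now - FIRST_FETCH_LOOKBACK          # first run: 10-minute lookback
        seen = set()
    else:
        start = parse_ts(last_run["last_fetch"])    # later runs: resume from marker
        seen = set(last_run.get("seen_ids", []))

    incidents = []
    newest, newest_ids = start, set()
    for det in sorted(detections, key=lambda d: d["last_timestamp"]):
        ts = parse_ts(det["last_timestamp"])
        if ts < start or det["id"] in seen:
            continue
        incidents.append(to_incident(det))
        if ts > newest:
            newest, newest_ids = ts, {det["id"]}
        else:                       # ts == newest (list is sorted ascending)
            newest_ids.add(det["id"])

    if newest == start:             # nothing newer: keep the earlier ids too
        newest_ids |= seen
    return incidents, {"last_fetch": newest.strftime(TS_FMT),
                       "seen_ids": sorted(newest_ids)}


def demo():
    """Two consecutive fetches over the constructed data."""
    first = fetch_incidents(SAMPLE_DETECTIONS, {}, parse_ts("2024-01-01T10:10:00Z"))
    second = fetch_incidents(SAMPLE_DETECTIONS + LATER_DETECTIONS, first[1],
                             parse_ts("2024-01-01T10:20:00Z"))
    return first, second


if __name__ == "__main__":
    for incidents, last_run in demo():
        print([i["name"] for i in incidents], last_run)
```

On the first run the 09:55 detection falls outside the 10-minute window and is skipped; on the second run detection 103 is not ingested again even though its timestamp equals the stored marker, while 104, which arrived later with that same timestamp, is still picked up.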