Skip to main content

Vectra Detect

This Integration is part of the Vectra AI Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This integration allows to create incidents based on Vectra Accounts/Hosts/Detections objects. This integration was integrated and tested with version 7.1 of Vectra Detect

Use cases#

  1. Fetch accounts, hosts and detections from Vectra Detect.
  2. Bi-Directional mirroring for accounts and hosts.
  3. List and describe accounts, hosts, detections, and users.
  4. List, describe, create, and resolve assignments for accounts and hosts.
  5. List, describe, and create assignment outcomes.
  6. List, create, update, and delete notes for accounts, hosts, and detections.
  7. List, create, and remove tags for accounts, hosts, and detections.
  8. List, assign, and unassign members in group.
  9. Mark and unmark detection as fixed.
  10. Mark all detections as fixed for accounts and hosts.
  11. Get detection's PCAP file.
  12. Clean up all incidents in Cortex XSOAR by closing duplicate incidents from Vectra Detect.

Configure Vectra Detect on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Vectra Detect.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Vectra Detect FQDN or IPEnter the FQDN or IP to reach the Vectra Detect API. (e.g. "my-vectra-box.local" or "192.168.1.1")True
    API TokenEnter the API token that can be retrieved from the Vectra UI > My Profile > General (tab) > API Token. You can also use the XSOAR credentials wallet to store it. In that case, the token should be the password.True
    API TokenTrue
    Trust any certificate (not secure)When checked, no SSL certificates check will be done when interacting with the Vectra Detect API. It's insecure. (Default - unchecked)False
    Use system proxy settingsUse the system proxy settings to reach with the Vectra Detect API.False
    Fetch incidentsFalse
    Incident typeFalse
    First fetch timestampThe date or relative timestamp from which to begin fetching entities.

    Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ.

    For example: 01 May 2024, 01 Aug 2024 04:45:33, 2024-07-17T14:05:44Z. (default - 7 days)
    False
    Mirroring DirectionThe mirroring direction in which to mirror the account and host. You can mirror "Incoming" (from Vectra to Cortex XSOAR), "Outgoing" (from Cortex XSOAR to Vectra), or in both directions.False
    Mirror tag for notesThe tag value should be used to mirror the account and host note by adding the same tag in the notes.False
    Entity types to fetchChoose what to fetch - Accounts and/or Hosts and/or Detections. (Default - Accounts,Hosts)False
    TagsOnly Accounts or Hosts that contain any of the tags specified will be fetched.

    Note: For the partial match of the tag, use '*' at the start and end of word (Only a single word is allowed). Ex. *MDR*.
    False
    Detection CategoryFilter the detections belonging to a specified category displayed as part of layout.

    Note: This filter applies on the 'Vectra Account' and 'Vectra Host' incident type.
    False
    Detection TypeFilter the detections belonging to a specified type displayed as part of layout.

    Note: This filter applies on the 'Vectra Account' and 'Vectra Host' incident type.
    Hosts fetch queryOnly "active" Hosts matching this fetch query will be fetched. Will be used only if "Hosts" is selected in the "Entity types to fetch". (default - host.threat:>=50)False
    Accounts fetch queryOnly "active" Accounts matching this fetch query will be fetched. Will be used only if "Accounts" is selected in the "Entity types to fetch". (default - account.threat:>=50)False
    Detections fetch queryOnly "active" Detections matching this fetch query will be fetched. Will be used only if "Detections" is selected in the "Entity types to fetch". (default - detection.threat:>=50 AND detection.certainty:>=50)False
    Max created incidents per fetchThe maximum number of new incidents to create per fetch. This value would be split between selected "Entity types to fetch". If the value is greater than 200, it will be considered as 200. The maximum is 200. (Default - 50)False
    Advanced: Minutes to look back when fetchingUse this parameter to determine how long backward to look in the search for incidents that were created before the last run time and did not match the query when they were created.False
  4. Click Test to validate the URLs, token, and connection.

Configuration for fetching Vectra Account or Vectra Host as a Cortex XSOAR incident#

To fetch Vectra Account or Vectra Host as a Cortex XSOAR incident:

  1. Select Fetches incidents.
  2. Under Classifier, select "Vectra Detect".
  3. Under Incident type, select "N/A".
  4. Under Mapper (incoming), select "Vectra Detect - Incoming Mapper" for default mapping.
  5. Enter connection parameters. (Vectra Detect FQDN or IP, API Token)
  6. Select SSL certificate validation and Proxy if required.
  7. Update "Max created incidents per fetch" & "First fetch timestamp" based on your requirements.
  8. Select the Incident Mirroring Direction:
    1. Incoming - Mirrors changes from the Vectra into the Cortex XSOAR incident.
    2. Outgoing - Mirrors changes from the Cortex XSOAR incident to the Vectra.
    3. Incoming And Outgoing - Mirrors changes both Incoming and Outgoing directions on incidents.
  9. Enter the relevant tag name for mirror notes. Note: This value is mapped to the dbotMirrorTags incident field in Cortex XSOAR, which defines how Cortex XSOAR handles notes when you tag them in the War Room. This is required for mirroring notes from Cortex XSOAR to Vectra.
  10. Provide the filter parameter "Tags”, to filter entities by specific tag/s for fetch type account and host.
  11. Provide the filter parameter "Detection Category” and "Detection Type", to filter detections by the specified category and type for fetch type account and host.

Notes for mirroring:

  • The mirroring is strictly tied to incident types "Vectra Account" and "Vectra Host", as well as the incoming mapper "Vectra Detect - Incoming Mapper". If you want to change or use a custom incident type/mapper, ensure that related changes are also present.
  • The mirroring settings apply only for incidents that are fetched after applying the settings.
  • Any tags removed from the Vectra Account or Vectra Host will not be removed in the Cortex XSOAR incident, as Cortex XSOAR doesn't allow the removal of the tags field via the backend. However, tags removed from the Cortex XSOAR incident UI will be removed from the Vectra Account or Vectra Host.
  • New notes from the Cortex XSOAR incident will be created as notes in the Vectra Account or Vectra Host. Updates to existing notes in the Cortex XSOAR incident will not be reflected in the Vectra Account or Vectra Host.
  • New notes from the Vectra Account or Vectra Host will be created as notes in the Cortex XSOAR incident. Updates to existing notes in the Vectra Account or Vectra Host will create new notes in the Cortex XSOAR incident.
  • If a closed Cortex XSOAR incident is tied to a specific Account or Vectra Host and new detections for that Account or Vectra Host arise or existing detections become active again, the incident will be automatically reopened.
  • When a Cortex XSOAR incident is closed but there are still active detections on the Vectra side, and the Account or Vectra Host is subsequently updated, the corresponding Cortex XSOAR incident for that entity will be reopened.
  • If a Cortex XSOAR incident is reopened and the corresponding entity has an assignment in Vectra, the assignment will be removed from Vectra.
  • If you want to use the mirror mechanism and you're using custom mappers, then the incoming mapper must contain the following fields: dbotMirrorDirection, dbotMirrorId, dbotMirrorInstance, and dbotMirrorTags.
  • To use a custom mapper, you must first duplicate the mapper and update the fields in the copy of the mapper. (Refer to the "Create a custom mapper consisting of the default Vectra Detect - Incoming Mapper" section for more information.)
  • Following new fields are introduced in the response of the incident to enable the mirroring:
    • mirror_direction: This field determines the mirroring direction for the incident. It is a required field for Cortex XSOAR to enable mirroring support.
    • mirror_tags: This field determines what would be the tag needed to mirror the Cortex XSOAR entry out to Vectra. It is a required field for XSOAR to enable mirroring support.
    • mirror_instance: This field determines from which instance the Cortex XSOAR incident was created. It is a required field for Cortex XSOAR to enable mirroring support.

Cleanup Duplicate Incidents#

  • Use the Close All Duplicate XSOAR Incidents - Vectra Detect playbook to clean up duplicate incidents. You can use VectraDetectCloseDuplicateIncidents script individually to clean up duplicate incidents.
  • You can also schedule a job with Close All Duplicate XSOAR Incidents - Vectra Detect playbook in Cortex XSOAR to clean up incidents periodically. Refer to this Cortex XSOAR documentation for more information.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

vectra-search-accounts#


Returns a list of Account objects. All search attributes will be cumulative unless you're using the search_query_only one, in that case, only this one will be taken into account.

Base Command#

vectra-search-accounts

Input#

Argument NameDescriptionRequired
min_idReturns Accounts with an ID greater than or equal to the specified ID.Optional
max_idReturns Accounts with an ID less than or equal to the specified ID.Optional
min_threatReturns Accounts with a threat score greater than or equal to the specified score.Optional
max_threatReturns Accounts with a threat score less than or equal to the specified score.Optional
min_certaintyReturns Accounts with a certainty score greater than or equal to the specified score.Optional
max_certaintyReturns Accounts with a certainty score less than or equal to the specified score.Optional
stateFilters by state ('active', 'inactive'). Possible values are: active, inactive.Optional
search_querySearch query in Lucene query syntax.Optional
search_query_onlyUse specifically this search query. Compared to "search_query" where default arguments are appended.Optional
min_privilege_levelReturns entries with a privilege level greater than or equal to the specified score.Optional
max_privilege_levelReturns entries with a privilege level greater than or equal to the specified score.Optional
privilege_categoryFilters by the privilege category ("low", "medium", "high") provided.Optional
tagsFilters by a tag or a comma-separated list tags.Optional

Context Output#

PathTypeDescription
Vectra.Account.AssigneeStringVectra user account this Account is assigned to
Vectra.Account.AssignedDateStringAssignment date
Vectra.Account.CertaintyScoreNumberAccount certainty score
Vectra.Account.IDNumberAccount ID (unique)
Vectra.Account.LastDetectionTimestampStringLast time a detection linked to this account has been seen
Vectra.Account.PrivilegeLevelNumberAccount privilege level (from 1 to 10)
Vectra.Account.PrivilegeCategoryStringAccount privilege category (Either 'Low', 'Medium' or 'High' - Privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High')
Vectra.Account.SeverityStringAccount severity according to scores ('Low', 'Medium', 'High', 'Critical')
Vectra.Account.StateStringAccount state ('active', 'inactive')
Vectra.Account.TagsStringAccount tags
Vectra.Account.ThreatScoreNumberAccount threat score
Vectra.Account.TypeStringAccount type ('kerberos' or 'o365')
Vectra.Account.URLStringAccount URL to pivot to Vectra UI
Vectra.Account.NameStringThe username of the account

vectra-search-hosts#


Returns a list of Host objects. All search attributes will be cumulative unless you're using the search_query_only one, in that case, only this one will be taken into account.

Base Command#

vectra-search-hosts

Input#

Argument NameDescriptionRequired
min_idReturns Hosts with an ID greater than or equal to the specified ID.Optional
max_idReturns Hosts with an ID less than or equal to the specified ID.Optional
min_threatReturns Hosts with a threat score greater than or equal to the specified score.Optional
max_threatReturns Hosts with a threat score less than or equal to the specified score.Optional
min_certaintyReturns Hosts with a certainty score greater than or equal to the specified score.Optional
max_certaintyReturns Hosts with a certainty score less than or equal to the specified score.Optional
stateFilters by state ('active', 'inactive'). Possible values are: active, inactive.Optional
search_querySearch query in Lucene query syntax.Optional
search_query_onlyUse specifically this search query. Compared to "search_query" where default arguments are appended.Optional

Context Output#

PathTypeDescription
Vectra.Host.AssigneeStringVectra user account this Host is assigned to
Vectra.Host.AssignedDateStringAssignment date
Vectra.Host.CertaintyScoreNumberHost certainty score
Vectra.Host.HasActiveTrafficBooleanWhether this Host has active traffic
Vectra.Host.HostnameStringHost name
Vectra.Host.IDNumberHost ID (Unique)
Vectra.Host.IPStringHost IP address
Vectra.Host.IsKeyAssetBooleanWhether this Host is seen as a key asset
Vectra.Host.IsTargetingKeyAssetBooleanWhether this Host is targeting a key asset
Vectra.Host.PrivilegeLevelNumberHost privilege level (from 1 to 10)
Vectra.Host.PrivilegeCategoryStringHost privilege category. (Either 'Low', 'Medium' or 'High' - Privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High')
Vectra.Host.ProbableOwnerStringHost probable owner
Vectra.Host.SensorLUIDStringSensor LUID that saw this Host
Vectra.Host.SensorNameStringSensor Name that saw this Host
Vectra.Host.SensorStringSensor details that have seen this Host
Vectra.Host.SeverityStringHost severity according to scores ('Low', 'Medium', 'High', 'Critical')
Vectra.Host.StateStringHost state ('active', 'inactive')
Vectra.Host.TagsStringHost tags
Vectra.Host.ThreatScoreNumberHost threat score
Vectra.Host.URLStringHost URL to pivot to Vectra UI

vectra-search-detections#


Returns a list of Detection objects. All search attributes will be cumulative unless you're using the search_query_only one, in that case, only this one will be taken into account.

Base Command#

vectra-search-detections

Input#

Argument NameDescriptionRequired
min_idReturns Detections with an ID greater than or equal to the specified ID.Optional
max_idReturns Detections with an ID less than or equal to the specified ID.Optional
min_threatReturns Detections with a threat score greater than or equal to the specified score.Optional
max_threatReturns Detections with a threat score less than or equal to the specified score.Optional
min_certaintyReturns Detections with a certainty score greater than or equal to the specified score.Optional
max_certaintyReturns Detections with a certainty score less than or equal to the specified score.Optional
stateFilters by state ('active', 'inactive'). Possible values are: active, inactive.Optional
search_querySearch query in Lucene query syntax.Optional
search_query_onlyUse specifically this search query. Compared to "search_query" where default arguments are appended.Optional

Context Output#

PathTypeDescription
Vectra.Detection.AssigneeStringVectra user account this detection is assigned to
Vectra.Detection.AssignedDateStringAssignment date
Vectra.Detection.CategoryStringDetection category (Lateral, Exfil, ...)
Vectra.Detection.CertaintyScoreNumberDetection certainty score
Vectra.Detection.DescriptionStringDetection description
Vectra.Detection.DestinationIPsStringDetection destination IPs
Vectra.Detection.DestinationPortsStringDetection destination ports
Vectra.Detection.FirstTimestampStringFirst time this detection has been seen
Vectra.Detection.IDNumberDetection ID (unique)
Vectra.Detection.IsTargetingKeyAssetBooleanWhether this detection is targeting a key asset
Vectra.Detection.LastTimestampStringLast time this detection has been seen
Vectra.Detection.NameStringThe name of the detection. Would be a user defined name if this detection is triaged or the default type name instead
Vectra.Detection.SeverityStringDetection severity according to scores ('Low', 'Medium', 'High', 'Critical')
Vectra.Detection.SensorLUIDStringSensor LUID that saw this detection
Vectra.Detection.SensorNameStringSensor name that saw this detection.
Vectra.Detection.SourceAccountIDStringAccount ID relating to this detection
Vectra.Detection.SourceHostIDStringHost ID relating to this detection
Vectra.Detection.SourceIPStringSource IP relating to this detection
Vectra.Detection.StateStringDetection state ('active', 'inactive')
Vectra.Detection.TagsStringDetection tags
Vectra.Detection.ThreatScoreNumberDetection threat score
Vectra.Detection.TriageRuleIDStringTriage rule ID related to this detection
Vectra.Detection.TypeStringDetection type (Brute Force, Port Sweep, ...)
Vectra.Detection.URLStringDetection URL to pivot to Vectra UI

vectra-search-assignments#


Return a list of assignments. By default already resolved assignment are not returned.

Base Command#

vectra-search-assignments

Input#

Argument NameDescriptionRequired
account_idsFilters by accounts IDs.Optional
assignee_idsFilters by assignees IDs.Optional
host_idsFilters by hosts IDs.Optional
outcome_idsFilters by outcomes IDs.Optional
resolvedFilters by resolution state.Optional

Context Output#

PathTypeDescription
Vectra.Assignment.AccountIDNumberAccount ID this assignment is linked to
Vectra.Assignment.AssignedByStringWho lastly assigned this assignment
Vectra.Assignment.AssignedDateStringWhen this assignment was lastly assigned
Vectra.Assignment.AssignedToStringTo who this assignment is assigned
Vectra.Assignment.HostIDStringHost ID this assignment is linked to
Vectra.Assignment.IDNumberAssignment ID (unique)
Vectra.Assignment.IsResolvedBooleanIs this assignment resolved
Vectra.Assignment.OutcomeCategoryStringAssignment Outcome category
Vectra.Assignment.OutcomeTitleStringAssignment Outcome title
Vectra.Assignment.TriagedDetectionsStringList of Detection that have been triaged with the resolution
Vectra.Assignment.TriagedAsStringName of the triage rule if any
Vectra.Assignment.ResolvedByStringWho resolved this assignment
Vectra.Assignment.ResolvedDatestringWhen this assignment was resolved

vectra-search-users#


Returns a list of Vectra Users. All search attributes will be cumulative.

Base Command#

vectra-search-users

Input#

Argument NameDescriptionRequired
usernameFilters by user name.Optional
roleFilters by user role.Optional
typeFilters by type ('Local', 'SAML', ...). Possible values are: local, SAML.Optional
last_login_datetimeFilters for Users that logged in since the given datetime.Optional

Context Output#

PathTypeDescription
Vectra.User.EmailStringUser's email address
Vectra.User.IDNumberUser ID (unique)
Vectra.User.RoleStringUser's role
Vectra.User.TypeStringUser type ('Local', 'SAML', ...)
Vectra.User.UsernameStringUsername
Vectra.User.LastLoginDateStringUser's last login datetime

vectra-search-outcomes#


Returns a list of assignment outcomes.

Base Command#

vectra-search-outcomes

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
Vectra.Outcome.IsBuiltInStringIs this Outcome a builtin Outcome
Vectra.Outcome.CategoryStringOutcome's category ('False Positive', 'Benign True Positive', 'Malicious True Positive')
Vectra.Outcome.IDNumberOutcome ID (unique)
Vectra.Outcome.TitleStringOutcome title

vectra-account-describe#


Returns a single Account details

Base Command#

vectra-account-describe

Input#

Argument NameDescriptionRequired
idAccount ID you want to get details on.Optional

Context Output#

PathTypeDescription
Vectra.Account.AssigneeStringVectra user account this Account is assigned to
Vectra.Account.AssignedDateStringAssignment date
Vectra.Account.CertaintyScoreNumberAccount certainty score
Vectra.Account.IDNumberAccount ID (unique)
Vectra.Account.LastDetectionTimestampStringLast time a detection linked to this account has been seen
Vectra.Account.PrivilegeLevelNumberAccount privilege level (from 1 to 10)
Vectra.Account.PrivilegeCategoryStringAccount privilege category (Either 'Low', 'Medium' or 'High' - Privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High')
Vectra.Account.SeverityStringAccount severity according to scores ('Low', 'Medium', 'High', 'Critical')
Vectra.Account.StateStringAccount state ('active', 'inactive')
Vectra.Account.TagsStringAccount tags
Vectra.Account.ThreatScoreNumberAccount threat score
Vectra.Account.TypeStringAccount type ('kerberos' or 'o365')
Vectra.Account.URLStringAccount URL to pivot to Vectra UI
Vectra.Account.NameStringThe username of the account

vectra-account-add-tags#


Add tags to an Account

Base Command#

vectra-account-add-tags

Input#

Argument NameDescriptionRequired
idAccount ID you want to add tags on.Optional
tagsThe tags list (comma separated).Optional

Context Output#

There is no context output for this command.

vectra-account-del-tags#


Delete tags from an Account

Base Command#

vectra-account-del-tags

Input#

Argument NameDescriptionRequired
idAccount ID you want to del tags from.Optional
tagsThe tags list (comma separated).Optional

Context Output#

There is no context output for this command.

vectra-account-tag-list#


Returns a list of tags for a specified account.

Base Command#

vectra-account-tag-list

Input#

Argument NameDescriptionRequired
idSpecify the ID of the account.Required

Context Output#

PathTypeDescription
Vectra.Account.IDNumberID of the account associated with the tags.
Vectra.Account.TagsStringTags associated to the account.

Command example#

!vectra-account-tag-list id="2"

Context Example#

{
"Vectra.Account": {
"ID": 2,
"Tags": [
"note",
"tag_from_xsoar",
"tag_from_vectra"
]
}
}

Human Readable Output#

List of tags: note, tag_from_xsoar, tag_from_vectra#

vectra-account-note-add#


Add a note to the account.

Base Command#

vectra-account-note-add

Input#

Argument NameDescriptionRequired
account_idSpecify the ID of the account.Required
noteNote to be added in the specified account_id.Required

Context Output#

PathTypeDescription
Vectra.Account.Notes.account_idNumberID of the account associated with the note.
Vectra.Account.Notes.note_idNumberID of the note.
Vectra.Account.Notes.date_createdDateDate when the note was created.
Vectra.Account.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Account.Notes.created_byStringUser who created the note.
Vectra.Account.Notes.modified_byStringUser who last modified the note.
Vectra.Account.Notes.noteStringContent of the note.

Command example#

!vectra-account-note-add account_id="2" note="test note"

Context Example#

{
"Vectra.Account.Notes": {
"date_created": "2024-07-10T07:30:58.574942Z",
"created_by": "xsoar",
"note": "test note",
"note_id": 1959,
"account_id": 2
}
}

Human Readable Output#

The note has been successfully added to the account.#

Returned Note ID: 1959

vectra-account-note-update#


Update a note in the account.

Base Command#

vectra-account-note-update

Input#

Argument NameDescriptionRequired
account_idSpecify the ID of the account.Required
note_idSpecify the ID of the note.

Note: Use the vectra-account-note-list command to get note_id.
Required
noteNote to be updated for the specified note_id.Required

Context Output#

PathTypeDescription
Vectra.Account.Notes.account_idNumberID of the account associated with the note.
Vectra.Account.Notes.note_idNumberID of the note.
Vectra.Account.Notes.date_createdDateDate when the note was created.
Vectra.Account.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Account.Notes.created_byStringUser who created the note.
Vectra.Account.Notes.modified_byStringUser who last modified the note.
Vectra.Account.Notes.noteStringContent of the note.

Command example#

!vectra-account-note-update account_id="2" note_id="1959" note="updated test note"

Context Example#

{
"Vectra.Account.Notes": {
"date_created": "2024-07-10T07:30:58.574942Z",
"date_modified": "2024-07-12T06:42:29.546835Z",
"created_by": "xsoar",
"modified_by": "xsoar",
"note": "updated test note",
"note_id": 1959,
"account_id": 2
}
}

Human Readable Output#

The note has been successfully updated in the account.#

vectra-account-note-remove#


Remove a note from the account.

Base Command#

vectra-account-note-remove

Input#

Argument NameDescriptionRequired
account_idSpecify the ID of the account.Required
note_idSpecify the ID of the note.

Note: Use the vectra-account-note-list command to get note_id.
Required

Context Output#

There is no context output for this command.

Command example#

!vectra-account-note-remove account_id="2" note_id="1959"

Human Readable Output#

The note has been successfully removed from the account.#

vectra-account-note-list#


List all notes of the specific account.

Base Command#

vectra-account-note-list

Input#

Argument NameDescriptionRequired
account_idSpecify the ID of the account.Required

Context Output#

PathTypeDescription
Vectra.Account.Notes.account_idNumberID of the account associated with the note.
Vectra.Account.Notes.note_idNumberID of the note.
Vectra.Account.Notes.date_createdDateDate when the note was created.
Vectra.Account.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Account.Notes.created_byStringUser who created the note.
Vectra.Account.Notes.modified_byStringUser who last modified the note.
Vectra.Account.Notes.noteStringContent of the note.

Command example#

!vectra-account-note-list account_id="2"

Context Example#

{
"Vectra.Account.Notes": [
{
"date_created": "2024-07-10T05:40:31Z",
"date_modified": "2024-07-16T12:56:30Z",
"created_by": "xsoar",
"modified_by": "xsoar",
"note": "updated_note",
"note_id": 1959,
"account_id": 2
},
{
"date_created": "2024-07-08T07:11:49Z",
"created_by": "xsoar",
"note": "Here comes your note TEST",
"note_id": 1906,
"account_id": 2
}
]
}

Human Readable Output#

Notes Table#
Note IDNoteCreated ByCreated DateModified ByModified Date
1959updated_notexsoar2024-07-10T05:40:31Zxsoar2024-07-16T12:56:30Z
1906Here comes your note TESTxsoar2024-07-08T07:11:49Z

vectra-account-markall-detections-asfixed#


Mark active detections as fixed by providing the ID of the account in the argument.

Base Command#

vectra-account-markall-detections-asfixed

Input#

Argument NameDescriptionRequired
account_idProvide an account ID.Required

Context Output#

There is no context output for this command.

Command example#

!vectra-account-markall-detections-asfixed account_id=109

Human Readable Output#

The active detections of the provided account have been successfully marked as fixed.

vectra-host-describe#


Returns a single Host details

Base Command#

vectra-host-describe

Input#

Argument NameDescriptionRequired
idHost ID you want to get details on.Optional

Context Output#

PathTypeDescription
Vectra.Host.AssigneeStringVectra user account this Host is assigned to
Vectra.Host.AssignedDateStringAssignment date
Vectra.Host.CertaintyScoreNumberHost certainty score
Vectra.Host.HasActiveTrafficBooleanWhether this Host has active traffic
Vectra.Host.HostnameStringHost name
Vectra.Host.IDNumberHost ID (Unique)
Vectra.Host.IPStringHost IP address
Vectra.Host.IsKeyAssetBooleanWhether this Host is seen as a key asset
Vectra.Host.IsTargetingKeyAssetBooleanWhether this Host is targeting a key asset
Vectra.Host.PrivilegeLevelNumberHost privilege level (from 1 to 10)
Vectra.Host.PrivilegeCategoryStringHost privilege category. (Either 'Low', 'Medium' or 'High' - Privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High')
Vectra.Host.ProbableOwnerStringHost probable owner
Vectra.Host.SensorLUIDStringSensor LUID that saw this Host
Vectra.Host.SensorNameStringSensor Name that saw this Host
Vectra.Host.SensorStringSensor details that have seen this Host
Vectra.Host.SeverityStringHost severity according to scores ('Low', 'Medium', 'High', 'Critical')
Vectra.Host.StateStringHost state ('active', 'inactive')
Vectra.Host.TagsStringHost tags
Vectra.Host.ThreatScoreNumberHost threat score
Vectra.Host.URLStringHost URL to pivot to Vectra UI

vectra-host-add-tags#


Add tags to an Host

Base Command#

vectra-host-add-tags

Input#

Argument NameDescriptionRequired
idHost ID you want to add tags on.Optional
tagsThe tags list (comma separated).Optional

Context Output#

There is no context output for this command.

vectra-host-del-tags#


Delete tags from an Host

Base Command#

vectra-host-del-tags

Input#

Argument NameDescriptionRequired
idHost ID you want to del tags from.Optional
tagsThe tags list (comma separated).Optional

Context Output#

There is no context output for this command.

vectra-host-tag-list#


Returns a list of tags for a specified host.

Base Command#

vectra-host-tag-list

Input#

Argument NameDescriptionRequired
idSpecify the ID of the host.Required

Context Output#

PathTypeDescription
Vectra.Host.IDNumberID of the host associated with the tags.
Vectra.Host.TagsStringTags associated to the host.

Command example#

!vectra-host-tag-list id="2"

Context Example#

{
"Vectra.Host": {
"ID": 2,
"Tags": [
"note",
"tag_from_xsoar",
"tag_from_vectra"
]
}
}

Human Readable Output#

List of tags: note, tag_from_xsoar, tag_from_vectra#

vectra-host-note-add#


Add a note to the host.

Base Command#

vectra-host-note-add

Input#

Argument NameDescriptionRequired
host_idSpecify the ID of the host.Required
noteNote to be added in the specified host_id.Required

Context Output#

PathTypeDescription
Vectra.Host.Notes.host_idNumberID of the host associated with the note.
Vectra.Host.Notes.note_idNumberID of the note.
Vectra.Host.Notes.date_createdDateDate when the note was created.
Vectra.Host.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Host.Notes.created_byStringUser who created the note.
Vectra.Host.Notes.modified_byStringUser who last modified the note.
Vectra.Host.Notes.noteStringContent of the note.

Command example#

!vectra-host-note-add host_id="5" note="test note"

Context Example#

{
"Vectra.Host.Notes": {
"date_created": "2024-07-10T07:31:58.574942Z",
"created_by": "xsoar",
"note": "test note",
"note_id": 1960,
"host_id": 5
}
}

Human Readable Output#

The note has been successfully added to the host.#

Returned Note ID: 1960

vectra-host-note-update#


Update a note in the host.

Base Command#

vectra-host-note-update

Input#

Argument NameDescriptionRequired
host_idSpecify the ID of the host.Required
note_idSpecify the ID of the note.

Note: Use the vectra-host-note-list command to get note_id.
Required
noteNote to be updated for the specified note_id.Required

Context Output#

PathTypeDescription
Vectra.Host.Notes.host_idNumberID of the host associated with the note.
Vectra.Host.Notes.note_idNumberID of the note.
Vectra.Host.Notes.date_createdDateDate when the note was created.
Vectra.Host.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Host.Notes.created_byStringUser who created the note.
Vectra.Host.Notes.modified_byStringUser who last modified the note.
Vectra.Host.Notes.noteStringContent of the note.

Command example#

!vectra-account-note-update host_id="7" note_id="1960" note="updated test note"

Context Example#

{
"Vectra.Host.Notes": {
"date_created": "2024-07-10T07:31:58.574942Z",
"date_modified": "2024-07-12T06:44:29.546835Z",
"created_by": "xsoar",
"modified_by": "xsoar",
"note": "updated test note",
"note_id": 1960,
"host_id": 7
}
}

Human Readable Output#

The note has been successfully updated in the host.#

vectra-host-note-remove#


Remove a note from the host.

Base Command#

vectra-host-note-remove

Input#

Argument NameDescriptionRequired
host_idSpecify the ID of the host.Required
note_idSpecify the ID of the note.

Note: Use the vectra-host-note-list command to get note_id.
Required

Context Output#

There is no context output for this command.

Command example#

!vectra-host-note-remove host_id="7" note_id="1960"

Human Readable Output#

The note has been successfully removed from the host.#

vectra-host-note-list#


List all notes of the specific host.

Base Command#

vectra-host-note-list

Input#

Argument NameDescriptionRequired
host_idSpecify the ID of the host.Required

Context Output#

PathTypeDescription
Vectra.Host.Notes.host_idNumberID of the host associated with the note.
Vectra.Host.Notes.note_idNumberID of the note.
Vectra.Host.Notes.date_createdDateDate when the note was created.
Vectra.Host.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Host.Notes.created_byStringUser who created the note.
Vectra.Host.Notes.modified_byStringUser who last modified the note.
Vectra.Host.Notes.noteStringContent of the note.

Command example#

!vectra-host-note-list host_id="7"

Context Example#

{
"Vectra.Host.Notes": [
{
"date_created": "2024-07-11T07:32:31Z",
"created_by": "xsoar",
"note": "test note",
"note_id": 1960,
"host_id": 7
},
{
"date_created": "2024-07-11T06:23:07Z",
"created_by": "cds_xsoar",
"note": "test note",
"note_id": 1982,
"host_id": 7
}
]
}

Human Readable Output#

Notes Table#
Note IDNoteCreated ByCreated Date
1960test notexsoar2024-07-11T07:32:31Z
1982test notecds_xsoar2024-07-11T06:23:07Z

vectra-host-markall-detections-asfixed#


Mark active detections as fixed by providing ID of the host in the argument.

Base Command#

vectra-host-markall-detections-asfixed

Input#

Argument NameDescriptionRequired
host_idProvide a host ID.Required

Context Output#

There is no context output for this command.

Command example#

!vectra-host-markall-detections-asfixed host_id=23176

Human Readable Output#

The active detections of the provided host have been successfully marked as fixed.

vectra-detection-describe#


Returns a single detection details

Base Command#

vectra-detection-describe

Input#

Argument NameDescriptionRequired
idDetection ID you want to get details on.Optional

Context Output#

PathTypeDescription
Vectra.Detection.AssigneeStringVectra user account this detection is assigned to
Vectra.Detection.AssignedDateStringAssignment date
Vectra.Detection.CategoryStringDetection category (Lateral, Exfil, ...)
Vectra.Detection.CertaintyScoreNumberDetection certainty score
Vectra.Detection.DescriptionStringDetection description
Vectra.Detection.DestinationIPsStringDetection destination IPs
Vectra.Detection.DestinationPortsStringDetection destination ports
Vectra.Detection.FirstTimestampStringFirst time this detection has been seen
Vectra.Detection.IDNumberDetection ID (unique)
Vectra.Detection.IsTargetingKeyAssetBooleanWhether this detection is targeting a key asset
Vectra.Detection.LastTimestampStringLast time this detection has been seen
Vectra.Detection.NameStringThe name of the detection. Would be a user defined name if this detection is triaged or the default type name instead
Vectra.Detection.SeverityStringDetection severity according to scores ('Low', 'Medium', 'High', 'Critical')
Vectra.Detection.SensorLUIDStringSensor LUID that saw this detection
Vectra.Detection.SensorNameStringSensor name that saw this detection.
Vectra.Detection.SourceAccountIDStringAccount ID relating to this detection
Vectra.Detection.SourceHostIDStringHost ID relating to this detection
Vectra.Detection.SourceIPStringSource IP relating to this detection
Vectra.Detection.StateStringDetection state ('active', 'inactive')
Vectra.Detection.TagsStringDetection tags
Vectra.Detection.ThreatScoreNumberDetection threat score
Vectra.Detection.TriageRuleIDStringTriage rule ID related to this detection
Vectra.Detection.TypeStringDetection type (Brute Force, Port Sweep, ...)
Vectra.Detection.URLStringDetection URL to pivot to Vectra UI

vectra-detection-get-pcap#


Returns a Detection's PCAP file (if available)

Base Command#

vectra-detection-get-pcap

Input#

Argument NameDescriptionRequired
idThe Detection ID you want to get the PCAP file from.Optional

Context Output#

There is no context output for this command.

vectra-detection-markasfixed#


Marks/Unmarks a Detection as fixed by providing the Detection ID

Base Command#

vectra-detection-markasfixed

Input#

Argument NameDescriptionRequired
idDetection ID you want to mark/unmark as fixed.Optional
fixedThe wanted detection status ("true", "false"). No default value. Possible values are: true, false.Optional

Context Output#

There is no context output for this command.

vectra-detection-add-tags#


Add tags to a Detection

Base Command#

vectra-detection-add-tags

Input#

Argument NameDescriptionRequired
idDetection ID you want to add tags on.Optional
tagsThe tags list (comma separated).Optional

Context Output#

There is no context output for this command.

vectra-detection-del-tags#


Delete tags from a Detection

Base Command#

vectra-detection-del-tags

Input#

Argument NameDescriptionRequired
idDetection ID you want to del tags from.Optional
tagsThe tags list (comma separated).Optional

Context Output#

There is no context output for this command.

vectra-detection-tag-list#


Returns a list of tags for a specified detection.

Base Command#

vectra-detection-tag-list

Input#

Argument NameDescriptionRequired
idSpecify the ID of the detection.Required

Context Output#

PathTypeDescription
Vectra.Detection.IDNumberID of the detection associated with the tags.
Vectra.Detection.TagsStringTags associated to the detection.

Command example#

!vectra-detection-tag-list id="2"

Context Example#

{
"Vectra.Detection": {
"ID": 2,
"Tags": [
"note",
"tag_from_xsoar",
"tag_from_vectra"
]
}
}

Human Readable Output#

List of tags: note, tag_from_xsoar, tag_from_vectra#

vectra-detection-note-add#


Add a note to the detection.

Base Command#

vectra-detection-note-add

Input#

Argument NameDescriptionRequired
detection_idSpecify the ID of the detection.Required
noteNote to be added in the specified detection_id.Required

Context Output#

PathTypeDescription
Vectra.Detection.Notes.detection_idNumberID of the detection associated with the note.
Vectra.Detection.Notes.note_idNumberID of the note.
Vectra.Detection.Notes.date_createdDateDate when the note was created.
Vectra.Detection.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Detection.Notes.created_byStringUser who created the note.
Vectra.Detection.Notes.modified_byStringUser who last modified the note.
Vectra.Detection.Notes.noteStringContent of the note.

Command example#

!vectra-detection-note-add detection_id="7" note="test note"

Context Example#

{
"Vectra.Detection.Notes": {
"date_created": "2024-07-10T07:32:58.574942Z",
"created_by": "xsoar",
"note": "test note",
"note_id": 1961,
"detection_id": 7
}
}

Human Readable Output#

The note has been successfully added to the detection.#

Returned Note ID: 1961

vectra-detection-note-update#


Update a note in the detection.

Base Command#

vectra-detection-note-update

Input#

Argument NameDescriptionRequired
detection_idSpecify the ID of the detection.Required
note_idSpecify the ID of the note.

Note: Use the vectra-detection-note-list command to get note_id.
Required
noteNote to be updated for the specified note_id.Required

Context Output#

PathTypeDescription
Vectra.Detection.Notes.detection_idNumberID of the detection associated with the note.
Vectra.Detection.Notes.note_idNumberID of the note.
Vectra.Detection.Notes.date_createdDateDate when the note was created.
Vectra.Detection.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Detection.Notes.created_byStringUser who created the note.
Vectra.Detection.Notes.modified_byStringUser who last modified the note.
Vectra.Detection.Notes.noteStringContent of the note.

Command example#

!vectra-detection-note-update detection_id="9" note_id="1961" note="updated test note"

Context Example#

{
"Vectra.Detection.Notes": {
"date_created": "2024-07-10T07:32:58.574942Z",
"date_modified": "2024-07-12T06:43:29.546835Z",
"created_by": "xsoar",
"modified_by": "xsoar",
"note": "updated test note",
"note_id": 1961,
"detection_id": 9
}
}

Human Readable Output#

The note has been successfully updated in the detection.#

vectra-detection-note-remove#


Remove a note from the detection.

Base Command#

vectra-detection-note-remove

Input#

Argument NameDescriptionRequired
detection_idSpecify the ID of the detection.Required
note_idSpecify the ID of the note.

Note: Use the vectra-detection-note-list command to get note_id.
Required

Context Output#

There is no context output for this command.

Command example#

!vectra-detection-note-remove detection_id=97" note_id="1961"

Human Readable Output#

The note has been successfully removed from the detection.#

vectra-detection-note-list#


List all notes of the specific detection.

Base Command#

vectra-detection-note-list

Input#

Argument NameDescriptionRequired
detection_idSpecify the ID of the detection.Required

Context Output#

PathTypeDescription
Vectra.Detection.Notes.detection_idNumberID of the detection associated with the note.
Vectra.Detection.Notes.note_idNumberID of the note.
Vectra.Detection.Notes.date_createdDateDate when the note was created.
Vectra.Detection.Notes.date_modifiedDateDate when the note was last modified.
Vectra.Detection.Notes.created_byStringUser who created the note.
Vectra.Detection.Notes.modified_byStringUser who last modified the note.
Vectra.Detection.Notes.noteStringContent of the note.

Command example#

!vectra-detection-note-list detection_id="9"

Context Example#

{
"Vectra.Detection.Notes": [
{
"date_created": "2024-07-12T04:52:20Z",
"date_modified": "2024-07-12T10:21:03Z",
"created_by": "xsoar",
"modified_by": "xsoar",
"note": "updated note 2nd",
"note_id": 1961,
"detection_id": 9
},
{
"date_created": "2024-07-11T07:32:20Z",
"created_by": "xsoar",
"note": "your first test note",
"note_id": 1937,
"detection_id": 9
}
]
}

Human Readable Output#

Notes Table#
Note IDNoteCreated ByCreated DateModified ByModified Date
1961updated note 2ndxsoar2024-07-12T04:52:20Zxsoar2024-07-12T10:21:03Z
1937your first test notexsoar2024-07-11T07:32:20Z

vectra-outcome-describe#


Returns a single outcome details

Base Command#

vectra-outcome-describe

Input#

Argument NameDescriptionRequired
idOutcome ID you want to get details on.Optional

Context Output#

PathTypeDescription
Vectra.Outcome.IsBuiltInStringIs this Outcome a builtin Outcome
Vectra.Outcome.CategoryStringOutcome's category ('False Positive', 'Benign True Positive', 'Malicious True Positive')
Vectra.Outcome.IDNumberOutcome ID (unique)
Vectra.Outcome.TitleStringOutcome title

vectra-outcome-create#


Creates a new assignment outcome

Base Command#

vectra-outcome-create

Input#

Argument NameDescriptionRequired
titleOutcome title (will be visible in the UI).Optional
categoryOutcome category (one of the 3). Possible values are: Benign True Positive, Malicious True Positive, False Positive.Optional

Context Output#

PathTypeDescription
Vectra.Outcome.IsBuiltInStringIs this Outcome a builtin Outcome
Vectra.Outcome.CategoryStringOutcome's category ('False Positive', 'Benign True Positive', 'Malicious True Positive')
Vectra.Outcome.IDNumberOutcome ID (unique)
Vectra.Outcome.TitleStringOutcome title

vectra-assignment-describe#


Returns a single assignment details

Base Command#

vectra-assignment-describe

Input#

Argument NameDescriptionRequired
idAssignment ID you want to get details on.Optional

Context Output#

PathTypeDescription
Vectra.Assignment.AccountIDNumberAccount ID this assignment is linked to
Vectra.Assignment.AssignedByStringWho lastly assigned this assignment
Vectra.Assignment.AssignedDateStringWhen this assignment was lastly assigned
Vectra.Assignment.AssignedToStringTo who this assignment is assigned
Vectra.Assignment.HostIDStringHost ID this assignment is linked to
Vectra.Assignment.IDNumberAssignment ID (unique)
Vectra.Assignment.IsResolvedBooleanIs this assignment resolved
Vectra.Assignment.OutcomeCategoryStringAssignment Outcome category
Vectra.Assignment.OutcomeTitleStringAssignment Outcome title
Vectra.Assignment.TriagedDetectionsStringList of Detection that have been triaged with the resolution
Vectra.Assignment.TriagedAsStringName of the triage rule if any
Vectra.Assignment.ResolvedByStringWho resolved this assignment
Vectra.Assignment.ResolvedDatestringWhen this assignment was resolved

vectra-assignment-assign#


Assigns an Account/Host entity to a Vectra User for investigation. If an assignment already exists on this entity, it will be reassigned

Base Command#

vectra-assignment-assign

Input#

Argument NameDescriptionRequired
assignee_idAssignee's ID (Vectra User ID).Optional
assignment_idAssignment ID if an assignment already exists for the given entity.Optional
account_idAccount ID.Optional
host_idHost ID.Optional

Context Output#

PathTypeDescription
Vectra.Assignment.AccountIDNumberAccount ID this assignment is linked to
Vectra.Assignment.AssignedByStringWho lastly assigned this assignment
Vectra.Assignment.AssignedDateStringWhen this assignment was lastly assigned
Vectra.Assignment.AssignedToStringTo who this assignment is assigned
Vectra.Assignment.HostIDStringHost ID this assignment is linked to
Vectra.Assignment.IDNumberAssignment ID (unique)
Vectra.Assignment.IsResolvedBooleanIs this assignment resolved
Vectra.Assignment.OutcomeCategoryStringAssignment Outcome category
Vectra.Assignment.OutcomeTitleStringAssignment Outcome title
Vectra.Assignment.TriagedDetectionsStringList of Detection that have been triaged with the resolution
Vectra.Assignment.TriagedAsStringName of the triage rule if any
Vectra.Assignment.ResolvedByStringWho resolved this assignment
Vectra.Assignment.ResolvedDatestringWhen this assignment was resolved

vectra-assignment-resolve#


Resolves an assignment by selecting resolution scheme. Could be 'resolving only' or 'resolving by filtering detections'

Base Command#

vectra-assignment-resolve

Input#

Argument NameDescriptionRequired
assignment_idAssignment's ID.Optional
outcome_idAssignment Outcome's ID.Optional
noteA note to add to this resolution.Optional
detections_filterDo you want to filter detections when resolving this assignment ? [Default is None]. Possible values are: None, Filter Rule.Optional
filter_rule_nameFilter rule's name (when using filter_detections="Filter Rule").Optional
detections_listDetection IDs list you want to filter.Optional

Context Output#

PathTypeDescription
Vectra.Assignment.AccountIDNumberAccount ID this assignment is linked to
Vectra.Assignment.AssignedByStringWho lastly assigned this assignment
Vectra.Assignment.AssignedDateStringWhen this assignment was lastly assigned
Vectra.Assignment.AssignedToStringTo who this assignment is assigned
Vectra.Assignment.HostIDStringHost ID this assignment is linked to
Vectra.Assignment.IDNumberAssignment ID (unique)
Vectra.Assignment.IsResolvedBooleanIs this assignment resolved
Vectra.Assignment.OutcomeCategoryStringAssignment Outcome category
Vectra.Assignment.OutcomeTitleStringAssignment Outcome title
Vectra.Assignment.TriagedDetectionsStringList of Detection that have been triaged with the resolution
Vectra.Assignment.TriagedAsStringName of the triage rule if any
Vectra.Assignment.ResolvedByStringWho resolved this assignment
Vectra.Assignment.ResolvedDatestringWhen this assignment was resolved

vectra-user-describe#


Returns a single Vectra User details

Base Command#

vectra-user-describe

Input#

Argument NameDescriptionRequired
idUser ID you want to get details on.Optional

Context Output#

PathTypeDescription
Vectra.User.EmailStringUser's email address
Vectra.User.IDNumberUser ID (unique)
Vectra.User.RoleStringUser's role
Vectra.User.TypeStringUser type ('Local', 'SAML', ...)
Vectra.User.UsernameStringUsername
Vectra.User.LastLoginDateStringUser's last login datetime

vectra-group-list#


Returns a list of all groups.

Base Command#

vectra-group-list

Input#

Argument NameDescriptionRequired
group_typeFilter by group type. Possible values are: account, host, ip, domain.Optional
account_namesFilter by Account Names. Supports comma-separated values.

Note: Only valid when the group_type parameter is set to "account".
Optional
domainsFilter by Domains. Supports comma-separated values.

Note: Only valid when the group_type parameter is set to "domain".
Optional
host_idsFilter by Host IDs. Supports comma-separated values.

Note: Only valid when the group_type parameter is set to "host".
Optional
host_namesFilter by Host Names. Supports comma-separated values.

Note: Only valid when the group_type parameter is set to "host".
Optional
importanceFilter by group importance. Possible values are: high, medium, low, never_prioritize.Optional
ipsFilter by IPs. Supports comma-separated values.

Note: Only valid when the group_type parameter is set to "ip".
Optional
descriptionFilter by group description.Optional
last_modified_timestampReturn only the groups which have a last modification timestamp equal to or after the given timestamp.

Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ.

For example: 01 May 2023, 01 Mar 2023 04:45:33, 2023-04-17T14:05:44Z.
Optional
last_modified_byFilters by the user id who made the most recent modification to the group.Optional
group_nameFilters by group name.Optional

Context Output#

PathTypeDescription
Vectra.Group.group_idNumberID of the group.
Vectra.Group.nameStringName of the group.
Vectra.Group.descriptionStringDescription of the group.
Vectra.Group.last_modifiedDateDate when the group was last modified.
Vectra.Group.last_modified_byStringName of the user who last modified the group.
Vectra.Group.typeStringType of the group.
Vectra.Group.members.idNumberEntity ID of member.
Vectra.Group.members.nameStringEntity name of member.
Vectra.Group.members.is_key_assetBooleanIndicates key asset.
Vectra.Group.members.urlStringEntity URL of member.
Vectra.Group.members.uidStringEntity UID of member.
Vectra.Group.rules.triage_categoryStringTriage category of rule.
Vectra.Group.rules.idNumberID of the rule.
Vectra.Group.rules.descriptionStringDescription of the rule.
Vectra.Group.importanceStringImportance level of the group.
Vectra.Group.cognito_managedBooleanWhether the group is managed by Cognito or not.

Command example#

!vectra-group-list group_type=account importance=high

Context Example#

{
"Vectra": {
"Group": [
{
"description": "",
"group_id": 1,
"id": 1,
"last_modified": "2024-07-22T06:44:44Z",
"last_modified_by": "cds_xsoar",
"members": [
{
"uid": "user@lab.test.local"
},
{
"uid": "O365:serviceprincipal_00000000-0000-0000-0000-000000000001"
}
],
"name": "AccountNoBlock",
"type": "account"
},
{
"description": "",
"group_id": 2,
"id": 2,
"last_modified": "2024-07-22T06:44:40Z",
"last_modified_by": "cds_xsoar",
"members": [
{
"uid": "O365:serviceprincipal_00000000-0000-0000-0000-000000000001"
}
],
"name": "AccountBlock",
"type": "account"
}
]
}
}

Human Readable Output#

Groups Table#

Group IDNameGroup TypeMembersLast Modified Timestamp
1AccountNoBlockaccountuser@lab.test.local, O365:serviceprincipal_00000000-0000-0000-0000-0000000000012024-07-22T06:44:44Z
2AccountBlockaccountO365:serviceprincipal_00000000-0000-0000-0000-0000000000012024-07-22T06:44:40Z

vectra-group-assign#


Assign members to the specified group.

Base Command#

vectra-group-assign

Input#

Argument NameDescriptionRequired
group_idSpecify Group ID to assign members.

Note: You can get the group_id by executing the \"vectra-group-list\" command.
Required
membersA comma-separated list of member values based on the group type.

Note:
You can get the members by executing the \"vectra-group-list\" command.
If the group type is host, then the "Host IDs".
If the group type is account, then "Account Names".
If the group type is ip, then the list of "IPs".
If the group type is domain, then the list of "Domains".
Required

Context Output#

PathTypeDescription
Vectra.Group.group_idNumberID of the group.
Vectra.Group.nameStringName of the group.
Vectra.Group.descriptionStringDescription of the group.
Vectra.Group.last_modifiedDateDate when the group was last modified.
Vectra.Group.last_modified_byStringName of the user who last modified the group.
Vectra.Group.typeStringType of the group.
Vectra.Group.members.idNumberEntity ID of member.
Vectra.Group.members.nameStringEntity name of member.
Vectra.Group.members.is_key_assetBooleanIndicates key asset.
Vectra.Group.members.urlStringEntity URL of member.
Vectra.Group.members.uidStringEntity UID of member.
Vectra.Group.rules.triage_categoryStringTriage category of rule.
Vectra.Group.rules.idNumberID of the rule.
Vectra.Group.rules.descriptionStringDescription of the rule.

Command example#

!vectra-group-assign group_id=3557 members="account_4"

Context Example#

{
"Vectra": {
"Group": {
"id": 3,
"name": "xsoar-account-group-2",
"last_modified": "2023-09-04T09:22:46Z",
"last_modified_by": "TEST Client",
"members": [
{
"uid": "account_1"
},
{
"uid": "account_2"
},
{
"uid": "account_3"
},
{
"uid": "account_4"
}
],
"type": "account",
"group_id": 3
}
}
}

Human Readable Output#

Member(s) account_4 have been assigned to the group.#

Updated group details:#

Group IDNameGroup TypeMembersLast Modified Timestamp
3xsoar-account-group-2accountaccount_1, account_2, account_3, account_42023-09-04T09:22:46Z

vectra-group-unassign#


Unassign members from the specified group.

Base Command#

vectra-group-unassign

Input#

Argument NameDescriptionRequired
group_idSpecify Group ID to unassign members.

Note: You can get the group_id by executing the \"vectra-group-list\" command.
Required
membersA comma-separated list of member values based on the group type.

Note:
You can get the members by executing the \"vectra-group-list\" command.
If the group type is host, then the "Host IDs".
If the group type is account, then "Account Names".
If the group type is ip, then the list of "IPs".
If the group type is domain, then the list of "Domains".
Required

Context Output#

PathTypeDescription
Vectra.Group.group_idNumberID of the group.
Vectra.Group.nameStringName of the group.
Vectra.Group.descriptionStringDescription of the group.
Vectra.Group.last_modifiedDateDate when the group was last modified.
Vectra.Group.last_modified_byStringName of the user who last modified the group.
Vectra.Group.typeStringType of the group.
Vectra.Group.members.idNumberEntity ID of member.
Vectra.Group.members.nameStringEntity name of member.
Vectra.Group.members.is_key_assetBooleanIndicates key asset.
Vectra.Group.members.urlStringEntity URL of member.
Vectra.Group.members.uidStringEntity UID of member.
Vectra.Group.rules.triage_categoryStringTriage category of rule.
Vectra.Group.rules.idNumberID of the rule.
Vectra.Group.rules.descriptionStringDescription of the rule.

Command example#

!vectra-group-unassign group_id=5 members="2126"

Context Example#

{
"Vectra": {
"Group": {
"id": 2,
"group_id": 2,
"type": "host",
"name": "TEST RENAME",
"description": "TEST RENAME",
"last_modified": "2023-09-04T06:27:57Z",
"last_modified_by": "TEST Client"
}
}
}

Human Readable Output#

Member(s) 2126 have been unassigned from the group.#

Updated group details:#

Group IDNameGroup TypeDescriptionLast Modified Timestamp
2TEST RENAMEhostTEST RENAME2023-09-04T06:27:57Z

Troubleshooting#

Receive Notification on an Incident Fetch Error#

The administrator and Cortex XSOAR users on the recipient's list receive a notification when an integration experiences an incident fetch error. Cortex XSOAR users can select their notification method, such as email, from their user preferences. Refer to Cortex XSOAR 6.13 documentation or Cortex XSOAR 8 Cloud documentation or Cortex XSOAR 8.7 On-prem documentation for more information.

The following are tips for handling issues with mirroring incidents between Vectra and Cortex XSOAR#
IssueRecommendation
Mirroring is not working.Open Context Data and search for dbot. Confirm the dbot fields are configured correctly either through the mapper for that specific incident type or using setIncident. Specifically, make sure the integration instance is configured correctly for the mirroring direction (incoming, outgoing, both) - dbotMirrorId, dbotMirrorDirection, dbotMirrorInstance, dbotMirrorTags.
Required fields are not getting sent or not visible in UI.This may be a mapping issue, specifically if you have used a custom mapper make sure you've covered all the out of box mapper fields.
Notes from Cortex XSOAR have not been mirrored in VectraTag is required for mirroring notes from Cortex XSOAR to Vectra. There might be a reason the note is not tagged as the tag needs to be added manually in Cortex XSOAR.
Click Actions > Tags and add the "note" tag (OR the specific tag name which was set up in the Instance Configuration).

Docker timeout issue for Fetch Incidents#

  • If you encounter a timeout error while fetching incidents, you can try adjusting the value of the max_fetch parameter in the instance configuration. Setting it to a lower value, such as 50 can help prevent the timeout issue.

  • Another way to address this issue is to increase the timeout of the Docker container. By default, Docker containers have a timeout of 5 minutes. You can increase this timeout to a higher value, such as 10 minutes, to allow more time for the fetch command to complete. Refer to this XSOAR documentation for more information.

Handling HTTP 429 and 5xx Errors#

The commands and fetch incidents mechanism will do up to 3 internal retries with a gap of 15, 30, and 60 seconds (exponentially) between the retries.