Vectra Detect (Beta)

This Integration is part of the Vectra AI Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

This integration creates incidents based on Vectra Account/Host/Detection objects. It was integrated and tested with version 7.0 of Vectra_Detect.

Configure Vectra Detect (Beta) on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.

2. Search for Vectra Detect (Beta).

3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Vectra Detect FQDN or IP | Enter the FQDN or IP to reach the Vectra Detect API (e.g. "my-vectra-box.local" or "192.168.1.1"). | True |
| API Token | Enter the API token, which can be retrieved from the Vectra UI > My Profile > General (tab) > API Token. You can also store it in the XSOAR credentials wallet; in that case, the token is the password. | True |
| API Token | | True |
| Trust any certificate (not secure) | When checked, no SSL certificate check is done when interacting with the Vectra Detect API. This is insecure. (Default - unchecked) | False |
| Use system proxy settings | Use the system proxy settings to reach the Vectra Detect API. | False |
| Fetch incidents | | False |
| Incident type | | False |
| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | How far back in time you want to fetch alerts. (Default - 7 days) | False |
| Entity types to fetch | Choose what to fetch: Accounts and/or Hosts and/or Detections. (Default - Accounts,Hosts) | False |
| Hosts fetch query | Only "active" Hosts matching this fetch query will be fetched. Used only if "Hosts" is selected in "Entity types to fetch". (Default - host.threat:>=50) | False |
| Accounts fetch query | Only "active" Accounts matching this fetch query will be fetched. Used only if "Accounts" is selected in "Entity types to fetch". (Default - account.threat:>=50) | False |
| Detections fetch query | Only "active" Detections matching this fetch query will be fetched. Used only if "Detections" is selected in "Entity types to fetch". (Default - detection.threat:>=50 AND detection.certainty:>=50) | False |
| Max created incidents per fetch | Maximum number of new incidents to create per fetch. This value is split between the selected "Entity types to fetch". (Default - 50) | False |

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

vectra-search-accounts

Returns a list of Account objects. All search attributes are cumulative unless you use search_query_only; in that case, only that query is taken into account.

Base Command

vectra-search-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| min_id | Returns Accounts with an ID greater than or equal to the specified ID. | Optional |
| max_id | Returns Accounts with an ID less than or equal to the specified ID. | Optional |
| min_threat | Returns Accounts with a threat score greater than or equal to the specified score. | Optional |
| max_threat | Returns Accounts with a threat score less than or equal to the specified score. | Optional |
| min_certainty | Returns Accounts with a certainty score greater than or equal to the specified score. | Optional |
| max_certainty | Returns Accounts with a certainty score less than or equal to the specified score. | Optional |
| state | Filters by state ('active', 'inactive'). Possible values are: active, inactive. | Optional |
| search_query | Search query in Lucene query syntax. | Optional |
| search_query_only | Use only this search query. Unlike "search_query", no default arguments are appended. | Optional |
| min_privilege_level | Returns entries with a privilege level greater than or equal to the specified score. | Optional |
| max_privilege_level | Returns entries with a privilege level less than or equal to the specified score. | Optional |
| privilege_category | Filters by the privilege category ("low", "medium", "high") provided. | Optional |
| tags | Filters by a tag or a comma-separated list of tags. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Vectra.Account.Assignee | String | Vectra user account this Account is assigned to |
| Vectra.Account.AssignedDate | String | Assignment date |
| Vectra.Account.CertaintyScore | Number | Account certainty score |
| Vectra.Account.ID | Number | Account ID (unique) |
| Vectra.Account.LastDetectionTimestamp | String | Last time a detection linked to this account has been seen |
| Vectra.Account.PrivilegeLevel | Number | Account privilege level (from 1 to 10) |
| Vectra.Account.PrivilegeCategory | String | Account privilege category (either 'Low', 'Medium' or 'High' - privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High') |
| Vectra.Account.Severity | String | Account severity according to scores ('Low', 'Medium', 'High', 'Critical') |
| Vectra.Account.State | String | Account state ('active', 'inactive') |
| Vectra.Account.Tags | String | Account tags |
| Vectra.Account.ThreatScore | Number | Account threat score |
| Vectra.Account.Type | String | Account type ('kerberos' or 'o365') |
| Vectra.Account.URL | String | Account URL to pivot to Vectra UI |
| Vectra.Account.Name | String | The username of the account |
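The fetch settings above (default fetch queries, the per-fetch incident budget split across entity types) and the search commands' argument semantics (cumulative filters versus search_query_only) are illustrated here in an added example; this is not the integration's own code. The ".id" and ".state" Lucene field names and the even split of the budget are assumptions, since the page only shows the threat/certainty fields and says the value is split.

```python
from typing import Dict, List

# Field prefixes come from the page's default fetch queries (host.threat:>=50, ...).
FIELD_PREFIX = {"accounts": "account", "hosts": "host", "detections": "detection"}

# Argument -> (Lucene field suffix, comparison operator). Only "threat" and "certainty"
# appear on the page; the ".id" and ".state" field names are assumptions.
RANGE_ARGS = {
    "min_id": ("id", ">="), "max_id": ("id", "<="),
    "min_threat": ("threat", ">="), "max_threat": ("threat", "<="),
    "min_certainty": ("certainty", ">="), "max_certainty": ("certainty", "<="),
}

# Defaults of the "fetch query" instance parameters, as listed on the page.
DEFAULT_FETCH_QUERY = {
    "accounts": "account.threat:>=50",
    "hosts": "host.threat:>=50",
    "detections": "detection.threat:>=50 AND detection.certainty:>=50",
}

def build_search_query(entity: str, args: Dict[str, str]) -> str:
    """Cumulative search: every supplied range/state argument is ANDed with
    search_query. If search_query_only is given, it is used verbatim and every
    other argument is ignored, as the command descriptions state."""
    if args.get("search_query_only"):
        return args["search_query_only"]
    prefix = FIELD_PREFIX[entity]
    clauses: List[str] = []
    for arg, (field, op) in RANGE_ARGS.items():
        if args.get(arg) not in (None, ""):
            # IDs and scores are numbers: reject anything else before it reaches the query.
            clauses.append(f"{prefix}.{field}:{op}{int(args[arg])}")
    if args.get("state"):
        if args["state"] not in ("active", "inactive"):
            raise ValueError("state must be 'active' or 'inactive'")
        clauses.append(f'{prefix}.state:"{args["state"]}"')
    if args.get("search_query"):
        clauses.append(f"({args['search_query']})")  # keep the user's OR clauses grouped
    return " AND ".join(clauses)

def fetch_query(entity: str, configured: str = "") -> str:
    """Query used by fetch-incidents: the configured one or the page's default,
    restricted to 'active' entities (the state field name is an assumption)."""
    base = configured.strip() or DEFAULT_FETCH_QUERY[entity]
    return f'({base}) AND {FIELD_PREFIX[entity]}.state:"active"'

def split_fetch_budget(max_incidents: int, entity_types: List[str]) -> Dict[str, int]:
    """Split "Max created incidents per fetch" across the selected entity types.
    The page only says the value is split; an even split with the remainder
    going to the first types is an assumption."""
    if not entity_types:
        return {}
    base, extra = divmod(max_incidents, len(entity_types))
    return {t: base + (1 if i < extra else 0) for i, t in enumerate(entity_types)}
```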

vectra-search-hosts

Returns a list of Host objects. All search attributes are cumulative unless you use search_query_only; in that case, only that query is taken into account.

Base Command

vectra-search-hosts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| min_id | Returns Hosts with an ID greater than or equal to the specified ID. | Optional |
| max_id | Returns Hosts with an ID less than or equal to the specified ID. | Optional |
| min_threat | Returns Hosts with a threat score greater than or equal to the specified score. | Optional |
| max_threat | Returns Hosts with a threat score less than or equal to the specified score. | Optional |
| min_certainty | Returns Hosts with a certainty score greater than or equal to the specified score. | Optional |
| max_certainty | Returns Hosts with a certainty score less than or equal to the specified score. | Optional |
| state | Filters by state ('active', 'inactive'). Possible values are: active, inactive. | Optional |
| search_query | Search query in Lucene query syntax. | Optional |
| search_query_only | Use only this search query. Unlike "search_query", no default arguments are appended. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Vectra.Host.Assignee | String | Vectra user account this Host is assigned to |
| Vectra.Host.AssignedDate | String | Assignment date |
| Vectra.Host.CertaintyScore | Number | Host certainty score |
| Vectra.Host.HasActiveTraffic | Boolean | Whether this Host has active traffic |
| Vectra.Host.Hostname | String | Host name |
| Vectra.Host.ID | Number | Host ID (unique) |
| Vectra.Host.IP | String | Host IP address |
| Vectra.Host.IsKeyAsset | Boolean | Whether this Host is seen as a key asset |
| Vectra.Host.IsTargetingKeyAsset | Boolean | Whether this Host is targeting a key asset |
| Vectra.Host.PrivilegeLevel | Number | Host privilege level (from 1 to 10) |
| Vectra.Host.PrivilegeCategory | String | Host privilege category (either 'Low', 'Medium' or 'High' - privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High') |
| Vectra.Host.ProbableOwner | String | Host probable owner |
| Vectra.Host.SensorLUID | String | Sensor LUID that saw this Host |
| Vectra.Host.SensorName | String | Sensor name that saw this Host |
| Vectra.Host.Sensor | String | Details of the sensors that have seen this Host |
| Vectra.Host.Severity | String | Host severity according to scores ('Low', 'Medium', 'High', 'Critical') |
| Vectra.Host.State | String | Host state ('active', 'inactive') |
| Vectra.Host.Tags | String | Host tags |
| Vectra.Host.ThreatScore | Number | Host threat score |
| Vectra.Host.URL | String | Host URL to pivot to Vectra UI |

vectra-search-detections

Returns a list of Detection objects. All search attributes are cumulative unless you use search_query_only; in that case, only that query is taken into account.

Base Command

vectra-search-detections

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| min_id | Returns Detections with an ID greater than or equal to the specified ID. | Optional |
| max_id | Returns Detections with an ID less than or equal to the specified ID. | Optional |
| min_threat | Returns Detections with a threat score greater than or equal to the specified score. | Optional |
| max_threat | Returns Detections with a threat score less than or equal to the specified score. | Optional |
| min_certainty | Returns Detections with a certainty score greater than or equal to the specified score. | Optional |
| max_certainty | Returns Detections with a certainty score less than or equal to the specified score. | Optional |
| state | Filters by state ('active', 'inactive'). Possible values are: active, inactive. | Optional |
| search_query | Search query in Lucene query syntax. | Optional |
| search_query_only | Use only this search query. Unlike "search_query", no default arguments are appended. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Vectra.Detection.Assignee | String | Vectra user account this detection is assigned to |
| Vectra.Detection.AssignedDate | String | Assignment date |
| Vectra.Detection.Category | String | Detection category (Lateral, Exfil, ...) |
| Vectra.Detection.CertaintyScore | Number | Detection certainty score |
| Vectra.Detection.Description | String | Detection description |
| vectra.Detection.DestinationIPs | String | Detection destination IPs |
| vectra.Detection.DestinationPorts | String | Detection destination ports |
| Vectra.Detection.FirstTimestamp | String | First time this detection has been seen |
| Vectra.Detection.ID | Number | Detection ID (unique) |
| Vectra.Detection.IsTargetingKeyAsset | Boolean | Whether this detection is targeting a key asset |
| Vectra.Detection.LastTimestamp | String | Last time this detection has been seen |
| Vectra.Detection.Name | String | The name of the detection: a user-defined name if this detection is triaged, otherwise the default type name |
| Vectra.Detection.Severity | String | Detection severity according to scores ('Low', 'Medium', 'High', 'Critical') |
| Vectra.Detection.SensorLUID | String | Sensor LUID that saw this detection |
| Vectra.Detection.SensorName | String | Sensor name that saw this detection |
| Vectra.Detection.SourceAccountID | String | Account ID relating to this detection |
| Vectra.Detection.SourceHostID | String | Host ID relating to this detection |
| Vectra.Detection.SourceIP | String | Source IP relating to this detection |
| Vectra.Detection.State | String | Detection state ('active', 'inactive') |
| Vectra.Detection.Tags | String | Detection tags |
| Vectra.Detection.ThreatScore | Number | Detection threat score |
| Vectra.Detection.TriageRuleID | String | Triage rule ID related to this detection |
| Vectra.Detection.Type | String | Detection type (Brute Force, Port Sweep, ...) |
| Vectra.Detection.URL | String | Detection URL to pivot to Vectra UI |

vectra-account-describe

Returns the details of a single Account.

Base Command

vectra-account-describe

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Account ID you want to get details on. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Vectra.Account.Assignee | String | Vectra user account this Account is assigned to |
| Vectra.Account.AssignedDate | String | Assignment date |
| Vectra.Account.CertaintyScore | Number | Account certainty score |
| Vectra.Account.ID | Number | Account ID (unique) |
| Vectra.Account.LastDetectionTimestamp | String | Last time a detection linked to this account has been seen |
| Vectra.Account.PrivilegeLevel | Number | Account privilege level (from 1 to 10) |
| Vectra.Account.PrivilegeCategory | String | Account privilege category (either 'Low', 'Medium' or 'High' - privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High') |
| Vectra.Account.Severity | String | Account severity according to scores ('Low', 'Medium', 'High', 'Critical') |
| Vectra.Account.State | String | Account state ('active', 'inactive') |
| Vectra.Account.Tags | String | Account tags |
| Vectra.Account.ThreatScore | Number | Account threat score |
| Vectra.Account.Type | String | Account type ('kerberos' or 'o365') |
| Vectra.Account.URL | String | Account URL to pivot to Vectra UI |
| Vectra.Account.Name | String | The username of the account |

vectra-account-add-tags

Adds tags to an Account.

Base Command

vectra-account-add-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Account ID you want to add tags to. | Optional |
| tags | The tags list (comma separated). | Optional |

Context Output

There is no context output for this command.

vectra-account-del-tags

Deletes tags from an Account.

Base Command

vectra-account-del-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Account ID you want to delete tags from. | Optional |
| tags | The tags list (comma separated). | Optional |

Context Output

There is no context output for this command.

vectra-host-describe

Returns the details of a single Host.

Base Command

vectra-host-describe

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Host ID you want to get details on. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Vectra.Host.Assignee | String | Vectra user account this Host is assigned to |
| Vectra.Host.AssignedDate | String | Assignment date |
| Vectra.Host.CertaintyScore | Number | Host certainty score |
| Vectra.Host.HasActiveTraffic | Boolean | Whether this Host has active traffic |
| Vectra.Host.Hostname | String | Host name |
| Vectra.Host.ID | Number | Host ID (unique) |
| Vectra.Host.IP | String | Host IP address |
| Vectra.Host.IsKeyAsset | Boolean | Whether this Host is seen as a key asset |
| Vectra.Host.IsTargetingKeyAsset | Boolean | Whether this Host is targeting a key asset |
| Vectra.Host.PrivilegeLevel | Number | Host privilege level (from 1 to 10) |
| Vectra.Host.PrivilegeCategory | String | Host privilege category (either 'Low', 'Medium' or 'High' - privilege levels of 1-2 > 'Low', 3-7 > 'Medium', 8-10 > 'High') |
| Vectra.Host.ProbableOwner | String | Host probable owner |
| Vectra.Host.SensorLUID | String | Sensor LUID that saw this Host |
| Vectra.Host.SensorName | String | Sensor name that saw this Host |
| Vectra.Host.Sensor | String | Details of the sensors that have seen this Host |
| Vectra.Host.Severity | String | Host severity according to scores ('Low', 'Medium', 'High', 'Critical') |
| Vectra.Host.State | String | Host state ('active', 'inactive') |
| Vectra.Host.Tags | String | Host tags |
| Vectra.Host.ThreatScore | Number | Host threat score |
| Vectra.Host.URL | String | Host URL to pivot to Vectra UI |

vectra-host-add-tags

Adds tags to a Host.

Base Command

vectra-host-add-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Host ID you want to add tags to. | Optional |
| tags | The tags list (comma separated). | Optional |

Context Output

There is no context output for this command.

vectra-host-del-tags

Deletes tags from a Host.

Base Command

vectra-host-del-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Host ID you want to delete tags from. | Optional |
| tags | The tags list (comma separated). | Optional |

Context Output

There is no context output for this command.

vectra-detection-describe

Returns the details of a single Detection.

Base Command

vectra-detection-describe

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Detection ID you want to get details on. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Vectra.Detection.Assignee | String | Vectra user account this detection is assigned to |
| Vectra.Detection.AssignedDate | String | Assignment date |
| Vectra.Detection.Category | String | Detection category (Lateral, Exfil, ...) |
| Vectra.Detection.CertaintyScore | Number | Detection certainty score |
| Vectra.Detection.Description | String | Detection description |
| vectra.Detection.DestinationIPs | String | Detection destination IPs |
| vectra.Detection.DestinationPorts | String | Detection destination ports |
| Vectra.Detection.FirstTimestamp | String | First time this detection has been seen |
| Vectra.Detection.ID | Number | Detection ID (unique) |
| Vectra.Detection.IsTargetingKeyAsset | Boolean | Whether this detection is targeting a key asset |
| Vectra.Detection.LastTimestamp | String | Last time this detection has been seen |
| Vectra.Detection.Name | String | The name of the detection: a user-defined name if this detection is triaged, otherwise the default type name |
| Vectra.Detection.Severity | String | Detection severity according to scores ('Low', 'Medium', 'High', 'Critical') |
| Vectra.Detection.SensorLUID | String | Sensor LUID that saw this detection |
| Vectra.Detection.SensorName | String | Sensor name that saw this detection |
| Vectra.Detection.SourceAccountID | String | Account ID relating to this detection |
| Vectra.Detection.SourceHostID | String | Host ID relating to this detection |
| Vectra.Detection.SourceIP | String | Source IP relating to this detection |
| Vectra.Detection.State | String | Detection state ('active', 'inactive') |
| Vectra.Detection.Tags | String | Detection tags |
| Vectra.Detection.ThreatScore | Number | Detection threat score |
| Vectra.Detection.TriageRuleID | String | Triage rule ID related to this detection |
| Vectra.Detection.Type | String | Detection type (Brute Force, Port Sweep, ...) |
| Vectra.Detection.URL | String | Detection URL to pivot to Vectra UI |

vectra-detection-get-pcap

Returns a Detection's PCAP file (if available).

Base Command

vectra-detection-get-pcap

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The Detection ID you want to get the PCAP file from. | Optional |

Context Output

There is no context output for this command.

vectra-detection-markasfixed

Marks or unmarks a Detection as fixed, given the Detection ID.

Base Command

vectra-detection-markasfixed

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Detection ID you want to mark/unmark as fixed. | Optional |
| fixed | The wanted detection status ("true", "false"). No default value. Possible values are: true, false. | Optional |

Context Output

There is no context output for this command.

vectra-detection-add-tags

Adds tags to a Detection.

Base Command

vectra-detection-add-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Detection ID you want to add tags to. | Optional |
| tags | The tags list (comma separated). | Optional |

Context Output

There is no context output for this command.

vectra-detection-del-tags

Deletes tags from a Detection.

Base Command

vectra-detection-del-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Detection ID you want to delete tags from. | Optional |
| tags | The tags list (comma separated). | Optional |

Context Output

There is no context output for this command.