Vectra v2 (Deprecated)
This integration is part of the Vectra (Deprecated) pack. Use Vectra Detect instead.
Vectra is a detection product that alerts on suspicious network behavior. It can recognize certain known attacks and suspicious interactions on the network level (e.g. Reverse Shell, Port Scans, etc)
Detailed Description
The Vectra API is available to administrators and developers for integrating Vectra's breach detection data into their applications. It exposes security event data, platform configuration, and health information via URI paths.
- Tested with API version 2.1.
- The c_score and t_score fields have been renamed certainty and threat, respectively.
Fetch Incidents
Only detections whose certainty score and threat score are greater than or equal to the configured thresholds are fetched.
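The following is an added illustration of the fetch filters described above, not the integration's own code. It assumes detections have already been normalized to the `certainty`/`threat` names and models the instance parameters (certainty threshold, threat threshold, state, result count) as function arguments; the sample detections are constructed from the context examples on this page, and the severity mapping beyond the documented critical quadrant (threat and certainty both at least 50) is an assumption.

```python
"""Illustrative fetch-incidents filter for Vectra detections (added example)."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample detections, shaped like the Vectra.Detection context
# entries shown later on this page (ids 3 and 5); id 8 is invented.
SAMPLE_DETECTIONS: List[Dict] = [
    {"id": 3, "category": "LATERAL MOVEMENT", "certainty": 22, "threat": 22,
     "state": "inactive", "detection_type": "Automated Replication"},
    {"id": 5, "category": "RECONNAISSANCE", "certainty": 80, "threat": 60,
     "state": "active", "detection_type": "Port Sweep"},
    {"id": 8, "category": "EXFILTRATION", "certainty": 95, "threat": 90,
     "state": "active", "detection_type": "Data Smuggler"},
]


def select_detections(detections: List[Dict], certainty_gte: int = 0, threat_gte: int = 0,
                      state: Optional[str] = None, last_id: int = 0, limit: int = 50) -> List[Dict]:
    """Return the detections that pass the fetch filters, lowest id first.

    certainty_gte / threat_gte: both scores must be >= the thresholds.
    state: when given, only detections in exactly that state are kept.
    last_id: ids <= last_id were fetched on an earlier run and are skipped (dedupe).
    limit: maximum number of results per fetch.
    """
    picked = [
        d for d in detections
        if d["certainty"] >= certainty_gte
        and d["threat"] >= threat_gte
        and (state is None or d["state"] == state)
        and d["id"] > last_id
    ]
    picked.sort(key=lambda d: d["id"])
    return picked[:limit]


def severity_from_scores(threat: int, certainty: int) -> int:
    """Assumed mapping of the two 0-100 scores onto XSOAR severity (1 low .. 4 critical).

    Both scores >= 50 is Vectra's critical quadrant (see the vectra-search
    example on this page); the lower cut-offs are this example's own choice.
    """
    if threat >= 50 and certainty >= 50:
        return 4
    if threat >= 50 or certainty >= 50:
        return 3
    if threat >= 20 or certainty >= 20:
        return 2
    return 1


def to_incidents(detections: List[Dict]) -> Tuple[List[Dict], Optional[int]]:
    """Map detections to incident dicts and return the new high-water-mark id for the next fetch."""
    incidents = [
        {
            "name": f'Vectra {d["detection_type"]} ({d["category"]}) #{d["id"]}',
            "rawJSON": json.dumps(d),
            "severity": severity_from_scores(d["threat"], d["certainty"]),
        }
        for d in detections
    ]
    new_last_id = max((d["id"] for d in detections), default=None)
    return incidents, new_last_id


if __name__ == "__main__":
    chosen = select_detections(SAMPLE_DETECTIONS, certainty_gte=20, threat_gte=20, state="active")
    incidents, last_id = to_incidents(chosen)
    print(len(incidents), "incidents; next fetch starts after id", last_id)
```

Keeping the high-water-mark id between runs is what prevents the same detection from being turned into a second incident when the thresholds are lowered later.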
Configure Vectra v2 on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Vectra v2.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1)
- API Token
- First fetch time range (
- Fetch only Detections with greater/equal Certainty score
- Fetch only Detections with greater/equal Threat score
- Fetch only Detections with matching State
- The number of results returned in each fetch
- Fetch incidents
- Trust any certificate (not secure)
- Incident type
- Use system proxy settings
- Click Test to validate the new instance.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- vectra-get-detections
- vectra-get-hosts
- vectra-triage
- vectra-get-host-by-id
- vectra-get-detection-by-id
- vectra-get-users
- vectra-get-proxies
- vectra-get-threatfeed
- vectra-search
1. vectra-get-detections
Detection objects contain all the information related to security events detected on the network
Base Command
vectra-get-detections
Input
Argument Name | Description | Required |
---|---|---|
detection_id | Filter by detection ID | Optional |
fields | Filters objects listed | Optional |
page | Page number. Possible values are a positive integer or last | Optional |
page_size | Page size. Possible values are a positive integer or all | Optional |
ordering | Orders records by last timestamp, threat score, and certainty score. By default, threat and certainty scores are sorted in ascending order; prepend a minus sign (-) to the field to sort in descending order | Optional |
min_id | >= the id provided | Optional |
max_id | <= the id provided | Optional |
state | filter by state: active, inactive, ignored, ignored for all | Optional |
type_vname | filter by the detection type (verbose name) | Optional |
category | filter by the detection category | Optional |
src_ip | filter by source (ip address) | Optional |
threat_score | filter by threat score | Optional |
threat_score_gte | filter by threat score >= the score provided | Optional |
certainty_score | filter by certainty score | Optional |
certainty_score_gte | filter by certainty score >= the score provided | Optional |
last_timestamp | filter by last timestamp | Optional |
host_id | filter by id of the host object a detection is attributed to | Optional |
tags | filter by a tag or a comma-separated list of tags | Optional |
destination | filter by destination in the detection detail set | Optional |
proto | filter by the protocol in the detection detail set | Optional |
destination_port | filter by the destination port in the detection detail set | Optional |
inbound_ip | filter by the inbound_ip in the relayed comm set | Optional |
inbound_proto | filter by the inbound_proto in the relayed comm set | Optional |
inbound_port | filter by the inbound_port in the relayed comm set | Optional |
inbound_dns | filter by the inbound_dns in the relayed comm set | Optional |
outbound_ip | filter by the outbound_ip in the relayed comm set | Optional |
outbound_proto | filter by the outbound_proto in the relayed comm set | Optional |
outbound_port | filter by the outbound_port in the relayed comm set | Optional |
outbound_dns | filter by the outbound_dns in the relayed_comm_set | Optional |
dns_ip | filter by the dns_ip in the dns_set | Optional |
dns_request | filter by the dns_request in the dns_set | Optional |
resp_code | filter by the resp_code in the dns_set | Optional |
resp | filter by the resp in the dns_set | Optional |
Context Output
Path | Type | Description |
---|---|---|
Vectra.Detection.Category | String | The category of the vname attack detected |
Vectra.Detection.TargetsKeyAsset | Boolean | Flag indicating if the host has a detection targeting a key asset |
Vectra.Detection.CertaintyScore | Number | The current certainty score correlated to this host |
Vectra.Detection.ID | Number | Object ID |
Vectra.Detection.FirstTimestamp | String | The timestamp when the event was first detected |
Vectra.Detection.LastTimestamp | String | The timestamp when the event was last detected |
Vectra.Detection.State | String | The state of the detection |
Vectra.Detection.Threat_Score | Number | The threat score attributed to the detection |
Vectra.Detection.SourceIP | String | The source IP address of the host attributed to the security event |
Vectra.Detection.SourceAccount | Unknown | A dictionary with fields that describe the Account the detection is from |
Command Example
!vectra-get-detections certainty_score_gte=20
Context Example
```json
{
    "Vectra.Detection": [
        {
            "Category": "LATERAL MOVEMENT",
            "CertaintyScore": 22,
            "Detection": "Automated Replication",
            "DetectionCategory": "LATERAL MOVEMENT",
            "DetectionType": "Automated Replication",
            "FirstTimestamp": "2019-10-02T22:05:34Z",
            "ID": 3,
            "LastTimestamp": "2019-10-02T22:12:39Z",
            "SourceHost": {
                "certainty": 0,
                "groups": [],
                "id": 9,
                "ip": "0.0.0.0",
                "is_key_asset": false,
                "name": "sandbox",
                "threat": 0,
                "url": ""
            },
            "SourceIP": "0.0.0.0",
            "State": "inactive",
            "TargetsKeyAsset": false,
            "ThreatScore": 22
        },
        {
            "Category": "RECONNAISSANCE",
            "CertaintyScore": 80,
            "Detection": "Port Sweep",
            "DetectionCategory": "RECONNAISSANCE",
            "DetectionType": "Port Sweep",
            "FirstTimestamp": "2019-10-02T22:38:58Z",
            "ID": 5,
            "LastTimestamp": "2019-10-02T22:54:49Z",
            "SourceHost": {
                "certainty": 27,
                "groups": [],
                "id": 11,
                "ip": "0.0.0.0",
                "is_key_asset": false,
                "name": "Robert-MBP",
                "threat": 11,
                "url": ""
            },
            "SourceIP": "0.0.0.0",
            "State": "active",
            "TargetsKeyAsset": false,
            "ThreatScore": 60
        }
    ]
}
```
Human Readable Output
Detection table (Showing Page 1 out of 1)
id | category | src_ip | threat | certainty | state | detection | detection_category | detection_type | first_timestamp | tags | targets_key_asset | type_vname |
---|---|---|---|---|---|---|---|---|---|---|---|---|
3 | LATERAL MOVEMENT | 0.0.0.0 | 22 | 22 | inactive | Automated Replication | LATERAL MOVEMENT | Automated Replication | 2019-10-02T22:05:34Z | | false | |
5 | RECONNAISSANCE | 0.0.0.0 | 60 | 80 | active | Port Sweep | RECONNAISSANCE | Port Sweep | 2019-10-02T22:38:58Z | | false | |
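As an added example (not the integration's or Vectra's code), the two helpers below show the argument rules from the table above and the context mapping for this command: validating page, page_size and ordering, and mapping a raw detection, including one that still carries the legacy c_score/t_score names, to the Vectra.Detection context keys. The raw field names are taken from the human readable table above; the allowed ordering field names (last_timestamp, threat, certainty) and the src_host key are assumptions.

```python
"""Illustrative argument validation and context mapping for vectra-get-detections (added example)."""
from typing import Any, Dict

# Assumed names of the orderable fields; the page lists them only in prose.
ORDERING_FIELDS = {"last_timestamp", "threat", "certainty"}


def build_detection_params(args: Dict[str, str]) -> Dict[str, str]:
    """Validate command arguments and return them as API query parameters.

    page:      positive integer or "last"
    page_size: positive integer or "all"
    ordering:  one of ORDERING_FIELDS, optionally prefixed with "-" for descending
    Numeric bound filters must be non-negative integers; other filters pass through.
    Empty values are dropped so optional arguments do not reach the API.
    """
    params: Dict[str, str] = {}
    for key, value in args.items():
        if value is None or value == "":
            continue
        if key == "page" and not (value == "last" or (value.isdigit() and int(value) > 0)):
            raise ValueError("page must be a positive integer or 'last'")
        if key == "page_size" and not (value == "all" or (value.isdigit() and int(value) > 0)):
            raise ValueError("page_size must be a positive integer or 'all'")
        if key == "ordering":
            field = value[1:] if value.startswith("-") else value
            if field not in ORDERING_FIELDS:
                raise ValueError(f"unsupported ordering field: {field}")
        if key in ("threat_score_gte", "certainty_score_gte", "min_id", "max_id") and not value.isdigit():
            raise ValueError(f"{key} must be a non-negative integer")
        params[key] = value
    return params


def detection_to_context(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map a raw API detection to the Vectra.Detection context keys listed above.

    Accepts the current score names (threat, certainty) and falls back to the
    legacy t_score/c_score names mentioned in the Detailed Description.
    """
    threat = raw.get("threat", raw.get("t_score"))
    certainty = raw.get("certainty", raw.get("c_score"))
    return {
        "ID": raw.get("id"),
        "Category": raw.get("category"),
        "DetectionType": raw.get("detection_type"),
        "ThreatScore": threat,
        "CertaintyScore": certainty,
        "State": raw.get("state"),
        "FirstTimestamp": raw.get("first_timestamp"),
        "LastTimestamp": raw.get("last_timestamp"),
        "SourceIP": raw.get("src_ip"),
        "TargetsKeyAsset": bool(raw.get("targets_key_asset", False)),
        "SourceHost": raw.get("src_host") or {},  # assumed raw key
    }


# Constructed raw detection using the legacy score names.
SAMPLE_RAW = {
    "id": 5, "category": "RECONNAISSANCE", "src_ip": "0.0.0.0", "t_score": 60, "c_score": 80,
    "state": "active", "detection_type": "Port Sweep",
    "first_timestamp": "2019-10-02T22:38:58Z", "last_timestamp": "2019-10-02T22:54:49Z",
    "targets_key_asset": False,
}

if __name__ == "__main__":
    print(build_detection_params({"certainty_score_gte": "20", "ordering": "-threat", "page": "last"}))
    print(detection_to_context(SAMPLE_RAW))
```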
2. vectra-get-hosts
Host information includes data that correlates the host data to detected security events
Base Command
vectra-get-hosts
Input
Argument Name | Description | Required |
---|---|---|
host_id | Filter by host ID | Optional |
fields | Filters objects listed | Optional |
page | Page number. Possible values are a positive integer or last | Optional |
page_size | Page size. Possible values are a positive integer or all | Optional |
ordering | Orders records by last timestamp, threat score, and certainty score. By default, threat and certainty scores are sorted in ascending order; prepend a minus sign (-) to the field to sort in descending order | Optional |
name | filter by name | Optional |
state | filter by state: active, inactive, suspended, ignored, ignored for all | Optional |
last_source | filter by last_source (ip address) | Optional |
threat_score | filter by threat score | Optional |
threat_score_gte | filter by threat score >= the score provided | Optional |
certainty_score | filter by certainty score | Optional |
certainty_score_gte | filter by certainty score >= the score provided | Optional |
last_detection_timestamp | filter by last_detection_timestamp | Optional |
tags | filter by a tag or a comma-separated list of tags (returns hosts that contain any of the tags specified), e.g. tags=baz or tags=foo,bar | Optional |
key_assest | filter by key asset: True, False | Optional |
mac_address | filter by mac address | Optional |
Context Output
Path | Type | Description |
---|---|---|
Vectra.Host.Name | String | The learned hostname |
Vectra.Host.TargetsKeyAsset | Boolean | Flag indicating if the host has a detection targeting a key asset |
Vectra.Host.CertaintyScore | Number | The current certainty score correlated to this host |
Vectra.Host.DetectionID | String | List of Detections for Account |
Vectra.Host.KeyAsset | Boolean | Flag indicating if the host is a key asset |
Vectra.Host.State | String | The state of this host |
Vectra.Host.Threat_Score | Number | The current threat score correlated to this host |
Vectra.Host.LastDetection | String | Last detection activity from this host (Timestamp format: YYYY-MM-DD HH-MM-SS GMT) |
Vectra.Host.IP | String | Last source IP associated with this host |
Vectra.Host.ID | Number | ID of the Host |
Command Example
!vectra-get-hosts threat_score_gte=20
Context Example
```json
{
    "Vectra.Host": [
        {
            "ActiveTraffic": false,
            "CertaintyScore": 45,
            "DetectionID": ["22", "23", "37", "42", "61", "62", "63", "64"],
            "HostLuid": "duOUtBa4",
            "ID": 57,
            "IP": "0.0.0.0",
            "KeyAsset": true,
            "LastDetection": "2019-10-07T05:37:12Z",
            "LastDetectionTimestamp": "2019-10-07T05:37:12Z",
            "LastModified": "2019-10-03T07:04:06Z",
            "LastSource": "0.0.0.0",
            "Name": "leroy_brown",
            "Note": null,
            "OwnerName": "lbrown",
            "Severity": "low",
            "State": "active",
            "Tags": [],
            "ThreatScore": 34
        },
        {
            "ActiveTraffic": false,
            "CertaintyScore": 32,
            "DetectionID": ["53", "56", "60"],
            "HostLuid": "dwGUtBaK",
            "ID": 103,
            "IP": "0.0.0.0",
            "KeyAsset": false,
            "LastDetection": "2019-10-04T19:24:04Z",
            "LastDetectionTimestamp": "2019-10-04T19:24:04Z",
            "LastModified": "2019-10-04T12:40:38Z",
            "LastSource": "0.0.0.0",
            "Name": "winfs06r3u17",
            "Note": null,
            "OwnerName": null,
            "Severity": "low",
            "State": "active",
            "Tags": [],
            "ThreatScore": 22
        }
    ]
}
```
Human Readable Output
Hosts table (Showing Page 1 out of 1)
id | name | state | threat | certainty | last_source | url | assigned_to | owner_name | first_timestamp | tags | note |
---|---|---|---|---|---|---|---|---|---|---|---|
7 | BThomas-Win7 | active | 23 | 33 | 0.0.0.0 | demist.com/api/v2/hosts/7 | bthomas | | | | |
11 | Robert-MBP | active | 25 | 46 | 0.0.0.0 | demist.com/api/v2/hosts/11 | rwilliams | | | | |
3. vectra-triage
The rules branch can be used to retrieve a listing of configured Triage rules
Base Command
vectra-triage
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
Vectra.Rule.ID | Unknown | The record id |
Vectra.Rule.SmartCategory | Unknown | Custom Triage label used to recategorize specified detections |
Vectra.Rule.Description | Unknown | Name of Triage filter |
Vectra.Rule.Type | Unknown | Original detection type |
Vectra.Rule.Category | Unknown | Original detection category |
Vectra.Rule.Created | Unknown | The timestamp when this Triage filter was created |
Vectra.Rule.LastUpdate | Unknown | The timestamp when this Triage filter was triggered |
Vectra.Rule.Host.ID | Unknown | Host(s) that this Triage filter applies to |
Vectra.Rule.IP | Unknown | Host IP |
Vectra.Rule.Priority | Unknown | Used in ordering execution of Triage filters |
Vectra.Rule.Remote.IP | Unknown | Destination IP where this Triage filter will be applied to |
Vectra.Rule.Remote.Protocol | Unknown | Destination protocol where this Triage filter will be applied to |
Vectra.Rule.Remote.Port | Unknown | Destination port where this Triage filter will be applied to |
Vectra.Rule.Remote.DNS | Unknown | Destination FQDN where this Triage filter will apply to |
Vectra.Rule.Remote.Kerberos.Account | Unknown | Kerberos Account |
Vectra.Rule.Remote.Kerberos.Service | Unknown | Kerberos Service |
Command Example
!vectra-triage
Context Example
No output examples
Human Readable Output
Couldn't find any results
4. vectra-get-host-by-id
Get host by id
Base Command
vectra-get-host-by-id
Input
Argument Name | Description | Required |
---|---|---|
host_id | The id of the required host (Can get from vectra-get-hosts) | Required |
Context Output
There is no context output for this command.
Command Example
!vectra-get-host-by-id host_id=11
Context Example
```json
{
    "Vectra.Host": [
        {
            "CertaintyScore": 27,
            "Hostname": "Robert-MBP",
            "ID": 11,
            "IP": "0.0.0.0",
            "KeyAsset": false,
            "LastDetection": "2019-10-03T01:10:43Z",
            "State": "active",
            "TargetsKeyAsset": false,
            "ThreatScore": 11
        }
    ]
}
```
Human Readable Output
Search results table
id | threat | certainty | state | first_timestamp |
---|---|---|---|---|
11 | 25 | 46 | active | |
5. vectra-get-detection-by-id
Get a detection by detection id
Base Command
vectra-get-detection-by-id
Input
Argument Name | Description | Required |
---|---|---|
detection_id | The id of the required detection (Can get from vectra-get-detections) | Required |
6. vectra-get-users
Retrieves the current list of Users
Base Command
vectra-get-users
Input
Argument Name | Description | Required |
---|---|---|
username | Filter by username | Optional |
role | Filter by role | Optional |
account_type | Filter by account type (Local, Special, Limited Time Link, LDAP, TACACS) | Optional |
authentication_profile | Filter by authentication profile (LDAP or TACACS only) | Optional |
last_login_gte | Filters for users that have logged in since the given timestamp | Optional |
Context Output
There is no context output for this command.
Command Example
!vectra-get-users
7. vectra-get-proxies
Retrieves the current list of proxy IP addresses, or just one by Proxy ID
Base Command
vectra-get-proxies
Input
Argument Name | Description | Required |
---|---|---|
proxy_id | The id of the Proxy object | Optional |
Context Output
Path | Type | Description |
---|---|---|
Vectra.Proxy.Source | String | Whether the proxy was auto detected by Cognito or was added by user |
Vectra.Proxy.ID | String | The ID of the Proxy |
Vectra.Proxy.ConsidersProxy | String | Whether to consider the object as a proxy or not |
Vectra.Proxy.Address | String | The proxy IP address |
Command Example
!vectra-get-proxies
Context Example
{}
Human Readable Output
Couldn't find any results
8. vectra-get-threatfeed
Retrieves the current list of all ThreatFeeds, or just one by ThreatFeed ID
Base Command
vectra-get-threatfeed
Input
Argument Name | Description | Required |
---|---|---|
threatfeed_id | The id of the ThreatFeed object | Optional |
Context Output
Path | Type | Description |
---|---|---|
Vectra.ThreatFeed.Category | String | The category in which the detection will fire if a match is observed with any indicator in the ThreatFeed |
Vectra.ThreatFeed.Name | String | The name of the ThreatFeed |
Vectra.ThreatFeed.Certainty | String | The default certainty to use for indicators in the STIX file |
Vectra.ThreatFeed.IndicatorType | String | The default indicatorType to use for the observables in the STIX file |
Vectra.ThreatFeed.Duration | Number | The default duration for which indicators in the ThreatFeed are valid |
Vectra.ThreatFeed.ID | String | The ID of the ThreatFeed |
Command Example
!vectra-get-threatfeed
Context Example
```json
{
    "Vectra.ThreatFeed": [
        {
            "Category": "exfil",
            "Certainty": "Medium",
            "Duration": 14,
            "ID": "50f897f3c9bdc606472e8d72348c3263",
            "IndicatorType": "Exfiltration",
            "Name": "Suspicious Domains"
        }
    ]
}
```
Human Readable Output
Rules table
id | name | certainty | category | duration | indicatorType |
---|---|---|---|---|---|
50f897f3c9bdc606472e8d72348c3263 | Suspicious Domains | Medium | exfil | 14 | Exfiltration |
9. vectra-search
Advanced search on hosts and detections
Base Command
vectra-search
Input
Argument Name | Description | Required |
---|---|---|
query_string | The query that needs to be performed, e.g. `host.threat:>=50 and host.certainty:>=50` will find all hosts in the critical quadrant. `host.owner_name:bob` will find hosts with probable owner that contains the phrase “bob” in it. | Required |
search_type | The type of search to perform; can be either Hosts or Detections | Required |
page_size | Number of results returned per page. The default page_size is 50, the maximum is 5000 | Optional |
Context Output
There is no context output for this command.
Command Example
!vectra-search query_string="host.threat:>=20 and host.certainty:>=20" search_type=hosts
Context Example
```json
{
    "Vectra.Host": [
        {
            "Certainty_Score": 33,
            "Hostname": "BThomas-Win7",
            "ID": 7,
            "IP": "0.0.0.0",
            "KeyAsset": true,
            "LastDetection": "2019-10-03T05:56:31Z",
            "State": "active",
            "TargetsKeyAsset": false,
            "Threat_Score": 23
        },
        {
            "Certainty_Score": 46,
            "Hostname": "Robert-MBP",
            "ID": 11,
            "IP": "0.0.0.0",
            "KeyAsset": false,
            "LastDetection": "2019-10-03T01:10:43Z",
            "State": "active",
            "TargetsKeyAsset": false,
            "Threat_Score": 25
        }
    ]
}
```
Human Readable Output
Search results table
id | threat | certainty | state | first_timestamp |
---|---|---|---|---|
7 | 23 | 33 | active | |
11 | 25 | 46 | active | |
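To make the query_string semantics concrete, here is an added, offline evaluator for the subset of the vectra-search syntax shown in the argument table: `field:>=N`-style numeric comparisons, bare `field:value` substring matches, and `and` conjunctions. It is not Vectra's search engine and supports only that documented subset (no `or`, grouping or ranges); the sample hosts are constructed from the host examples on this page, and the owner_name values are assumed.

```python
"""Offline evaluator for the documented subset of vectra-search query syntax (added example)."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed hosts mirroring the Vectra.Host examples above; owner_name is assumed.
SAMPLE_HOSTS: List[Dict[str, Any]] = [
    {"id": 7, "name": "BThomas-Win7", "threat": 23, "certainty": 33, "state": "active", "owner_name": "bthomas"},
    {"id": 11, "name": "Robert-MBP", "threat": 25, "certainty": 46, "state": "active", "owner_name": "rwilliams"},
    {"id": 57, "name": "leroy_brown", "threat": 34, "certainty": 45, "state": "active", "owner_name": "lbrown"},
]

# One clause: <prefix>.<field>:<op><value>; op is >=, <=, >, < or absent (substring match).
CLAUSE_RE = re.compile(r"^(host|detection)\.(\w+):(>=|<=|>|<)?(.+)$")

Clause = Tuple[str, Optional[str], str]


def parse_query(query: str, expected_prefix: str) -> List[Clause]:
    """Split 'a and b and c' into (field, op, value) clauses; only 'and' is supported here."""
    clauses: List[Clause] = []
    for part in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        prefix, field, op, value = m.groups()
        if prefix != expected_prefix:
            raise ValueError(f"clause {part!r} does not match search_type {expected_prefix}")
        clauses.append((field, op, value.strip().strip('"')))
    return clauses


def matches(record: Dict[str, Any], clauses: List[Clause]) -> bool:
    """True when the record satisfies every clause (records lacking a field never match)."""
    for field, op, value in clauses:
        actual = record.get(field)
        if actual is None:
            return False
        if op is None:  # bare value: case-insensitive substring, as in host.owner_name:bob
            if value.lower() not in str(actual).lower():
                return False
            continue
        number = float(value)  # numeric comparison; raises ValueError for non-numeric input
        current = float(actual)
        ok = {">=": current >= number, "<=": current <= number,
              ">": current > number, "<": current < number}[op]
        if not ok:
            return False
    return True


def search(records: List[Dict[str, Any]], query: str, search_type: str = "hosts",
           page_size: int = 50) -> List[Dict[str, Any]]:
    """Apply the query to records and return the first page (default 50, maximum 5000 as documented)."""
    if not 1 <= page_size <= 5000:
        raise ValueError("page_size must be between 1 and 5000")
    prefix = "host" if search_type.lower() == "hosts" else "detection"
    clauses = parse_query(query, prefix)
    return [r for r in records if matches(r, clauses)][:page_size]


if __name__ == "__main__":
    for q in ("host.threat:>=20 and host.certainty:>=20", "host.threat:>=50 and host.certainty:>=50"):
        print(q, "->", [h["name"] for h in search(SAMPLE_HOSTS, q)])
```

Running the documented critical-quadrant query (`host.threat:>=50 and host.certainty:>=50`) against these sample hosts returns nothing, while the `>=20` form used in the command example above returns all three; tightening both thresholds is how the search narrows to hosts worth immediate triage.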