Vectra

Vectra is a network detection product that alerts on suspicious network behavior. It recognizes certain known attacks and suspicious interactions at the network level (e.g. reverse shells, port scans).

Demisto supports fetching detections directly from Vectra; fetched detections trigger incidents in Demisto.

Commands start with !Vectra and can be viewed by clicking Show commands in the Settings/Integrations page.

For additional information, see also the solution brief at https://www.vectranetworks.com/assets/sb_demisto_0411171.pdf

To set up the integration on Demisto:

  1. Go to ‘Settings > Integrations > Servers & Services’.
  2. Locate the Vectra integration by searching for ‘Vectra’ using the search box at the top of the page.
  3. Click ‘Add instance’ to create and configure a new integration. Configure the following Vectra and Demisto-specific settings:
    Name : A textual name for the integration instance.
    Server URL : The hostname or IP address of the Vectra application. Make sure the URL is reachable from Demisto on that IP address and port.
    Credentials and Password : The username and password, or toggle to Credentials to use a stored credential set.
    Fetch incidents : Select whether to automatically create Demisto incidents from Vectra detections.
    If this option is checked, the first batch of detections pulled as incidents will be those raised in the 10 minutes before the instance was added.
    Do not validate server certificate : Select to skip validation of the server certificate. You may want to do this if Demisto cannot validate the integration server's certificate (because the issuing CA certificate is missing). Skipping validation means Demisto will accept any certificate for that hostname, so importing the CA certificate into Demisto's trust store is the preferable fix.
    Incident type : Select the incident type to which Vectra detections should be mapped.
    Demisto engine : If relevant, select the engine that acts as a proxy to the server.
    Engines are used when you need to access remote network segments and network devices such as proxies or firewalls prevent the Demisto server from reaching those networks.
    For more information on Demisto engines see:
    https://demisto.zendesk.com/hc/en-us/articles/226274727-Settings-Integrations-Engines
    Require users to enter additional password : Select whether you’d like an additional step where users are required to authenticate themselves with a password.
  4. Press the ‘Test’ button to validate the connection.
    If you are experiencing issues with the service configuration, please contact Demisto support at support@demisto.com.
  5. After completing the test successfully, press the ‘Done’ button.
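The fetch-incidents behaviour described in step 3 (a 10-minute window on the first run, then incremental pulls) is where an integration most often produces duplicate or missed incidents. The following is an added example written for this page, not code from the Demisto or Vectra projects, showing one way to keep that fetch state correctly; the detection field names and the sample records are constructed assumptions, while the incident dictionary uses Demisto's standard name/occurred/rawJSON keys.

```python
import json
from datetime import datetime, timedelta

FIRST_FETCH_WINDOW = timedelta(minutes=10)  # the documented first-batch window

# Constructed sample detections; the field names are assumptions, not Vectra's schema.
SAMPLE_DETECTIONS = [
    {"id": 101, "detection_type": "Port Scan", "src_ip": "10.0.0.5",
     "first_timestamp": "2024-01-01T11:45:00+00:00"},
    {"id": 102, "detection_type": "Reverse Shell", "src_ip": "10.0.0.7",
     "first_timestamp": "2024-01-01T11:55:00+00:00"},
    {"id": 103, "detection_type": "Port Scan", "src_ip": "10.0.0.9",
     "first_timestamp": "2024-01-01T11:58:00+00:00"},
]


def fetch_incidents(last_run, detections, now_iso):
    """Run one fetch cycle and return (new_last_run, incidents).

    last_run is the state persisted from the previous cycle ({} on the first
    run). The first run pulls only detections raised within FIRST_FETCH_WINDOW
    of now; later runs start at the newest timestamp already processed and
    skip the ids recorded on that boundary, so one detection never becomes
    two incidents and a late detection sharing that timestamp is not lost.
    """
    now = datetime.fromisoformat(now_iso)
    if last_run.get("last_fetch"):
        since = datetime.fromisoformat(last_run["last_fetch"])
    else:
        since = now - FIRST_FETCH_WINDOW
    seen_on_boundary = set(last_run.get("seen_ids", []))

    incidents = []
    newest = since
    for det in sorted(detections, key=lambda d: d["first_timestamp"]):
        ts = datetime.fromisoformat(det["first_timestamp"])
        if ts < since or det["id"] in seen_on_boundary:
            continue
        incidents.append({
            "name": f"Vectra {det['detection_type']} from {det['src_ip']}",
            "occurred": det["first_timestamp"],
            "rawJSON": json.dumps(det),  # full detection kept for incident mapping
        })
        newest = max(newest, ts)

    # Remember only the ids that sit exactly on the new boundary timestamp.
    boundary_ids = [d["id"] for d in detections
                    if datetime.fromisoformat(d["first_timestamp"]) == newest]
    return {"last_fetch": newest.isoformat(), "seen_ids": boundary_ids}, incidents
```

In a real integration the returned state would be stored with demisto.setLastRun and the incident list handed to demisto.incidents.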

Commands:

vectra-detections - Retrieves detection objects, which contain all the information related to security events detected on the network.
vectra-health - Retrieves system health statistics such as subnet counts, traffic bandwidth, and headend and sensor information.
vectra-hosts - Retrieves host information, including the data that correlates each host to the security events detected for it.
vectra-sensors - Retrieves the list of sensors that collect and feed data to the X-series.
vectra-settings - Retrieves the S-series sensor and X-series configuration entered by the administrator.
vectra-triage - Retrieves a listing of the configured Triage rules.