Vectra v2

Vectra is a network detection product that alerts on suspicious network behavior. It recognizes certain known attacks and suspicious interactions at the network level (e.g. reverse shells, port scans, etc.).

Detailed Description

    Vectra API is available for administrators and developers to integrate Vectra's breach detection data into their applications. Vectra provides access to security event data, platform configuration, and health information via URI paths.
  • Tested with API version 2.1.
  • c_score and t_score fields changed to certainty and threat accordingly

Fetch Incidents

Fetch Incidents retrieves only detections whose certainty score and threat score are greater than or equal to the thresholds configured on the instance.

Configure Vectra v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Vectra v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g. https://192.168.0.1)
    • API Token
    • First fetch time range (
    • Fetch only Detections with greater/equal Certainty score
    • Fetch only Detections with greater/equal Threat score
    • Fetch only Detections with matching State
    • The number of results returned in each fetch
    • Fetch incidents
    • Trust any certificate (not secure)
    • Incident type
    • Use system proxy settings
  4. Click Test to validate the new instance.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. vectra-get-detections
  2. vectra-get-hosts
  3. vectra-triage
  4. vectra-get-host-by-id
  5. vectra-get-detection-by-id
  6. vectra-get-users
  7. vectra-get-proxies
  8. vectra-get-threatfeed
  9. vectra-search

1. vectra-get-detections


Detection objects contain all the information related to security events detected on the network.

Base Command

vectra-get-detections

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| detection_id | Filter by detection ID | Optional |
| fields | Filters the fields listed for each object | Optional |
| page | Page number. Possible values are a positive integer or last | Optional |
| page_size | Page size. Possible values are a positive integer or all | Optional |
| ordering | Orders records by last timestamp, threat score and certainty score. By default, threat and certainty scores are sorted in ascending order; prepend a minus (-) symbol to the field name to sort in descending order | Optional |
| min_id | >= the id provided | Optional |
| max_id | <= the id provided | Optional |
| state | Filter by state: active, inactive, ignored, ignored for all | Optional |
| type_vname | Filter by the detection type (verbose name) | Optional |
| category | Filter by the detection category | Optional |
| src_ip | Filter by source (IP address) | Optional |
| threat_score | Filter by threat score | Optional |
| threat_score_gte | Filter by threat score >= the score provided | Optional |
| certainty_score | Filter by certainty score | Optional |
| certainty_score_gte | Filter by certainty score >= the score provided | Optional |
| last_timestamp | Filter by last timestamp | Optional |
| host_id | Filter by the id of the host object a detection is attributed to | Optional |
| tags | Filter by a tag or a comma-separated list of tags | Optional |
| destination | Filter by destination in the detection detail set | Optional |
| proto | Filter by the protocol in the detection detail set | Optional |
| destination_port | Filter by the destination port in the detection detail set | Optional |
| inbound_ip | Filter by the inbound_ip in the relayed comm set | Optional |
| inbound_proto | Filter by the inbound_proto in the relayed comm set | Optional |
| inbound_port | Filter by the inbound_port in the relayed comm set | Optional |
| inbound_dns | Filter by the inbound_dns in the relayed comm set | Optional |
| outbound_ip | Filter by the outbound_ip in the relayed comm set | Optional |
| outbound_proto | Filter by the outbound_proto in the relayed comm set | Optional |
| outbound_port | Filter by the outbound_port in the relayed comm set | Optional |
| outbound_dns | Filter by the outbound_dns in the relayed comm set | Optional |
| dns_ip | Filter by the dns_ip in the dns_set | Optional |
| dns_request | Filter by the dns_request in the dns_set | Optional |
| resp_code | Filter by the resp_code in the dns_set | Optional |
| resp | Filter by the resp in the dns_set | Optional |
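The Fetch Incidents thresholds described above and the threat_score_gte, certainty_score_gte, state, page_size and ordering arguments in this table are the same filter. The following added example (not the integration's own code) builds that parameter set and applies it locally to constructed records in the shape of the Vectra.Detection context output, so the effect of each setting, including the "-field" descending-order rule, can be checked without an appliance; the record values and the EXFILTRATION category are constructed sample data.

```python
from typing import Dict, List, Optional

# Constructed sample records in the shape of the page's Vectra.Detection context
# output (not real appliance data).
SAMPLE_DETECTIONS: List[Dict] = [
    {"ID": 3, "Category": "LATERAL MOVEMENT", "ThreatScore": 22,
     "CertaintyScore": 22, "State": "inactive",
     "LastTimestamp": "2019-10-02T22:12:39Z"},
    {"ID": 5, "Category": "RECONNAISSANCE", "ThreatScore": 60,
     "CertaintyScore": 80, "State": "active",
     "LastTimestamp": "2019-10-02T22:54:49Z"},
    {"ID": 8, "Category": "EXFILTRATION", "ThreatScore": 70,
     "CertaintyScore": 25, "State": "active",
     "LastTimestamp": "2019-10-03T01:00:00Z"},
]

# Ordering names accepted by the `ordering` argument, mapped to the context
# field each one sorts on. A leading "-" requests descending order.
ORDER_FIELDS = {"threat": "ThreatScore", "certainty": "CertaintyScore",
                "last_timestamp": "LastTimestamp"}


def build_detection_params(threat_gte: int, certainty_gte: int,
                           state: Optional[str] = None, page_size: int = 50,
                           ordering: str = "-threat") -> Dict[str, str]:
    """Query parameters for the detections listing, using the argument names
    from the vectra-get-detections Input table."""
    if ordering.lstrip("-") not in ORDER_FIELDS:
        raise ValueError(f"unsupported ordering field: {ordering}")
    params = {"threat_score_gte": str(threat_gte),
              "certainty_score_gte": str(certainty_gte),
              "page_size": str(page_size), "ordering": ordering}
    if state:  # "Fetch only Detections with matching State" is optional
        params["state"] = state
    return params


def filter_detections(records: List[Dict], params: Dict[str, str]) -> List[int]:
    """Apply the same thresholds, state match, ordering and page size locally
    and return the detection IDs that would be fetched as incidents."""
    t_min = int(params["threat_score_gte"])
    c_min = int(params["certainty_score_gte"])
    state = params.get("state")
    kept = [r for r in records
            if r["ThreatScore"] >= t_min and r["CertaintyScore"] >= c_min
            and (state is None or r["State"] == state)]
    ordering = params["ordering"]
    field = ORDER_FIELDS[ordering.lstrip("-")]
    kept.sort(key=lambda r: r[field], reverse=ordering.startswith("-"))
    return [r["ID"] for r in kept[: int(params["page_size"])]]


if __name__ == "__main__":
    p = build_detection_params(20, 20, state="active", ordering="-threat")
    print(p)  # the query parameters that would be sent with the request
    print(filter_detections(SAMPLE_DETECTIONS, p))
```

Record 8 is kept by the 20/20 thresholds but dropped by 50/50, which shows why the certainty threshold matters as much as the threat threshold when tuning what becomes an incident.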

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Vectra.Detection.Category | String | The category of the vname attack detected |
| Vectra.Detection.TargetsKeyAsset | Boolean | Flag indicating if the host has a detection targeting a key asset |
| Vectra.Detection.CertaintyScore | Number | The current certainty score attributed to this detection |
| Vectra.Detection.ID | Number | Object ID |
| Vectra.Detection.FirstTimestamp | String | The timestamp when the event was first detected |
| Vectra.Detection.LastTimestamp | String | The timestamp when the event was last detected |
| Vectra.Detection.State | String | The state of the detection |
| Vectra.Detection.Threat_Score | Number | The threat score attributed to the detection |
| Vectra.Detection.SourceIP | String | The source IP address of the host attributed to the security event |
| Vectra.Detection.SourceAccount | Unknown | A dictionary with fields that describe the account the detection is from |

Command Example

!vectra-get-detections certainty_score_gte=20

Context Example
{
    "Vectra.Detection": [
        {
            "Category": "LATERAL MOVEMENT",
            "CertaintyScore": 22,
            "Detection": "Automated Replication",
            "DetectionCategory": "LATERAL MOVEMENT",
            "DetectionType": "Automated Replication",
            "FirstTimestamp": "2019-10-02T22:05:34Z",
            "ID": 3,
            "LastTimestamp": "2019-10-02T22:12:39Z",
            "SourceHost": {
                "certainty": 0,
                "groups": [],
                "id": 9,
                "ip": "0.0.0.0",
                "is_key_asset": false,
                "name": "sandbox",
                "threat": 0,
                "url": ""
            },
            "SourceIP": "0.0.0.0",
            "State": "inactive",
            "TargetsKeyAsset": false,
            "ThreatScore": 22
        },
        {
            "Category": "RECONNAISSANCE",
            "CertaintyScore": 80,
            "Detection": "Port Sweep",
            "DetectionCategory": "RECONNAISSANCE",
            "DetectionType": "Port Sweep",
            "FirstTimestamp": "2019-10-02T22:38:58Z",
            "ID": 5,
            "LastTimestamp": "2019-10-02T22:54:49Z",
            "SourceHost": {
                "certainty": 27,
                "groups": [],
                "id": 11,
                "ip": "0.0.0.0",
                "is_key_asset": false,
                "name": "Robert-MBP",
                "threat": 11,
                "url": ""
            },
            "SourceIP": "0.0.0.0",
            "State": "active",
            "TargetsKeyAsset": false,
            "ThreatScore": 60
        }
    ]
}
Human Readable Output

Detection table (Showing Page 1 out of 1)

| id | category | src_ip | threat | certainty | state | detection | detection_category | detection_type | first_timestamp | tags | targets_key_asset | type_vname |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3 | LATERAL MOVEMENT | 0.0.0.0 | 22 | 22 | inactive | Automated Replication | LATERAL MOVEMENT | Automated Replication | 2019-10-02T22:05:34Z | | false | |
| 5 | RECONNAISSANCE | 0.0.0.0 | 60 | 80 | active | Port Sweep | RECONNAISSANCE | Port Sweep | 2019-10-02T22:38:58Z | | false | |

2. vectra-get-hosts


Host information includes data that correlates the host to the security events detected for it.

Base Command

vectra-get-hosts

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | Filter by host ID | Optional |
| fields | Filters the fields listed for each object | Optional |
| page | Page number. Possible values are a positive integer or last | Optional |
| page_size | Page size. Possible values are a positive integer or all | Optional |
| ordering | Orders records by last timestamp, threat score and certainty score. By default, threat and certainty scores are sorted in ascending order; prepend a minus (-) symbol to the field name to sort in descending order | Optional |
| name | Filter by name | Optional |
| state | Filter by state: active, inactive, suspended, ignored, ignored for all | Optional |
| last_source | Filter by last_source (IP address) | Optional |
| threat_score | Filter by threat score | Optional |
| threat_score_gte | Filter by threat score >= the score provided | Optional |
| certainty_score | Filter by certainty score | Optional |
| certainty_score_gte | Filter by certainty score >= the score provided | Optional |
| last_detection_timestamp | Filter by last_detection_timestamp | Optional |
| tags | Filter by a tag or a comma-separated list of tags (returns hosts that contain any of the tags specified), e.g. tags=baz or tags=foo,bar | Optional |
| key_assest | Filter by key asset: True, False | Optional |
| mac_address | Filter by MAC address | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Vectra.Host.Name | String | The learned hostname |
| Vectra.Host.TargetsKeyAsset | Boolean | Flag indicating if the host has a detection targeting a key asset |
| Vectra.Host.CertaintyScore | Number | The current certainty score correlated to this host |
| Vectra.Host.DetectionID | String | List of Detections for Account |
| Vectra.Host.KeyAsset | Boolean | Flag indicating if the host is a key asset |
| Vectra.Host.State | String | The state of this host |
| Vectra.Host.Threat_Score | Number | The current threat score correlated to this host |
| Vectra.Host.LastDetection | String | Last detection activity from this host (Timestamp format: YYYY-MM-DD HH-MM-SS GMT) |
| Vectra.Host.IP | String | Last source IP associated with this host |
| Vectra.Host.ID | Number | ID of the Host |

Command Example

!vectra-get-hosts threat_score_gte=20

Context Example
{
    "Vectra.Host": [
        {
            "ActiveTraffic": false,
            "CertaintyScore": 45,
            "DetectionID": [
                "22",
                "23",
                "37",
                "42",
                "61",
                "62",
                "63",
                "64"
            ],
            "HostLuid": "duOUtBa4",
            "ID": 57,
            "IP": "0.0.0.0",
            "KeyAsset": true,
            "LastDetection": "2019-10-07T05:37:12Z",
            "LastDetectionTimestamp": "2019-10-07T05:37:12Z",
            "LastModified": "2019-10-03T07:04:06Z",
            "LastSource": "0.0.0.0",
            "Name": "leroy_brown",
            "Note": null,
            "OwnerName": "lbrown",
            "Severity": "low",
            "State": "active",
            "Tags": [],
            "ThreatScore": 34
        },
        {
            "ActiveTraffic": false,
            "CertaintyScore": 32,
            "DetectionID": [
                "53",
                "56",
                "60"
            ],
            "HostLuid": "dwGUtBaK",
            "ID": 103,
            "IP": "0.0.0.0",
            "KeyAsset": false,
            "LastDetection": "2019-10-04T19:24:04Z",
            "LastDetectionTimestamp": "2019-10-04T19:24:04Z",
            "LastModified": "2019-10-04T12:40:38Z",
            "LastSource": "0.0.0.0",
            "Name": "winfs06r3u17",
            "Note": null,
            "OwnerName": null,
            "Severity": "low",
            "State": "active",
            "Tags": [],
            "ThreatScore": 22
        }
    ]
}
Human Readable Output

Hosts table (Showing Page 1 out of 1)

| id | name | state | threat | certainty | last_source | url | assigned_to | owner_name | first_timestamp | tags | note |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 7 | BThomas-Win7 | active | 23 | 33 | 0.0.0.0 | demist.com/api/v2/hosts/7 | | bthomas | | | |
| 11 | Robert-MBP | active | 25 | 46 | 0.0.0.0 | demist.com/api/v2/hosts/11 | | rwilliams | | | |

3. vectra-triage


The rules branch of the API is used to retrieve a listing of the configured Triage rules.

Base Command

vectra-triage

Input
There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Vectra.Rule.ID | Unknown | The record id |
| Vectra.Rule.SmartCategory | Unknown | Custom Triage label used to recategorize specified detections |
| Vectra.Rule.Description | Unknown | Name of Triage filter |
| Vectra.Rule.Type | Unknown | Original detection type |
| Vectra.Rule.Category | Unknown | Original detection category |
| Vectra.Rule.Created | Unknown | The timestamp when this Triage filter was created |
| Vectra.Rule.LastUpdate | Unknown | The timestamp when this Triage filter was triggered |
| Vectra.Rule.Host.ID | Unknown | Host(s) that this Triage filter applies to |
| Vectra.Rule.IP | Unknown | Host IP |
| Vectra.Rule.Priority | Unknown | Used in ordering execution of Triage filters |
| Vectra.Rule.Remote.IP | Unknown | Destination IP where this Triage filter will be applied |
| Vectra.Rule.Remote.Protocol | Unknown | Destination protocol where this Triage filter will be applied |
| Vectra.Rule.Remote.Port | Unknown | Destination port where this Triage filter will be applied |
| Vectra.Rule.Remote.DNS | Unknown | Destination FQDN where this Triage filter will be applied |
| Vectra.Rule.Remote.Kerberos.Account | Unknown | Kerberos Account |
| Vectra.Rule.Remote.Kerberos.Service | Unknown | Kerberos Service |

Command Example

!vectra-triage

Context Example
No output examples
Human Readable Output

Couldn't find any results

4. vectra-get-host-by-id


Get a host by its ID.

Base Command

vectra-get-host-by-id

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| host_id | The id of the required host (can be obtained from vectra-get-hosts) | Required |

Context Output
There is no context output for this command.

Command Example

!vectra-get-host-by-id host_id=11

Context Example
{
    "Vectra.Host": [
        {
            "CertaintyScore": 27,
            "Hostname": "Robert-MBP",
            "ID": 11,
            "IP": "0.0.0.0",
            "KeyAsset": false,
            "LastDetection": "2019-10-03T01:10:43Z",
            "State": "active",
            "TargetsKeyAsset": false,
            "ThreatScore": 11
        }
    ]
}
Human Readable Output

Search results table

| id | threat | certainty | state | first_timestamp |
| --- | --- | --- | --- | --- |
| 11 | 25 | 46 | active | |

5. vectra-get-detection-by-id


Get a detection by its detection ID.

Base Command

vectra-get-detection-by-id

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| detection_id | The id of the required detection (can be obtained from vectra-get-detections) | Required |

6. vectra-get-users


Retrieves the current list of users.

Base Command

vectra-get-users

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| username | Filter by username | Optional |
| role | Filter by role | Optional |
| account_type | Filter by account type (Local, Special, Limited Time Link, LDAP, TACACS) | Optional |
| authentication_profile | Filter by authentication profile (LDAP or TACACS only) | Optional |
| last_login_gte | Filters for users that have logged in since the given timestamp | Optional |

Context Output
There is no context output for this command.

Command Example

!vectra-get-users

7. vectra-get-proxies


Retrieves the current list of proxy IP addresses, or a single proxy by Proxy ID.

Base Command

vectra-get-proxies

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| proxy_id | The id of the Proxy object | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Vectra.Proxy.Source | String | Whether the proxy was auto-detected by Cognito or was added by a user |
| Vectra.Proxy.ID | String | The ID of the Proxy |
| Vectra.Proxy.ConsidersProxy | String | Whether to consider the object as a proxy or not |
| Vectra.Proxy.Address | String | The proxy IP address |

Command Example

!vectra-get-proxies

Context Example
{}
Human Readable Output

Couldn't find any results

8. vectra-get-threatfeed


Retrieves the current list of all ThreatFeeds, or a single ThreatFeed by ThreatFeed ID.

Base Command

vectra-get-threatfeed

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| threatfeed_id | The id of the ThreatFeed object | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Vectra.ThreatFeed.Category | String | The category in which the detection will fire if a match is observed with any indicator in the ThreatFeed |
| Vectra.ThreatFeed.Name | String | The name of the ThreatFeed |
| Vectra.ThreatFeed.Certainty | String | The default certainty to use for indicators in the STIX file |
| Vectra.ThreatFeed.IndicatorType | String | The default indicatorType to use for the observables in the STIX file |
| Vectra.ThreatFeed.Duration | Number | The default duration for which indicators in the ThreatFeed are valid |
| Vectra.ThreatFeed.ID | String | The ID of the ThreatFeed |

Command Example

!vectra-get-threatfeed

Context Example
{
    "Vectra.ThreatFeed": [
        {
            "Category": "exfil",
            "Certainty": "Medium",
            "Duration": 14,
            "ID": "50f897f3c9bdc606472e8d72348c3263",
            "IndicatorType": "Exfiltration",
            "Name": "Suspicious Domains"
        }
    ]
}
Human Readable Output

Rules table

| id | name | certainty | category | duration | indicatorType |
| --- | --- | --- | --- | --- | --- |
| 50f897f3c9bdc606472e8d72348c3263 | Suspicious Domains | Medium | exfil | 14 | Exfiltration |

9. vectra-search


Advanced search on hosts and detections.

Base Command

vectra-search

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| query_string | The query to perform, e.g. `host.threat:>=50 and host.certainty:>=50` finds all hosts in the critical quadrant, and `host.owner_name:bob` finds hosts whose probable owner contains the phrase "bob" | Required |
| search_type | The type of search to perform; can be either Hosts or Detections | Required |
| page_size | Number of results returned per page. The default page_size is 50, the maximum is 5000 | Optional |

Context Output
There is no context output for this command.

Command Example

!vectra-search query_string="host.threat:>=20 and host.certainty:>=20" search_type=hosts

Context Example
{
    "Vectra.Host": [
        {
            "Certainty_Score": 33,
            "Hostname": "BThomas-Win7",
            "ID": 7,
            "IP": "0.0.0.0",
            "KeyAsset": true,
            "LastDetection": "2019-10-03T05:56:31Z",
            "State": "active",
            "TargetsKeyAsset": false,
            "Threat_Score": 23
        },
        {
            "Certainty_Score": 46,
            "Hostname": "Robert-MBP",
            "ID": 11,
            "IP": "0.0.0.0",
            "KeyAsset": false,
            "LastDetection": "2019-10-03T01:10:43Z",
            "State": "active",
            "TargetsKeyAsset": false,
            "Threat_Score": 25
        }
    ]
}
Human Readable Output

Search results table

| id | threat | certainty | state | first_timestamp |
| --- | --- | --- | --- | --- |
| 7 | 23 | 33 | active | |
| 11 | 25 | 46 | active | |