Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Vectra NDR | ✅ | ✅ | ✅ | | vectra_ndr | CEF | S3
Vectra Stream | ✅ | ✅ | | | vectra_metadata_logs | NDJSON | S3
Overview
Vectra AI is a cybersecurity company that uses artificial intelligence and machine learning to detect and respond to cyber threats in real-time. Its platform focuses on network traffic analysis, using AI to identify anomalies, advanced attacks, and malicious behavior across cloud, on-premises, and hybrid environments. Vectra AI provides automated threat detection, prioritizes incidents based on risk, and helps security teams respond faster. By leveraging AI-driven insights, it enhances visibility, reduces false positives, and accelerates incident response to protect organizations from evolving cyber threats.
Supported data types
Vectra NDR
Table name: vectra_ndr
Vectra NDR logs offer a comprehensive overview of network activities, capturing detailed information on threats detected across cloud, data center, IoT, and enterprise environments. By leveraging artificial intelligence, Vectra analyzes network traffic in real-time, identifying patterns and behaviors indicative of cyber threats, such as compromised accounts and insider threats. These logs are invaluable for security teams, providing actionable intelligence for incident investigation, enabling prioritization based on the severity of threats, and facilitating compliance reporting.
Vectra Stream
Table name: vectra_metadata_logs
These logs contain detailed information about host behaviors, network connections, and potential security threats, facilitating deeper analysis and correlation with other data sources. This integration not only amplifies threat detection efforts but also supports comprehensive incident investigations and compliance reporting. Vectra Stream ensures that security teams have access to the actionable intelligence needed to respond swiftly to threats, making it a vital component for organizations aiming to bolster their defense mechanisms against sophisticated cyber attacks.
📘 Note
Vectra Stream logs contain Zeek logs.
Send data to Hunters
Hunters supports the ingestion of Vectra logs via an intermediary AWS S3 bucket.
To connect Vectra logs:
Export your logs from Vectra to an AWS S3 bucket.
Once the export is complete and the logs have been collected in S3, follow the steps in this section.
Expected format
Vectra NDR
The expected format of the logs is the CEF format as exported by Vectra. Vectra's own documentation describes the CEF layout of each event type.
Example of a log of the Host Detection event type:
Jan 6 09:11:31 U26020000001320 vectra_cef_v2 -: CEF:0|Vectra Networks|X Series|7.3|port_sweep|Port Sweep|6.0|externalId=1111 cat=RECONNAISSANCE dvc=1.1.1.1 dvchost=10.10.10.10 shost=se01.domain.com src=1.1.1.1 flexNumber1Label=threat flexNumber1=60 flexNumber2Label=certainty flexNumber2=80 cs4Label=Vectra Event URL cs4=https://10.10.10.10/detections/89455?detail_id\=112233 cs5Label=triaged cs5=False dst=0.0.0.0 dhost= proto=tcp dpt=333 out=0 in=0 start=1647979227000 end=1672992283000 cnt=123 msg=1.1.1.1, 2.2.2.2, 3.3.3.3
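The sample above illustrates the two things that trip up a naive CEF parser: the extension values are not quoted (so `msg=1.1.1.1, 2.2.2.2, 3.3.3.3` contains spaces and commas), and a literal `=` inside a value is escaped as `\=` (the `cs4` event URL). The following parser is an added example for this page, not Hunters' or Vectra's own code; it takes the sample line as constructed input, splits the header on unescaped pipes, walks the extension by locating `key=` tokens rather than splitting on spaces, and resolves Vectra's `cs<N>Label`/`flexNumber<N>Label` pairs so that `threat`, `certainty`, `triaged` and `Vectra Event URL` become ordinary keys. The field names in `detection_summary` are this example's own choice, not Hunters column names.

```python
import re
from datetime import datetime, timezone

# The Host Detection sample from this page, embedded here as a constructed test input.
SAMPLE_CEF = (
    "Jan 6 09:11:31 U26020000001320 vectra_cef_v2 -: CEF:0|Vectra Networks|X Series|7.3|"
    "port_sweep|Port Sweep|6.0|externalId=1111 cat=RECONNAISSANCE dvc=1.1.1.1 "
    "dvchost=10.10.10.10 shost=se01.domain.com src=1.1.1.1 flexNumber1Label=threat "
    "flexNumber1=60 flexNumber2Label=certainty flexNumber2=80 cs4Label=Vectra Event URL "
    "cs4=https://10.10.10.10/detections/89455?detail_id\\=112233 cs5Label=triaged cs5=False "
    "dst=0.0.0.0 dhost= proto=tcp dpt=333 out=0 in=0 start=1647979227000 end=1672992283000 "
    "cnt=123 msg=1.1.1.1, 2.2.2.2, 3.3.3.3"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of key characters followed by '=' at the start of the extension
# or directly after whitespace. Values are unquoted, so everything up to the next key belongs
# to the current value; that is what keeps 'msg=1.1.1.1, 2.2.2.2, 3.3.3.3' in one piece.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(value):
    # CEF escapes '=' and '\' inside extension values; the sample's cs4 URL carries '\='.
    return value.replace("\\=", "=").replace("\\\\", "\\")


def _split_extension(ext):
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def resolve_labels(fields):
    """Replace cs<N>/flexNumber<N> pairs with the name given in the matching *Label key."""
    out = dict(fields)
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            out[label] = fields[key[:-5]]
            del out[key], out[key[:-5]]
    return out


def parse_vectra_cef(line):
    """Split a syslog-wrapped Vectra CEF line into header fields and a resolved extension dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    # '\|' is an escaped pipe inside a header field, not a separator; maxsplit=7 leaves the
    # whole extension (which may itself contain '|') as the eighth element.
    header = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(header) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, header[:7]))
    event["version"] = header[0].split(":", 1)[1]
    event["syslog_prefix"] = line[:idx].rstrip()
    event["extension"] = resolve_labels(_split_extension(header[7]))
    return event


def _ms_to_iso(ms):
    # Vectra's start/end are epoch milliseconds.
    return datetime.fromtimestamp(int(ms) // 1000, tz=timezone.utc).isoformat()


def detection_summary(event):
    """The fields an analyst triages on, with the epoch-millisecond timestamps made readable."""
    ext = event["extension"]
    return {
        "detection": event["signature_id"],
        "category": ext.get("cat"),
        "source": ext.get("src"),
        "source_host": ext.get("shost"),
        "threat": int(ext["threat"]),
        "certainty": int(ext["certainty"]),
        "triaged": ext.get("triaged", "").lower() == "true",
        # In the sample, msg is a comma-separated list of IPs.
        "msg_hosts": [t.strip() for t in ext.get("msg", "").split(",") if t.strip()],
        "start": _ms_to_iso(ext["start"]),
        "end": _ms_to_iso(ext["end"]),
    }


if __name__ == "__main__":
    print(detection_summary(parse_vectra_cef(SAMPLE_CEF)))
```

One caveat inherent to CEF rather than to this parser: because values are unquoted, free text inside a value that happens to contain ` word=` will be read as a new key. Vectra's `msg` values in the sample are IP lists, so this does not bite here, but a parser fed arbitrary CEF should treat an unexpected key in the middle of `msg` as a sign of that ambiguity rather than a new field.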
Vectra Stream
{
"AA": "false",
"answers": "",
"auth": "",
"community_id": "null",
"id.ip_ver": "ipv4",
"id.orig_h": "1.2.3.4",
"id.orig_p": "0",
"id.resp_h": "1.2.3.4",
"id.resp_p": "0",
"local_orig": "true",
"local_resp": "true",
"metadata_type": "metadata_dns",
"orig_hostname": "a.b.com",
"orig_huid": "a.b.comL",
"orig_sluid": "ZkZ-ik72",
"proto": "17",
"qclass": "0",
"qclass_name": "Reserved",
"qtype": "1",
"qtype_name": "A",
"query": "a.b.com",
"RA": "false",
"rcode": "0",
"rcode_name": "NoError",
"RD": "false",
"rejected": "false",
"resp_hostname": "a.b.com",
"resp_huid": "1Qpg.g6Q",
"resp_sluid": "WpN-EeTS",
"saw_query": "true",
"saw_reply": "false",
"sensor_uid": "",
"TC": "false",
"total_answers": "0",
"total_replies": "0",
"trans_id": "62630",
"ts": "1709652115626",
"TTLs": "",
"uid": ""
}
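Every value in a Vectra Stream record arrives as a string, including booleans (`"false"`), numbers (`"proto": "17"`), the epoch-millisecond `ts`, and the literal `"null"`, and the Zeek-style field names contain dots (`id.orig_h`). The following is an added example, not Hunters' or Vectra's code, that reads NDJSON lines, restores the native types, converts `ts` to an ISO timestamp without float rounding, and dispatches on `metadata_type` to build a DNS pivot view that flags a query for which the sensor saw no reply (exactly the situation in the record above: `saw_query` true, `saw_reply` false). The input is constructed: line one is the page's record compacted, line two is hand-made so the answered path runs too; the underscore key flattening and the view's field names are this example's choices, not Hunters' table schema, and the protocol-number map uses the IANA assignments.

```python
import json
from datetime import datetime, timezone

# Constructed NDJSON input: line 1 is the DNS record shown on this page, compacted; line 2 is
# hand-made (not captured from a sensor) so that a query which did receive a reply is covered.
SAMPLE_NDJSON = """\
{"AA": "false", "answers": "", "auth": "", "community_id": "null", "id.ip_ver": "ipv4", "id.orig_h": "1.2.3.4", "id.orig_p": "0", "id.resp_h": "1.2.3.4", "id.resp_p": "0", "local_orig": "true", "local_resp": "true", "metadata_type": "metadata_dns", "orig_hostname": "a.b.com", "orig_huid": "a.b.comL", "orig_sluid": "ZkZ-ik72", "proto": "17", "qclass": "0", "qclass_name": "Reserved", "qtype": "1", "qtype_name": "A", "query": "a.b.com", "RA": "false", "rcode": "0", "rcode_name": "NoError", "RD": "false", "rejected": "false", "resp_hostname": "a.b.com", "resp_huid": "1Qpg.g6Q", "resp_sluid": "WpN-EeTS", "saw_query": "true", "saw_reply": "false", "sensor_uid": "", "TC": "false", "total_answers": "0", "total_replies": "0", "trans_id": "62630", "ts": "1709652115626", "TTLs": "", "uid": ""}
{"metadata_type": "metadata_dns", "id.orig_h": "10.0.0.5", "id.orig_p": "53412", "id.resp_h": "10.0.0.53", "id.resp_p": "53", "proto": "17", "query": "example.net", "qtype_name": "TXT", "rcode": "0", "rcode_name": "NoError", "answers": "v=spf1 -all", "TTLs": "300", "saw_query": "true", "saw_reply": "true", "total_answers": "1", "ts": "1709652120000"}
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}  # IANA protocol numbers


def _is_int(value):
    # bool is a subclass of int in Python; keep coerced booleans out of the numeric paths.
    return isinstance(value, int) and not isinstance(value, bool)


def coerce(value):
    """Vectra Stream serialises every value as a string; map the encodings back to Python types."""
    if not isinstance(value, str):
        return value
    low = value.lower()
    if low in ("", "null"):
        return None
    if low in ("true", "false"):
        return low == "true"
    if value.lstrip("-").isdigit():
        return int(value)
    return value


def ms_to_iso(ms):
    # Integer arithmetic keeps the millisecond exact instead of routing it through a float.
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return dt.replace(microsecond=(ms % 1000) * 1000).isoformat(timespec="milliseconds")


def normalize(record):
    """Flatten dotted keys to underscores (an assumed naming choice) and type the values."""
    out = {k.replace(".", "_"): coerce(v) for k, v in record.items()}
    if _is_int(out.get("ts")):
        out["ts_iso"] = ms_to_iso(out["ts"])
    if _is_int(out.get("proto")):
        out["proto_name"] = PROTO_NAMES.get(out["proto"], str(out["proto"]))
    return out


def dns_view(rec):
    """Pivot fields for a metadata_dns record; flags a query for which no reply was seen."""
    return {
        "ts": rec.get("ts_iso"),
        "client": f'{rec.get("id_orig_h")}:{rec.get("id_orig_p")}',
        "server": f'{rec.get("id_resp_h")}:{rec.get("id_resp_p")}',
        "proto": rec.get("proto_name"),
        "query": rec.get("query"),
        "qtype": rec.get("qtype_name"),
        "rcode": rec.get("rcode_name"),
        "answers": rec.get("answers"),
        "unanswered": bool(rec.get("saw_query")) and not rec.get("saw_reply"),
    }


HANDLERS = {"metadata_dns": dns_view}  # other metadata_type values pass through normalized


def process(ndjson_text):
    """Parse NDJSON text line by line and return one view (or normalized record) per line."""
    views = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = normalize(json.loads(line))
        handler = HANDLERS.get(rec.get("metadata_type"))
        views.append(handler(rec) if handler else rec)
    return views


if __name__ == "__main__":
    for view in process(SAMPLE_NDJSON):
        print(view)
```

The `coerce` step is the part worth keeping even if the rest is replaced: comparisons such as `saw_reply == false` silently do the wrong thing while the field is still the string `"false"`, and a millisecond `ts` compared against a second-resolution timestamp is off by a factor of a thousand. Unknown `metadata_type` values are passed through normalized rather than dropped, so a new Zeek log type appearing in the stream is still visible.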