Vectra AI | Marketplace

Details
Content
Dependencies
Version History

This content pack allows to create incidents based on Vectra Accounts/Hosts/Detections objects.

Vectra® is the leading AI-driven threat detection and response platform for the enterprise.
Only Vectra optimizes AI to detect advanced attacker behaviors across hybrid and multi-cloud environments.
The resulting high-fidelity signal and rich context enables security teams to prioritize, investigate and respond to threats in real-time.
Learn more at Vectra Website.

This pack is designed to quickly integrate with Vectra Detect platform to detect and analyze malicious attacks in progress by creating incident based on Accounts, Hosts or Detections. It gives security engineers visibility into advanced threats to speed detection and remediation response times.

What does this pack do?

Create XSIAM events from detections and audits.
Fetch accounts, hosts and detections from Vectra Detect.
Bi-Directional Mirroring for accounts and hosts.
List and Describe accounts, hosts, detections and users.
List, Describe, Create and Resolve assignment for account and host.
List, Describe and Create assignment outcomes.
List, Create, Update and Delete notes for account, host and detection.
List, Create and Remove tags for account, host and detection.
List, Assign and Unassign members in group.
Mark and Unmark detection as fixed.
Mark all detections as fixed for account and host.
Get detection's PCAP file.
Cleanup all incidents in XSOAR by closing duplicate incidents from Vectra Detect.

Configuration on Server Side

To get up and running with this pack, you must have a valid API token on your Vectra AI instance. In your Vectra AI instance:

Navigate to My Profile.
Click the General tab.
Create an API Token.

Be sure that the user has a role with sufficient permissions to do all the actions.

Pack Contributors:

DUDA Olivier

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

This pack includes Cortex XSIAM content.

What does this pack do?

Create XSIAM events from detections and audits.
Fetch accounts, hosts and detections from Vectra Detect.
Bi-Directional Mirroring for accounts and hosts.
List and Describe accounts, hosts, detections and users.
List, Describe, Create and Resolve assignment for account and host.
List, Describe and Create assignment outcomes.
List, Create, Update and Delete notes for account, host and detection.
List, Create and Remove tags for account, host and detection.
List, Assign and Unassign members in group.
Mark and Unmark detection as fixed.
Mark all detections as fixed for account and host.
Get detection's PCAP file.
Cleanup all incidents in XSOAR by closing duplicate incidents from Vectra Detect.

Configuration on Server Side

To get up and running with this pack, you must have a valid API token on your Vectra AI instance. In your Vectra AI instance:

Navigate to My Profile.
Click the General tab.
Create an API Token.

Be sure that the user has a role with sufficient permissions to do all the actions.

Collect Events from Vendor

REST API

The integration uses the 2.2 API version of detections and audits endpoints to collect events.

Pack Contributors:

DUDA Olivier

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
VectraDetectCloseDuplicateIncidents	This script closes duplicate incidents in XSOAR while resolving the assignment for the corresponding Vectra entity.
VectraDetectDisplayDetections	This script enables the display of detection details, available in the context, in the form of a markdown table.
VectraDetectAddNotesInLayouts	This script allows to add Entity notes in the layout.

Classifiers

Name	Description
Vectra Detect	Classifies Vectra Detect incidents.
Vectra Detect - Incoming Mapper	Maps incoming Vectra Detect incidents fields.

Incident Fields

Name	Description
Vectra Assignment Resolved By
Vectra Host Targets Key Asset
Vectra Detection Profile
Vectra Groups	The groups associated with the Vectra entity.
Vectra Service Access History
Vectra Assignment Outcome
Vectra Account Type
Vectra Assignment Resolved Date
Vectra Assigned Date
Vectra Host Previous IPs
Vectra Host Key Asset
Vectra Account Host Access History
Vectra Entity Type
Vectra Assignment ID
Vectra Certainty Score
Vectra Assigned To
Vectra Sensors
Vectra Privilege Category
Vectra Assigned By
Vectra Last Detection Timestamp
Vectra Detection Count
Vectra Host Artifact Set
Vectra Detection Details
Vectra Privilege Level
Vectra Host Active Traffic
Vectra Host Account Access History
Vectra Threat Score

Incident Types

Name	Description
Vectra Host
Vectra Detection
Vectra Account

Integrations

Name	Description
Vectra Detect (Partner Contribution)	This integration allows to create incidents based on Vectra Accounts/Hosts/Detections objects.

Layouts

Name	Description
Vectra Account	Show Details about Vectra Account.
Vectra Host	Show Details about Vectra Host.

Playbooks

Name	Description
Dispatch Incident - Vectra Detect	This playbook is called from the Process Incident - Vectra Detect playbook. It will fetch all active detections for the entity under investigation. It will then assign the entity to a user; if an assignment already exists, it will update that assignment and add a note in Vectra.
Close All Duplicate XSOAR Incidents - Vectra Detect	This playbook will clean up all incidents in XSOAR by closing duplicate incidents from Vectra Detect.
Add Note - Vectra Detect	This playbook will add a note in Vectra for an entity based on its type.
Process Incident - Vectra Detect	This playbook is used to initiate the processing of an incident. This playbook runs when a pending incident is selected for investigation. It will change the state from pending to active and it will list the available users in Vectra and request the user ID to use for assignment. Once the data collection is complete, it will call the Dispatch Incident - Vectra Detect playbook.
Close Duplicate XSOAR Incidents - Vectra Detect	This playbook is called from the Close All Duplicate XSOAR Incidents - Vectra Detect playbook. It will close the duplicate incidents in XSOAR and resolve its assignment in Vectra.

Automations

Name	Description
VectraDetectCloseDuplicateIncidents	This script closes duplicate incidents in XSOAR while resolving the assignment for the corresponding Vectra entity.
VectraDetectCloseDuplicateAlerts	This script closes duplicate alerts in XSOAR while resolving the assignment for the corresponding Vectra entity.
VectraDetectDisplayDetections	This script enables the display of detection details, available in the context, in the form of a markdown table.
VectraDetectAddNotesInLayouts	This script allows to add Entity notes in the layout.

Classifiers

Name	Description
Vectra Detect	Classifies Vectra Detect incidents.
Vectra Detect - Incoming Mapper	Maps incoming Vectra Detect incidents fields.

Incident Fields

Name	Description
Vectra Entity Type
Vectra Last Detection Timestamp
Vectra Privilege Level
Vectra Assigned To
Vectra Host Key Asset
Vectra Threat Score
Vectra Certainty Score
Vectra Sensors
Vectra Detection Count
Vectra Account Host Access History
Vectra Detection Profile
Vectra Host Artifact Set
Vectra Assignment ID
Vectra Host Previous IPs
Vectra Detection Details
Vectra Groups	The groups associated with the Vectra entity.
Vectra Host Targets Key Asset
Vectra Assigned Date
Vectra Assignment Outcome
Vectra Host Active Traffic
Vectra Assignment Resolved By
Vectra Privilege Category
Vectra Assigned By
Vectra Assignment Resolved Date
Vectra Service Access History
Vectra Account Type
Vectra Host Account Access History

Incident Types

Name	Description
Vectra Detection
Vectra Account
Vectra Host

Integrations

Name	Description
Vectra AI Event Collector	Collects Vectra Detections and Audits into XSIAM Events.
Vectra Detect (Partner Contribution)	This integration allows to create incidents based on Vectra Accounts/Hosts/Detections objects.

Modeling Rules

Name	Description
Vectra AI Event Collector Modeling Rule

Playbooks

Name	Description
Close Duplicate XSOAR Incidents - Vectra Detect	This playbook is called from the Close All Duplicate XSOAR Incidents - Vectra Detect playbook. It will close the duplicate incidents in XSOAR and resolve its assignment in Vectra.
Dispatch Incident - Vectra Detect	This playbook is called from the Process Incident - Vectra Detect playbook. It will fetch all active detections for the entity under investigation. It will then assign the entity to a user; if an assignment already exists, it will update that assignment and add a note in Vectra.
Add Note - Vectra Detect	This playbook will add a note in Vectra for an entity based on its type.
Process Incident - Vectra Detect	This playbook is used to initiate the processing of an incident. This playbook runs when a pending incident is selected for investigation. It will change the state from pending to active and it will list the available users in Vectra and request the user ID to use for assignment. Once the data collection is complete, it will call the Dispatch Incident - Vectra Detect playbook.
Close All Duplicate XSOAR Incidents - Vectra Detect	This playbook will clean up all incidents in XSOAR by closing duplicate incidents from Vectra Detect.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

2.0.2 - 1834150 (December 18, 2024)

Playbooks

Process Incident - Vectra Detect

Documentation and metadata improvements.

Close Duplicate XSOAR Incidents - Vectra Detect

Documentation and metadata improvements.

Dispatch Incident - Vectra Detect

Documentation and metadata improvements.

Related pull requests:
- 37690

Download

2.0.1 - 1748140 (December 4, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37528
- 37524
- 37525
- 37526
- 37527

Download

2.0.0 - R1709192 (November 26, 2024)

Incident Types

Vectra Host
Updated the incident type for the new layout and attached playbook.
Vectra Account
Updated the incident type for the new layout and attached playbook.

Integrations

Vectra Detect

Added the parameter to set the lookback time.
Added the parameters to filter incidents for Vectra Account and Host entities.
Added the validation for the parameters.
Updated the fetch incidents logic to handle duplication of incidents.
Added the support for the bi-directional mirroring.
Added the retry mechanism for 429 and 5xx errors.
Updated the client module to add header in requests mentioning the integration version and platform name.
Added the following set of commands:
- vectra-account-note-add
- vectra-host-note-add
- vectra-detection-note-add
- vectra-account-note-update
- vectra-host-note-update
- vectra-detection-note-update
- vectra-account-note-list
- vectra-host-note-list
- vectra-detection-note-list
- vectra-account-note-remove
- vectra-host-note-remove
- vectra-detection-note-remove
- vectra-account-tag-list
- vectra-host-tag-list
- vectra-detection-tag-list
- vectra-account-markall-detections-asfixed
- vectra-host-markall-detections-asfixed
- vectra-group-list
- vectra-group-assign
- vectra-group-unassign
Updated the Docker image to: demisto/python3:3.11.10.111039.

Mappers

Vectra Detect - Incoming Mapper

Updated the mapper to populate the new fields.

Playbooks

New: Add Note - Vectra Detect

New: This playbook will add a note in Vectra for an entity based on its type.

New: Close All Duplicate XSOAR Incidents - Vectra Detect

New: This playbook will clean up all incidents in XSOAR by closing duplicate incidents from Vectra Detect.

New: Close Duplicate XSOAR Incidents - Vectra Detect

New: This playbook is called from the Close All Duplicate XSOAR Incidents - Vectra Detect playbook. It will close the duplicate incidents in XSOAR and resolve its assignment in Vectra.

New: Dispatch Incident - Vectra Detect

New: This playbook is called from the Process Incident - Vectra Detect playbook. It will fetch all active detections for the entity under investigation. It will then assign the entity to a user; if an assignment already exists, it will update that assignment and add a note in Vectra.

New: Process Incident - Vectra Detect

New: This playbook is used to initiate the processing of an incident. This playbook runs when a pending incident is selected for investigation. It will change the state from pending to active and it will list the available users in Vectra and request the user ID to use for assignment. Once the data collection is complete, it will call the Dispatch Incident - Vectra Detect playbook.

Scripts

New: VectraDetectAddNotesInLayouts

New: This script allows to add Entity notes in the layout.

New: VectraDetectCloseDuplicateIncidents

New: This script closes duplicate incidents in XSOAR while resolving the assignment for the corresponding Vectra entity.

New: VectraDetectDisplayDetections

New: This script enables the display of detection details, available in the context, in the form of a markdown table.

Related pull requests:
- 36039
- 36291

Download

1.2.13 - R1051712 (May 28, 2024)

Integrations

Vectra Detect

Added a retrospective search jitter of 1 hour when fetching incidents to ensure that Vectra events that triggered but haven't been published are ingested.
Note: Due to the added jitter, duplicate incidents may be created right after the integration update.
Updated the Docker image to: demisto/python3:3.10.14.91134.

Related pull requests:
- 33854
- 34364

Download

1.2.12 - 765039 (January 16, 2024)

Integrations

Vectra Detect

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32212

Download

1.2.11 - 733853 (January 2, 2024)

Integrations

Vectra Detect

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31878

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	August 24, 2022
Last Release	December 18, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.