Vectra

Integration version: 8.0

Use Cases

  1. Ingest Vectra detections to use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.
  2. Perform enrichment actions - get data from Vectra to enrich data in Google Security Operations SOAR Alerts.

Product Permission

In order to get an API token, you have to go to the Profile page and copy it.

API token location

Configure Vectra integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API Root String https://{address}:{port} Yes API root of the Vectra server.
API Token Password N/A Yes API token of the Vectra account.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Vectra server is valid.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to Vectra with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful:

Print "Successfully connected to the Vectra server with the provided connection parameters!"

The action should fail and stop a playbook execution:
If not successful:

Print "Failed to connect to the Vectra server! Error is {0}".format(exception.stacktrace)

General

Enrich Endpoint

Description

Fetch endpoint's system information by its hostname or IP address.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname

Action Results

Entity Enrichment
Enrichment Field Name Source (JSON Key) Logic - When to apply
Vectra_id results/id When available in JSON
Vectra_name results/name When available in JSON
Vectra_state results/state When available in JSON
Vectra_threat results/threat When available in JSON
Vectra_certainty results/certainty When available in JSON
Vectra_ip results/last_source When available in JSON
Vectra_tags Space-separated {results/tags} When available in JSON
Vectra_note results/note When available in JSON
Vectra_url results/url When available in JSON
Vectra_last_modified results/last_modified When available in JSON
Vectra_groups Space-separated {results/groups} When available in JSON
Vectra_is_key_asset results/is_key_asset When available in JSON
Vectra_has_active_traffic results/has_active_traffic When available in JSON
Vectra_is_targeting_key_asset results/is_targeting_key_asset When available in JSON
Vectra_privilege_level results/privilege_level When available in JSON
Vectra_previous_ip Space-separated {results/previous_ips} When available in JSON
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
            "id": 131,
            "name": "DESKTOP-DAIOS7J",
            "active_traffic": false,
            "has_active_traffic": false,
            "t_score": 0,
            "threat": 0,
            "c_score": 0,
            "certainty": 0,
            "severity": null,
            "last_source": "10.0.2.68",
            "ip": "10.0.2.68",
            "previous_ips": [],
            "last_detection_timestamp": "2019-10-08T17:13:57Z",
            "key_asset": false,
            "is_key_asset": false,
            "state": "inactive",
            "targets_key_asset": false,
            "is_targeting_key_asset": false,
            "detection_set": [],
            "host_artifact_set": [
                {
                    "type": "netbios",
                    "value": "DESKTOP-DAIOS7J",
                    "source": null,
                    "siem": false
                }
            ],
            "sensor": "YLq09aHU",
            "sensor_name": "Vectra X",
            "tags": [],
            "note": null,
            "note_modified_by": null,
            "note_modified_timestamp": null,
            "url": "https://70.54.200.216:64443/api/v2.1/hosts/131",
            "host_url": "https://70.54.200.216:64443/api/v2.1/hosts/131",
            "last_modified": "2020-02-12T13:41:51Z",
            "assigned_to": null,
            "assigned_date": null,
            "groups": [],
            "has_custom_model": false,
            "privilege_level": null,
            "privilege_category": null,
            "probable_owner": null,
            "detection_profile": null,
            "host_session_luids": [],
            "host_luid": "e0M-jygN"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities were enriched (is_success = true):

Print "Successfully enriched the following endpoints from Vectra: \n {0}".format(entity.identifier list)

If action found multiple matches in Vectra for some Google Security Operations SOAR entities, first match was taken to enrich endpoint:

Print "Multiple matches were found in Vectra, taking first match for the following entities:/n {0}".format(entity.identifiers list)

If Ifail to enrich specific entities(is_success = true):

Print "No entities were enriched."

The action should fail and stop a playbook execution:
If fatal error, like wrong credentials, no connection to server, other:

Print "Error executing action "Enrich Endpoint". Reason: {0}''.format(error.Stacktrace)

General

Add Tags

Description

Add tags to the endpoint or detection in Vectra.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Item Type Dropdown

Endpoint

Possible values:
Endpoint

Detection

Yes Select to which item type you want to add tags.
Item ID String N/A Yes Specify ID of the detection/endpoint.
Tags CSV N/A Yes Specify what tags you want to add to detection/endpoint. Tags should be separated by comma, for example: tag1, tag2.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If detection/endpoint is found and tags were successfully updated (is_success = true):

Print "Successfully added tags {0} to {1} with ID {2}.format(tags, Item Type, Item ID)

If detection/endpoint was found, but tags were not added (is_success=False):

Print "Action wasn't able to add tags {0} to {1} with ID {2}. Reason: {3}. format(tags, Item Type, Item ID, tags parameter from response)".

If detection/endpoint was not found (is_success=False):

Print "{0} with ID {1} was not found.format(Item Type, Item ID)."

II is_success=false without a specific situation and it's not a critical error:

Print "Action wasn't able to add tags to {0} with ID {1}.format(Item Type, Item ID)":

The action should fail and stop a playbook execution:
If fatal error (wrong credentials, connection error, action crashes):

Print "Error executing action "Add Tags". Reason: {0}''.format(error.Stacktrace)

General

Remove Tags

Description

Remove tags from the endpoint or detection in Vectra.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Item Type Dropdown

Endpoint

Possible values:
Endpoint

Detection

Yes Select from which item type you want to remove tags.
Item ID String N/A Yes Specify ID of the detection/endpoint.
Tags CSV N/A Yes Specify what tags you want to remove from detection/endpoint. Tags should be separated by comma, for example: tag1, tag2.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If detection/endpoint is found and tags were successfully updated (is_success = true):

Print "Successfully removed tags {0} from {1} with ID {2}.format(tags, Item Type, Item ID)

If detection/endpoint was not found (is_success=False):

Print "{0} with ID {1} was not found.".format(Item Type, Item ID)."

If detection/endpoint was found, but tag is not found (is_success=False):

Print "Tags {0} don't exist in {1} with ID {2}.".format(list of tags that were not found separated by comma, Item Type, Item ID)."

If is_success=false without a specific situation and it's not a critical error:

Print "Action wasn't able to remove tags from {0} with ID {1}.format(Item Type, Item ID)":

The action should fail and stop a playbook execution:
If fatal error (wrong credentials, connection error, action crashes):

Print "Error executing action "Remove Tags". Reason: {0}''.format(error.Stacktrace)

General

Update Note

Description

Update note for the endpoint or detection.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Item Type Dropdown

Endpoint

Possible values:
Endpoint

Detection

Yes Select on which item type you want to update a note.
Item ID String N/A Yes Specify ID of the detection/endpoint.
Note String N/A Yes Specify what note you want to have on the detection/endpoint.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If detection/endpoint is found and note was successfully updated (is_success = true):

Print "Successfully updated note on {1} with ID {2}.format(Item Type, Item ID)

If detection/endpoint was not found (is_success=False):

Print "{0} with ID {1} was not found.".format(Item Type, Item ID)."

If is_success=false without a specific situation and it's not a critical error:

Print "Action wasn't able to update note on {0} with ID {1}.format(Item Type, Item ID)":

The action should fail and stop a playbook execution:
If fatal error (wrong credentials, connection error, action crashes):

Print "Error executing action "Update Note". Reason: {0}''.format(error.Stacktrace)

General

Update Detection Status

Description

Update status of the detection.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Detection ID Integer N/A Yes Specify the detection ID on which you want to update the status.
Status DDL

Fixed

Possible Values:

Fixed

Active

Yes Specify what status to set on the detection.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message\*

The action should not fail nor stop a playbook execution:

If detection is found and status was successfully updated (is_success = true):

Print "Successfully updated status to '{0}' on detection with ID {1}.format(Status, Detection ID)

If detection was not found (is_success=False):

Print "Detection with ID {1} was not found.".format(Detection ID)."

If is_success=false without a specific situation and it's not a critical error:

Print "Action wasn't able to update status on detection with ID {1}.format(detection ID)":

The action should fail and stop a playbook execution:
If fatal error (wrong credentials, connection error, action crashes):

Print "Error executing action "Update Detection Status". Reason: {0}''.format(error.Stacktrace)

General

Get Triage Rule Details

Description

Get detailed information about triage rules.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Triage Rule IDs Integer N/A Yes Specify a comma-separated list of triage rule IDs. Example: 28,29
Create Insights Checkbox True Yes If enabled, action will create a separate insight for every processed triage rule.

Run On

This action doesn't run on entities.

Action Results

Insight
Insight Title Insight Description
"Triage Rule {0}".format(triage_rule) "Detection Category: {0}\n Triage Category: {1}\n Detection: {2} \n Description: {3}".format(detection_category, triage_category, detection, description)
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": 28,
    "url": "https://api.demo.vectranetworks.com/api/v2.1/rules/28",
    "description": "whatever",
    "enabled": true,
    "created_timestamp": "2020-10-01T17:21:19Z",
    "last_timestamp": "2020-10-01T17:21:19Z",
    "is_whitelist": false,
    "priority": 1,
    "active_detections": 1,
    "total_detections": 1,
    "template": false,
    "additional_conditions": {
        "OR": [
            {
                "AND": [
                    {
                        "ANY_OF": {
                            "field": "remote1_ip",
                            "values": [
                                {
                                    "url": null,
                                    "value": "35.166.75.118",
                                    "label": "35.166.75.118"
                                }
                            ],
                            "groups": [],
                            "label": "C&C Server IP"
                        }
                    }
                ]
            }
        ]
    },
    "source_conditions": {
        "OR": [
            {
                "AND": [
                    {
                        "ANY_OF": {
                            "field": "host",
                            "values": [
                                {
                                    "url": "https://api.demo.vectranetworks.com/api/v2.1/hosts/142",
                                    "value": 142,
                                    "label": "IP-10.10.100.10"
                                }
                            ],
                            "groups": [],
                            "label": "Host"
                        }
                    }
                ]
            }
        ]
    },
    "detection_category": "COMMAND & CONTROL",
    "triage_category": "triage rule 1",
    "detection": "Hidden HTTPS Tunnel"
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided rule ids were enriched (is_success = true):

Print "Successfully retrieved information about the following triage rules from Vectra: \n {0}".format(processed rule ids)

If fail to enrich specific entities(is_success = true):

Print "Action was not able to retrieve information about the following triage rules\n: {0}".format(not processed rule ids)

If fail to enrich for all entities (is_success = false):

Print "No information was retrieved about the triage rules."

The action should fail and stop a playbook execution:
If fatal error (wrong credentials, connection error, action crashes):

Print "Error executing action "Get Triage Rule Details". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: Triage Rules Details

Table Columns:

ID (mapped as id)

Enabled (mapped as enabled)

Detection Category (mapped as detection_category)

Triage Category (mapped as triage_category)

Detection (mapped as detection)

Whitelist (mapped as is_whitelist)

Priority (mapped as priority)

Created At (mapped as created_timestamp)

General

Connectors

Vectra - Detections Connector

Configure Vectra - Detections Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String Product Name Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String eventType Yes Enter the source field name in order to retrieve the Event Field name.

Environment Field Name

String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern

String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API Root String https://x.x.x.x:x:x Yes API root of the Vectra server.
API Token Password N/A Yes API token of the Vectra account.
Lowest Threat Score To Fetch Integer 50 Yes

Lowest threat score that will be used to fetch detections.

Min: 0

Max: 100

Lowest Certainty Score To Fetch Integer 0 No

Lowest certainty score that will be used to fetch detections.

Min: 0

Max: 100

Category Filter Comma-separated values Command and Control,Botnet ,Reconnaissance,Lateral Movement,Exfiltration,Info

Specify which categories of detections to ingest into Google Security Operations SOAR.

Possible values:

Command and Control

Botnet

Reconnaissance

Lateral Movement

Exfiltration

Info

Fetch Max Hours Backwards Integer 1 No Amount of hours from where to fetch threats.
Max Detections To Fetch Integer 25 No How many detections to process per one connector iteration. Limit is 5000. This is a Vectra limitation.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Checked Yes If enabled, verify the SSL certificate for the connection to the Vectra server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports proxy.