Skip to content

Vectra Cognito Detect

Overview

Vectra provides AI-powered incident detection and resolution support for native and hybrid clouds.

The following Sekoia.io built-in rules match the intake Vectra Cognito Detect. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Vectra Cognito Detect on ATT&CK Navigator

Burp Suite Tool Detected

Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner)

  • Effort: intermediate
Potential DNS Tunnel

Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels.

  • Effort: advanced
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Telegram Bot API Request

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

  • Effort: advanced
Vectra General Threat Detection

Vectra Cognito detected a potential threat. This is a very generic rule to raise as much alerts as possible from Vectra detections however RECONNAISSANCE and INFO categories have been removed to avoid spamming.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Authentication logs Audit logs are generated for login events,logout events, as well as other user actions that can impact the security posture of the product.

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "- :{\"version\":\"6.12\",\"account_id\":123456,\"headend_addr\":\"198.51.100.94\",\"account_uid\":\"admin-prtg@company.local\",\"threat\":0,\"certainty\":0,\"score_decreases\":true,\"privilege\":4,\"href\":\"https:/198.51.100.94/accounts/522\",\"category\":\"ACCOUNT SCORING\",\"tags\":[],\"host_access_history\":[{\"id\":22235,\"name\":\"HOSTNAME.COMPANY.LOCAL\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:06:46+00:00\"}],\"service_access_history\":[{\"id\":1470943,\"uid\":\"cifs/serssq01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:06:46+00:00\"},{\"id\":5,\"uid\":\"krbtgt/company.local.company@company\",\"privilege\":null,\"privilegeCategory\":null,\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614295,\"uid\":\"rpcss/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:19+00:00\"},{\"id\":2614304,\"uid\":\"rpcss/host2db01.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T08:04:04+00:00\"},{\"id\":2614297,\"uid\":\"rpcss/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:57:44+00:00\"},{\"id\":990,\"uid\":\"rpcss/srv-appli02.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:54:04+00:00\"},{\"id\":2614303,\"uid\":\"rpcss/host201.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:37:28+00:00\"},{\"id\":4214403,\"uid\":\"http/alm.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:21:04+00:00\"},{\"id\":4186134,\"uid\":\"http/host109.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:50+00:00\"},{\"id\":3693289,\"uid\":\"http/host110.company.local@company.local\",\"privilege\":4,\"privilegeCategory\":\"Medium\",\"lastSeen\":\"2021-09-30T07:20:38+00:00\"}],\"last_detection_type\":\"Privilege Anomaly: Unusual Service - Insider\",\"vectra_timestamp\":\"1633338457\"}",
    "event": {
        "action": "ACCOUNT SCORING",
        "url": "https:/198.51.100.94/accounts/522"
    },
    "observer": {
        "ip": "198.51.100.94",
        "version": "6.12"
    },
    "related": {
        "ip": [
            "198.51.100.94"
        ]
    },
    "vectra": {
        "account": {
            "id": 123456,
            "uid": "admin-prtg@company.local"
        },
        "certainty": 0,
        "detection": {
            "last_type": "Privilege Anomaly: Unusual Service - Insider",
            "score_decreases": true,
            "tags": []
        },
        "history": {
            "host_access": [
                {
                    "id": 22235,
                    "lastSeen": "2021-09-30T08:06:46+00:00",
                    "name": "HOSTNAME.COMPANY.LOCAL",
                    "privilege": null,
                    "privilegeCategory": null
                }
            ],
            "host_access_hostname": [
                "HOSTNAME.COMPANY.LOCAL"
            ],
            "service_access": [
                {
                    "id": 1470943,
                    "lastSeen": "2021-09-30T08:06:46+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "cifs/serssq01.company.local@company.local"
                },
                {
                    "id": 5,
                    "lastSeen": "2021-09-30T08:04:19+00:00",
                    "privilege": null,
                    "privilegeCategory": null,
                    "uid": "krbtgt/company.local.company@company"
                },
                {
                    "id": 2614295,
                    "lastSeen": "2021-09-30T08:04:19+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "rpcss/host109.company.local@company.local"
                },
                {
                    "id": 2614304,
                    "lastSeen": "2021-09-30T08:04:04+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "rpcss/host2db01.company.local@company.local"
                },
                {
                    "id": 2614297,
                    "lastSeen": "2021-09-30T07:57:44+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "rpcss/host110.company.local@company.local"
                },
                {
                    "id": 990,
                    "lastSeen": "2021-09-30T07:54:04+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "rpcss/srv-appli02.company.local@company.local"
                },
                {
                    "id": 2614303,
                    "lastSeen": "2021-09-30T07:37:28+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "rpcss/host201.company.local@company.local"
                },
                {
                    "id": 4214403,
                    "lastSeen": "2021-09-30T07:21:04+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "http/alm.company.local@company.local"
                },
                {
                    "id": 4186134,
                    "lastSeen": "2021-09-30T07:20:50+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "http/host109.company.local@company.local"
                },
                {
                    "id": 3693289,
                    "lastSeen": "2021-09-30T07:20:38+00:00",
                    "privilege": 4,
                    "privilegeCategory": "Medium",
                    "uid": "http/host110.company.local@company.local"
                }
            ],
            "service_access_uid": {
                "host": [
                    "alm.company.local@company.local",
                    "company.local.company@company",
                    "host109.company.local@company.local",
                    "host109.company.local@company.local",
                    "host110.company.local@company.local",
                    "host110.company.local@company.local",
                    "host201.company.local@company.local",
                    "host2db01.company.local@company.local",
                    "serssq01.company.local@company.local",
                    "srv-appli02.company.local@company.local"
                ],
                "proto_host": [
                    "cifs/serssq01.company.local@company.local",
                    "http/alm.company.local@company.local",
                    "http/host109.company.local@company.local",
                    "http/host110.company.local@company.local",
                    "krbtgt/company.local.company@company",
                    "rpcss/host109.company.local@company.local",
                    "rpcss/host110.company.local@company.local",
                    "rpcss/host201.company.local@company.local",
                    "rpcss/host2db01.company.local@company.local",
                    "rpcss/srv-appli02.company.local@company.local"
                ]
            }
        },
        "risk_score_norm": 0,
        "timestamp": 1633338457,
        "user": {
            "privilege": 4
        }
    }
}
{
    "message": "-: {\"src_name\": \"IP-255.255.255.1\", \"src_ip\": \"255.255.255.1\", \"src_hid\": 11111, \"dest_name\": \"push.services.mozilla.com\", \"dest_ip\": \"255.255.255.2\", \"dest_id\": \"external\", \"timestamp\": 1111111222.0, \"campaign_name\": \"push.services.mozilla.com-13\", \"campaign_id\": 222, \"campaign_link\": \"https://255.255.255.3/campaigns/222\", \"action\": \"ADD\", \"reason\": \"Connection\", \"version\": \"6.8\", \"headend_addr\": \"255.255.255.3\", \"dvchost\": \"255.255.255.3\", \"vectra_timestamp\": \"1111111111\"}",
    "action": {
        "name": "ADD"
    },
    "destination": {
        "address": "255.255.255.2",
        "ip": "255.255.255.2"
    },
    "observer": {
        "ip": "255.255.255.3",
        "name": "255.255.255.3",
        "version": "6.8"
    },
    "related": {
        "ip": [
            "255.255.255.1",
            "255.255.255.2",
            "255.255.255.3"
        ]
    },
    "source": {
        "address": "255.255.255.1",
        "ip": "255.255.255.1"
    },
    "vectra": {
        "campaign": {
            "id": 222,
            "link": "https://255.255.255.3/campaigns/222",
            "name": "push.services.mozilla.com-13"
        },
        "destination": {
            "id": "external",
            "name": "push.services.mozilla.com"
        },
        "detection": {
            "reason": "Connection"
        },
        "source": {
            "hid": 11111,
            "name": "IP-255.255.255.1"
        },
        "timestamp": 1111111111
    }
}
{
    "message": "-: {\"version\": \"6.12\", \"detection_id\": 13281, \"category\": \"COMMAND & CONTROL\", \"severity\": 6.0, \"threat\": 60, \"certainty\": 72, \"d_type\": \"hidden_http_tunnel_cnc\", \"d_type_vname\": \"Hidden HTTP Tunnel\", \"triaged\": false, \"headend_addr\": \"198.51.100.94\", \"dvchost\": \"198.51.100.94\", \"href\": \"https://198.51.100.94/detections/13281?detail_id=94738\", \"dd_dst_ip\": \"198.51.100.1\", \"dd_dst_port\": 8002, \"dd_dst_dns\": \"mirror.centos.org\", \"dd_bytes_sent\": 1476677, \"dd_bytes_rcvd\": 8269214038, \"host_name\": \"IP-198.51.100.14\", \"host_ip\": \"198.51.100.14\", \"dd_proto\": \"tcp\", \"vectra_timestamp\": \"1633516306\"}",
    "event": {
        "action": "COMMAND & CONTROL",
        "url": "https://198.51.100.94/detections/13281?detail_id=94738"
    },
    "destination": {
        "address": "mirror.centos.org",
        "bytes": 8269214038,
        "domain": "mirror.centos.org",
        "ip": "198.51.100.1",
        "port": 8002,
        "registered_domain": "centos.org",
        "subdomain": "mirror",
        "top_level_domain": "org"
    },
    "host": {
        "ip": "198.51.100.14",
        "name": "IP-198.51.100.14"
    },
    "network": {
        "protocol": "tcp"
    },
    "observer": {
        "ip": "198.51.100.94",
        "name": "198.51.100.94",
        "version": "6.12"
    },
    "related": {
        "hosts": [
            "mirror.centos.org"
        ],
        "ip": [
            "198.51.100.1",
            "198.51.100.14",
            "198.51.100.94"
        ]
    },
    "source": {
        "bytes": 1476677
    },
    "vectra": {
        "certainty": 72,
        "detection": {
            "id": 13281,
            "name": "Hidden HTTP Tunnel",
            "type": "hidden_http_tunnel_cnc"
        },
        "risk_score_norm": 60,
        "severity": 6.0,
        "timestamp": 1633516306,
        "triaged": false
    }
}
{
    "message": "-: {\"version\": \"6.12\", \"host_id\": 27617, \"headend_addr\": \"198.51.100.94\", \"host_name\": \"IP-198.51.100.14\", \"dvchost\": \"198.51.100.94\", \"host_ip\": \"198.51.100.14\", \"threat\": 22, \"certainty\": 31, \"privilege\": 0, \"score_decreases\": false, \"href\": \"https://198.51.100.94/hosts/27617\", \"host_roles\": \"\", \"src_key_asset\": false, \"dst_key_asset\": false, \"category\": \"HOST SCORING\", \"sensor\": \"E123456789123456\", \"detection_profile\": {\"name\": \"saas\", \"vname\": \"Cloud Services\", \"scoringDetections\": [\"Hidden HTTP Tunnel (C&C)\"]}, \"host_groups\": [], \"tags\": [], \"account_access_history\": [], \"service_access_history\": [], \"mac_address\": null, \"mac_vendor\": null, \"last_detection_type\": \"Hidden HTTP Tunnel\", \"vectra_timestamp\": \"1633690973\"}",
    "event": {
        "action": "HOST SCORING",
        "url": "https://198.51.100.94/hosts/27617"
    },
    "host": {
        "id": "27617",
        "ip": "198.51.100.14",
        "name": "IP-198.51.100.14"
    },
    "observer": {
        "ip": "198.51.100.94",
        "name": "198.51.100.94",
        "product": "E123456789123456",
        "version": "6.12"
    },
    "related": {
        "ip": [
            "198.51.100.14",
            "198.51.100.94"
        ]
    },
    "vectra": {
        "certainty": 31,
        "destination": {
            "key_asset": false
        },
        "detection": {
            "last_type": "Hidden HTTP Tunnel",
            "profile": {
                "name": "saas",
                "scoringDetections": [
                    "Hidden HTTP Tunnel (C&C)"
                ],
                "vname": "Cloud Services"
            },
            "score_decreases": false,
            "tags": []
        },
        "history": {
            "account_access": [],
            "service_access": []
        },
        "host": {
            "group": []
        },
        "risk_score_norm": 22,
        "source": {
            "key_asset": false
        },
        "timestamp": 1633690973,
        "user": {
            "privilege": 0
        }
    }
}
{
    "message": "-: {\"category\": \"INFO\", \"certainty\": 0, \"d_type\": \"si_new_host\", \"d_type_vname\": \"New Host\", \"dd_bytes_rcvd\": null, \"dd_bytes_sent\": null, \"dd_dst_dns\": \"\", \"dd_dst_ip\": \"0.0.0.0\", \"dd_dst_port\": 80, \"dd_proto\": \"\", \"detection_id\": 9999, \"dvchost\": \"255.255.255.1\", \"headend_addr\": \"255.255.255.1\", \"host_ip\": \"10.0.0.1\", \"host_name\": \"plop-99\", \"href\": \"https://255.255.255.1/detections/9999?detail_id=11111\", \"severity\": 0, \"threat\": 0, \"triaged\": false, \"vectra_timestamp\": \"1099999999\", \"version\": \"6.7\"}",
    "event": {
        "action": "INFO",
        "url": "https://255.255.255.1/detections/9999?detail_id=11111"
    },
    "destination": {
        "address": "0.0.0.0",
        "ip": "0.0.0.0",
        "port": 80
    },
    "host": {
        "ip": "10.0.0.1",
        "name": "plop-99"
    },
    "observer": {
        "ip": "255.255.255.1",
        "name": "255.255.255.1",
        "version": "6.7"
    },
    "related": {
        "ip": [
            "0.0.0.0",
            "10.0.0.1",
            "255.255.255.1"
        ]
    },
    "vectra": {
        "certainty": 0,
        "detection": {
            "id": 9999,
            "name": "New Host",
            "type": "si_new_host"
        },
        "risk_score_norm": 0,
        "severity": 0,
        "timestamp": 1099999999,
        "triaged": false
    }
}
{
    "message": "-: {\"accounts\": \"user@company.net\", \"shares\": \"\", \"reason\": \"MORE_PROCESSING_REQUIRED\", \"count\": 295, \"version\": \"6.12\", \"detection_id\": 13295, \"category\": \"LATERAL MOVEMENT\", \"severity\": 2.0, \"threat\": 20, \"certainty\": 74, \"d_type\": \"smb_brute_force\", \"d_type_vname\": \"SMB Brute-Force\", \"triaged\": false, \"headend_addr\": \"198.51.100.94\", \"dvchost\": \"198.51.100.94\", \"href\": \"https://198.51.100.94/detections/13295?detail_id=94908\", \"dd_dst_ip\": \"198.51.100.38\", \"dd_dst_port\": 445, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"hostname\", \"host_ip\": \"198.51.100.155\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1633681756\"}",
    "event": {
        "action": "LATERAL MOVEMENT",
        "url": "https://198.51.100.94/detections/13295?detail_id=94908"
    },
    "destination": {
        "address": "198.51.100.38",
        "ip": "198.51.100.38",
        "port": 445
    },
    "host": {
        "ip": "198.51.100.155",
        "name": "hostname"
    },
    "observer": {
        "ip": "198.51.100.94",
        "name": "198.51.100.94",
        "version": "6.12"
    },
    "related": {
        "ip": [
            "198.51.100.155",
            "198.51.100.38",
            "198.51.100.94"
        ]
    },
    "vectra": {
        "certainty": 74,
        "detection": {
            "accounts": "user@company.net",
            "count": "295",
            "id": 13295,
            "name": "SMB Brute-Force",
            "reason": "MORE_PROCESSING_REQUIRED",
            "type": "smb_brute_force"
        },
        "risk_score_norm": 20,
        "severity": 2.0,
        "timestamp": 1633681756,
        "triaged": false
    }
}
{
    "message": "-: {\"version\": \"6.8\", \"detection_id\": 1900, \"category\": \"RECONNAISSANCE\", \"severity\": 7.0, \"threat\": 70, \"certainty\": 86, \"d_type\": \"rpc_recon_1to1\", \"d_type_vname\": \"RPC Targeted Recon\", \"triaged\": false, \"headend_addr\": \"255.255.255.1\", \"dvchost\": \"255.255.255.1\", \"href\": \"https://255.255.255.1/detections/1900?detail_id=66777\", \"dd_dst_ip\": \"10.43.0.81\", \"dd_dst_port\": 49668, \"dd_dst_dns\": \"\", \"dd_bytes_sent\": null, \"dd_bytes_rcvd\": null, \"host_name\": \"IP-192.168.71.1\", \"host_ip\": \"192.168.71.1\", \"dd_proto\": \"\", \"vectra_timestamp\": \"1623742534\"}",
    "event": {
        "action": "RECONNAISSANCE",
        "url": "https://255.255.255.1/detections/1900?detail_id=66777"
    },
    "destination": {
        "address": "10.43.0.81",
        "ip": "10.43.0.81",
        "port": 49668
    },
    "host": {
        "ip": "192.168.71.1",
        "name": "IP-192.168.71.1"
    },
    "observer": {
        "ip": "255.255.255.1",
        "name": "255.255.255.1",
        "version": "6.8"
    },
    "related": {
        "ip": [
            "10.43.0.81",
            "192.168.71.1",
            "255.255.255.1"
        ]
    },
    "vectra": {
        "certainty": 86,
        "detection": {
            "id": 1900,
            "name": "RPC Targeted Recon",
            "type": "rpc_recon_1to1"
        },
        "risk_score_norm": 70,
        "severity": 7.0,
        "timestamp": 1623742534,
        "triaged": false
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
destination.bytes long Bytes sent from the destination to the source.
destination.domain keyword The domain name of the destination.
destination.ip ip IP address of the destination.
destination.port long Port of the destination.
event.action keyword The action captured by the event.
event.outcome keyword The outcome of the event. The lowest level categorization field in the hierarchy.
event.url keyword Event investigation URL
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.mac keyword Host MAC addresses.
host.name keyword Name of the host.
network.protocol keyword Application protocol name.
observer.ip ip IP addresses of the observer.
observer.name keyword Custom name of the observer.
observer.product keyword The product name of the observer.
observer.version keyword Observer version.
source.bytes long Bytes sent from the source to the destination.
source.ip ip IP address of the source.
user.name keyword Short name or login of the user.
vectra.account.id long The ID of the account
vectra.account.name keyword The account name.
vectra.account.uid keyword The user ID of the account
vectra.audit.message text A message explains the cause/nature of the log
vectra.campaign.id long The id of the campaign
vectra.campaign.link keyword The link to the campaign in the UI
vectra.campaign.name keyword The name of the campaign
vectra.certainty long The certainty of the score assigned to this host
vectra.destination.id keyword The destination of the campaign. Defaults to 'external'
vectra.destination.key_asset bool Whether there is a detection that is targeting this host and this host is a key asset.
vectra.destination.name keyword The external domain of the campaign destination
vectra.detection.account keyword The related user account.
vectra.detection.accounts keyword The related accounts.
vectra.detection.base_object keyword The base distinguished name.
vectra.detection.bytes_received keyword The bytes of data received.
vectra.detection.bytes_sent keyword The bytes of data sent.
vectra.detection.client_name keyword The RDP client name.
vectra.detection.client_token keyword The RDP client token.
vectra.detection.cookie keyword The RDP client token.
vectra.detection.count keyword The number of attempts
vectra.detection.dos_type keyword The DOS type.
vectra.detection.dst_ips keyword The target subnets.
vectra.detection.extensions keyword File extensions used.
vectra.detection.function keyword The executed function.
vectra.detection.host keyword The suspicous host.
vectra.detection.http_method keyword The HTTP method.
vectra.detection.http_segment keyword The HTTP segment.
vectra.detection.id long The detection profile associated with this host.
vectra.detection.ip keyword The keywordernal target host.
vectra.detection.keyboard_id keyword They keyboard layout ID.
vectra.detection.keyboard_name keyword They keyboard layout name.
vectra.detection.last_type keyword The most recent type of detection associated with this host.
vectra.detection.matched_domain keyword The matched domain.
vectra.detection.matched_ip keyword The matched IP.
vectra.detection.matched_user_agent keyword The matched user-agent.
vectra.detection.name keyword The name of the detection
vectra.detection.namedpipe keyword The named pipe.
vectra.detection.networks keyword The target subnets.
vectra.detection.normal_admins keyword The normal admins observed.
vectra.detection.normal_servers keyword The normal servers observed.
vectra.detection.num_attempts keyword The number of attempts
vectra.detection.port keyword The external port used.
vectra.detection.ports long Ports scanned.
vectra.detection.product_id keyword The unusual product ID.
vectra.detection.profile object The detection profile associated with this host.
vectra.detection.protocol keyword The external protocol used.
vectra.detection.ransom_notes keyword Ransome notes found.
vectra.detection.reason keyword The event name of the campaign or The reason this is suspicious or The error code or The indicating reason.
vectra.detection.received_normal_pattern keyword Example received normal pattern.
vectra.detection.received_pattern keyword The received pattern.
vectra.detection.referer keyword The referer.
vectra.detection.reply_cache_control keyword The replay cache control setting.
vectra.detection.request keyword The LDAP request.
vectra.detection.response_code keyword The response code.
vectra.detection.scans keyword The number of attempts.
vectra.detection.score_decreases boolean Indicates whether both Threat and Certakeywordy scores are decreasing.
vectra.detection.sent_normal_pattern keyword Example sent normal pattern.
vectra.detection.sent_pattern keyword The sent pattern.
vectra.detection.shares keyword The related files shares.
vectra.detection.sql_fragment keyword The SQL fragment.
vectra.detection.successes keyword The number of successes.
vectra.detection.tags array A text of tags applied to the host.
vectra.detection.threat_feeds keyword The name of the threat feed.
vectra.detection.tunnel_type keyword The type of hidden tunnel.
vectra.detection.type keyword keyword
vectra.detection.url keyword The suspicous URL.
vectra.detection.uuid keyword The RPC UUID.
vectra.health.message text A message explains the cause/nature of the log
vectra.history.account_access array The account access history associated with this host.
vectra.history.host_access object The host access history associated with this account.
vectra.history.host_access_hostname keyword The host access history associated with this account (hostname).
vectra.history.service_access array The service access history associated with this host.
vectra.history.service_access_uid.host keyword The service access history associated with this account (hostname).
vectra.history.service_access_uid.proto_host keyword The service access history associated with this account (protocol + hostname).
vectra.host.group keyword To be defined
vectra.host.vendor keyword The vendor of the MAC address of this host.
vectra.lockdown.retry boolean When a Lockdown action has failed, this indicates whether the system will retry the action.
vectra.risk_score_norm long Newly calculated account threat
vectra.severity long A score proportional to threat
vectra.source.hid long The original host ID of the member host in this campaign
vectra.source.key_asset boolean Whether the host being scored is marked as a key asset
vectra.source.name keyword The host name of the source host
vectra.timestamp long Timestamp in seconds since epoch
vectra.triaged boolean Whether the detection has been triaged yet or not
vectra.user.agent keyword User agent
vectra.user.privilege long The observed privilege level of the host.
vectra.user.role keyword Role of the user who caused the log (e.g., admin, super admin, etc.)

Configure

This setup guide will show you how to forward logs produced by your Vectra Appliance server to Sekoia.io by means of an rsyslog transport channel.

Configure the Rsyslog server

Please consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.