| 1 | +--- |
| 2 | +id: vectra |
| 3 | +title: Vectra |
| 4 | +sidebar_label: Vectra |
| 5 | +description: The Vectra app for Sumo Logic provides security analysts with visibility into security threats detected across networks, cloud environments, and endpoints. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/vectra.png')} alt="Vectra-icon" width="70" /> |
| 11 | + |
| 12 | +The Vectra app offers comprehensive visibility into security threats detected across networks, cloud environments, and endpoints. It consolidates threat intelligence from multiple sources, categorizing detections by their severity, type, and behavior, while providing detailed contextual data to accelerate investigations. With interactive dashboards and targeted monitoring tools, security teams can track trends, pinpoint high-risk activities, and measure remediation effectiveness. By combining threat scoring, detection timelines, and enriched metadata, the app empowers proactive threat hunting, rapid incident response, and continuous improvement of security posture. |
| 13 | + |
| 14 | +:::info |
| 15 | +This app includes [built-in monitors](#vectra-alerts). For details on creating custom monitors, refer to the [Create monitors for Vectra app](#create-monitors-for-the-vectra-app). |
| 16 | +::: |
| 17 | + |
| 18 | +## Log types |
| 19 | + |
| 20 | +This app uses Sumo Logic’s [Vectra Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to collect detections from the Vectra platform. |
| 21 | + |
| 22 | +### Sample log message |
| 23 | + |
| 24 | +```json title="Detection" |
| 25 | +{ |
| 26 | + "summary": { |
| 27 | + "user_agents": [ |
| 28 | + "Microsoft Azure CLI", |
| 29 | + "Microsoft Azure CLI" |
| 30 | + ], |
| 31 | + "browser": [ |
| 32 | + "Chrome 138.0.0", |
| 33 | + "Chrome" |
| 34 | + ], |
| 35 | + "operating_system": [ |
| 36 | + "Linux", |
| 37 | + "Linux" |
| 38 | + ], |
| 39 | + "workloads": [ |
| 40 | + "Azure Resource Manager", |
| 41 | + "AzureActiveDirectory" |
| 42 | + ], |
| 43 | + "operations": [ |
| 44 | + "UserLoggedIn" |
| 45 | + ], |
| 46 | + "src_ips": [ |
| 47 | + "80.117.40.124" |
| 48 | + ], |
| 49 | + "description": "This account was seen using a scripting engine to access services in Azure AD which is unusual for the account. Unusual usage of scripting engines in Azure AD and Microsoft 365 can be indicative of a compromised account." |
| 50 | + }, |
| 51 | + "data_source": { |
| 52 | + "type": "o365", |
| 53 | + "connection_name": "M365-Demo", |
| 54 | + "connection_id": "s9s9c5cj" |
| 55 | + }, |
| 56 | + "filtered_by_rule": false, |
| 57 | + "src_account": { |
| 58 | + "id": 1034, |
| 59 | + "name": "O365:demolab.vectra.ai", |
| 60 | + "url": "https://37373829274.cc1.portal.vectra.ai/api/v3.3/accounts/1034", |
| 61 | + "threat": 30, |
| 62 | + "certainty": 90, |
| 63 | + "privilege_level": null, |
| 64 | + "privilege_category": null |
| 65 | + }, |
| 66 | + "threat": 70, |
| 67 | + "last_timestamp": "2025-08-12T18:29:21Z", |
| 68 | + "is_targeting_key_asset": false, |
| 69 | + "sensor_name": "Vectra X", |
| 70 | + "filtered_by_ai": false, |
| 71 | + "id": 3586, |
| 72 | + "c_score": 60, |
| 73 | + "src_ip": null, |
| 74 | + "assigned_date": null, |
| 75 | + "filtered_by_user": false, |
| 76 | + "is_custom_model": false, |
| 77 | + "assigned_to": null, |
| 78 | + "detection_category": "lateral_movement", |
| 79 | + "note_modified_timestamp": null, |
| 80 | + "created_timestamp": "2025-08-12T18:53:29Z", |
| 81 | + "note": null, |
| 82 | + "is_marked_custom": false, |
| 83 | + "url": "https://37373829274.cc1.portal.vectra.ai/api/v3.3/detections/3586", |
| 84 | + "state": "active", |
| 85 | + "detection": "Azure AD Unusual Scripting Engine Usage", |
| 86 | + "triage_rule_id": null, |
| 87 | + "groups": [], |
| 88 | + "category": "lateral_movement", |
| 89 | + "first_timestamp": "2025-08-12T18:29:21Z", |
| 90 | + "certainty": 60, |
| 91 | + "t_score": 70, |
| 92 | + "tags": [], |
| 93 | + "note_modified_by": null, |
| 94 | + "detection_url": "https://37373829274.cc1.portal.vectra.ai/api/v3.3/detections/3586", |
| 95 | + "description": null, |
| 96 | + "notes": [], |
| 97 | + "detection_type": "Azure AD Unusual Scripting Engine Usage", |
| 98 | + "custom_detection": null, |
| 99 | + "sensor": "s9s9c5cj", |
| 100 | + "targets_key_asset": false, |
| 101 | + "is_triaged": false, |
| 102 | + "src_host": null, |
| 103 | + "type": "account", |
| 104 | + "grouped_details": [ |
| 105 | + { |
| 106 | + "workload": "Azure Resource Manager", |
| 107 | + "user_agent": "Microsoft Azure CLI", |
| 108 | + "operating_system": "Linux", |
| 109 | + "browser": "Chrome 138.0.0", |
| 110 | + "operations": [ |
| 111 | + "UserLoggedIn" |
| 112 | + ], |
| 113 | + "operations_count": 1, |
| 114 | + "src_ips": [ |
| 115 | + "80.117.40.124" |
| 116 | + ], |
| 117 | + "first_timestamp": "2025-08-12T18:29:21Z", |
| 118 | + "last_timestamp": "2025-08-12T18:29:21Z" |
| 119 | + }, |
| 120 | + { |
| 121 | + "workload": "AzureActiveDirectory", |
| 122 | + "user_agent": "Microsoft Azure CLI", |
| 123 | + "operating_system": "Linux", |
| 124 | + "browser": "Chrome", |
| 125 | + "operations": [ |
| 126 | + "UserLoggedIn" |
| 127 | + ], |
| 128 | + "operations_count": 1, |
| 129 | + "src_ips": [ |
| 130 | + "80.117.40.124" |
| 131 | + ], |
| 132 | + "first_timestamp": "2025-08-12T18:29:21Z", |
| 133 | + "last_timestamp": "2025-08-12T18:29:21Z" |
| 134 | + } |
| 135 | + ] |
| 136 | +} |
| 137 | +``` |
| 138 | + |
| 139 | +### Sample queries |
| 140 | + |
| 141 | +```sql title="Total Detections" |
| 142 | +_sourceCategory="Labs/Vectra" |
| 143 | +| json "id","last_timestamp","first_timestamp","state","t_score","c_score","category","type","summary.operations[*]","grouped_details[*].src_ips[*]","detection_url","assigned_to","detection","certainty","src_account.id","src_account.name","src_account.url","src_account.threat","src_account.certainty" as id,last_timestamp,first_timestamp,state,t_score,c_score,category,type,operations,src_ips,detection_url,assigned_to,detection,certainty,src_account_id,src_account_name,src_account_url,src_account_threat,src_account_certainty nodrop |
| 144 | +| if (t_score>=70,"critical",if(t_score>=41 and t_score<=69, "medium", if(t_score<=40,"low","unknown"))) as severity |
| 145 | + |
| 146 | +// global filters |
| 147 | +| where isNull(state) or state matches "{{state}}" |
| 148 | +| where isNull(category) or category matches "{{category}}" |
| 149 | +| where isNull(severity) or severity matches "{{severity}}" |
| 150 | +| where isNull(type) or type matches "{{type}}" |
| 151 | +| where isNull(certainty) or certainty matches "{{certainty}}" |
| 152 | + |
| 153 | +// panel specific |
| 154 | +| count by id |
| 155 | +| count |
| 156 | +``` |
| 157 | + |
| 158 | +## Collection configuration and app installation |
| 159 | + |
| 160 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 161 | + |
| 162 | +<CollectionConfiguration/> |
| 163 | + |
| 164 | +:::important |
| 165 | +Use the [Cloud-to-Cloud Integration for Vectra](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/vectra-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Vectra app is properly integrated and configured to collect and analyze your Vectra data. |
| 166 | +::: |
| 167 | + |
| 168 | +### Create a new collector and install the app |
| 169 | + |
| 170 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 171 | + |
| 172 | +<AppCollectionOPtion1/> |
| 173 | + |
| 174 | +### Use an existing collector and install the app |
| 175 | + |
| 176 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 177 | + |
| 178 | +<AppCollectionOPtion2/> |
| 179 | + |
| 180 | +### Use an existing source and install the app |
| 181 | + |
| 182 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 183 | + |
| 184 | +<AppCollectionOPtion3/> |
| 185 | + |
| 186 | +## Viewing the Vectra dashboards |
| 187 | + |
| 188 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 189 | + |
| 190 | +<ViewDashboards/> |
| 191 | + |
| 192 | +### Overview |
| 193 | + |
| 194 | +The **Vectra - Overview** dashboard offers a consolidated, real-time summary of all detected threats, enabling security teams to quickly assess the current threat landscape. It breaks down detections by severity(critical, medium, low), category, type, and resolution state, providing both counts and visual distributions. Time-based trend charts reveal spikes or patterns in threat activity, while geo-location maps identify where hosts are operating, including those in embargoed regions that may pose compliance risks. Additional panels highlight the top-impacted users, frequently targeted operations, and relevant detection sources, with direct links for in-depth investigation. This dashboard serves as the central entry point for monitoring threats, understanding scope, and prioritizing security actions.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Vectra/Vectra-Overview.png' alt="Vectra-Overview" style={{border:'1px solid gray'}} /> |
| 195 | + |
| 196 | +### Security |
| 197 | + |
| 198 | +The **Vectra - Security** dashboard focuses on advanced and high-severity threats that require immediate attention. It highlights critical threat detections, command-and-control activities, and account-based privilege escalation attempts, as well as anomalies in Azure AD operations. Persistent threats are tracked with metrics on time-to-remediation, enabling teams to assess response efficiency. Each panels are designed to surface patterns that indicate targeted attacks, lateral movement, or ongoing compromise attempts. By consolidating these high-priority insights, the dashboard helps security analysts quickly isolate urgent incidents, understand attack context, and coordinate effective containment and remediation strategies.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Vectra/Vectra-Security.png' alt="Vectra-Security" style={{border:'1px solid gray'}} /> |
| 199 | + |
| 200 | +## Create monitors for the Vectra app |
| 201 | + |
| 202 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 203 | + |
| 204 | +<CreateMonitors/> |
| 205 | + |
| 206 | +### Vectra alerts |
| 207 | + |
| 208 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 209 | +|:--|:--|:--|:--| |
| 210 | +| `Critical Threat Detections` | This alert is triggered when one or more threat detections with a threat score above 70 are identified. These detections indicate the most severe security risks and necessitate immediate investigation and remediation to prevent potential compromise or damage. | Critical | Count > 0 | |
| 211 | + |
| 212 | +## Upgrading/Downgrading the Vectra app (Optional) |
| 213 | + |
| 214 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 215 | + |
| 216 | +<AppUpdate/> |
| 217 | + |
| 218 | +## Uninstalling the Vectra app (Optional) |
| 219 | + |
| 220 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 221 | + |
| 222 | +<AppUninstall/> |
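Review bot: The severity bucketing in the Total Detections query and the Critical Threat Detections alert description disagree on the boundary: the query line `| if (t_score>=70,"critical",if(t_score>=41 and t_score<=69, "medium", ...` treats a t_score of exactly 70 as critical, while the alerts table says the monitor fires on "a threat score above 70". Pick one threshold (the query's `>=70` looks like the intent, given the sample detection carries `"t_score": 70`) and align the table text so an analyst comparing a dashboard count with an alert count does not see an off-by-one. Two smaller points in the same file: the sample detection embeds a routable public source address (`"src_ips": [ "80.117.40.124" ]`) plus a tenant-style portal hostname; documentation samples should use an RFC 5737 address such as 192.0.2.10 and an obvious placeholder tenant so nobody copies them as indicators. And two wording slips in the dashboard descriptions: "severity(critical, medium, low)" needs a space before the parenthesis, and "Each panels are designed" should read "Each panel is designed".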