External threat intel integration
Threat Intel Integration supports STIX version 1.2 files containing information on malicious IP addresses, domains, URLs or user-agents.
If you need to convert from a later STIX version such as 2.1, third-party tools are available on the internet, such as https://cti-stix-slider.readthedocs.io/en/latest/
Vectra does not specifically support or validate any such tools.
Vectra monitors north-south and east-west traffic for the IoCs and will fire detections when a match is observed.
Threat Intel Integration augments the Vectra attacker behavior detection algorithms to amplify the attacker signal. The Vectra threat intelligence detections provide additional context for the detection event such as bytes sent and received, number of events, and a PCAP of the actual event.
Creating a Threat Feed
In the UI, open the Threat Feeds page under Manage.
Add the required fields: Threat Feed Name, Indicator Type, Days.
Click Save and click Open.
Now upload a STIX file of your choice containing the indicators of interest and select the relevant category (e.g., command and control).
If the system identifies a match, a Threat Intelligence Match detection fires on the offending host in the specified category.
The currently supported observables for threat feeds are:
DomainNameObjectType
Domain name only - example "foo.bar.com"
AddressObjectType
IP Address - IPv4 or IPv6 address
URIObjectType
For use in Vectra, the value must be only the path portion after the hostname; the hostname itself is not included.
To match against the full domain and path found in a URL, you must combine the domain name object with the URI object using an "AND" operator.
The "OR" operator is also supported when combining observables in this way.
UserAccountObjectType
HTTPSessionObjectType
WindowsUserAccountObjectType
Please note:
Vectra supports up to 100,000 observables in one STIX file (the file size limit is 100MB).
In some cases the file size limit will be enforced at 4.5MB for Respond UX deployments. If this is a problem for your deployment, please contact Vectra support to investigate whether a workaround is possible.
The maximum configurable threat feed duration is 90 days.
If the STIX file carries an expiry on the observables, the expiry in the file is used instead of the feed configuration.
Depending on the category selected, we match either internal-to-external traffic or internal-to-internal traffic (for example, when the category is Lateral).
Vectra matches on IP, Domain, URI, User-Agent and User-Account observables
User-Account is matched in Kerberos and SMB traffic.
Domain matches are made on iSession metadata (i.e., DNS requests, the HTTP Host header and the SNI of SSL).
User-Agent and URI are matched in HTTP traffic.
User-Account is looked for in RDP, SMB, RPC, NTLM and Kerberos traffic.
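The observable types and the limits above are easiest to understand with a file in hand. The following is an added example (it is not Vectra's code and not one of the attachments): it writes a minimal STIX 1.2 package in the shape described here, including a domain combined with a path and an IP combined with a path through an Observable_Composition with the "AND" operator, plus a per-indicator Valid_Time_Position so the expiry lives in the file. It then pre-checks a file against the 100,000-observable and 100MB limits, flags any cybox:Properties type not in the supported list, and flags a URI value that still contains a scheme or host, since only the part after the hostname can match. Indicator values, ids and the "example" id namespace are constructed.

```python
"""Added example: build a STIX 1.2 package in the shape Vectra matches on, and
pre-check a file against the limits this page states before uploading it.
Not Vectra code; indicator values, ids and the 'example' id namespace are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by STIX 1.2 / CybOX 2.1 documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def _q(prefix, tag):
    """Clark-notation tag name for a prefixed element."""
    return "{%s}%s" % (NS[prefix], tag)


XSI_TYPE = _q("xsi", "type")

# Limits stated on the page.
MAX_OBSERVABLES = 100_000
MAX_BYTES = 100 * 1024 * 1024
MAX_FEED_DAYS = 90

# Local names of the cybox:Properties xsi:types the page lists as supported.
SUPPORTED_TYPES = {
    "DomainNameObjectType", "AddressObjectType", "URIObjectType",
    "UserAccountObjectType", "HTTPSessionObjectType", "WindowsUserAccountObjectType",
}

# How each indicator kind is expressed: xsi:type, value element, extra attributes.
KINDS = {
    "domain": ("DomainNameObj:DomainNameObjectType", _q("DomainNameObj", "Value"), {"type": "FQDN"}),
    "ip": ("AddressObj:AddressObjectType", _q("AddressObj", "Address_Value"), {"category": "ipv4-addr"}),
    "path": ("URIObj:URIObjectType", _q("URIObj", "Value"), {"type": "URL"}),
}


def _add_object(parent, kind, value):
    xsi_type, value_tag, attrs = KINDS[kind]
    obj = ET.SubElement(parent, _q("cybox", "Object"))
    props = ET.SubElement(obj, _q("cybox", "Properties"), dict(attrs))
    props.set(XSI_TYPE, xsi_type)
    ET.SubElement(props, value_tag).text = value


def build_package(indicators, days=MAX_FEED_DAYS):
    """indicators: list of (title, [(kind, value), ...]). More than one part
    becomes an Observable_Composition with operator="AND" (domain + path, ip + path)."""
    if days > MAX_FEED_DAYS:
        raise ValueError("feed duration above %d days" % MAX_FEED_DAYS)
    pkg = ET.Element(_q("stix", "STIX_Package"), {"id": "example:package-1", "version": "1.2"})
    inds = ET.SubElement(pkg, _q("stix", "Indicators"))
    start = datetime.now(timezone.utc).replace(microsecond=0)
    end = start + timedelta(days=days)
    for n, (title, parts) in enumerate(indicators, 1):
        ind = ET.SubElement(inds, _q("stix", "Indicator"), {"id": "example:indicator-%d" % n})
        ind.set(XSI_TYPE, "indicator:IndicatorType")
        ET.SubElement(ind, _q("indicator", "Title")).text = title
        # Expiry inside the file takes precedence over the feed's Days setting.
        vtp = ET.SubElement(ind, _q("indicator", "Valid_Time_Position"))
        ET.SubElement(vtp, _q("indicator", "Start_Time")).text = start.isoformat()
        ET.SubElement(vtp, _q("indicator", "End_Time")).text = end.isoformat()
        obs = ET.SubElement(ind, _q("indicator", "Observable"), {"id": "example:observable-%d" % n})
        if len(parts) == 1:
            _add_object(obs, *parts[0])
        else:
            comp = ET.SubElement(obs, _q("cybox", "Observable_Composition"), {"operator": "AND"})
            for kind, value in parts:
                _add_object(ET.SubElement(comp, _q("cybox", "Observable")), kind, value)
    return ET.tostring(pkg, encoding="utf-8", xml_declaration=True)


def check_feed(xml_bytes):
    """Parse a STIX 1.2 file and report observable counts plus anything that would
    break the documented limits or use a type the page does not list."""
    problems = []
    if len(xml_bytes) > MAX_BYTES:
        problems.append("file is %d bytes; limit is %d" % (len(xml_bytes), MAX_BYTES))
    root = ET.fromstring(xml_bytes)
    by_type = {}
    for props in root.iter(_q("cybox", "Properties")):
        local = props.get(XSI_TYPE, "").split(":")[-1]
        by_type[local] = by_type.get(local, 0) + 1
        if local not in SUPPORTED_TYPES:
            problems.append("unsupported observable type: %s" % (local or "<none>"))
        elif local == "URIObjectType":
            # Vectra expects only the part after the hostname, so a full URL cannot match.
            value = props.findtext(_q("URIObj", "Value")) or ""
            if "://" in value:
                problems.append("URI value %r includes scheme/host; use the path only" % value)
    total = sum(by_type.values())
    if total > MAX_OBSERVABLES:
        problems.append("%d observables; limit is %d" % (total, MAX_OBSERVABLES))
    return {"observables": total, "by_type": by_type, "problems": problems}


# Constructed sample indicators (documentation ranges and domains, not real IoCs).
SAMPLE_INDICATORS = [
    ("C2 domain", [("domain", "c2.example.net")]),
    ("C2 domain and path", [("domain", "c2.example.net"), ("path", "/gate.php")]),
    ("Exfil IP and path", [("ip", "192.0.2.10"), ("path", "/upload")]),
]

if __name__ == "__main__":
    xml = build_package(SAMPLE_INDICATORS, days=30)
    print(xml.decode())
    print(check_feed(xml))
```

Running the script prints the generated package and a report with five observables and no problems; feeding check_feed a file whose URI value is a full URL reports it, which is the mistake most often behind "the feed uploaded but never matches". The type check is on the local part of the xsi:type value only, because the prefix is whatever the producing tool declared.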
Automating STIX file upload
The upload of the STIX file can also be automated via the API.
Details of the threat feed API can be found in the REST API Guide under the Resources page in the UI. It is important that only high-quality threat or IoC feeds be uploaded to Vectra to avoid a high volume of matches on low-level threats.
There are also scripts available in our community tools.
Where to obtain quality STIX Threat Feeds
You can use any of a number of third-party STIX providers, depending on your exact needs. Both free and commercial STIX feeds are available; choose the one that best suits your needs. Vectra does not provide any specific recommendations.
Can I directly pull third-party feeds using the Vectra API?
Vectra's API does not currently include functionality to directly download STIX/TAXII feeds from third parties; a feature request is being tracked.
One possible solution is to use the threat feed provider's API to download the STIX file and then upload it using Vectra's APIs or the Vectra community API tools: https://github.com/vectranetworks/vectra_api_tools/wiki/2.-Vectra-module#poststixfile
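The download-then-upload workaround just described, as an added example written for this page; it is not Vectra's code and not the community API tools. It uses only the Python standard library: fetch the provider's file, refuse it if it is over the 100MB limit, wrap it as a multipart/form-data upload and POST it to the feed. The upload path is a placeholder to be replaced with the path given in the REST API Guide, and the form field name "file" and the "Authorization: Token ..." header are assumptions to confirm there too; the provider URL, appliance URL and feed id are whatever your deployment uses.

```python
"""Added example: pull a STIX file from a provider URL and push it to a Vectra
threat feed. Not Vectra code or the community tools. The upload path is a
placeholder; the multipart field name 'file' and the 'Authorization: Token'
header are assumptions to confirm against the REST API Guide."""
import uuid
import urllib.request

MAX_BYTES = 100 * 1024 * 1024  # file size limit stated on the page
# PLACEHOLDER: replace with the threat feed upload path from the REST API Guide.
UPLOAD_PATH = "/REPLACE-WITH-PATH-FROM-REST-API-GUIDE/{feed_id}"


def encode_multipart(filename, content, field="file"):
    """Return (content_type, body) for a single-file multipart/form-data upload."""
    boundary = "stix" + uuid.uuid4().hex
    head = (
        "--%s\r\n" % boundary
        + 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (field, filename)
        + "Content-Type: application/xml\r\n\r\n"
    ).encode("ascii")
    tail = ("\r\n--%s--\r\n" % boundary).encode("ascii")
    return "multipart/form-data; boundary=%s" % boundary, head + content + tail


def fetch_feed(url, opener=urllib.request.urlopen, timeout=60):
    """Download the provider's STIX file; refuse anything over the upload limit."""
    with opener(url, timeout=timeout) as resp:
        data = resp.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("provider file exceeds the %d-byte limit" % MAX_BYTES)
    return data


def upload_feed(base_url, feed_id, token, content, opener=urllib.request.urlopen, timeout=60):
    """POST the STIX file to the feed and return the raw response body."""
    ctype, body = encode_multipart("feed.xml", content)
    url = base_url.rstrip("/") + UPLOAD_PATH.format(feed_id=feed_id)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Authorization", "Token " + token)  # ASSUMED auth scheme; verify in the guide
    with opener(req, timeout=timeout) as resp:
        return resp.read()


def sync_feed(provider_url, base_url, feed_id, token, opener=urllib.request.urlopen):
    """Fetch from the provider, then upload to Vectra, in one step."""
    return upload_feed(base_url, feed_id, token, fetch_feed(provider_url, opener), opener)


if __name__ == "__main__":
    import os
    import sys
    # Usage: python sync_feed.py <provider_stix_url> <vectra_base_url> <feed_id>
    # The API token is read from the VECTRA_TOKEN environment variable, not the command line.
    print(sync_feed(sys.argv[1], sys.argv[2], sys.argv[3], os.environ["VECTRA_TOKEN"]))
```

The opener is injectable so the flow can be exercised without network access; in production the default urllib opener is used. Keep the token out of the command line and out of the script itself, and run the pre-upload checks on the downloaded bytes before calling upload_feed so a low-quality or oversized provider file never reaches the appliance.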
Where can I see examples of the proper formats for my testing?
Please see the attachments for full examples:
stix_domain.xml
Matches against a domain value. See the file for the full example; the syntax for the specific observables is included below:
stix_complete_path.xml
Matches against a path. See the file for the full example; the syntax for the specific observables is included below:
stix_domain_and_path.xml
Matches against a domain and a path. See the file for the full example; the syntax for the specific observables and operator is included below:
stix_ip_and_path.xml
Matches against an IP and a path. See the file for the full example; the syntax for the specific observables and operator is included below: