vCenter integration (VMware)

VMware vCenter (vSphere) Integration

If using VMware vSphere, some configuration is required to enable the Brain appliance to query the vCenter API. Enabling API access to vCenter provides a read-only view into the vSphere state, otherwise obtainable only by logging into vSphere itself.

Enabling the vCenter integration also helps with vSensor deployment planning by identifying the physical hosts, clusters and data centers that currently have vSensor coverage, and those that do not have coverage.

The integration also shows available resources on physical VMware hosts, and exposes any configuration errors that might be affecting packet capture. This view helps the user identify the exact requirements that need to be conveyed to VMware operational teams.

Summary of benefits gained by enabling vCenter integration:

• Enables the Network Stats → Virtual Infrastructure view in your Vectra UI.

• vCenter host artifacts help to feed Vectra’s automated Host ID.

• Additional VMware context is available for analysts on VMware hosts.

• vCenter alerts are possible as an additional email notification type.

Enabling vCenter Integration

Preparing vSphere Account for Vectra Brain

To connect the Brain to vSphere, a vSphere user account and password must be configured into the Brain. The vSphere user account must have at least global, read-only rights. The Brain will not attempt to write any data to your VMware environment.

To ensure that the vSphere user/group the Brain will use has global, read-only access, use the following steps in the vSphere UI:

• From the vSphere Administration page select Access > Global Permissions.

• Click the plus sign to display the global permissions dialog.

• At the bottom of the left pane, click Add.

• Ensure the domain is set to the proper domain, select the users or groups you intend to use in Vectra’s configuration to connect to vCenter’s API and click OK.

• In the Assign Role section, select Read-Only from the drop-down list.

• Make sure the Propagate to children checkbox is selected, and click “OK”.

Requirements

Configuring vCenter/vSphere Integration

You can configure multiple vCenter integrations if you have more than one server to connect to. You will also need to have the port number, username and password. Simply repeat these steps to add additional vCenter connectors to your Vectra deployment.

Navigate to Configuration → SETUP > External Connectors > vCenter and edit the vCenter settings. Any previously configured vCenters will be shown in this area:

Click on + Add vCenter to add a vCenter integration, fill in the blanks, and click Save.

Virtual Infrastructure View

The vCenter integration helps with VMware vSensor deployment planning by identifying the physical hosts, clusters and data centers that currently have vSensor coverage, and those that do not have coverage.

Also shown are available resources on physical VMware hosts and any configuration errors that might impact packet capture. This view, seen in your Vectra GUI at the Network Stats > Virtual Infrastructure page, helps the Vectra admin identify the exact requirements that need to be conveyed to VMware operational teams.

With this integration, the security team may not need to rely on the IT team to be notified of changes impacting them.

The filter dropdown allows you to determine what is shown on the Virtual Infrastructure page:

A red exclamation point means that a particular physical hypervisor is NOT covered. This either means that there is no vSensor installed on the hypervisor or that the installed vSensor cannot be detected. A yellow warning sign icon means that there is a configuration issue with the installed vSensor:

A green checkmark means that the vSensor is configured and functioning properly:

vCenter Host ID artifacts

Vectra’s automated Host ID is a key benefit for analysts using the system. The goal of Vectra’s Host naming is to provide human-readable names associated with known Hosts.

Host names result from known information about the Host. Each observed name is referred to as an "artifact". Artifacts will typically be added to a Host record over time as more Host activity is seen and better associations are made. Host artifacts may be removed from a Host depending on the observed behaviors.

Hosts are tracked internally in a name agnostic manner. When assessing Host naming in your deployment, it is important to understand that Host names are decided at the time of viewing the web page. It is therefore expected that displayed Host names will change over time to reflect the most human readable name given the artifacts available at the time of page display.

The hostname obtained through vCenter/vSphere integration via an active query using the vCenter API is a key artifact when available in a customer environment. It is considered a best practice to enable the vCenter integration even if you will not deploy VMware vSensors in your environment.

For additional information regarding Vectra’s automated Host ID, please see Understanding Vectra host naming

Additional Host Context for Analysts

When an analyst views a Host that is running VMware tools and reporting back to vCenter/vShere with the Vectra vCenter integration enabled, additional context about the Host is available. To view this context, look at the left-hand side of the Host’s page in the Vectra UI for summary information including the VM name and operating system as reported by the vCenter API. The Host Details view has a more complete view. Below are examples of each:

vCenter Alerts

vCenter alerts notify about changes in the virtual environment that merit security consideration. To enable vCenter alerts, edit your email alert settings at Configuration → RESPONSE → Notifications → Email Alerts and enable vCenter Alerts.

For example: • A new physical VMware server where a vSensor may be needed is added to the network. • vSensor has been moved or powered down. • VM is moved from a host that is monitored by a Sensor to a host that is not monitored by a Sensor.