Configuring data sources

Links to the deployment guides for network Sensors, traffic validation, and the cloud data sources (Azure AD and M365, AWS, and Azure).

Network (Sensors)

Physical and Virtual Sensors (vSensors) collect raw traffic from your network, store it in a rolling capture buffer, and generate a metadata stream that the Brain processes further. When detections are created by the Brain, a PCAP (if enabled) is requested from the Sensor that saw the traffic in question so that it can be attached to the detection for viewing by the analyst. Sensors can also be instructed to perform packet capture based on configured parameters.

Sensor deployment and pairing with the Brain are covered in the following guides:

Traffic Validation

Once you have deployed and added network Sensors to your environment, the next step is to direct traffic at those Sensors so they can produce metadata for analysis by the Brain appliance. This is typically done via SPAN/COPY/MIRROR ports on switches, network TAPs, or packet brokers. Please see the following Vectra support articles for recommendations on which network traffic should be included in, and which excluded from, analysis:

After sending traffic to your Sensors, it is a best practice to validate that the traffic observed meets quality standards required for accurate detection and processing. Vectra’s Enhanced Network Traffic Validation feature provides alarms and metrics that can be used to validate the quality of your traffic. Please see the following Vectra support article for details:

IDR for Azure AD & CDR for M365

IDR for Azure AD and CDR for M365 can be deployed at any time once you are able to access the Vectra Respond UX. Some capabilities after enabling a connection to Azure AD and M365 are:

  • See and stop attackers targeting Federated applications, the Azure AD backend and all your M365 applications like SharePoint, Exchange and Teams.

  • Respond to threats immediately with zero-query investigations.

  • See through the chaos and understand how attackers could be bypassing MFA and accessing your tenant.

To enable this data source in your Cloud UI, navigate to Configuration > Data Sources > Azure AD & M365 and click the “Get Started” button in the top right. The Vectra IDR for Azure AD and CDR for M365 Quickstart Guide is also linked from this page:

CDR for AWS

CDR for AWS can be deployed at any time once you are able to access the Vectra Respond UX. Some capabilities after enabling an AWS CloudTrail connection are:

  • Monitor AWS CloudTrail Management and Data events to detect changes to your AWS environment that malicious actors could exploit to impact your organization.

  • Rapidly detect threats against AWS infrastructure without relying on signatures, agents, V-Taps, or static policies.

  • Agentless monitoring of applications, users, roles, serverless compute, and storage, through AWS CloudTrail logs.

  • Automate response to attacks with native integrations into AWS and third-party solutions, stopping attacks without impacting service.

To enable this data source in your Respond UX, navigate to Configuration > Data Sources > AWS CloudTrail and click the “Get Started” button in the top right. The CDR for AWS Deployment Guide is also linked from this page:
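The bullet list above distinguishes CloudTrail Management events (control-plane API calls, including the ones that change your environment) from Data events (resource-level operations such as object reads). The following added example, which is not Vectra's code and not part of the deployment guide, shows how those categories can be told apart in a CloudTrail log file using CloudTrail's documented record fields (`eventCategory`, `managementEvent`, `readOnly`, `eventSource`, `eventName`, `userIdentity`). The sample records and the account id, user and role names in them are constructed for illustration.

```python
"""Triage a CloudTrail log body into management-write, management-read and
data events.  Added example, not Vectra's code; the sample log is constructed."""
import json

# Constructed sample of a CloudTrail log file body (the "Records" array):
# one read-only management call, one management call that changes the
# environment, and one S3 data event.  Identities and account id are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "readOnly": True, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:05:00Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "readOnly": False, "managementEvent": True, "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:06:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "readOnly": True, "managementEvent": False, "eventCategory": "Data",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
]})


def load_records(body: str) -> list[dict]:
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(body).get("Records", [])


def classify(record: dict) -> str:
    """Return 'management-write', 'management-read' or 'data' for one record.

    managementEvent is the authoritative flag; eventCategory is the fallback
    for records that lack it.  A management event with readOnly false is a
    change to the environment, which is what a CloudTrail-based detector
    watches most closely.
    """
    is_mgmt = record.get("managementEvent",
                         record.get("eventCategory") == "Management")
    if not is_mgmt:
        return "data"
    return "management-read" if record.get("readOnly", False) else "management-write"


def actor(record: dict) -> str:
    """Best available human-readable identity for the caller."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def environment_changes(body: str) -> list[dict]:
    """Management events that modified something, in a compact review form."""
    return [
        {"time": r["eventTime"], "source": r["eventSource"],
         "event": r["eventName"], "actor": actor(r)}
        for r in load_records(body) if classify(r) == "management-write"
    ]


def summarize(body: str) -> dict[str, int]:
    """Count records per category, e.g. to sanity-check what a trail delivers."""
    counts = {"management-write": 0, "management-read": 0, "data": 0}
    for r in load_records(body):
        counts[classify(r)] += 1
    return counts


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
    for change in environment_changes(SAMPLE_LOG):
        print(change)
```

Running the script on the constructed log reports one record in each category and lists `CreateAccessKey` by `alice` as the only change to the environment. The same split is a useful check after enabling the connection: if a trail delivers only management-read events, the data-event and write-event coverage the bullets describe is not actually reaching the detector.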

CDR for Azure

CDR for Azure can be deployed at any time once you are able to access the Vectra Respond UX. CDR for Azure monitors Azure Activity and Resource logs to detect suspicious activity in your environment. Some capabilities after enabling a connection to Azure are:

  • Azure Detections - High fidelity detections of malicious behaviors in your Azure tenants based on our proprietary ML and security analytics capabilities.

  • Azure Threat Surface Dashboard - Insights to help you identify security related threat patterns in your Azure tenants.

  • Azure Investigate - Curated Azure metadata that allows you to perform in-depth investigations on potential threats in your Azure tenant. This data consists of enriched metadata fields and all the existing Advanced Investigation capabilities to help you efficiently conduct an investigation.

To enable this data source in your Respond UX, navigate to Configuration > Data Sources > Microsoft Azure and click the “Get Started” button in the top right. The CDR for Azure Deployment Guide is also linked from this page.
