Recommended next steps

Backing up your Brain

As discussed earlier in the Deployment Process Overview, the Brain appliance should be backed up by the customer. The Vectra cloud platform stores detections, metadata, and triage filters but the configuration of the Brain is not backed up by Vectra. Care should be taken to ensure backup to a Windows server, SFTP/SCP, or AWS S3 bucket.

Please see the following Vectra support portal articles for more details:

• Backup and Restore for Vectra Brain Appliances (v8.5+)

• Vectra Brain Appliance Disaster Recovery (DR) / Migration Recommendations (v8.5+)

Recommended Next Steps

Vectra offers a variety of deployment services, consulting, or full MDR options for customers that need more help or expert analyst assistance. Please work with your Vectra account team for additional details.

This guide covered initial configuration of basic settings. Some recommended next steps are:

• Work on traffic engineering and getting traffic flowing to your Sensors or mixed mode Brain.

• Integrations that help with HostID or add context such as:

  • vCenter integration if you have a VMware environment

  • SIEM Event Forwarding

  • Windows Event Log ingestion

  • EDR integration

  • AD integration

• Integrations to enable taking action.

  • AD and EDR integration bring host and account Lockdown capability.

  • Entra ID (Azure AD) Account Lockdown works with and Azure AD data source.

• Enabling Stream.

• Setting up SSO using SAML if you have not already done so.

• Building groups and triage rules to suppress unwanted detections for authorized behaviors.

Best Practices

• Change default passwords for the 'admin' (GUI) and vectra (CLI and IPMI/iDRAC) users to strong versions.

  • See ssh login process for CLI for details on accessing the CLI of your Brain appliance.

  • Passwords must be between 8 and 128 characters and contain at least: 1 number, both lowercase and uppercase letters, and 1 symbol (e.g. ~!@#$%^&*,.?-_+=).

• Limit exposure to admin interfaces through firewall rules that permit communication only from appropriate nodes/networks (including Vectra required endpoints as well).

• IPMI / iDRAC interfaces should be on their own isolated networks when possible.

  • See IPMI / iDRAC configuration for more details.