Global View
Demo video, applicability, capabilities, onboarding/deployment, architecture, and answers to your frequently asked questions (FAQs) about Global View for RUX deployments.
Global View Feature Release Demo
Please see the below link for a video release demo of the feature:
Applicability and Requirements
You must have at least two Respond UX instances (deployments) if you want to use Global View.
If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).
You must request a Global View "anchor" instance via your Vectra account team.
The account team will need the email address for a Super Admin user of the anchor instance.
A welcome email will be sent that provides local credentials for a Super Admin user.
SAML or local auth for additional users can be set up by this user once they log in to the anchor instance with the local account.
For additional onboarding details, please see the Onboarding/Deployment section.
After receiving the welcome email, onboarding child instances into the Global View anchor instance can be done in a self-serve manner.
Capabilities
What is Global View
Global View is a free feature for RUX deployments that enables a unified “Global Respond” view of prioritized entities in a new “anchor” instance of RUX that is created when a customer onboards to Global View.
The anchor instance only shows the Global Respond view. For functionality outside of the Global Respond screen, customers can drill into the child instance that contains the prioritized entity.
What customer use cases does Global View address?
Global SOCs overseeing diverse regions or subsidiaries.
Overcoming technical issues like IP overlap or data transfer costs.
Scaling for those customers whose traffic engineering requirements require multiple Vectra Brains.
Partners looking to centrally monitor their customers using Vectra.
Can the view be filtered?
Yes, the view can be filtered by selecting various “Quick Filters” such as:
Vectra Instances – child instance label (representing each RUX deployment that is connected).
Detections In – Data sources such as Network, Azure AD and M365, AWS CloudTrail, Azure, etc.
Entity Type – Host or Account.
Killchain – Botnet Activity, Command and Control, Exfiltration, Lateral Movement, Reconnaissance.
Can detections be displayed?
Yes, the Global Respond screen shows the same entity cards that you see in any child instance Respond screen.
The “Show Active Detections” button on an entity card is visible to show summary information for detections attributed to the entity.
If you need more than summary information from the entity card, you can drill into the child instance for full entity and detection pages.
Do screens in Global View automatically refresh?
No, data is pulled live upon login to Global View and can be refreshed by reloading the page.
Onboarding/Deployment
How does a customer onboard into Global View?
After receiving your welcome email and logging in to the Global View anchor instance, navigate to Configuration > Child Instances and click on "Add Child Instance".

After you have entered the URL for a child instance, click the "Generate Credentials" button.
Do not include anything after the .vectra.ai portion of the URL.
A new tab will open for the child instance.
If you do not already have an established session with the child instance that you are connecting, you will need to log in to the child instance.
You will see a "Create Global View API Client Credentials" dialog with a default "Client Name" and "Update Instance Name" already filled in.
The Client Name is the name of the API client that is being created on the child instance.
This API client will be used by the anchor instance to retrieve data for display in the Global View.
Update Instance Name allows you to change the instance name for the child instance.
The instance name will be displayed in the Global View and can be used to help filter the view.
If you want to change the instance name in the future, you can do so at Configuration > Setup > General Settings > Instance Name in the child instance.
Optionally enter a description and then click "Generate Credentials".

You should see a message at the top that says the Global View API client was created, and then be presented with another dialog showing the Client ID and Secret Key.
Use the "Copy" buttons to copy these one at a time to the appropriate fields in the anchor instance tab that has the not yet completed "Connect Child Instance to Global View" dialog.
The Secret Key will only be displayed while this dialog is open. Make sure you have either completed setup in the other tab or saved these values before clicking done.
If mistakes are made or errors occur, you can simply delete the API client from the child instance and start again by adding the child instance.

Once you have completed filling in the "Connect Child Instance to Global View" dialog on the anchor instance, click "Create Connection".

You should receive a "Link Child Instance Successful" message at the top of your screen and see your new child instance in the list of connected child instances:

Repeat this process for any other child instances that you wish to add to Global View.
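A pre-check for the URL entered in the "Add Child Instance" step, as an added example (not Vectra's code): it trims a pasted address down to the part ending in .vectra.ai and rejects values whose host is not actually under that domain. The function names and the sample tenant hostnames are assumptions made up for illustration.

```python
import re
from urllib.parse import urlsplit

# One or more DNS labels followed by the .vectra.ai suffix named in the step above.
_HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+vectra\.ai")


def child_instance_base_url(pasted: str) -> str:
    """Reduce a pasted URL to https://<host>; raise ValueError if not acceptable."""
    text = pasted.strip()
    if "://" not in text:
        text = "https://" + text  # assumption: a bare hostname means HTTPS
    parts = urlsplit(text)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL")
    if parts.port not in (None, 443):  # .port raises ValueError if malformed
        raise ValueError("unexpected port")
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host is not under .vectra.ai")
    return "https://" + host  # path, query and fragment are dropped


def review(pasted_urls):
    """Map each pasted value to its cleaned base URL or a 'REJECTED: ...' string."""
    results = {}
    for value in pasted_urls:
        try:
            results[value] = child_instance_base_url(value)
        except ValueError as exc:
            results[value] = f"REJECTED: {exc}"
    return results


# Constructed sample values; the tenant names are made up.
SAMPLES = [
    "https://tenant-a.portal.vectra.ai/hosts?page=2#detail",  # copied from a browser tab
    " Tenant-B.Portal.Vectra.AI/ ",                           # bare host, mixed case
    "https://tenant-a.portal.vectra.ai.login.example/",       # suffix is not at the end
    "https://tenant-a.portal.vectra.ai@login.example/",       # real host is after the @
    "http://tenant-a.portal.vectra.ai",                       # not HTTPS
]

if __name__ == "__main__":
    for pasted, outcome in review(SAMPLES).items():
        print(f"{pasted!r:60} -> {outcome}")
```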
Additional Onboarding Guidance
Time zone for the anchor instance
This can be configured by a Super Admin in Configuration > SETUP > General Settings > Timezone in the anchor instance.
This defaults to UTC.
Additional Users and Authentication
Super Admin users can configure additional users or authentication options.
Additional users for Global View must have the "Global Analyst" permission as part of their assigned role, as detailed in "How is access to Global View controlled on existing RUX instances?"
This applies to both the anchor instance and any child instance(s).
Additional users can be configured by a Super Admin:
Authentication options are SAML (suggested), or direct login (local users).
Navigate to Configuration > Users (in the Global View "Anchor" instance) or Configuration > Access > Users (in a Child instance) to create new local users.
Navigate to Configuration > External Authentication (in the Global View "Anchor" instance) or Configuration > Access > External Authentication (in a Child instance) to configure SAML profiles.
SAML users are NOT added the way local users are. The IdP configured in the SAML profile manages users; Vectra trusts the IdP and maps users and roles based on what is in the SAML assertion.
SAML setup works the same as it does for any other RUX deployment. Please see the following KB articles for SAML setup guidance if required:
Additional Deployment FAQs
How is access to Global View controlled on existing RUX instances?
A new permission called “Global Analyst” controls which users can see the Global View link in their RUX instances.
The “Global Analyst” permission is enabled by default on Admin, Super Admin, and Global Analyst roles.
“Global Analyst” is also a new default role on instances that can participate in Global View.
What permissions does the Global Analyst role include?
By default, the role permissions for a Global Analyst are the same as for a Security Analyst with the exception of the individual “Global Analyst” permission. That is only available by default in the Global Analyst role.
Can the Global Analyst role be modified?
Yes, but at a minimum, the role must contain the “Global Analyst” permission in order for the feature to function properly.
The API client used for Global View is mapped to the Global Analyst role.
How does login to the anchor instance work?
Both SAML and direct (local) login are available and can be configured by a Super Admin user in the anchor instance.
How does Global View deal with Brain replacements in RUX for Network deployments?
RUX for Network refers to deployments that involve network data sources (Sensors).
The Sensors are paired to a Brain appliance that is linked to the RUX instance.
Global View interoperates with RUX instances only, and all communications are contained within the Vectra Cloud.
Global View has no knowledge of Brains that may be linked to child RUX instances.
If a Brain linked to a child RUX instance is replaced in any kind of failover, standby, etc. scenario, the “--replace” option should be used during the restore to ensure the replacement Brain that was the target of the restore operation is properly linked to the existing child RUX instance.
Please see Backup and Restore for Vectra Brain Appliances (v8.5+) for details on backup and restore operations.
Please see Vectra Brain Appliance Disaster Recovery (DR) / Migration Recommendations (v8.5+) for details on DR/Migration scenarios.
Global View is not impacted, and the configuration of the anchor or any child RUX instance does not need to be updated.
Architecture

How does Global View work?
A new anchor instance is provisioned in the Vectra region of your choice.
Child tenants have API clients created for use by the anchor instance.
The anchor tenant uses API calls to retrieve prioritized entities and detection details from the child instances for display in Global View when a user with the Global Analyst permission logs into the anchor instance.
Global analysts can move back and forth from Global View to the child instances linked to Global View at will.
Are ML learnings or host sessions shared between child instances?
No, each underlying child instance operates independently.
In this way, overlapping IP spaces are supported.
If the same traffic is seen by multiple Brains that are connected to child RUX instances, each child RUX instance will have its own set of ML learnings, host sessions, detections, entities, etc.
What data is stored in the anchor instance?
No data is stored in the anchor instance.
All data is retrieved on demand when a user accesses Global View or refreshes the page in Global View.
What firewall rules or special requirements are there for the child instances?
There are no firewall rules or special requirements for the child instances.
All communications are encrypted within the Vectra cloud and are between the RUX instances involved (anchor and child instances).
For customers with Network data sources, there is no need to communicate with the Vectra Brain and/or paired Sensors.
What Vectra products are supported by Global View?
All Vectra products supported in RUX deployments are supported in Global View.
Miscellaneous FAQs
Can Global View help customers meet compliance or regulatory standards?
Yes, some customers are required to separate data for compliance reasons. No data is stored in the anchor instance, and data will remain separated in child instances.
Are there any costs for Global View?
No, Global View is a free feature available to any customer using the Respond UX.
How does support work for Global View?
Please open a support case on the Vectra Support Portal.
What are common issues that can occur?
If an API client for a child instance is deleted, then Global View will no longer function for data from that child instance.
If the Global Analyst role is changed in a child instance and no longer contains the required Global Analyst permission, then Global View will fail for that child instance.