# Introduction and requirements

## Introduction

This guide is intended to help customers or partners deploy Vectra Match in existing Vectra deployments. Match requires a functioning deployment of Vectra NDR (formerly Detect for Network). This means that your deployment will consist of a Brain appliance and at least one paired Sensor. The Brain appliance can be physical or virtual (including Brains deployed in supported IaaS clouds). Mixed mode deployment is also supported (the Brain serving as both Brain and Sensor).

Both Respond UX (RUX) and Quadrant UX (QUX) deployments are supported. If you are unsure of your deployment type, please see [Vectra Analyst User Experiences (Respond vs Quadrant)](https://docs.vectra.ai/deployment/getting-started/analyst-ux-options-rux-vs-qux).

Please see the table below for additional resources and guidance:

| **Article**                                                                                                                        | **Description**                                                                                              |
| ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| [Respond UX Deployment Guide](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide)                       | Overview of the platform, requirements, deployment, initial configuration, recommended next steps.           |
| [Quadrant UX Deployment Guide](https://docs.vectra.ai/deployment/getting-started/quadrant-ux-deployment)                           | Overview of the platform, basic network connectivity requirements, initial settings, recommended next steps. |
| [Match FAQ](https://docs.vectra.ai/deployment/match/faq)                                                                           | Answers to frequently asked questions about Vectra Match.                                                    |
| [Match Troubleshooting](https://docs.vectra.ai/deployment/match/troubleshooting)                                                   | Troubleshooting guidance for Vectra Match.                                                                   |
| [Match Performance and Ruleset Optimization Guidance](https://docs.vectra.ai/deployment/match/performance-and-rulset-optimization) | Performance guidance and tips for optimizing rulesets to achieve the best performance with Vectra Match.     |
| [Match Suricata Configuration](https://docs.vectra.ai/deployment/match/suricata-configuration)                                     | Default suricata.yaml configuration file.                                                                    |
| [Managing Rulesets](https://docs.vectra.ai/deployment/match/managing-rulesets)                                                     | Applying modifications to uploaded rulesets.                                                                 |
| [Vectra Curated Ruleset](https://docs.vectra.ai/deployment/match/vectra-curated-ruleset)                                           | Details on the curated ruleset included with Vectra Match.                                                   |
| [Stream Deployment Guide](https://docs.vectra.ai/deployment/stream/deployment)                                                     | How to deploy Stream to use with QUX or RUX Match deployments.                                               |

## About Vectra Match

Vectra Match utilizes the open source [Suricata](https://suricata.io/) IDS engine. Vectra’s Sensors (network data sources) are extremely high performance and adept at producing the proprietary metadata required to supply the AI-based behavioral models utilized by Vectra NDR. Match enables these same Sensors to also run a Suricata engine that is fed by the same capture buffers that feed the existing data processing pipeline.

| **Deployment Type** | **Supported methods for output of Matches to downstream systems** |
| ------------------- | ----------------------------------------------------------------- |
| Respond UX          | Vectra Stream                                                     |
| Quadrant UX         | Vectra Stream, Syslog, Kafka                                      |

Both Respond UX (RUX) and Quadrant UX (QUX) deployments support configuration and ruleset management via GUI or API. RUX and QUX deployments use different APIs, each with its own ruleset upload process.

## Requirements

* Vectra NDR with paired Sensor(s) already deployed.
  * Only paired Sensors will be available to be enabled for Match.
  * Mixed mode deployment is also supported. Please see [Throughput (Performance)](#throughput-performance) for more details.
* Valid license for Match through either a PoV or purchase.
  * Without a valid license, Match cannot be enabled, rulesets cannot be uploaded, and existing rulesets cannot be assigned.
* A user with a role that supports **Edit** permissions for the following:
  * **Configuration – Vectra Match Ruleset**
  * **Configuration – Vectra Match**
  * **Vectra Match Policy** - only required if you want to edit policy in uploaded rulesets.
    * Please see [Role Permission Details](#role-permission-details) below for additional detail.
  * For deployment using the API, see [API Deployment](https://docs.vectra.ai/deployment/match/deployment/api-deployment) for additional guidance.
    * QUX requires:
      * At least one local user account for the Brain with an API token.
      * The user account tied to the API token must have the privileges specified above.
    * RUX requires:
      * API client credentials tied to a Restricted Admin or Setting Admin role.
  * Downstream SIEM or other system setup to receive Match log data via syslog or Kafka transport.
    * Customers with existing Suricata deployments simply need to reconfigure their receivers to accept from the new source (your Vectra Brain) and configure the Brain for syslog or Kafka transport (QUX) or use Stream for output of Matches (QUX or RUX).

### Role Permission Details

Three permissions, each with **View** or **Edit** rights, support Vectra Match:

<table data-header-hidden><thead><tr><th width="305.5625"></th><th width="88.671875" align="center"></th><th width="352.31640625"></th></tr></thead><tbody><tr><td><strong>Permission</strong></td><td align="center"><strong>Rights</strong></td><td><strong>Allowed Capabilities</strong></td></tr><tr><td>Configuration – Vectra Match Ruleset</td><td align="center">View</td><td>Viewing ruleset assignments and information about ruleset files</td></tr><tr><td>Configuration – Vectra Match Ruleset</td><td align="center">Edit</td><td>Uploading, assigning, or deleting rulesets</td></tr><tr><td>Configuration – Vectra Match</td><td align="center">View</td><td>Viewing enablement state of a Sensor, stats, and status</td></tr><tr><td>Configuration – Vectra Match</td><td align="center">Edit</td><td>Enabling or disabling Match on a Sensor</td></tr><tr><td>Vectra Match Policy</td><td align="center">View</td><td>Viewing Match policy configuration</td></tr><tr><td>Vectra Match Policy</td><td align="center">Edit</td><td>Modifying Match policy configuration</td></tr></tbody></table>

The permissions and rights below are the defaults included in your deployment:

<table data-header-hidden><thead><tr><th width="344.2890625"></th><th width="78.6953125" align="center"></th><th width="306.0390625"></th></tr></thead><tbody><tr><td><strong>Predefined Roles</strong></td><td align="center"><strong>Rights</strong></td><td><strong>Permission</strong></td></tr><tr><td>admins, super_admins, restricted_admins, setting_admins, read_only</td><td align="center">View</td><td>Configuration – Vectra Match Ruleset<br>Configuration – Vectra Match<br>Vectra Match Policy</td></tr><tr><td>admins, super_admins, restricted_admins, setting_admins</td><td align="center">Edit</td><td>Configuration – Vectra Match Ruleset</td></tr><tr><td>admins, super_admins, restricted_admins, setting_admins</td><td align="center">Edit</td><td>Configuration – Vectra Match</td></tr><tr><td>admins, super_admins, restricted_admins, setting_admins, security_analysts</td><td align="center">Edit</td><td>Vectra Match Policy</td></tr></tbody></table>

{% hint style="info" %}
**Please Note:**

* Only `restricted_admins` and `setting_admins` can be assigned to an API client for use in RUX deployments.
* Customers who have created their own roles (QUX only) must make sure that the user performing the deployment has the permissions listed above.

{% endhint %}

#### Changes from prior versions

Due to navigation updates for the Vectra UI, some permissions were renamed:

* **Manage – Vectra Match Ruleset** became **Configuration – Vectra Match Ruleset**
* **Settings – Vectra Match** became **Configuration – Vectra Match**

The following default permission changes were introduced:

* **Restricted Admins** now have **Edit** rights for **Configuration – Vectra Match**
  * This did not previously include Edit.
* **Vectra Match Policy** is a newly added permission, with **Edit** rights granted by default to:
  * `admins`
  * `super_admins`
  * `restricted_admins`
  * `setting_admins`
  * `security_analysts`
* No other default role mappings were changed.

## Throughput (Performance)

Please see the [Match Performance and Ruleset Optimization Guidance](https://docs.vectra.ai/deployment/match/performance-and-rulset-optimization) article for additional details.

Below is some general guidance regarding throughput of Vectra Match:

* Physical Sensors generally perform the most consistently and process around 60% of the traffic they were capable of processing before enabling Match.
* Virtual Sensors (both deployed in traditional hypervisor environments and in IaaS clouds) process around 50% of the traffic they were capable of processing before enabling Match.
* In some cases, larger configurations of vSensors or additional physical Sensors may be required to fully support the throughput required to run Vectra Match in addition to Vectra NDR.
  * Please work with your Vectra account team to ensure your deployment is sized appropriately.
* If your virtual Sensor does not have the resources to run Match in addition to its normal duties producing metadata for your Vectra platform, it can be resized to a larger configuration that supports more throughput. Alternatively, you can redeploy the vSensor in a larger supported configuration. For details per supported platform, please see the guidance in the [Resizing Virtual Sensors and Brains](https://docs.vectra.ai/deployment/appliance-operations/resizing-virtual-appliances) KB article.

**Sensor throughput running Vectra NDR and throughput with Vectra Match also enabled:**

<table data-header-hidden><thead><tr><th width="368.08203125"></th><th width="84.3515625" align="center"></th><th width="123.41015625" align="center"></th><th width="173.02734375" align="center"></th></tr></thead><tbody><tr><td><strong>Appliance Model</strong></td><td align="center"><strong>Mode</strong></td><td align="center"><strong>Throughput</strong><br>Sensor Only</td><td align="center"><strong>Match Throughput</strong><br>Sensor and Match</td></tr><tr><td>S1</td><td align="center">Sensor</td><td align="center">1 Gbps</td><td align="center">400 Mbps</td></tr><tr><td>S2</td><td align="center">Sensor</td><td align="center">1 Gbps</td><td align="center">600 Mbps</td></tr><tr><td>S11</td><td align="center">Sensor</td><td align="center">2 Gbps</td><td align="center">1.2 Gbps</td></tr><tr><td>S101 (v1 and v2)</td><td align="center">Sensor</td><td align="center">50 Gbps</td><td align="center">33 Gbps</td></tr><tr><td>S127</td><td align="center">Sensor</td><td align="center">58 Gbps</td><td align="center">30 Gbps</td></tr><tr><td>X3</td><td align="center">Sensor</td><td align="center">9 Gbps</td><td align="center">3 Gbps</td></tr><tr><td>X3</td><td align="center">Mixed</td><td align="center">8 Gbps</td><td align="center">1 Gbps</td></tr><tr><td>X29 (v1 and v2)</td><td align="center">Sensor</td><td align="center">15 Gbps</td><td align="center">9 Gbps</td></tr><tr><td>X29 (v1 and v2)</td><td align="center">Mixed</td><td align="center">8 Gbps</td><td align="center">4.6 Gbps</td></tr><tr><td>X47</td><td align="center">Sensor</td><td align="center">20 Gbps</td><td align="center">13 Gbps</td></tr><tr><td>X47</td><td align="center">Mixed</td><td align="center">15 Gbps</td><td align="center">6 Gbps</td></tr><tr><td>X80</td><td align="center">Sensor</td><td align="center">20 Gbps</td><td align="center">11 Gbps</td></tr><tr><td>2 core vSensors (VMware, Hyper-V, KVM)</td><td align="center">Sensor</td><td align="center">500 Mbps</td><td align="center">250 Mbps</td></tr><tr><td>4 
core vSensors (VMware, Hyper-V, KVM)</td><td align="center">Sensor</td><td align="center">1 Gbps</td><td align="center">500 Mbps</td></tr><tr><td>8 core vSensors (VMware, Hyper-V, KVM)</td><td align="center">Sensor</td><td align="center">2 Gbps</td><td align="center">1 Gbps</td></tr><tr><td>16 core vSensors (VMware, Hyper-V, KVM)</td><td align="center">Sensor</td><td align="center">5 Gbps</td><td align="center">2.5 Gbps</td></tr><tr><td>32 core vSensor (VMware)</td><td align="center">Sensor</td><td align="center">20 Gbps</td><td align="center">10 Gbps</td></tr><tr><td>2 core vSensors (AWS, Azure, GCP)</td><td align="center">Sensor</td><td align="center">1 Gbps</td><td align="center">500 Mbps</td></tr><tr><td>4 core vSensors (AWS, Azure, GCP)</td><td align="center">Sensor</td><td align="center">2 Gbps</td><td align="center">1 Gbps</td></tr><tr><td>8 core vSensors (AWS)</td><td align="center">Sensor</td><td align="center">4 Gbps</td><td align="center">2 Gbps</td></tr><tr><td>16 core vSensors (AWS)</td><td align="center">Sensor</td><td align="center">8 Gbps</td><td align="center">4 Gbps</td></tr><tr><td>16 core vSensor (GCP)</td><td align="center">Sensor</td><td align="center">5 Gbps</td><td align="center">2.5 Gbps</td></tr><tr><td>32 core vSensor (GCP)</td><td align="center">Sensor</td><td align="center">10 Gbps</td><td align="center">5 Gbps</td></tr></tbody></table>

## Connectivity Requirements

Vectra Match runs in the same environment on the same physical or virtual systems on which you deployed Vectra NDR. All communications between the Sensors and Brain use existing channels that are also used for Vectra NDR.

The only additional firewall rules that Match might require are for a new destination that Matches will be forwarded to. See [Firewall requirements](https://docs.vectra.ai/deployment/getting-started/firewall-requirements) for full details on all potential rules that may be needed for your Vectra deployment.

For new destinations for Matches (see [Outputting Matches to Downstream Receivers](https://docs.vectra.ai/deployment/match/deployment/outputting-matches-to-downstream-receivers) for more detail):

* See the [Stream Deployment Guide](https://docs.vectra.ai/deployment/stream/deployment) for communications requirements when using Stream Match output.
* Syslog or Kafka output requires open communication to the downstream receiver using TCP or SSL on the port you choose.

## Unsupported Suricata Features

Match does not support editing of suricata.yaml, thresholds.conf, or classification.config. Vectra does not support: file extraction (file-store), Lua scripting, datasets, GeoIP functionality, logging metadata, rolling PCAP (pcap-log).
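
The following is an added example, not Vectra code or tooling: a pre-upload check that flags active rules in a ruleset file that use keywords tied to the unsupported features listed above. The keyword mapping (`filestore`, `lua`/`luajit`, `dataset`/`datarep`, `geoip`) and the one-rule-per-line input format are assumptions of this example.

```python
# Assumed mapping (this example's, not Vectra's) from rule keywords to unsupported features.
UNSUPPORTED = {
    "filestore": "file extraction (file-store)", "geoip": "GeoIP functionality",
    "lua": "Lua scripting", "luajit": "Lua scripting",
    "dataset": "datasets", "datarep": "datasets",
}

def options(rule):
    """Yield (keyword, value) pairs from a rule's option list, honouring quotes and escapes."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        return
    buf, in_quotes, escaped = [], False, False
    for ch in rule[start + 1:end] + ";":
        if escaped or ch == "\\":       # a backslash escapes exactly the next character
            escaped = not escaped
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            name, _, value = "".join(buf).partition(":")
            if name.strip():
                yield name.strip().lower(), value.strip()
            buf = []
            continue
        buf.append(ch)

def lint_ruleset(text):
    """Return (line_no, sid, feature) for every active rule using a listed keyword."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank line, comment, or disabled rule
            continue
        opts = list(options(line))
        sid = next((v for k, v in opts if k == "sid"), None)
        findings += [(no, sid, UNSUPPORTED[k]) for k, _ in opts if k in UNSUPPORTED]
    return findings

# Constructed sample ruleset (not taken from Vectra or any published ruleset).
SAMPLE = r'''
alert http any any -> any any (msg:"mentions geoip\; and lua"; content:"filestore"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"store exe"; fileext:"exe"; filestore; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"disabled"; geoip:src,XX; sid:1000003; rev:1;)
alert dns any any -> any any (msg:"bad domain set"; dns.query; dataset:isset,bad-domains; sid:1000004; rev:1;)
alert tcp any any -> any any (msg:"lua check"; lua:check.lua; sid:1000005; rev:1;)
'''

if __name__ == "__main__":
    print(*lint_ruleset(SAMPLE), sep="\n")
```

Keyword names that appear only inside quoted values (the first sample rule) and disabled rules are not reported.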
