Introduction and requirements
Prerequisites and high-level workflow for deploying an Azure Brain, including required permissions and Azure resources.
Introduction
This document outlines the steps to deploy a Vectra Brain in a customer’s Azure subscription. The Brain is deployed using the Azure CLI with a template provided by Vectra. The template references a Brain image that is made available to individual Azure logins via a shared image gallery.
Azure Brains can be used in both Respond UX and Quadrant UX deployments. For more detail on Respond UX vs Quadrant UX please see Vectra Analyst User Experiences (Respond vs Quadrant). One of the below guides should be the starting point for your overall Vectra deployment:
Deployment Process Overview
The steps involved in deploying the Brain include:
Preparing for deployment
Please ensure you meet all of the following:
The Brain is deployed using the Azure CLI with a template provided by Vectra.
Vectra has an integration with Azure that queries the API offered by the Azure Resource Manager to gather additional information about hosts running in Azure. This information contributes to Vectra’s automated Host identification (Host ID) and adds information to the Host entity details screen.
Sensor appliances must be paired with your Brain for NDR functionality. Sensors capture network traffic and distill a metadata stream that is analyzed by your Brain appliance.
Vectra Requirements
Vectra will provide the following information:
Image share acceptance link – click this link to accept the Azure image share.
An image share must be accepted so that you can reach the Vectra Brain image for later deployment into your Azure subscription.
When Vectra shares the image with you, your Azure login will be sent an invite from Microsoft that contains a link you can use to accept the share.
Alternatively, if your Azure login is not email enabled, Vectra provides an image acceptance link that can be sent to any alternate corporate email address.
See Accepting the Organization Invite from Vectra for more detail.
Template URI – publicly accessible location housing the current Generally Available (GA) template to be used for deployment.
Brain Image – Azure resource identifier for the shared image.
Provisioning Token – allows the Brain to register with Vectra.
Please note that provisioning tokens expire after 7 days. Vectra can provide new ones if you don’t have a chance to deploy before the initial one expires.
Azure Requirements
A user with sufficient permissions in Azure who is available to deploy using the template.
Details on permissions required will be explained below in the Azure Permissions Required section.
Images are shared to an individual Azure login, not to the company, subscription, organization, etc.
Please Note:
Only work or school account types are supported; personal Microsoft accounts are not allowed.
Vectra does not support accounts that are managed by other accounts.
Access to the Azure CLI is required to deploy an image that resides in another subscription.
Installing Azure CLI instructions: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli.
Please Note:
Deployment via the Azure portal is not supported by Microsoft. Notably, the Azure Cloud Shell will also give an error if attempting the installation using it. The Azure CLI MUST be used.
The linked article above includes the following statement from Microsoft:
"You cannot use the portal to deploy a VM from an image in another azure tenant. To create a VM from an image shared between tenants, you must use the Azure CLI or Powershell."
You will need an Azure resource group, virtual network, subnet, and SSH key pair that can be used, or new ones will need to be created.
See Creating Azure Resources for more detail.
Your security group in Azure will need to meet all firewall requirements for Brain communication.
Azure Permissions Required
The user who will deploy using the Azure CLI should have permissions in their assigned role that allows deployment via ARM template to the resource group they will deploy into. The Owner or Contributor roles should suffice. Specific permissions required are:
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/delete
Microsoft.Resources/deployments/cancel/action
Microsoft.Resources/deployments/validate/action
Microsoft.Resources/deployments/whatIf/action
Microsoft.Resources/deployments/exportTemplate/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Resources/deploymentScripts/read
Microsoft.Resources/deploymentScripts/write
Microsoft.Resources/deploymentScripts/delete
Microsoft.Resources/deploymentScripts/logs/read
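When a custom role is used instead of Owner or Contributor, the role definition can be checked against the list above before attempting deployment. The following is an added example, not Vectra's or Microsoft's code: the function names are hypothetical, and the sample roles are constructed to resemble the entries returned by az role definition list -o json (an actions list minus a notActions list, with * as wildcard).

```python
import re

# Permissions this page lists as required for the deploying user.
REQUIRED = ["Microsoft.Resources/" + s for s in (
    "deployments/read", "deployments/write", "deployments/delete",
    "deployments/cancel/action", "deployments/validate/action",
    "deployments/whatIf/action", "deployments/exportTemplate/action",
    "deployments/operations/read", "deployments/operationstatuses/read",
    "deploymentScripts/read", "deploymentScripts/write",
    "deploymentScripts/delete", "deploymentScripts/logs/read",
)]

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; "*" is the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def missing_permissions(role):
    """Return the required actions that this role definition does not grant."""
    missing = []
    for action in REQUIRED:
        granted = False
        for block in role.get("permissions", []):
            allowed = any(_matches(p, action) for p in block.get("actions", []))
            excluded = any(_matches(p, action) for p in block.get("notActions", []))
            granted = granted or (allowed and not excluded)
        if not granted:
            missing.append(action)
    return missing

# Constructed samples shaped like `az role definition list -o json` entries.
CONTRIBUTOR_LIKE = {"roleName": "Contributor (sample)", "permissions": [{
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write"]}]}
READER_LIKE = {"roleName": "Reader (sample)", "permissions": [{
    "actions": ["*/read"], "notActions": []}]}

if __name__ == "__main__":
    for role in (CONTRIBUTOR_LIKE, READER_LIKE):
        print(role["roleName"], "missing:", missing_permissions(role))
```

The check covers only the actions listed in this section; it evaluates a single role definition and does not account for scope or for permissions granted by other role assignments.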
Accepting the Organization Invite from Vectra
If your Azure login is enabled for email, you will receive an email from Microsoft Invitations on behalf of Vectra AI <[email protected]> saying that you have been invited to access applications. Alternatively, if your Azure login is not enabled for email, Vectra provides an acceptance link that can be sent to your corporate email address.
Please click the Accept Invitation link and then authenticate to Microsoft. It should look similar to the below sample:

You will need to authenticate with Microsoft using your Azure login credentials (not your email credentials) as part of the acceptance process.
This will require you to set up MFA for the Vectra tenant.
You can use any authenticator app you like (Microsoft is suggested).
Once accepted you should have access to the Brain image, but you will likely need to log in again at your Azure CLI before deploying.
Log in to Azure a second time using the following command:
az login --tenant a6cc66bc-f419-45c2-a9c2-8ff4ab685f2d
This will force Azure to use the MFA that you just set up. You can then run
az account list
at the Azure CLI and should be able to see Vectra’s tenantID (in the lower section of JSON below).
Deployment will not succeed without seeing Vectra’s tenantID available via your login.

Please Note:
One of the subscriptions you can see when executing az account list will be designated as your default subscription (the top green arrow shows this in the above screenshot). If this is not the subscription that you intend to deploy into, you will need to use the --subscription option to specify the subscription that you wish to deploy into when executing the deployment command later.
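The two checks described above (Vectra's tenantID is visible, and the default subscription is the one you intend to deploy into) can be run against saved az account list -o json output. This is an added example, not part of Vectra's procedure: the function name, the subscription names and the all-zero and all-one IDs are constructed placeholders, and only the Vectra tenant ID comes from this page.

```python
import json

VECTRA_TENANT_ID = "a6cc66bc-f419-45c2-a9c2-8ff4ab685f2d"  # tenant ID given on this page

def preflight(accounts_json, target):
    """Check `az account list -o json` output before deploying.

    target is the name or ID of the subscription to deploy into.
    Returns (problems, extra_args); extra_args is what to append to the
    deployment command when the target is not the default subscription.
    """
    accounts = json.loads(accounts_json)
    problems, extra_args = [], []
    if not any(a.get("tenantId", "").lower() == VECTRA_TENANT_ID for a in accounts):
        problems.append("Vectra tenant not visible: run az login --tenant again")
    match = [a for a in accounts if target in (a.get("id"), a.get("name"))]
    if not match:
        problems.append(f"subscription {target!r} not visible to this login")
    else:
        sub = match[0]
        if sub.get("state") != "Enabled":
            problems.append(f"subscription {target!r} is {sub.get('state')}")
        if not sub.get("isDefault"):
            extra_args = ["--subscription", sub["id"]]
    return problems, extra_args

# Constructed sample output; IDs are placeholders, not real subscriptions.
SAMPLE = json.dumps([
    {"id": "00000000-0000-0000-0000-000000000001", "name": "corp-shared",
     "isDefault": True, "state": "Enabled",
     "tenantId": "11111111-1111-1111-1111-111111111111"},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "corp-security",
     "isDefault": False, "state": "Enabled",
     "tenantId": "11111111-1111-1111-1111-111111111111"},
    {"id": VECTRA_TENANT_ID, "name": "N/A(tenant level account)",
     "isDefault": False, "state": "Enabled", "tenantId": VECTRA_TENANT_ID},
])

if __name__ == "__main__":
    print(preflight(SAMPLE, "corp-security"))
```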
Creating Azure Resources
Creating a Resource Group
A resource group is a container that holds related resources for an Azure solution. Please see the following Microsoft docs for information regarding creating resource groups using the Azure CLI or the Azure portal:
Save the name of the resource group for later use in the deployment.
Creating a Virtual Network (VNET) and Subnet
Please see the following Microsoft docs for information regarding creating a VNET and Subnet using the Azure CLI or the Azure portal:
After creating the VNET and Subnet, copy the subnet ID for later use during deployment from the JSON representation of the VNET using either the Azure portal or the CLI. To view this subnet ID in the Azure portal, navigate to your VNET and click on the JSON View:

Copy the entire subnet ID that is inside the quotation marks. The entire ID is not visible in the screenshot, but as an example it would begin with /subscriptions/ and continue until the last character before the closing quotation mark.

The subnet ID can also be retrieved from the Azure CLI by using the following command:
az network vnet list -g Resource_Group
An example is shown below:

Creating an SSH Key Pair
An RSA SSH key pair will need to be created for the Brain to allow an administrator to log in to the CLI as the vectra user. See SSH login process for CLI for more details. The key pair can be generated using any standard tool. Azure has some options documented:
The public key will need to be copied for later use during deployment so that it can be assigned to the Brain. After the Brain is deployed and registered with Vectra, you can log in to the Brain CLI via SSH:
You may need to make the key readable to you using a command such as:
chmod 400 vectra.pem
Example login command:
ssh -i <private key path> vectra@BrainHostnameOrIP