AI-Assisted Search
Introduction
AI-Assisted Search lets analysts ask investigation and hunting questions in plain language and get instant, context-rich answers plus recommended next steps. There is no need for a deep understanding of Vectra's metadata or our query language. It uses Generative Pre-trained Transformer (GPT) technology similar to LLMs such as Claude or ChatGPT. It is a third option, in addition to SQL Search and Basic Search, for Investigate (metadata search and export) in RUX deployments.
Related Resources:
Basic Search functionality
Requirements
Your deployment must be a RUX deployment.
QUX deployments are not supported for AI-Assisted Search.
If you are unsure of your deployment type, please see Vectra Analyst User Experiences (Respond vs Quadrant).
You must be licensed for at least 14 days of metadata retention in your deployment.
Please contact your Vectra account team to upgrade to longer retention if required.
Existing customers who have previously accepted Vectra's EULA must opt-in to enable the feature.
To opt-in, the Vectra user must have the "Opt into new functionality" permission as part of their role.
By default this is part of the Admin or Super Admin roles.
Vectra is working on an updated EULA that covers data handling and privacy concerns that some customers may have with this feature.
When the updated EULA is available, if it has been accepted, then opt-in consent will not be required.
Please see the Data Handling / Privacy section below for more details.
Limitations
Repeated prompts may not always produce the exact same response.
AI-Assisted Search is powered by Generative Pre-trained Transformer (GPT) technology, similar to ChatGPT or Claude. This technology is probabilistic, not deterministic, meaning the same question may not always produce the same answer. The vaguer the question, the greater the variation in responses can be.
Context
AI-Assisted Search does not know Vectra detection details or your specific metadata.
It works only with the metadata descriptors available in your deployment from the configured data sources.
Replies will only contain suggestions on how to take the query further, reasoning for why the model replied in the way it did, and suggested SQL queries to perform against your metadata.
AI-Assisted Search is not intended to be a general purpose LLM for all Vectra related questions.
Data Source Support
Only enabled data sources will be selectable when creating a new AI-Assisted Search.
Please work with your Vectra account team to enable and license additional data sources.
Changing data sources will reset the current AI-Assisted Search session.
Session Timeout
Sessions will time out after 10 minutes with no interaction.
AI-Assisted Search maintains memory of interactions during a session so that continued prompting can refine responses.
"Reset Chat" will manually reset a session if you want to start over with the currently selected data source.
Use "New" at the top right of the Investigate screen to start a new search in a new data source.
Please see Using AI-Assisted Search for more details.
Data Handling / Privacy
AI-Assisted Search runs entirely within the Vectra AI Platform (RUX) using existing metadata (Network, Entra ID, M365, Azure, AWS).
It is supported in all active RUX regions (US, EU, Switzerland, Canada, Australia).
Cross Region Inferencing
Every effort is taken to ensure we can service our customers within their region, but due to architectural limitations, some cross region inferencing is required.
The Vectra AI Platform runs inside of AWS.
Vectra AI-Assisted Search utilizes Amazon Bedrock models that may require Cross Region Inferencing (CRI). This means your data may be processed in AWS regions that are different from where your request originates.
Background: AWS has strategically consolidated advanced AI models in select regions to optimize performance and enable faster innovation. This industry-wide trend affects all major cloud AI providers.
Vectra Data Processing Locations:
US customers: Data may cross regions but will be processed in US
EU customers: Data may cross regions but will be processed in EU
Canadian customers: Data may cross regions but will be processed in US
Swiss customers: Data crosses border and will be processed in EU
Australian customers: Data may cross borders/regions but will be processed in AP regions
Our Safeguards: We implement appropriate technical and legal safeguards and comply with applicable data protection laws. All cross-region transfers are encrypted and logged for compliance purposes.
What data is impacted by Cross Region Inferencing?
No customer metadata is sent across regions; only the conversation that users have with the AI model can be affected by cross region inferencing.
Searches against your metadata still happen in the Vectra region that your RUX deployment is in.
If PII movement is a concern, take care not to include any PII in prompts given to AI-Assisted Search.
For example, use an anonymized email address in the prompt, then edit the query that comes back to substitute the real email address before executing it against your actual metadata.
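As a worked illustration of the anonymize-then-substitute approach described above, the following Python script is an added example; it is not Vectra code, and the SQL it rehydrates is a constructed stand-in, because this page does not document Vectra's query schema. It replaces e-mail addresses and IPv4 addresses in a prompt with placeholders from the RFC 2606 and RFC 5737 documentation ranges, keeps the real values in a mapping that never leaves the analyst's workstation, and then puts the real values back into the query returned by AI-Assisted Search so that the search itself still runs against metadata in your own region. The function names, regexes and placeholder scheme are the example's own assumptions; usernames and hostnames are not matched and must still be reviewed by hand.

```python
import re

# Constructed regexes for the two PII types most often pasted into hunting
# prompts. Usernames and hostnames are NOT matched; review those by hand.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonymize_prompt(prompt):
    """Replace e-mail and IPv4 addresses in a prompt with stable placeholders.

    Returns (sanitized_prompt, mapping). Only sanitized_prompt is pasted into
    AI-Assisted Search; mapping (placeholder -> real value) stays local.
    Repeated occurrences of the same real value reuse the same placeholder so
    the model still sees that they are the same entity.
    """
    mapping = {}                      # placeholder -> real value
    seen = {}                         # real value -> placeholder
    counters = {"email": 0, "ip": 0}

    def sub(kind, match):
        real = match.group(0)
        if real in seen:
            return seen[real]
        counters[kind] += 1
        if kind == "email":
            placeholder = f"user{counters[kind]}@example.com"  # RFC 2606 domain
        else:
            placeholder = f"192.0.2.{counters[kind]}"          # RFC 5737 TEST-NET-1
        seen[real] = placeholder
        mapping[placeholder] = real
        return placeholder

    sanitized = EMAIL_RE.sub(lambda m: sub("email", m), prompt)
    sanitized = IPV4_RE.sub(lambda m: sub("ip", m), sanitized)
    return sanitized, mapping


def leaked_values(text, mapping):
    """Real values that still appear in text; should be empty for anything
    sent to the model. (Reports a false positive only if a real value happens
    to equal one of the placeholders.)"""
    return sorted(v for v in mapping.values() if v in text)


def rehydrate_query(returned_sql, mapping):
    """Put the real values back into the SQL AI-Assisted Search returned.

    One single-pass substitution, longest placeholder first, so 192.0.2.1 is
    never matched inside 192.0.2.10 and no replacement is re-replaced. Single
    quotes in real values are doubled so they cannot terminate the SQL string
    literal the model wrapped the placeholder in.
    """
    if not mapping:
        return returned_sql
    ordered = sorted(mapping, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(p) for p in ordered))
    return pattern.sub(lambda m: mapping[m.group(0)].replace("'", "''"), returned_sql)


if __name__ == "__main__":
    # Constructed analyst prompt containing realistic-looking PII.
    prompt = ("Show failed logins for jdoe@corp.example from 10.20.30.40, "
              "then a success from 10.20.30.40, and RDP from 10.20.30.40 to 10.20.30.41")
    safe, mapping = pseudonymize_prompt(prompt)
    print("Send to AI-Assisted Search:", safe)
    assert not leaked_values(safe, mapping)
    # Constructed stand-in for a returned query; Vectra's real schema and
    # SQL dialect are not shown on this page.
    returned = ("SELECT * FROM auth WHERE user = 'user1@example.com' "
                "AND src_ip IN ('192.0.2.1', '192.0.2.2')")
    print("Run locally:", rehydrate_query(returned, mapping))
```

The mapping is the only thing that links placeholders to real identities, so it should be treated like the PII itself: keep it in memory or in a file on the analyst's workstation, never in the chat session.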
Model learning
AI-Assisted Search does not learn based on information given to it in prompts.
Only your active session retains context to allow further prompts to continue to refine responses.
Sessions can be reset manually at any time, and time out automatically after 10 minutes of inactivity.
Anonymized prompt data may be used by Vectra engineering in specific situations:
- Troubleshooting problems with specific types of queries.
- Refining SQL output to fix structure problems.
Logs are stored for 30 days.
Enabling
Existing Vectra Customers:
Existing Vectra customers must opt in to the feature because the original EULA did not cover AI-Assisted Search functionality. To enable it:
1. Confirm that the user performing the opt-in has the "Opt into new functionality" permission as part of their role. By default this is part of the Admin or Super Admin roles; roles can be edited to change which roles have this permission if required.
2. Navigate to Investigate > AI Assisted Search.
3. Read the details under "New Feature Available" and, when ready, click "Agree and Continue".

New Vectra Customers:
Per the Requirements section, Vectra is working on a new EULA that will cover AI-Assisted Search functionality. When this new EULA is available, AI-Assisted Search will be available by default and will not require a separate opt-in step for new deployments. If you onboard prior to the new EULA being available, the opt-in step will be required.
Using AI-Assisted Search
AI-Assisted Search is meant to be largely self-explanatory and is used in the same way as other GPT-type models. There are a few tips to keep in mind:
To access AI-Assisted Search, navigate to Investigate > AI Assisted Search.
To change data sources, click on "New" to start a new investigation.
To reset the current session, click "Reset Chat".
This will start a new chat session with the current data source.
Queries can be modified with the pencil icon and then saved and later opened using the buttons on the top right.
Editing a returned query from AI-Assisted Search automatically moves you into SQL Search where the query can be saved.
Many languages are supported for queries, feel free to try your desired language.
If there are specific needs that are not being met regarding language support, please raise this through your account team for future consideration by Vectra product and engineering teams.
With GPT models like AI-Assisted Search, responses can drift from what you are asking for if the session memory holds too much earlier context.
For the highest quality results, reset the session history once the conversation contains more than a dozen interactions on a single request.
Be careful with PII in prompts.
If you include PII in prompts, that PII may cross regions or borders depending on your deployment.
See the Data Handling / Privacy section for more details.
Sample Prompts
Below are examples of how you can use AI-Assisted Search to turn questions into insights in no time.
Investigate Hybrid Threats
Modern attacks rarely stay in one domain. AI-Assisted Search helps analysts trace activity across network, identity, and cloud - from the first sign of compromise to lateral movement.
Try asking:
“Show me RDP or NTLM authentications between my domain controllers and untrusted hosts.”
“Which cloud identities accessed on-prem servers this week?”
“List all systems communicating with external IPs over uncommon ports.”
“Identify users with repeated authentication failures followed by successful logins.”
AI-Assisted Search correlates this activity automatically, surfacing suspicious behaviors that may indicate hybrid or multi-stage attacks - giving teams the full picture faster.
Validate Exposure to CVEs and New Threats
When a new vulnerability is published, the first question every analyst asks is, are we impacted?
With AI-Assisted Search, you can validate potential exposure instantly - without waiting for new signatures or building queries manually.
Try asking:
“Check if any hosts connected to domains linked to the latest Cisco CVE.”
“Show me devices running outdated versions of OpenSSL.”
“Find systems using SMBv1 or weak ciphers.”
“List all external connections made to suspicious IP ranges last week.”
AI-Assisted Search helps teams confirm exposure in minutes - saving time and providing immediate peace of mind during patch cycles or threat disclosures.
Hunt for Known Threat Actors
Threat groups like Scattered Spider, Volt Typhoon, or Qilin are constantly evolving. Their indicators change, but their behaviors don’t. AI-Assisted Search lets analysts quickly look for tactics, techniques, or infrastructure tied to specific actors - using the rich metadata already in the platform.
Try asking:
“Help me hunt for Scattered Spider activity in my network.”
“Show me any use of PowerShell with encoded commands.”
“Find lateral movement attempts using SMB shares or RDP.”
“List hosts communicating with domains containing .top or .ru.”
With built-in recommendations, you can pivot from one behavior to another seamlessly — following the trail like a seasoned threat hunter.
Ensure Compliance and Strengthen Governance
Beyond threat detection, AI-Assisted Search uncovers policy violations and compliance risks before they become audit findings.
Teams can verify proper data handling, access control, and configuration hygiene - all through simple questions.
Try asking:
“Show me any unsecured file shares containing sensitive data.”
“Find hosts using outdated browsers or unpatched systems.”
“Who accessed HR files outside business hours?”
“List all users with admin privileges on non-admin systems.”
The ability to quickly confirm compliance posture helps organizations close gaps, reduce audit findings, and maintain stronger governance.
Understand Your Modern Network Better
Visibility is clarity. From uncovering shadow IT to tracking data flows, the feature helps analysts gain deeper institutional knowledge of how their hybrid environment behaves.
Try asking:
“Which devices are consuming the most network bandwidth?”
“Are there any unmanaged hosts communicating with my domain controllers?”
“Show me new cloud identities created in the past 24 hours.”
These insights help teams baseline normal activity, detect anomalies early, and build confidence in their visibility.