Vectra AI Platform Investigate FAQ

Note: In addition to this KB article, see the Vectra AI Platform Advanced Investigation QuickStart Guide for further details and query examples for Advanced Investigation. That KB article also describes how to launch Advanced Investigation from Instant Investigation.

FAQ

1. What is Vectra AI Platform Investigation?

Investigation is a key function of the Vectra AI Platform that lets SOC analysts hunt for and investigate malicious activity across different attack surfaces (Azure AD, M365, AWS, Network). It is available in Vectra's Respond UX (RUX) and consists of Instant Investigation and Advanced Investigation (the Investigate option in the UI's left menu).

2. Do I need a separate license to deploy Investigations?

No, Investigation is part of the Vectra AI Platform offering. A license for CDR for AWS, CDR for M365, IDR for Azure AD or NDR includes access to Investigation for those data sources.

3. Is there a limit in the number of results that will be rendered in the investigations?

Yes. The UI renders at most 10000 results for a query.

4. Is there a limit in the number of results that will be downloaded in the .csv file in the Advanced Investigation UI?

The Advanced Investigation download feature writes the results rendered in the UI to a .csv file. If a search hit the 10000-result limit, only those 10000 results are downloaded, not the full result set.

5. What is the retention period?

The retention period is the maximum number of days for which a customer's data is kept in the Vectra AI Platform.

The retention period is 3 days by default, but it can be extended to 14 or 30 days when purchasing an extended retention period.

6. What is the search window?

The search window is the period for which a user has access to the metadata.

The search window for network metadata is 3 days by default; when an extended retention period is purchased, the search window is extended to match it.

7. Where can I find more information about purchasing extended retention periods for the metadata?

To find out more about purchasing extended retention period for the metadata, please get in touch with your Vectra Account team.

8. What ways are there to begin and drill into an investigation?

For details on how to drill into an investigation you can see examples in the Vectra AI Platform Advanced Investigation QuickStart Guide.

9. Do you have examples of searching across different M365 and Azure AD data streams? How can it be done?

Some examples can be found in the Vectra AI Platform Advanced Investigation QuickStart Guide.

10. How do I filter my network metadata using a sensor?

To filter by or exclude a sensor ID from your results, you can use the field “sensor_uid” as shown below:

11. How do the filters for CIDR notation work?

To use CIDR notation you can add a filter for any IP address field and specify the filter “in (CIDR notation)” as shown below:

12. Where can I see the network metadata available in Advanced Investigation?

You can see the metadata fields and a description for each in Vectra AI Platform Network Metadata.

13. What is a Vectra enriched field?

Enriched metadata fields are fields that Vectra adds on top of the raw metadata of a network or security event. They carry additional information or attributes that give more context and insight into the event and make the data easier to understand.

Typically, enriched metadata fields are derived from advanced analysis techniques, machine learning algorithms, or other data enrichment processes.

14. Where can I see the AWS metadata available in Investigation?

You can find the descriptions of the AWS metadata fields available in Vectra AI Platform AWS CloudTrail metadata.

15. Are there Vectra enriched fields for AWS metadata?

Yes, the Vectra enriched metadata field in AWS is called Vectra.entity.Resolved_Identity.Canonical_Name.

In AWS, a user or service often performs actions using an assumed role. In the metadata, this is reflected by a value in the assumedRole field.

Vectra automatically attributes each CloudTrail event to the original entity that initiated the action, rather than to the intermediate or temporary access key or role, and renders that identity in Vectra.entity.Resolved_Identity.Canonical_Name. This gives an investigator the "who actually did this" view without manually following AssumeRole chains.
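To make the attribution idea concrete, the following is an added Python example, not Vectra's implementation and not code from this KB article. It walks a chronological list of CloudTrail records, remembers which principal obtained each temporary access key from an AssumeRole call, and stamps every later event that uses that key with the originating principal (role chaining resolves transitively). The CloudTrail field names are the standard record format; the output key resolved_identity and all sample events are constructed for the example.

```python
"""Resolve CloudTrail events made with temporary credentials back to the
principal that originally called AssumeRole.

Added illustration of the idea behind a resolved-identity field. It is not
Vectra's implementation; the output key 'resolved_identity' and the sample
events below are constructed for this example.
"""
from typing import Dict, List


def _canonical_name(identity: dict, key_owner: Dict[str, str]) -> str:
    """Best canonical name for the principal in a CloudTrail userIdentity block."""
    if identity.get("type") == "AssumedRole":
        # Temporary key handed out by an AssumeRole call we already processed:
        # follow it back to whoever made that call.
        owner = key_owner.get(identity.get("accessKeyId", ""))
        if owner:
            return owner
        # No originating AssumeRole in our window (instance profile, SSO, or
        # the call happened before the window started): keep the session ARN.
        return identity.get("arn", "unknown")
    # IAMUser, Root, FederatedUser, AWSService, ...: the ARN is the identity.
    return identity.get("arn") or identity.get("principalId", "unknown")


def resolve_identities(events: List[dict]) -> List[dict]:
    """Return a copy of each event with a 'resolved_identity' field added.

    Events must be in chronological order: an AssumeRole call has to be seen
    before the events that use the credentials it returned. Role chaining
    (AssumeRole called from an already assumed role) resolves transitively,
    because the caller of the second AssumeRole is itself resolved first.
    """
    key_owner: Dict[str, str] = {}  # temporary accessKeyId -> canonical name
    resolved = []
    for event in events:
        caller = _canonical_name(event.get("userIdentity", {}), key_owner)
        if (event.get("eventSource") == "sts.amazonaws.com"
                and event.get("eventName") == "AssumeRole"):
            # CloudTrail logs the new temporary key id (never the secret).
            creds = (event.get("responseElements") or {}).get("credentials", {})
            new_key = creds.get("accessKeyId")
            if new_key:
                key_owner[new_key] = caller
        resolved.append({**event, "resolved_identity": caller})
    return resolved


# Constructed sample: alice assumes Admin, chains into ProdAdmin in another
# account, then deletes a bucket; an EC2 instance-profile session appears too.
ALICE = "arn:aws:iam::111111111111:user/alice"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": ALICE,
                      "accessKeyId": "AKIAEXAMPLE0001"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Admin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE1111"}}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/alice",
                      "accessKeyId": "ASIAEXAMPLE1111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/ProdAdmin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE2222"}}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/ProdAdmin/alice",
                      "accessKeyId": "ASIAEXAMPLE2222"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/WebRole/i-0abc123",
                      "accessKeyId": "ASIAEXAMPLE9999"}},
]

if __name__ == "__main__":
    for ev in resolve_identities(SAMPLE_EVENTS):
        print(f'{ev["eventName"]:<18} {ev["userIdentity"]["arn"]:<62} -> {ev["resolved_identity"]}')
```

Running the block attributes the DeleteBucket in account 222222222222 to alice, two hops away from the credentials that performed it, while the instance-profile session stays attributed to its role ARN because no AssumeRole for that key was observed. The same limitation applies to any resolver of this kind: attribution only works when the AssumeRole call falls inside the data you have, so for cross-account chains the trails of every account involved have to be merged and ordered before resolving.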

16. Where can I see the Azure AD (AAD) and M365 metadata available in Investigation?

You can find the Azure AD and M365 metadata fields in Vectra AI Platform Azure AD and M365 Metadata.

17. Which Microsoft license do I need to collect all the metadata needed for AAD and M365 Instant Investigation?

Microsoft requires an Azure AD Premium P1 (or P2) license for access to the Azure AD Sign-in and Directory Audit logs. No other log types are gated by Microsoft licensing.

18. Why do I get an error message in Instant Investigation for Azure AD and M365 that says I may not have the required Microsoft license?

Microsoft requires an Azure AD Premium P1 (or P2) license for access to the Azure AD Sign-in and Directory Audit logs. Without that license in your deployment, Instant Investigation cannot return results for the Sign-ins and Directory Audit data streams and shows this error instead.

19. Are there Vectra enriched fields for AAD and M365 metadata?

The enriched field in Azure AD & M365 data streams is VECTRA.IDENTITY_PRICIPAL, and it’s the field that identifies the user performing the action.

20. Why don't I see the Instant Investigation tab in my tenant's UI?

We currently have a limitation in the software by which the Instant Investigation tab is not available if you have more than one connector configured for CDR for AWS, IDR for Azure AD or CDR for M365. For Network metadata, you should always see the Instant Investigation tab.

21. What search period is selected by default after I click the Instant Investigation tab?

When accessing the Instant Investigation tab for a host or an account, the default time selected is 6 hours prior to the last active detection.

If the last active detection falls outside the retention period, the default search will instead be set to 6 hours before the moment the Instant Investigation page is accessed ('now').

22. How is Instant Investigation different from the Chaos Dashboard? When should I use one vs the other?

The Chaos Dashboard is best suited to the period when your organization is being onboarded onto the Vectra AI Platform. After a connector has been created and data starts flowing, no data is exposed in the Vectra UI until a detection fires, which can take several days depending on how much activity there is in the deployment.

Once detections are being prioritized by the platform, Instant Investigation can help you investigate with an “in-workflow” approach, as the metadata will be filtered to reflect the specific event you’re investigating.

For more details on how to do this please see the examples in the Vectra AI Platform Advanced Investigation QuickStart Guide.
