v9.4 Release Notes (QUX)

Vectra AI Platform – 9.4 Release Notes

The Vectra® X-series appliances, B-series appliances, S-series sensors, VM and Cloud Brains, and VM and Cloud Sensors are scheduled to be updated to Vectra Network software release version 9.4. The 9.4 release includes new JA4+ Fingerprints, External App Alerts, Identity Detection Model: Azure AD Scripting Engine Usage, Detection UI Enhancements in Entra ID & M365, and Azure Cloud Detection Model Enhancement: Azure Diagnostic Logging Disabled.

9.4 will have the following release schedule:

  • Customers with Remote Support Enabled: Customers who have remote support enabled will receive the update starting today.

    • You can check if you have remote support enabled under Settings > General with Remote Support set to Enabled.

    • If you plan to enable or disable Remote Support in the near future, please reach out to Support to confirm if you will receive or skip the upgrade.

  • Customers Connected to Updater: Assuming a smooth rollout, customers who do not have remote support enabled but are connected to Updater will receive updates on or after September 4th, 2025.

    • You can check if you are connected to Updater under Data Source > Brain-Setup > Proxy & Status and see that Updater Destination shows as connected, while Remote Support shows disabled.

  • All Other Customers*: Assuming a smooth rollout, all customers will be able to download the update on or after September 4th, 2025.

    • *Note: This does not impact customers that have requested they be pinned to a specific release from support.

Platform

JA4+ Fingerprints

Vectra AI now includes JA4L, JA4X, and JA4H fingerprints in metadata, bringing the JA4+ fingerprinting suite to traffic analysis: JA4L estimates client and server latency from handshake timing, JA4X fingerprints X.509 certificates, and JA4H fingerprints HTTP client requests. The framework reduces collisions compared with single-hash fingerprints, links related sessions, and makes it easier to spot attacker infrastructure hiding behind common protocols. Analysts get clearer, faster insights with less noise and better context across detections. JA4+ is supported in Investigate (RUX), Stream, and Recall. Read more about the new attributes here.
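To show what one of these fingerprints actually encodes, here is an added, stand-alone JA4H calculator. It is illustrative code written for these notes, not Vectra's parser and not the JA4+ reference implementation; it follows the public JA4H layout (JA4H_a = method, HTTP version, cookie and referer flags, header count, Accept-Language; JA4H_b = truncated SHA-256 of header names in wire order, excluding Cookie and Referer; JA4H_c/JA4H_d = truncated SHA-256 of sorted cookie names and sorted name=value pairs), with header-name case handling treated as an assumption. The request is constructed for the example.

```python
import hashlib

ZERO12 = "0" * 12  # JA4+ convention for "no cookies"


def _h12(s: str) -> str:
    """Truncated SHA-256 (first 12 hex chars), as used across JA4+."""
    return hashlib.sha256(s.encode()).hexdigest()[:12]


def ja4h_parts(method: str, version: str, headers: list[tuple[str, str]]) -> dict:
    """Return the four JA4H segments for one request.

    headers: (name, value) pairs in wire order. Header names are hashed with
    the case they arrive in (assumption; normalize if your source lowercases).
    """
    header_names = []
    cookie_value = None
    has_referer = False
    lang = "0000"  # four zeros when no Accept-Language is present
    for name, value in headers:
        key = name.lower()
        if key == "cookie":
            cookie_value = value
            continue
        if key == "referer":
            has_referer = True
            continue
        header_names.append(name)
        if key == "accept-language":
            # primary language only, hyphen removed, lowercased, zero-padded to 4
            primary = value.split(",")[0].split(";")[0].strip().lower().replace("-", "")
            lang = (primary + "0000")[:4]

    # "HTTP/1.1" -> "11", "HTTP/2" -> "20", "HTTP/1.0" -> "10"
    ver = (version.upper().removeprefix("HTTP/").replace(".", "") + "0")[:2]
    ja4h_a = "{}{}{}{}{:02d}{}".format(
        method[:2].lower(),
        ver,
        "c" if cookie_value is not None else "n",
        "r" if has_referer else "n",
        min(len(header_names), 99),
        lang,
    )
    ja4h_b = _h12(",".join(header_names))

    if cookie_value:
        pairs = [c.strip() for c in cookie_value.split(";") if c.strip()]
        ja4h_c = _h12(",".join(sorted(p.split("=", 1)[0] for p in pairs)))
        ja4h_d = _h12(",".join(sorted(pairs)))
    else:
        ja4h_c = ja4h_d = ZERO12
    return {"a": ja4h_a, "b": ja4h_b, "c": ja4h_c, "d": ja4h_d}


def ja4h(method: str, version: str, headers: list[tuple[str, str]]) -> str:
    p = ja4h_parts(method, version, headers)
    return "_".join((p["a"], p["b"], p["c"], p["d"]))


# Constructed sample request (not captured traffic).
SAMPLE_METHOD = "GET"
SAMPLE_VERSION = "HTTP/1.1"
SAMPLE_HEADERS = [
    ("Host", "portal.example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("Accept", "text/html,*/*"),
    ("Accept-Language", "en-US,en;q=0.9"),
    ("Accept-Encoding", "gzip, deflate, br"),
    ("Referer", "https://portal.example.com/login"),
    ("Cookie", "theme=dark; session=abc123"),
    ("Connection", "keep-alive"),
]

if __name__ == "__main__":
    print(ja4h(SAMPLE_METHOD, SAMPLE_VERSION, SAMPLE_HEADERS))
```

The sample yields a JA4H_a of `ge11cr06enus`: six headers counted because Cookie and Referer are flagged rather than hashed. Reordering the remaining headers changes JA4H_b but not the other segments, while reordering cookies changes nothing, which is why the _c and _d segments are useful for linking sessions from the same tool even when the cookie jar is shuffled.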

External App Alerts (Webhook Notifications)

With External App Alerts, Vectra AI delivers notifications to your team's collaboration tools when critical security events occur, such as a host or account reaching high priority and key system alerts, so analysts do not have to watch the console to react. Available now with direct Microsoft Teams integration; Slack support is coming soon. See External App Alerts for implementation details.

Detections

Azure AD Scripting Engine Usage

This detection now covers a broader set of behaviors and user agents. Updates to the parsing layer extract user agents from logs more accurately, increasing fidelity and reducing false positives.

UI Improvements to Entra ID and M365 Detections 

Enhancements have been introduced across several detections to provide additional context and streamline investigative workflows:

  • Azure AD Privilege Operation Anomaly: Now includes user agent details when available.

  • Azure AD Suspicious Factor Registration: Updated to include the result_reason field from logs.

  • Azure AD Suspicious Sign In: Updated to display device status for improved context.

  • M365 Spearphishing: Updated to display filenames, enabling faster triage.

Azure Cloud Detection Model Enhancement

The Azure Diagnostic Logging Disabled detection now also covers deletion of logging extensions from both Windows and Linux VMs, in addition to the diagnostic-setting changes it already covered. This provides broader visibility into activity that may indicate an attempt to disable security monitoring before or during an attack.
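The added example below shows what this class of event looks like in Azure Activity Log data and one way to pick it out. It is illustrative code written for these notes, not Vectra's detection logic; it assumes the JSON event shape of Activity Log exports (operationName.value, status.value, resourceId, caller), uses the real Azure operation names for extension and diagnostic-setting deletion, and treats the list of extension names worth alerting on as an assumption. The events are constructed, not real telemetry.

```python
# Azure VM extension type names that ship guest logs/metrics; deleting one
# removes that VM's monitoring. Which names matter is an assumption.
LOGGING_EXTENSIONS = {
    "IaaSDiagnostics",           # Azure Diagnostics (Windows)
    "LinuxDiagnostic",           # Azure Diagnostics (Linux)
    "AzureMonitorWindowsAgent",  # Azure Monitor Agent (Windows)
    "AzureMonitorLinuxAgent",    # Azure Monitor Agent (Linux)
    "MicrosoftMonitoringAgent",  # legacy Log Analytics agent (Windows)
    "OmsAgentForLinux",          # legacy Log Analytics agent (Linux)
}
EXT_DELETE = "microsoft.compute/virtualmachines/extensions/delete"
DIAG_DELETE = "microsoft.insights/diagnosticsettings/delete"


def logging_disabled_events(events: list[dict]) -> list[dict]:
    """Return one alert per completed deletion of a logging extension or diagnostic setting."""
    alerts = []
    for ev in events:
        # Azure emits Started/Succeeded/Failed records; only a Succeeded delete removed anything.
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        op = ev.get("operationName", {}).get("value", "").lower()
        rid = ev.get("resourceId", "")
        parts = rid.split("/")
        if op == EXT_DELETE:
            # .../virtualMachines/<vm>/extensions/<extension>
            ext = parts[-1]
            if ext not in LOGGING_EXTENSIONS:
                continue  # e.g. CustomScriptExtension removal is not a logging change
            alerts.append({
                "kind": "vm-extension-deleted",
                "target": parts[-3] if len(parts) >= 3 else rid,
                "extension": ext,
                "caller": ev.get("caller"),
                "time": ev.get("eventTimestamp"),
            })
        elif op == DIAG_DELETE:
            # .../<monitored resource>/providers/microsoft.insights/diagnosticSettings/<name>
            idx = rid.lower().rfind("/providers/microsoft.insights/diagnosticsettings")
            alerts.append({
                "kind": "diagnostic-setting-deleted",
                "target": rid[:idx] if idx > 0 else rid,
                "setting": parts[-1],
                "caller": ev.get("caller"),
                "time": ev.get("eventTimestamp"),
            })
    return alerts


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"

# Constructed Activity Log records (not real telemetry).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2025-09-01T10:00:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/Microsoft.Compute/virtualMachines/web-01/extensions/IaaSDiagnostics"},
    {"eventTimestamp": "2025-09-01T10:01:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/delete"},
     "status": {"value": "Started"},  # not yet completed, so no alert
     "resourceId": SUB + "/Microsoft.Compute/virtualMachines/db-01/extensions/LinuxDiagnostic"},
    {"eventTimestamp": "2025-09-01T10:02:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/Microsoft.Compute/virtualMachines/web-02/extensions/CustomScriptExtension"},
    {"eventTimestamp": "2025-09-01T10:03:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": SUB + "/Microsoft.KeyVault/vaults/prod-kv/providers/microsoft.insights/diagnosticSettings/to-sentinel"},
]

if __name__ == "__main__":
    for a in logging_disabled_events(SAMPLE_EVENTS):
        print(a)
```

Of the four constructed records only two fire: the completed removal of IaaSDiagnostics from web-01 and the deletion of the Key Vault diagnostic setting. The Started record is skipped because Azure will emit a matching Succeeded or Failed record later, and the CustomScriptExtension removal is skipped because it does not affect logging.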

Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

  • NDR-251: Adds detection coverage for suspicious Mimikatz-related access over SMB traffic, improving the ability to spot credential theft techniques commonly used in attacks.

  • NDR-117: Expands coverage of the Remote Desktop Protocol (RDP) admin activity algorithm.

  • NDR-241: Adds detection coverage for NTLM authentication brute force attacks, helping stop attackers from breaking into accounts through repeated login attempts.

Bug Fixes

CS-9701: Group Changes Impact Triage Ruleset

Resolved an issue where changes to group entries were not correctly reflected in the triage ruleset.

ANVIL-2084: Match Integrated Ruleset

Resolves an issue when migrating from an existing ruleset to the Vectra Curated Ruleset. Previously, if an existing ruleset was present when you uploaded using the Vectra Curated Ruleset option, the file name did not update: it retained the old name instead of showing curated.rules.

Appendix:

Will this upgrade perform a reboot of the Brain or Sensors?

No, a reboot is not required as part of the 9.4 update.
