v9.5 Release Notes (QUX)

Vectra AI Platform – 9.5 Release Notes

The Vectra® X-series appliances, B-series appliances, S-series sensors, VM and Cloud Brain, VM and Cloud Sensors, are scheduled to be updated to Vectra Network software release version 9.5. This release delivers SHA256 File Verification, reduced alert volume in AI-Triage, and major Attack Graph enhancements. It also expands cloud coverage with a new Azure detection, improved Azure and M365 detections, plus API upgrades and expanded CDR logging for Azure alerts.

9.5 will have the following release schedule:

  • Customers with Remote Support Enabled: Customers who have remote support enabled will receive the update starting today.

    • You can check if you have remote support enabled under Settings > General with Remote Support set to Enabled.

    • If you plan to enable or disable Remote Support in the near future, please reach out to Support to confirm if you will receive or skip the upgrade.

  • Customers Connected to Updater: Assuming a smooth rollout, customers who do not have remote support enabled but are connected to Updater will receive updates on or after October 14th, 2025.

    • You can check if you are connected to Updater under Data Source > Brain-Setup > Proxy & Status and see that Updater Destination shows as connected, while Remote Support shows disabled.

  • All Other Customers*: Assuming a smooth rollout, all customers will be able to download the update on or after October 14th, 2025.

    • *Note: This does not impact customers that have requested they be pinned to a specific release from support.

Platform

SHA256 File Verification for Support Portal

All current and future files in Additional Resources > Downloads on our Support Portal now include a SHA256 hash so you can validate that the downloaded file is identical to the one served from the Support Portal. Today this applies to OVA and Vectra Match file downloads.
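The check the published hash enables, written out as an added example (this is not Vectra's code or a Support Portal tool): hash the downloaded file in a streaming fashion, normalize the hash as copied from the portal page, and compare with a constant-time comparison. The expected hash below is a constructed value, the SHA-256 of the bytes `hello\n`, standing in for a real OVA hash, and `write_constructed_download` only exists to produce a sample file for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the hash published on the Support Portal: it is the
# SHA-256 of b"hello\n", NOT the hash of any real Vectra download.
EXPECTED_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a multi-GB OVA never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(text):
    """Accept the hash as it is copied from a web page: surrounding whitespace,
    an optional 'sha256:' prefix and upper-case hex are all tolerated.
    Returns None when the result is not exactly 64 hex characters."""
    value = text.strip().lower()
    if value.startswith("sha256:"):
        value = value[len("sha256:"):]
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        return None
    return value


def verify_download(path, expected):
    """Return (ok, actual_hex). ok is False on mismatch or on a malformed expected hash,
    so a typo in the pasted hash can never be mistaken for a successful verification."""
    actual = sha256_of_file(path)
    wanted = normalize_digest(expected)
    if wanted is None:
        return False, actual
    # compare_digest avoids leaking how many leading characters matched; harmless here
    # for a public hash, but it is the idiomatic way to compare digests.
    return hmac.compare_digest(actual, wanted), actual


def write_constructed_download(content=b"hello\n"):
    """Write constructed sample bytes to a temp file that plays the role of the
    downloaded image; returns its path. Demo helper only."""
    fd, path = tempfile.mkstemp(suffix=".ova")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = write_constructed_download()
    ok, actual = verify_download(sample, EXPECTED_SHA256)
    print("OK" if ok else "MISMATCH", sample, actual)
    os.remove(sample)
```

Only a result of `True` from `verify_download` means the file should be imported or deployed; a mismatch means the download was truncated, corrupted or altered in transit and should be fetched again rather than "fixed".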

Expanded TLS/SSL Cipher Recognition

Vectra AI has expanded its TLS/SSL cipher suite mapping to include the latest TLS 1.3 and modern cipher suites, ensuring encrypted sessions are accurately identified and displayed with clear, human-readable names. This update enhances visibility and accuracy in encrypted traffic analysis across Recall and Stream, with Advanced Investigations support planned for a future release.

Reduced Alert Volume with Enhanced AI-Triage

Vectra’s AI-Triage now delivers expanded capabilities across the kill chain and modern networks, cutting detection volumes significantly. It automatically investigates and resolves benign alerts, reducing alert fatigue while preserving full visibility into real threats.

This custom-built, rigorously tested capability identifies low-risk patterns that consistently appear in your environment and resolves them automatically, keeping your team focused on meaningful risk.

Expect fewer benign detections across network C2, recon, Azure AD, M365, Copilot for M365, and AWS.

Visibility is never lost — resolved detections remain searchable, auditable, and fully traceable. No actions are taken on your behalf beyond resolution.

Attack Graph Enhancements

Vectra AI’s Attack Graph just got smarter with two powerful updates. C2 Blast Radius instantly reveals all hosts communicating with the same command-and-control endpoint, eliminating manual cross-referencing and speeding triage. Targeted Detections trace the initial point of compromise and attacker movement, giving analysts a clear lineage of how each host or account was reached. Together, these enhancements deliver sharper visibility, faster investigations, and more precise responses. Explore the Attack Graph FAQ for more capabilities.

API Improvements for CDR for Azure Alerts

Vectra AI has introduced API enhancements that add enriched, human-readable context (identity and application ID names) to the CDR for Azure alerts consumed via API. These support investigative workflows by significantly reducing the time an analyst needs to gather key context. Previously, these enriched values were available only in the Vectra platform; they are now also present in the API-centric workflows that customers may have in place.

Expansion of Resource Logging for Storage Account (CDR for Azure)

Vectra AI will now consume Azure resource logs tied to Storage Accounts in support of new and upcoming detection use-cases. These new logs will allow Vectra to detect impact and exfiltration behaviors observed in the latter stages of the cloud kill-chain. All new CDR for Azure connectors will automatically collect the logs as part of connector setup. For existing CDR for Azure customers, the automated deployment scripts associated with CDR for Azure will have to be re-run. Vectra account teams will be making contact to facilitate the expansion of logging for existing customers.

Coming Soon: Expanded EDR Process Context

In November, Vectra will release Vectra AI Stitching with CrowdStrike EDR for all customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection, both in the platform and when the event is collected via API.

The result is a more powerful NDR, less manual work, and better outcomes for security teams. What process was driving the C2: a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes the answer instant.

To ensure smooth delivery of this capability, we encourage all CrowdStrike customers to grant the NGSIEM Read / NGSIEM Write permissions that support future collection of this information. Visit the CrowdStrike EDR Integration FAQ for instructions on how to grant these permissions.

Detections

Sliver Command and Control Coverage

Vectra AI has introduced new detection coverage for Sliver Command & Control (C2) activity, an advanced framework used by red teams and threat actors to evade traditional defenses. Sliver’s use of encryption, layered encoders, and variable timing and data patterns allows it to disguise malicious beaconing within normal encrypted traffic. Vectra’s deep learning model identifies these subtle patterns without relying on payload inspection, leveraging the industry’s largest dataset of network behavior. This update enhances our current beaconing C2 algorithms, delivering stronger visibility into evasive C2 channels and helping security teams detect sophisticated adversary activity earlier in the attack chain.

New Detection: Azure Suspect VM Logging Change

Vectra AI has introduced a new detection that surfaces suspicious behaviors tied to modification of logging extensions for Windows and Linux VMs, Virtual Machine Scale Sets and Hybrid machines. This provides deeper visibility into suspicious activities that may indicate attempts to tamper with security monitoring (degraded vs fully disabled logs).
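To make the "degraded vs fully disabled" distinction concrete, here is an added example of the kind of triage logic a SOC might run over Azure Activity Log records for extension changes. It is not Vectra's detection and says nothing about how the product implements it. The operation names (`Microsoft.Compute/.../extensions/write|delete`, `Microsoft.HybridCompute/machines/extensions/write|delete`) and the extension type names are real Azure identifiers taken from Azure documentation, not from this page; which extensions count as "logging" extensions is the author's assumption, and the flattened record shape and `SAMPLE_ACTIVITY_LOG` are constructed for the demo.

```python
# Azure Monitor / Log Analytics / Diagnostics extension types. Real extension names;
# treating exactly this set as "logging extensions" is an assumption of this example.
LOGGING_EXTENSIONS = {
    "AzureMonitorLinuxAgent", "AzureMonitorWindowsAgent",
    "OmsAgentForLinux", "MicrosoftMonitoringAgent",
    "LinuxDiagnostic", "IaaSDiagnostics",
}

# Activity Log operation names for extension changes on VMs, scale sets and Arc
# (hybrid) machines, mapped to what the change does to the extension.
EXTENSION_OPS = {
    "Microsoft.Compute/virtualMachines/extensions/write": "modified",
    "Microsoft.Compute/virtualMachines/extensions/delete": "removed",
    "Microsoft.Compute/virtualMachineScaleSets/extensions/write": "modified",
    "Microsoft.Compute/virtualMachineScaleSets/extensions/delete": "removed",
    "Microsoft.HybridCompute/machines/extensions/write": "modified",
    "Microsoft.HybridCompute/machines/extensions/delete": "removed",
}

_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/"

# Constructed, flattened Activity Log records (real records nest operationName.value,
# status.value etc.; the flat shape here is a simplification for the example).
SAMPLE_ACTIVITY_LOG = [
    {   # Azure Monitor agent deleted from a VM: logging from that host stops entirely
        "eventTimestamp": "2025-10-14T09:12:03Z",
        "operationName": "Microsoft.Compute/virtualMachines/extensions/delete",
        "status": "Succeeded", "caller": "svc-deploy@example.com",
        "resourceId": _SUB + "Microsoft.Compute/virtualMachines/vm-web-01/extensions/AzureMonitorLinuxAgent",
    },
    {   # Agent on a scale set rewritten: may now ship fewer tables, or to another workspace
        "eventTimestamp": "2025-10-14T09:15:41Z",
        "operationName": "Microsoft.Compute/virtualMachineScaleSets/extensions/write",
        "status": "Succeeded", "caller": "jdoe@example.com",
        "resourceId": _SUB + "Microsoft.Compute/virtualMachineScaleSets/vmss-api/extensions/AzureMonitorWindowsAgent",
    },
    {   # Unrelated extension: routine, not a logging change
        "eventTimestamp": "2025-10-14T09:20:00Z",
        "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
        "status": "Succeeded", "caller": "svc-deploy@example.com",
        "resourceId": _SUB + "Microsoft.Compute/virtualMachines/vm-web-01/extensions/CustomScript",
    },
    {   # Failed delete on an Arc machine: attempted, but logging is unchanged
        "eventTimestamp": "2025-10-14T09:25:12Z",
        "operationName": "Microsoft.HybridCompute/machines/extensions/delete",
        "status": "Failed", "caller": "jdoe@example.com",
        "resourceId": _SUB + "Microsoft.HybridCompute/machines/arc-dc-02/extensions/AzureMonitorWindowsAgent",
    },
]


def triage_extension_events(records):
    """Return one finding per successful change to a logging extension.

    A delete means telemetry from that machine is fully disabled; a write means the
    agent still exists but its configuration changed, so coverage may be degraded
    (e.g. a narrower data collection rule or a different workspace). Failed attempts
    are skipped here; a fuller pipeline would surface them separately."""
    findings = []
    for rec in records:
        op = rec.get("operationName", "")
        if op not in EXTENSION_OPS or rec.get("status") != "Succeeded":
            continue
        parts = rec.get("resourceId", "").split("/")
        # Resource id ends in .../<machine-type>/<machine>/extensions/<extension>
        if len(parts) < 4 or parts[-2].lower() != "extensions":
            continue
        extension, machine = parts[-1], parts[-3]
        if extension not in LOGGING_EXTENSIONS:
            continue
        impact = "logging disabled" if EXTENSION_OPS[op] == "removed" else "logging possibly degraded"
        findings.append({
            "time": rec.get("eventTimestamp"), "machine": machine,
            "extension": extension, "action": EXTENSION_OPS[op],
            "impact": impact, "caller": rec.get("caller"),
        })
    return findings


if __name__ == "__main__":
    for f in triage_extension_events(SAMPLE_ACTIVITY_LOG):
        print(f"{f['time']} {f['impact']:<28} {f['machine']}/{f['extension']} "
              f"({f['action']} by {f['caller']})")
```

The value of separating the two outcomes is in response: a removed agent is a gap you can confirm by the absence of heartbeats, while a modified agent still heartbeats and only a comparison of the new settings against the expected data collection rule shows what was lost.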

Detection Enhancement: Azure Cryptomining

Enhancements have been introduced to the Azure Cryptomining detection to filter out behaviors tied to modification of existing compute instances. This change improves the fidelity of the alerting around creation of new compute instances. Customers should expect fewer alerts tied to this behavior in their environment.

M365 Detection Enhancements

Enhancements have been introduced across the following detections to improve breadth of coverage:

  • M365 Suspicious mailbox Rule Creation and M365 Suspicious Mail Forwarding: These detections have been enhanced to include coverage for behaviors surrounding UpdateInboxRule. As a result of this enhancement, customers may observe a mild increase in the volumes tied to these alerts.

Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

  • NDR-242: Vectra AI has expanded its current beaconing Command & Control algorithms to detect advanced C2 beaconing techniques that use data and time jitter to evade traditional network monitoring. The result is improved visibility into stealthy C2 behavior and earlier detection of sophisticated threats attempting to hide within normal network activity.

  • NDR-302: Vectra AI has enhanced detection coverage for plain-text TCP communications, identifying suspicious command activity hidden in unencrypted, text-based traffic. This update detects subtle behavioral patterns—such as abnormal packet flow and payload structure—to uncover covert command channels that evade traditional inspection. It expands visibility beyond encrypted traffic, strengthening detection across all communication types.

  • NDR-314: Vectra AI has expanded coverage to include Sliver’s English HTTP Channel, which disguises command-and-control traffic as strings of random English words to appear legitimate. This enhancement improves detection of obfuscated Sliver activity within normal HTTP traffic, strengthening visibility into advanced C2 evasion techniques.

Appendix

Will this upgrade perform a reboot of the Brain or Sensors?

No, a reboot is not required as part of the 9.5 update.
