> For the complete documentation index, see [llms.txt](https://docs.vectra.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.vectra.ai/release-notes/respond-ux-rux/2025-rux-release-notes.md).

# 2025 RUX Release Notes

{% updates format="full" %}
{% update date="2025-12-31" tags="coverage,2025.12" %}

## 2025.12 - Coverage

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* Vectra AI continues its transition of detections previously delivered through the Suricata engine into native detections running directly on the Vectra flow engine. This ongoing effort ensures advanced attacker behavior coverage is available to all customers, without requiring Suspect Protocol Activity (SPA) or reliance on signature-based detection logic.
  * This release introduces additional detections for Cobalt Strike, Brute Ratel, and PowerShell Empire.
* Vectra AI has improved the Smash and Grab detection accuracy by ensuring destination domain names update correctly when observed later in a session. This enhancement allows whitelist logic to function as intended, reducing unnecessary alerts and improving the fidelity of Smash and Grab detections.
* Vectra AI has improved information-level detections for Remote Management and Monitoring (RMM) tools by correctly populating application protocol details in detection metadata. This enhancement provides clearer context on Host pages when RMM activity is observed, improving investigative clarity while maintaining a low-noise, non-scoring alerting experience.
* Vectra AI has refined its **Mythic C2 detection** logic to reduce false positives by tightening how server certificate fields are evaluated. This update narrows overly broad pattern matching, preventing benign domains containing similar terms from triggering alerts and improving overall detection fidelity.
{% endupdate %}

{% update date="2025-12-31" tags="clarity,2025.12" %}

## 2025.12 - Clarity

### EDR process correlation (Private Preview)

Vectra AI has released CrowdStrike EDR process correlation for private preview customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection, both in the platform and when the event is collected via API.

The result is more powerful detection and response, less manual work, and better outcomes for security teams. It eliminates the need for custom SIEM or SOAR correlation logic and can save up to 30 minutes per detection. Which process was driving the C2 traffic, a browser or a PowerShell script? Is it expected, or does it stand out? These are questions analysts must answer immediately, and this capability makes the answer instant. Contact your Vectra AI account team to join the private preview, and see the [CrowdStrike EDR Integration FAQ](https://support.vectra.ai/vectra/article/KB-VS-1143) for instructions on how to set up this integration.

Learn more about how Vectra AI works with CrowdStrike in this podcast:

{% embed url="<https://www.youtube.com/watch?v=yf7y74zyJjs>" %}
{% endupdate %}

{% update date="2025-12-31" tags="control,2025.12" %}

## 2025.12 - Control

### Vectra 360 Response Enhancement for Cloud Identity

Vectra AI’s Account Lockdown now includes Password Reset for Azure AD/Entra ID, providing customers with a stronger, more reliable way to proactively stop identity-based attacks, particularly token theft. By revoking sessions and forcing a password reset, Vectra AI instantly removes attacker access while letting legitimate users log back in with minimal friction. This expands Vectra AI’s 360 Response capability, which enables proactive response across traffic, devices and identity. To read more about the feature, see the support article: <https://support.vectra.ai/vectra/article/KB-VS-1123>

To hear more about the feature, watch:

{% embed url="<https://youtu.be/rjylcHfzMyU>" %}
{% endupdate %}

{% update date="2025-11-30" tags="coverage,2025.11" %}

## 2025.11 - Coverage

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* Vectra AI is reimagining several Cobalt Strike Suricata signatures as native Python detections. By moving these detections into Vectra’s Python-based engine, all customers now benefit from this Cobalt Strike activity coverage without reliance on signature-based logic.
* Vectra AI has refined its Kali Repo Usage detection to improve accuracy and reduce false positives by tightening how Kali-related user agents are identified. This enhancement focuses the match criteria on true Kali Linux activity, ensuring higher-fidelity alerts and more reliable insights when investigating potential attacker tooling.
* Vectra AI has introduced new information-level detections for Remote Management and Monitoring (RMM) tools observed within customer environments. As RMM utilities are increasingly leveraged in cyberattacks, these alerts provide visibility into their usage without generating noise or affecting scoring. The notifications appear on individual Host pages—one per host session—while remaining hidden from the main Detections page unless filters are adjusted. This update gives customers clearer insight into potentially sensitive administrative activity while maintaining a low-impact alerting experience.
{% endupdate %}

{% update date="2025-11-30" tags="clarity,2025.11" %}

## 2025.11 - Clarity

### Traffic Lockdown: Automated Network Defense via Firewall Integration (Public Preview)

Vectra AI now empowers customers to take instant action on detected threats with Traffic Lockdown, a new capability that automatically blocks malicious hosts at the firewall level. By integrating directly with supported firewalls, Vectra AI dynamically publishes threat feed IPs for immediate enforcement with no manual rules or complex setup required. Security teams gain faster containment, cleaner workflows, and stronger protection where it matters most: at the network edge. Visit [Traffic Lockdown](/configuration/response/lockdown/traffic-lockdown.md) for configuration instructions.

<figure><img src="/files/LHoJSbiFzXtd7ObOWFh7" alt=""><figcaption></figcaption></figure>

To hear more about Vectra's Response capabilities, watch this podcast:

{% embed url="<https://youtu.be/rjylcHfzMyU>" %}

### Operational Overview Report

Introducing the Operational Overview Report — your SOC’s new command view for performance and impact. This report brings together key metrics like Mean Time to Assignment, Mean Time to Investigate, and Mean Time to Resolve, alongside top detections, MITRE ATT\&CK mappings, and prioritized entities in one clear, visual dashboard. It quantifies how Vectra AI drives faster investigations, sharper triage, and measurable efficiency gains. With powerful insights for business reviews, executive reporting, and daily operations, it turns performance data into proof of value.

<figure><img src="/files/wlcllQy1VE19IjHJjtu6" alt=""><figcaption></figcaption></figure>

For more information about reporting, watch this podcast:

{% embed url="<https://youtu.be/tzzrJ3_EoT4>" %}
{% endupdate %}

{% update date="2025-11-30" tags="platform,2025.11" %}

## 2025.11 - Platform

### Navigational Change: Configuration

We’ve streamlined how you manage your environment in the Vectra AI Platform. The new Configuration tab unifies the Manage & Settings options to bring all configuration and control settings into one clear, intuitive view, so you can find what you need faster and act with confidence. This update eliminates friction and simplifies navigation. Less searching. More doing.

<figure><img src="/files/CeOi5V0VL2JhgBDXZc5c" alt=""><figcaption></figcaption></figure>

### REST API (Respond UX)

The Vectra AI team continues to update the RUX API with new functionality every month. To stay up to date with the latest functionality, visit our [API documentation site](https://apidocs.vectra.ai/changelog).

### Multi-SAML Support

The Respond UX platform currently supports single sign-on (SSO) through integration with a customer’s identity provider (IDP) using a configured SAML profile. Until now, only a single SAML profile could be defined, which restricted integration to one IDP at a time.

To tackle this, we are introducing support for multiple SAML profiles. This enhancement will enable customers and MSSPs to configure and manage integrations with multiple IDPs simultaneously, providing greater flexibility and alignment with complex identity environments.

### Support Access to RUX tenants 

We’ve introduced the ability for Vectra AI’s authorized employees to securely access RUX tenant UIs when needed. Customers can now configure an expiration date for this access, ensuring it remains time-bound and fully under your control.  To enable support, visit [Vectra Remote Support](/configuration/access/vectra-remote-support.md).

<figure><img src="/files/UFyAPBVWhXiXgwyDTGug" alt=""><figcaption></figcaption></figure>
{% endupdate %}

{% update date="2025-10-31" tags="coverage,2025.10" %}

## 2025.10 - Coverage

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release: 

* Vectra AI now detects LDAP queries targeting Active Directory accounts that lack Kerberos pre-authentication — a common step in AS-REP roasting attacks. This enhancement delivers earlier visibility into credential reconnaissance, helping security teams stop attackers before credential abuse begins.
* Vectra AI has updated the description of its RDP brute-force and password-spray detection to better align with its detection behavior. While the underlying logic remains unchanged, the revised description clarifies how password-spray activity is represented in the UI, helping analysts interpret alerts with greater precision.
* Vectra AI has improved LDAP analytics to identify reconnaissance of AD users with servicePrincipalNames (SPNs) — a precursor to Kerberoasting. This update provides faster detection of credential-targeted attacks, giving customers deeper visibility into stealthy Active Directory threats.
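As an added illustration of the two reconnaissance query shapes described above (this is example code, not Vectra's detection logic), the following flags LDAP search filters that enumerate accounts without Kerberos pre-authentication or user accounts carrying SPNs. The log records and their field names (`src`, `dst`, `filter`) are constructed for the example.

```python
"""Flag LDAP search filters that enumerate Kerberos-weak accounts.

Added example, not Vectra's detection code.  The records below are
constructed; a real feed would come from LDAP metadata or DC audit logs.
"""
import re
from typing import Iterable

DONT_REQUIRE_PREAUTH = 0x400000          # userAccountControl flag, decimal 4194304
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
SAM_NORMAL_USER_ACCOUNT = 805306368      # samAccountType for user objects

# Constructed sample LDAP searches against a domain controller (field names assumed)
SAMPLE_LDAP_SEARCHES = [
    {"src": "10.0.0.5", "dst": "10.0.0.10",
     "filter": "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"},
    {"src": "10.0.0.5", "dst": "10.0.0.10",
     "filter": "(&(samAccountType=805306368)(servicePrincipalName=*))"},
    {"src": "10.0.0.9", "dst": "10.0.0.10",
     "filter": "(&(objectClass=computer)(servicePrincipalName=*))"},   # SPN lookup on computers
    {"src": "10.0.0.7", "dst": "10.0.0.10",
     "filter": "(sAMAccountName=jsmith)"},                             # ordinary lookup
]

# Bitwise test for DONT_REQUIRE_PREAUTH: the AS-REP roasting reconnaissance shape
PREAUTH_RE = re.compile(
    r"userAccountControl:" + re.escape(BIT_AND_RULE) + r":=" + str(DONT_REQUIRE_PREAUTH),
    re.IGNORECASE,
)
# SPN wildcard is routine on its own; require a user-object scope to call it Kerberoast recon
SPN_RE = re.compile(r"servicePrincipalName=\*", re.IGNORECASE)
USER_SCOPE_RE = re.compile(
    rf"samAccountType={SAM_NORMAL_USER_ACCOUNT}|objectCategory=person|objectClass=user",
    re.IGNORECASE,
)


def classify_filter(ldap_filter: str) -> set[str]:
    """Return the reconnaissance labels a single LDAP filter matches (possibly empty)."""
    labels = set()
    if PREAUTH_RE.search(ldap_filter):
        labels.add("asrep_roast_recon")
    if SPN_RE.search(ldap_filter) and USER_SCOPE_RE.search(ldap_filter):
        labels.add("kerberoast_recon")
    return labels


def detect(records: Iterable[dict]) -> list[dict]:
    """Emit one finding per (record, label) so each query is attributable to its source."""
    findings = []
    for rec in records:
        for label in sorted(classify_filter(rec["filter"])):
            findings.append({"src": rec["src"], "dst": rec["dst"],
                             "label": label, "filter": rec["filter"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LDAP_SEARCHES):
        print(f"{f['src']} -> {f['dst']}: {f['label']}  {f['filter']}")
```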
{% endupdate %}

{% update date="2025-10-31" tags="clarity,2025.10" %}

## 2025.10 - Clarity

### Introducing AI-Assisted Search

We’re making threat hunting and investigation faster and smarter. With AI-Assisted Search, you can ask questions in plain language — in any major language — and instantly get context-rich answers, visual insights, and recommended next steps. No query syntax, no guesswork — just actionable intelligence at your fingertips. Early users have cut investigation time by up to three hours per case, uncovering exposures they might have missed. Available now for RUX customers with at least 14 days of metadata.

<figure><img src="/files/r8CFb39YKFgUIRB5NzOK" alt=""><figcaption></figcaption></figure>

#### AI Scoring Prioritization Agent

The AI Prioritization Agent now detects when attackers deploy new systems - from rogue laptops to Raspberry Pis - and factors that into threat scoring.

It also learns from historical trends to flag key rare detection types across your environment, delivering faster, more accurate prioritization with less noise.

Customers may see a small number of hosts with updated scores. For more information, watch this podcast:

{% embed url="<https://youtu.be/DvsvR57xCS8>" %}
{% endupdate %}

{% update date="2025-10-31" tags="platform,2025.10" %}

## 2025.10 - Platform

### Groups Based on Active Directory Membership

Seamlessly bring your existing AD groups into Vectra and keep them perfectly in sync—no more manual recreations or tedious upkeep. Bulk import eliminates repetitive admin work, so your teams can focus on threat hunting, not group management. By streamlining triage rules and reducing noise, you’ll act faster on the alerts that truly matter. This is efficiency and signal clarity, built right in. Visit [Active Directory (AD) Groups](https://support.vectra.ai/s/article/KB-VS-2876) for more information.

<figure><img src="/files/ZnbG4FrsuUpEwsn8qdxP" alt=""><figcaption></figcaption></figure>

### New REST API Documentation Is Live

We’re excited to introduce the new Vectra REST API Documentation portal — your one-stop destination for building, testing, and integrating with Vectra APIs faster than ever. Developers can now explore, validate, and generate integrations seamlessly — ensuring faster automation, fewer errors, and greater confidence in securing your environment.\
Starting with API v3.5, all documentation will be delivered exclusively through the REST API Documentation portal: [https://apidocs.vectra.ai](https://apidocs.vectra.ai/)

{% embed url="<https://apidocs.vectra.ai>" %}
{% endupdate %}

{% update date="2025-09-30" tags="coverage,2025.09" %}

## 2025.09 - Coverage

### Sliver Command and Control Coverage

Vectra AI has expanded coverage to include Sliver’s English HTTP Channel, which disguises command-and-control traffic as strings of random English words to appear legitimate. This enhancement improves detection of obfuscated Sliver activity within normal HTTP traffic, strengthening visibility into advanced C2 evasion techniques.

### TCP Command and Control Coverage

Vectra AI has enhanced detection coverage for plain-text TCP communications, identifying suspicious command activity hidden in unencrypted, text-based traffic. This update detects subtle behavioral patterns—such as abnormal packet flow and payload structure—to uncover covert command channels that evade traditional inspection. It expands visibility beyond encrypted traffic, strengthening detection across all communication types.

### New Detection: Azure Suspect VM Logging Change

Vectra AI has introduced a new detection that surfaces suspicious behaviors tied to modification of logging extensions for Windows and Linux VMs, Virtual Machine Scale Sets, and hybrid machines. This provides deeper visibility into suspicious activity that may indicate attempts to tamper with security monitoring (logs degraded rather than fully disabled).

### Detection Enhancement: Azure Cryptomining

Enhancements have been introduced to the Azure Cryptomining detection to filter out behaviors tied to modification of existing compute instances. This improves the fidelity of alerting on the creation of new compute instances. Customers should expect fewer alerts tied to this behavior in their environment.

### Expansion of Resource Logging for Storage Account (CDR for Azure)

Vectra AI will now consume Azure resource logs tied to Storage Accounts in support of new and upcoming detection use cases. These new logs allow Vectra to detect impact and exfiltration behaviors observed in the latter stages of the cloud kill chain. All new CDR for Azure connectors will automatically accrue the logs as part of connector setup. For existing CDR for Azure customers, the automated deployment scripts associated with CDR for Azure will have to be re-run. Vectra account teams will be making contact to facilitate the expansion of logging for existing customers.

### M365 Detection Enhancements

Enhancements have been introduced across the following detections to improve breadth of coverage: 

* M365 Suspicious Mailbox Rule Creation and M365 Suspicious Mail Forwarding: These detections have been enhanced to include coverage for behaviors surrounding UpdateInboxRule. As a result, customers may observe a mild increase in the volume of these alerts.

### Rapid Release Improvements

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

* NDR-242: Vectra AI has expanded its current beaconing Command & Control algorithms to detect advanced C2 beaconing techniques that use data and time jitter to evade traditional network monitoring. The result is improved visibility into stealthy C2 behavior and earlier detection of sophisticated threats attempting to hide within normal network activity.
* NDR-302: Vectra AI has enhanced detection coverage for plain-text TCP communications, identifying suspicious command activity hidden in unencrypted, text-based traffic. This update detects subtle behavioral patterns—such as abnormal packet flow and payload structure—to uncover covert command channels that evade traditional inspection. It expands visibility beyond encrypted traffic, strengthening detection across all communication types.
* NDR-314: Vectra AI has expanded coverage to include Sliver’s English HTTP Channel, which disguises command-and-control traffic as strings of random English words to appear legitimate. This enhancement improves detection of obfuscated Sliver activity within normal HTTP traffic, strengthening visibility into advanced C2 evasion techniques.
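The jitter-tolerant beaconing idea behind NDR-242 can be approximated with a median-based regularity measure over inter-connection gaps and payload sizes. The following is an added example (not Vectra's algorithm) run over constructed flow records; the field names `ts`, `src`, `dst` and `bytes` are assumptions.

```python
"""Jitter-tolerant beacon regularity check over connection records.

Added example, not Vectra's NDR-242 algorithm.  Flow field names (ts, src,
dst, bytes) are assumptions, and the records below are constructed.
"""
from collections import defaultdict
from statistics import median


def _build_flows():
    """Construct two connection series: a jittered beacon and interactive browsing."""
    # ~60 s period with up to ~25 % timing jitter and ~10 % payload jitter
    beacon_gaps = [60, 52, 71, 58, 66, 49, 63, 70, 55, 61]
    beacon_sizes = [212, 231, 204, 226, 219, 208, 237, 215, 222, 210, 229]
    # human-driven traffic: bursty gaps and widely varying payloads
    browse_gaps = [2, 300, 15, 7, 900, 1, 45, 120, 3, 600]
    browse_sizes = [340, 12040, 875, 51000, 2300, 98, 7600, 430, 15800, 620, 3900]
    flows = []
    for src, dst, gaps, sizes in (
        ("10.1.1.20", "203.0.113.7", beacon_gaps, beacon_sizes),
        ("10.1.1.21", "198.51.100.4", browse_gaps, browse_sizes),
    ):
        t = 1_700_000_000
        flows.append({"ts": t, "src": src, "dst": dst, "bytes": sizes[0]})
        for gap, size in zip(gaps, sizes[1:]):
            t += gap
            flows.append({"ts": t, "src": src, "dst": dst, "bytes": size})
    return flows


SAMPLE_FLOWS = _build_flows()


def regularity(values, tolerance):
    """Fraction of values lying within +/- tolerance (relative) of the median.

    A fixed-period test fails once an implant randomises its sleep; a relative
    band around the median still scores a jittered beacon near 1.0 while
    bursty interactive traffic scores near 0.
    """
    if len(values) < 2:
        return 0.0
    m = median(values)
    if m <= 0:
        return 0.0
    inside = sum(1 for v in values if abs(v - m) <= tolerance * m)
    return inside / len(values)


def score_pairs(flows, min_connections=8, time_tol=0.30, size_tol=0.25, threshold=0.8):
    """Score each (src, dst) pair on interval and payload-size regularity."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append((f["ts"], f["bytes"]))
    results = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue                       # too few samples to call anything periodic
        events.sort()
        ts = [e[0] for e in events]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        sizes = [e[1] for e in events]
        t_reg = regularity(gaps, time_tol)
        s_reg = regularity(sizes, size_tol)
        results[pair] = {
            "connections": len(events),
            "median_interval_s": median(gaps),
            "interval_regularity": round(t_reg, 2),
            "size_regularity": round(s_reg, 2),
            "beacon_like": t_reg >= threshold and s_reg >= threshold,
        }
    return results


if __name__ == "__main__":
    for pair, r in score_pairs(SAMPLE_FLOWS).items():
        print(pair, r)
```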
{% endupdate %}

{% update date="2025-09-30" tags="clarity,2025.09" %}

## 2025.09 - Clarity

### API Improvements for CDR for Azure Alerts

Vectra AI has introduced API enhancements to include enriched Human Readable context (identity and application ID names) to the CDR for Azure alerts consumed via API. These support investigative workflows significantly reducing the time required by an analyst to gather key context. Previously, these enriched values were available only in the Vectra platform. The new enhancements ensure these values are now present in API-centric workflows that customers may have in place.

### Reduced Alert Volume with Enhanced AI-Triage

Vectra’s AI-Triage now delivers expanded capabilities across the kill chain and modern networks, cutting detection volumes significantly. It automatically investigates and resolves benign alerts, reducing alert fatigue while preserving full visibility into real threats.

This custom-built, rigorously tested capability identifies low-risk patterns that consistently appear in your environment and resolves them automatically, keeping your team focused on meaningful risk.

Expect fewer benign detections across network C2, recon, Azure AD, M365, Copilot for M365, and AWS.

Visibility is never lost — resolved detections remain searchable, auditable, and fully traceable. No actions are taken on your behalf beyond resolution.

### Attack Graph: Focused View

Introducing Focused View, a new way to cut through the noise in complex attack graphs. Instead of overwhelming analysts with every node and edge, Focused View filters out low-priority detections and surfaces only the most critical links and progression paths. The result: less clutter, less confusion, and a clear perspective on how an attack unfolded. With clarity instead of clutter, security teams can accelerate investigations while still toggling to the full graph when needed. For more Attack Graph information, [read the FAQ](https://support.vectra.ai/vectra/article/KB-VS-2662).

<figure><img src="/files/3CZl3KrMX574dxjGRdYu" alt=""><figcaption></figcaption></figure>
{% endupdate %}

{% update date="2025-08-31" tags="2025.08" %}

## 2025.08

### **Stronger Context with New Attack Graph Upgrades**

Vectra AI has enhanced the Attack Graph with two powerful new capabilities. First, analysts can now see detections directly targeting the entity they’re investigating, making it easier to answer the question: “How did this entity get compromised?” This helps quickly pinpoint “patient zero” even in complex lateral movement scenarios. Second, the Attack Graph now visualizes the blast radius of command-and-control (C2) channels, automatically expanding to show all entities tied to the same malicious domain or IP. Together, these upgrades accelerate investigations, reveal hidden links, and give teams complete context to stop attacks faster.

### **Accelerate Investigations with Five Minute Hunts**

We’re excited to share that Five Minute Hunts are now live in Advanced Investigations. These guided hunts surface meaningful insights in metadata without requiring customers to master SQL or specialized terminology. Security teams can quickly uncover attacker patterns, demonstrate proactive “peace-time” value, and boost efficiency with just a few clicks. Behind the scenes, the feature is powered by our flexible content delivery framework—complete with adaptive layouts, smooth animations, and engaging visuals for a seamless analyst experience.

### **External App Alerts (Webhook Notifications)**

With External App Alerts, Vectra AI delivers instant notifications to your team’s collaboration tools when critical security events occur, such as high-priority hosts or accounts and key system alerts. No more screen-watching or delayed responses — you get real-time intel that drives faster action. Available now with direct Microsoft Teams integration and Slack support coming soon. See [External App Alerts](/configuration/response/notifications/external-app-alerts-webhook.md) for implementation details.

### **JA4+ Fingerprints**

Vectra AI now includes JA4, JA4S, JA4L, JA4X, and JA4H fingerprints in metadata—bringing next-gen fingerprinting to encrypted traffic analysis. This powerful framework reduces collisions, links related sessions, and makes it easier to spot attacker infrastructure hiding behind common protocols. Analysts get clearer, faster insights with less noise and better context across detections. JA4+ is supported in Investigate (RUX), Stream, and Recall. Read more about the [new attributes here](https://support.vectra.ai/vectra/article/KB-VS-1245).

### **Simpler Investigations with Human-Readable Azure CDR Data**

Vectra AI has made Azure CDR easier to use by replacing confusing UUIDs with clear, human-readable names. Account names in the REST API now reflect recognizable Entra IDs, while detection activity surfaces intuitive object and application names. Analysts no longer need to decode raw IDs—making triage faster, investigations smoother, and dashboards more actionable.
{% endupdate %}

{% update date="2025-07-31" tags="2025.07" %}

## 2025.07

### **Zscaler Internet Access SSE Integration in Public Preview**

Vectra AI and Zscaler have teamed up to eliminate blind spots in encrypted and direct-to-cloud traffic. Through integration with Zscaler Internet Access (ZIA), Vectra replays user traffic from secure PCAPs for full-spectrum threat detection—uncovering advanced C2 and exfiltration that traditional tools miss. It’s a game-changer for securing remote and cloud-first environments. For information see Vectra’s [Press Release](https://www.vectra.ai/about/news/vectra-ai-and-zscaler-expand-their-alliance-to-unlock-unprecedented-visibility-into-sase-traffic) and [Podcast](https://www.youtube.com/watch?v=YlwGoJQuVw4). Please contact your Vectra account team if you are interested in enabling Vectra’s ZIA integration. See [Zscaler ZIA Integration and Optimization](https://support.vectra.ai/vectra/article/KB-VS-1006) for implementation details.

### **Deeper Executive Insight with Signal Efficacy in CISO Reports**

Vectra AI now brings signal efficacy metrics directly into CISO reports—showing how detections and entities were resolved as benign, remediated, or unclassified. This added context proves the value of detections that mattered most to analysts and highlights remediation outcomes at a glance. Executives get clear visibility into threat quality, empowering smarter security decisions and demonstrating measurable value from Vectra.

### **Smarter Visibility with the Network Discovery Dashboard**

Vectra AI introduces the Network Discovery Dashboard, a powerful new way to explore your environment with an interactive network map. Analysts can now trace hosts and IPs visually, spot anomalies in context, and accelerate investigations with intuitive navigation. This dashboard simplifies complex environments, turning raw network data into actionable insights for faster, more confident threat response.
{% endupdate %}

{% update date="2025-06-30" tags="2025.06" %}

## 2025.06

### **AI-Triage Now Auto-Resolves More Benign Threats**

Vectra AI’s proprietary agentic AI just got smarter. Our upgraded AI-Triage algorithm now automatically investigates and resolves 50% of benign C\&C and 25% of benign Recon detections—dramatically reducing benign events. It leverages both local patterns and global insights to deliver the clearest signal yet.  For more details on AI-Triage, see the [AI-Triage KB](https://support.vectra.ai/vectra/article/KB-VS-1582) and [our recent update video](https://www.youtube.com/watch?v=DvsvR57xCS8).

### **New Detection Suite: AWS Bedrock Detections**

Vectra AI has introduced four new detections to surface suspicious behaviors surrounding the use of AWS Bedrock, a fully managed service offered by AWS that simplifies building and deploying generative AI applications.

* AWS Bedrock Logging Configuration Disabled: This detection highlights instances where a principal was observed disabling prompt logging for AWS Bedrock at the regional level. Disabling prompt logging stops the capture of all prompt and response activity across AWS Bedrock models and may indicate an attempt to impair defenses or hide malicious usage.
* AWS Bedrock Novel Model Enabled: This detection identifies suspicious activity related to the enablement of an AWS Bedrock Model by an identity that has no prior history of performing such actions. It flags potential unauthorized access to generative AI services that may be security-sensitive and associated with high-cost.
* AWS Suspicious Bedrock Activity: This detection identifies suspicious activity related to the enablement and invocation of an AWS Bedrock Model by an identity that has no prior history of performing such actions. The combination of enablement followed by invocation of a model suggests an attacker is both testing and using the model, generating responses at the victim’s expense.
* AWS Bedrock Novel Enabled: This detection flags every instance in which an AWS Bedrock foundational model is enabled, as this action is uncommon and may have cost or security implications. It is an informational detection and does not contribute to scoring or prioritization of the entity; it is meant as a security-relevant insight and may not be immediately suspicious.

### **New Detection Suite: AWS S3**

Vectra AI has introduced three new detections to surface suspicious behaviors surrounding the use of AWS S3 in the impact and exfil stages of the cloud kill chain:

* AWS Suspicious S3 Batch Deletion: This detection surfaces behaviors associated with large-scale downloads and deletions associated with multiple files. This behavior may indicate the destructive manipulation phase of ransomware activity in the environment.
* AWS Suspicious S3 Object Deletion: Like the new S3 Batch Deletion detection, this detection highlights behaviors where individual objects were downloaded and then deleted from an S3 bucket in a way that may indicate the destructive manipulation phase of ransomware activity in the environment.
* AWS Suspicious S3 Encryption: This detection highlights unusual encryption activities that could indicate a ransomware encryption phase in progress. It is designed to surface encryption of many S3 objects using either an external KMS key (SSE-KMS) or a client-controlled key (SSE-C).
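An added example (not Vectra's detection code) of the AWS Suspicious S3 Encryption logic described above, run over constructed CloudTrail-style PutObject events: it counts, per principal and bucket, writes that used SSE-C or an SSE-KMS key owned by another account. The `additionalEventData.SSEApplied` and `x-amz-server-side-encryption-aws-kms-key-id` fields are assumed to follow CloudTrail's S3 data-event shape, and every ARN, account ID and bucket name is made up.

```python
"""Flag bulk S3 writes encrypted with keys the account does not control.

Added example, not Vectra's detection code.  Field names follow CloudTrail's
S3 data-event shape as assumed here; all ARNs, account IDs and names are
constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/")
VICTIM_ACCOUNT = "111111111111"                                   # constructed
ATTACKER = "arn:aws:iam::111111111111:user/deploy-svc"            # constructed
ADMIN = "arn:aws:iam::111111111111:role/backup-role"              # constructed
OWN_KEY = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-0000-0000-000000000001"
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/bbbbbbbb-0000-0000-0000-000000000002"


def _event(offset_s, principal, bucket, key, sse_applied, kms_arn=None):
    """Build one minimal constructed CloudTrail PutObject record."""
    params = {"bucketName": bucket, "key": key}
    if kms_arn:
        params["x-amz-server-side-encryption-aws-kms-key-id"] = kms_arn
    return {
        "eventTime": f"2025-09-01T10:{offset_s // 60:02d}:{offset_s % 60:02d}Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "recipientAccountId": VICTIM_ACCOUNT,
        "userIdentity": {"arn": principal},
        "requestParameters": params,
        "additionalEventData": {"SSEApplied": sse_applied},
    }


SAMPLE_EVENTS = (
    # 25 objects rewritten with customer-provided keys (SSE-C) within ~4 minutes
    [_event(i * 10, ATTACKER, "finance-reports", f"q3/report-{i}.xlsx", "SSE_C") for i in range(25)]
    # 25 objects rewritten under a KMS key owned by a different account
    + [_event(300 + i * 10, ATTACKER, "hr-archive", f"payroll-{i}.csv", "SSE_KMS", FOREIGN_KEY)
       for i in range(25)]
    # routine backup writes with the account's own KMS key: must not alert
    + [_event(1000 + i * 60, ADMIN, "backups", f"daily-{i}.tar", "SSE_KMS", OWN_KEY) for i in range(5)]
)


def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def external_key(event):
    """True when the SSE-KMS key ARN belongs to an account other than the recipient."""
    arn = event["requestParameters"].get("x-amz-server-side-encryption-aws-kms-key-id", "")
    m = KMS_KEY_ARN_RE.match(arn)
    return bool(m) and m.group(1) != event["recipientAccountId"]


def encryption_reason(event):
    """Classify a write as attacker-controllable encryption ('SSE-C' / 'external-KMS-key') or None."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in ("PutObject", "CopyObject"):
        return None
    sse = event.get("additionalEventData", {}).get("SSEApplied")
    if sse == "SSE_C":
        return "SSE-C"
    if sse == "SSE_KMS" and external_key(event):
        return "external-KMS-key"
    return None


def suspicious_encryption(events, window_s=600, threshold=20):
    """Report (principal, bucket) pairs with >= threshold such writes inside any window_s span."""
    times = defaultdict(list)
    for e in events:
        reason = encryption_reason(e)
        if reason:
            times[(e["userIdentity"]["arn"], e["requestParameters"]["bucketName"], reason)].append(
                _epoch(e["eventTime"]))
    findings = []
    for (principal, bucket, reason), ts in times.items():
        ts.sort()
        best = j = 0
        for i, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings.append({"principal": principal, "bucket": bucket,
                             "reason": reason, "count_in_window": best})
    return findings


if __name__ == "__main__":
    for f in suspicious_encryption(SAMPLE_EVENTS):
        print(f"{f['principal']} wrote {f['count_in_window']} objects to {f['bucket']} using {f['reason']}")
```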

### **Seamless Azure CDR Enablement**

Vectra AI has streamlined Azure CDR enablement with a new Redirector Service fix. Customers can now seamlessly deploy Azure CDR without VPN or IP restrictions blocking the setup. This removes friction in onboarding cloud telemetry, ensuring faster time-to-value and immediate visibility into Azure threats. Security teams get quicker coverage with less hassle.

### **Vectra Match Integrated Ruleset Management**

Vectra Match now makes it easier to detect known Indicators of Compromise (IOCs) with Suricata-compatible signatures—no external tools required. As of 9.3, you can manage, modify, enable, or disable rules directly in the platform, and your changes persist even after Emerging Threats updates. It’s faster to set up, simpler to maintain, and puts full control of detection logic in your hands. For more information, visit [Managing Rulesets](/deployment/match/managing-rulesets.md).
{% endupdate %}

{% update date="2025-05-31" tags="2025.05" %}

## 2025.05

### **Introducing: Executive Overview Report**

Vectra is introducing the Executive Overview report on the Vectra AI Platform. This report is catered to CISOs and security executives who need to bring high-level metrics to their board or executive-level meetings. Metrics include noise to signal tunnel, investigation time saved with Vectra, attack trends, and more. This report allows executives to make strategic decisions and evaluate how Vectra reduces security breach risk for their organization.

### **Introducing: Global View**

Global View enables large enterprises and MSSPs to centrally manage and investigate threats across multiple Brains and tenants from a single RUX deployment—making it ideal for global operations with complex environments.

### **Introducing: Attack Graphs**

The new Attack Graph brings instant clarity to active threats by visually mapping how attackers move across your network, cloud, and identity environments. Powered by Vectra’s AI-Prioritization, each threat is now displayed directly on the host or account page—giving you immediate insight into where the attack started, what systems it interacted with, and how its risk level evolved over time.

Security teams can choose from three intuitive views to investigate threats in the way that best suits their workflow:

* Connectivity Graph – See how different entities are linked during the attack.
* Tree Graph – View the sequence of attacker actions in a structured path.
* Historical Score Over Time – Understand how the threat’s risk changed and escalated.

This capability empowers SOC teams to act quickly and confidently by surfacing context and urgency in a single, actionable view.

### **Traffic Validation Report Download Issue Resolved**

We've resolved an issue that prevented some customers—particularly those in large RUX environments—from downloading the Network Traffic Validation Report when its size exceeded approximately 6MB. The workflow has been enhanced to support larger report downloads, ensuring reliable access to traffic validation data regardless of report size.
{% endupdate %}

{% update date="2025-04-30" tags="2025.04" %}

## 2025.04

### **Improved Search by Sensor Name**

We've enhanced the search functionality on the Detections page to support searching by Sensor Name instead of the internal Sensor LUID. This update addresses customer feedback and makes it easier to find detections associated with specific sensors using recognizable names.

### **Enhanced Detection for Copilot Abuse in M365**

In response to strong customer interest, we’re expanding protection against potential abuse of Microsoft Copilot. In addition to the existing M365 Suspicious Copilot Access detection (which flags access from unusual locations), we’re introducing a new detection: M365 Copilot Sensitive Data Discovery. This identifies attacker behavior attempting to locate sensitive documents through Copilot in Microsoft 365.
{% endupdate %}

{% update date="2025-03-31" tags="2025.03" %}

## 2025.03

### **Enriching AI Prioritization Context**

Vectra now surfaces tailored attack profiles when detections span multiple attack surfaces, helping to identify complex threats with greater clarity. Two new profile types have been introduced:

* Hybrid Network Adversary: Indicates an attacker active in both network identity and cloud identity environments, suggesting coordinated activity across on-premises and cloud infrastructure.
* Multi-Cloud Service Adversary: Represents an attacker operating across multiple cloud-based services—such as identity providers, SaaS platforms, or public cloud environments—without direct engagement with network identity systems.

These profiles are designed to reflect the nature of hybrid threats and enhance threat context in the UI.

### **Support AI Triage for Azure Detections**

Vectra is enhancing support for Azure detections by enabling AI Triage for Azure CDR (Cloud Detection and Response) alerts. For each existing Azure detection type, we are evaluating and applying appropriate AI distillation algorithms, defining relevant context fields, and addressing any specific handling requirements. This will help surface high-fidelity insights more efficiently and improve detection clarity within the platform.
{% endupdate %}

{% update date="2025-02-28" tags="2025.02" %}

## 2025.02

### **Provide Support for Authentication via OAuth**

Vectra supports both the existing Personal Access Token (PAT) and the OAuth2 flow in v2.x. The OAuth2 access token is valid for 6 hours, after which it expires and a new token must be requested using the API client credentials. API clients can only be created in the Vectra UI. Accessing v2.x APIs older than v2.5 works the same way it does for v2.5. The public Postman collection has been updated for all v2.x versions.
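As an added example (not Vectra's own code), the token lifetime described above handled by a small Python client-credentials cache: it exchanges the API client credentials for an access token, reuses it across calls, and requests a fresh one shortly before the 6-hour expiry. The `/oauth2/token` path, HTTP Basic client authentication and the `access_token`/`expires_in` response fields are assumptions about the API shape; the HTTP call is injected so the expiry logic can be exercised offline.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Dict

TOKEN_LIFETIME_SECONDS = 6 * 60 * 60  # 6 hours, per the release note
REFRESH_MARGIN_SECONDS = 5 * 60       # renew a little early, never mid-request


class OAuth2TokenCache:
    """Caches a client-credentials access token and re-requests it once it expires."""

    def __init__(self, fetch_token: Callable[[], Dict], clock: Callable[[], float] = time.time):
        self._fetch_token = fetch_token   # injected so the logic runs offline in tests
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.refresh_count = 0            # how many times the client credentials were exchanged

    def get_token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN_SECONDS:
            resp = self._fetch_token()
            self._token = resp["access_token"]
            # Use expires_in when the server sends it, otherwise assume the documented 6 hours.
            self._expires_at = now + float(resp.get("expires_in", TOKEN_LIFETIME_SECONDS))
            self.refresh_count += 1
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.get_token()}"}


def make_client_credentials_fetcher(base_url: str, client_id: str, client_secret: str) -> Callable[[], Dict]:
    """Token request with HTTP Basic client authentication (RFC 6749 section 4.4).
    The /oauth2/token path is an assumption; take the real one from the Vectra API docs."""
    def fetch() -> Dict:
        if not base_url.startswith("https://"):
            raise ValueError("client credentials must only be sent over HTTPS")
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        req = urllib.request.Request(
            base_url.rstrip("/") + "/oauth2/token",
            data=b"grant_type=client_credentials",
            headers={"Authorization": f"Basic {creds}",
                     "Content-Type": "application/x-www-form-urlencoded"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as r:
            return json.load(r)
    return fetch
```

In production, wrap the fetcher with `OAuth2TokenCache(make_client_credentials_fetcher(...))` and send `cache.auth_header()` with each v2.x request; the cache handles the re-request after expiry.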

### **M365 GCC Support**

Vectra now supports Microsoft 365 Government Community Cloud (GCC) environments. While support previously existed for GCC-High and Azure AD customers, this update extends coverage to customers operating in GCC environments—commonly used by U.S. state, local, and federal agencies. By integrating with Microsoft’s GCC-specific endpoints, Vectra AI ensures secure and compliant log aggregation to provide complete visibility and threat detection across all Microsoft government cloud tiers.

### **Cybereason EDR Support**

Vectra added support for ingesting EDR alerts from Cybereason. Customers using Cybereason can now configure their integration within Cantina to enable alert ingestion and visibility.

### **Altering Group Type**

Starting in 9.1, Vectra supports conversion between static and dynamic group types for QUX deployments. Existing triage filters that reference a static group will continue to function without requiring any change after the group is redefined using a regex in the dynamic group configuration. This allows for greater flexibility and ease of implementation as customers move to dynamic groups. For more information on dynamic groups, see the [Dynamic Groups FAQ](https://support.vectra.ai/vectra/article/KB-VS-1839).
{% endupdate %}

{% update date="2025-01-31" tags="2025.01" %}

## 2025.01

### **Support Disabling DNS Detection**

Users can now disable DNS reply packet inspection within the Settings page. When this option is selected, a warning message informs users that disabling DNS reply packet logging may impact related detections.

### **Investigate from Anywhere: Last Seen IP**

Users can now pivot into Advanced Investigations from key data points outside the Advanced Investigations page. This update introduces a new menu on the Last Seen IP field within the Host cards on the Respond page. When hovering over the Last Seen IP field, users can select a query containing the IP address and pivot directly into the results of that query on the Advanced Investigations page.

### **Improved Main Navigation**

To support the growing number of dashboards, the navigation has been updated from horizontal tabs to a collapsible vertical sidebar. This redesign offers a more scalable and user-friendly way for users to access and manage dashboards.

### **Federated Account Reconciliation Enhancements**

This update adds support for reconciling Federated accounts in EntraID with their corresponding User Principal Names (UPNs), including alignment with matching Azure CDR entities and M365/AzureAD accounts.
{% endupdate %}
{% endupdates %}

