Sep 2025 Release Notes (RUX)
September 2025 highlights: Sliver Command and Control Coverage, Azure Suspect VM Logging Change, Reduced Alert Volume with Enhanced AI-Triage, Attack Graph: Focused View.
🛡️ Coverage
Sliver Command and Control Coverage
Vectra AI has expanded coverage to include Sliver’s English HTTP Channel, which disguises command-and-control traffic as strings of random English words to appear legitimate. This enhancement improves detection of obfuscated Sliver activity within normal HTTP traffic, strengthening visibility into advanced C2 evasion techniques.
TCP Command and Control Coverage
Vectra AI has enhanced detection coverage for plain-text TCP communications, identifying suspicious command activity hidden in unencrypted, text-based traffic. This update detects subtle behavioral patterns—such as abnormal packet flow and payload structure—to uncover covert command channels that evade traditional inspection. It expands visibility beyond encrypted traffic, strengthening detection across all communication types.
New Detection: Azure Suspect VM Logging Change
Vectra AI has introduced a new detection that surfaces suspicious behaviors tied to modification of logging extensions on Windows and Linux VMs, Virtual Machine Scale Sets and Hybrid machines. This provides deeper visibility into activity that may indicate attempts to tamper with security monitoring, covering both degraded and fully disabled logging.
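As an added illustration of the kind of change this detection watches for (this is not Vectra's detection logic and not code from the release notes), the Python hunt rule below flags Azure Activity Log operations that remove or re-apply the monitoring agent extensions on VMs, scale sets and hybrid machines. The resource-provider operation names and agent extension names are Azure's public ones; the record layout is a trimmed, constructed stand-in for the nested Activity Log JSON, and the severity mapping (delete = disabled, write = possibly degraded) is an assumption made for the example.

```python
"""Hunt rule for Azure Activity Log events that alter VM logging extensions.

Added example, not Vectra's detection. The operation names and the agent
extension names are Azure's public ones; the record layout is a trimmed,
constructed stand-in for the nested Activity Log JSON.
"""
import re

# The /extensions child resource of Azure VMs, Virtual Machine Scale Sets and
# Arc (hybrid) machines is where monitoring agents are installed and removed.
EXTENSION_OP = re.compile(
    r"^Microsoft\.(?:Compute/virtualMachines|Compute/virtualMachineScaleSets"
    r"|HybridCompute/machines)/extensions/(write|delete)$",
    re.IGNORECASE,
)

# Extension names of Azure's log-collecting agents (matched case-insensitively).
LOGGING_EXTENSIONS = {
    "azuremonitorwindowsagent", "azuremonitorlinuxagent",  # Azure Monitor Agent
    "microsoftmonitoringagent", "omsagentforlinux",        # legacy Log Analytics agent
    "iaasdiagnostics", "linuxdiagnostic",                  # Azure Diagnostics extension
}


def extension_name(resource_id):
    """Return the <name> in .../extensions/<name>, or None."""
    m = re.search(r"/extensions/([^/]+)$", resource_id, re.IGNORECASE)
    return m.group(1) if m else None


def classify(record):
    """Return a finding for a successful change to a logging extension, else None."""
    op = EXTENSION_OP.match(record["operationName"])
    if not op or record.get("status") != "Succeeded":
        return None
    name = extension_name(record["resourceId"])
    if name is None or name.lower() not in LOGGING_EXTENSIONS:
        return None
    verb = op.group(1).lower()
    # delete uninstalls the agent: collection stops (fully disabled).
    # write re-applies the agent's settings: this is how collection gets
    # narrowed or repointed (degraded), but it is also how a first install looks.
    # Assumption for this example: rate writes medium and leave the correlation
    # with prior extension inventory to the analyst or to a fuller rule.
    return {
        "severity": "high" if verb == "delete" else "medium",
        "effect": "logging disabled" if verb == "delete" else "logging possibly degraded",
        "extension": name,
        "caller": record["caller"],
        "resource": record["resourceId"].split("/extensions/")[0],
    }


def findings(records):
    """Run classify() over a batch and keep only the hits."""
    return [f for f in map(classify, records) if f is not None]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
# Constructed sample records with simplified fields (a fake subscription id).
SAMPLE_RECORDS = [
    {"operationName": "Microsoft.Compute/virtualMachines/extensions/delete",
     "resourceId": f"{SUB}/prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/AzureMonitorLinuxAgent",
     "caller": "svc-deploy@example.com", "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachineScaleSets/extensions/write",
     "resourceId": f"{SUB}/prod/providers/Microsoft.Compute/virtualMachineScaleSets/api-vmss/extensions/AzureMonitorWindowsAgent",
     "caller": "alice@example.com", "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": f"{SUB}/prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScriptExtension",
     "caller": "alice@example.com", "status": "Succeeded"},
    {"operationName": "Microsoft.HybridCompute/machines/extensions/delete",
     "resourceId": f"{SUB}/dc/providers/Microsoft.HybridCompute/machines/dc01/extensions/MicrosoftMonitoringAgent",
     "caller": "bob@example.com", "status": "Failed"},
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "resourceId": f"{SUB}/prod/providers/Microsoft.Compute/virtualMachines/web01",
     "caller": "alice@example.com", "status": "Succeeded"},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_RECORDS):
        print(finding)
```

Run as-is, it reports the agent removal on web01 and the agent write on the scale set, and ignores the unrelated CustomScriptExtension write, the failed deletion and the plain VM write. Failed operations are skipped here deliberately; a real rule may want to keep them as evidence of attempted tampering.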
Detection Enhancement: Azure Cryptomining
Enhancements have been introduced to the Azure Cryptomining detection to filter out behaviors tied to modification of existing compute instances, improving the fidelity of alerting around creation of new compute instances. Customers should expect fewer alerts tied to this behavior in their environment.
Expansion of Resource Logging for Storage Account (CDR for Azure)
Vectra AI will now consume Azure resource logs tied to Storage Accounts in support of new and upcoming detection use cases. These logs allow Vectra to detect impact and exfiltration behaviors observed in the later stages of the cloud kill chain. All new CDR for Azure connectors will automatically onboard these logs as part of connector setup. For existing CDR for Azure customers, the automated deployment scripts associated with CDR for Azure will have to be re-run; Vectra account teams will be making contact to facilitate the expansion of logging for existing customers.
M365 Detection Enhancements
Enhancements have been introduced across the following detections to improve breadth of coverage:
M365 Suspicious Mailbox Rule Creation and M365 Suspicious Mail Forwarding: These detections have been enhanced to include coverage for behaviors surrounding UpdateInboxRule. As a result of this enhancement, customers may observe a mild increase in the volume of these alerts.
Rapid Release Improvements
The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:
NDR-242: Vectra AI has expanded its current beaconing Command & Control algorithms to detect advanced C2 beaconing techniques that randomize both the beacon interval (time jitter) and the beacon size (data jitter) to evade traditional network monitoring. The result is improved visibility into stealthy C2 behavior and earlier detection of sophisticated threats attempting to hide within normal network activity.
NDR-302: Vectra AI has enhanced detection coverage for plain-text TCP communications, identifying suspicious command activity hidden in unencrypted, text-based traffic. This update detects subtle behavioral patterns—such as abnormal packet flow and payload structure—to uncover covert command channels that evade traditional inspection. It expands visibility beyond encrypted traffic, strengthening detection across all communication types.
NDR-314: Vectra AI has expanded coverage to include Sliver’s English HTTP Channel, which disguises command-and-control traffic as strings of random English words to appear legitimate. This enhancement improves detection of obfuscated Sliver activity within normal HTTP traffic, strengthening visibility into advanced C2 evasion techniques.
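The jitter point in NDR-242 is easiest to see in code. The following is an added example, not Vectra's algorithm and not code from these release notes: a jitter-tolerant periodicity score in Python, run over constructed flow records for one host that beacons roughly every 60 seconds with about 30% sleep jitter and padded request sizes, alongside the same host browsing a site irregularly. Hostnames, addresses, gap values, sizes and the thresholds (`band`, `max_cv`, `min_in_band`) are all assumptions chosen for the example.

```python
"""Jitter-tolerant beacon scoring over constructed flow records.

Added example, not Vectra's algorithm. A naive beacon detector looks for
identical gaps or identical request sizes; an implant that randomizes its
sleep and pads its payloads defeats it. This heuristic instead asks whether
most gaps sit inside a tolerance band around the median gap, which survives
both kinds of jitter.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, median, pstdev


def flows_from_gaps(src, dst, start, gaps, sizes):
    """Turn inter-arrival gaps into (ts, src, dst, bytes) records (constructed data)."""
    times = list(accumulate([start] + gaps))
    return [(t, src, dst, b) for t, b in zip(times, sizes)]


# Constructed sample: one host beaconing every ~60 s with ~30% sleep jitter and
# padded request sizes, plus the same host browsing another site irregularly.
BEACON_GAPS = [55, 68, 47, 73, 61, 52, 70, 44, 66, 58, 75, 49]
BEACON_SIZES = [412, 388, 455, 401, 377, 469, 423, 390, 447, 405, 380, 461, 430]
BROWSE_GAPS = [3, 1, 900, 2, 45, 1200, 7, 4, 3, 2000, 1, 9]
BROWSE_SIZES = [1200, 523, 80, 9800, 310, 2400, 640, 75, 5100, 2200, 410, 990, 1500]

FLOWS = sorted(
    flows_from_gaps("10.0.0.12", "203.0.113.7", 1_700_000_000, BEACON_GAPS, BEACON_SIZES)
    + flows_from_gaps("10.0.0.12", "198.51.100.20", 1_700_000_003, BROWSE_GAPS, BROWSE_SIZES)
)


def score_pairs(flows, min_gaps=8, band=0.5, max_cv=0.5, min_in_band=0.8):
    """Score each (src, dst) pair; returns a dict of per-pair statistics."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    results = {}
    for pair, recs in by_pair.items():
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        if len(gaps) < min_gaps:
            results[pair] = {"gaps": len(gaps), "beacon_like": False, "reason": "too few samples"}
            continue
        med = median(gaps)
        # Fraction of gaps within +/- band of the median: a sleep of 60 s with
        # +/-30% jitter still lands every gap inside a +/-50% band.
        in_band = sum((1 - band) * med <= g <= (1 + band) * med for g in gaps) / len(gaps)
        gap_cv = pstdev(gaps) / mean(gaps)      # relative spread of the timing
        sizes = [b for _, b in recs]
        size_cv = pstdev(sizes) / mean(sizes)   # reported for context, not used to decide
        results[pair] = {
            "gaps": len(gaps),
            "median_gap_s": med,
            "gap_cv": round(gap_cv, 3),
            "size_cv": round(size_cv, 3),
            "in_band_fraction": round(in_band, 3),
            "beacon_like": in_band >= min_in_band and gap_cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for pair, stats in score_pairs(FLOWS).items():
        print(pair, stats)
```

With the sample data the beaconing pair scores every gap inside the band with a gap coefficient of variation under 0.2, while the browsing pair lands only a third of its gaps in the band and has a coefficient of variation above 1. The size statistics are reported but deliberately not used for the decision, since size jitter is exactly what an implant uses to break size-based fingerprints; the minimum sample count guards against scoring a pair on one or two gaps.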
🔎 Clarity
API Improvements for CDR for Azure Alerts
Vectra AI has introduced API enhancements that add enriched, human-readable context (display names for identities and application IDs) to the CDR for Azure alerts consumed via API. These support investigative workflows by significantly reducing the time an analyst needs to gather key context. Previously, these enriched values were available only in the Vectra platform; they are now also present in the API-centric workflows customers may have in place.
Reduced Alert Volume with Enhanced AI-Triage
Vectra’s AI-Triage now delivers expanded capabilities across the kill chain and modern networks, cutting detection volumes significantly. It automatically investigates and resolves benign alerts, reducing alert fatigue while preserving full visibility into real threats.
This custom-built, rigorously tested capability identifies low-risk patterns that consistently appear in your environment and resolves them automatically, keeping your team focused on meaningful risk.
Expect fewer benign detections across network C2, recon, Azure AD, M365, Copilot for M365, and AWS.
Visibility is never lost — resolved detections remain searchable, auditable, and fully traceable. No actions are taken on your behalf beyond resolution.
Attack Graph: Focused View
Introducing Focused View, a new way to cut through the noise in complex attack graphs. Instead of overwhelming analysts with every node and edge, Focused View filters out low-priority detections and surfaces only the most critical links and progression paths. The result: less clutter, less confusion, and a clear perspective on how an attack unfolded. With clarity instead of clutter, security teams can accelerate investigations while still toggling to the full graph when needed. For more Attack Graph information, read the FAQ.