# Vectra Cognito
The Vectra Cognito connector enables automated threat detection and response by integrating Vectra's AI-driven security capabilities with Swimlane Turbine.

Vectra Cognito is an AI-driven threat detection and response platform that provides real-time attack visibility and non-stop automated threat hunting. The Vectra Cognito connector for Swimlane Turbine enables users to automate the retrieval of detailed detection information, support packet capture (PCAP) downloads, and ingest the latest detection data for enhanced analysis and response. By integrating with Vectra Cognito, Swimlane Turbine users can streamline their security operations, reduce response times, and leverage AI to identify and mitigate threats more effectively.

## Prerequisites

To utilize the Vectra Cognito connector within Swimlane Turbine, ensure you have OAuth 2.0 client credentials for authentication with these parameters:

- URL: endpoint URL for Vectra Cognito API access
- Client ID: unique identifier for OAuth 2.0 authentication
- Client Secret: confidential key for OAuth 2.0 authentication

## Capabilities

The Vectra Cognito connector provides the following capabilities:

- Get All Detections
- Get Detection By ID
- Get Detection To Support Downloads Of PCAP

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Detection By ID

Retrieve detailed information for a specific detection by providing its unique ID in Vectra Cognito.

Endpoint URL: `api/v3.2/detections/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| summary | object | Output field summary |
| user_type | string | Type of the resource |
| azure_ad_privilege | object | Output field azure_ad_privilege |
| privilege | number | Output field privilege |
| privilegecategory | string | Output field privilegecategory |
| num_events | number | Output field num_events |
| operations | array | Output field operations |
| src_ips | array | Output field src_ips |
| file_name | string | Name of the resource |
| file | string | Output field file |
| target_entities | array | Output field target_entities |
| description | string | Output field description |
| threat | number | Output field threat |
| note_modified_by | object | Output field note_modified_by |
| detection_category | string | Output field detection_category |
| is_marked_custom | boolean | Output field is_marked_custom |
| detection_type | string | Type of the resource |
| note_modified_timestamp | object | Output field note_modified_timestamp |
| assigned_to | object | Output field assigned_to |
| detection | string | Output field detection |
| note | object | Output field note |
| groups | array | Output field groups |
| file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/x-www-form-urlencoded",
      "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "summary": {},
      "threat": 0,
      "note_modified_by": null,
      "detection_category": "LATERAL MOVEMENT",
      "is_marked_custom": false,
      "detection_type": "Azure AD Privilege Operation Anomaly",
      "note_modified_timestamp": null,
      "assigned_to": null,
      "detection": "Azure AD Privilege Operation Anomaly",
      "note": null,
      "groups": [],
      "tags": [],
      "assigned_date": null,
      "src_ip": null,
      "certainty": 0
    }
  }
]
```

### Get Detection To Support Downloads Of PCAP

Retrieve packet capture data for a specific detection ID in Vectra Cognito.

Endpoint URL: `api/v3.3/detections/{{id}}/pcap`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Attachments |
| file | string | Output field file |
| file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 5 Jun 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "file": []
  }
]
```

### Get Detections

Retrieve and ingest the latest detection data from Vectra Cognito for analysis and response automation.

Endpoint URL: `api/v3.2/detections`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| fields | array | optional | Parameter for Get Detections |
| page | number | optional | Parameter for Get Detections |
| page_size | number | optional | Parameter for Get Detections |
| ordering | array | optional | Parameter for Get Detections |
| min_id | number | optional | Unique identifier |
| max_id | number | optional | Unique identifier |
| state | string | optional | Parameter for Get Detections |
| category | string | optional | Parameter for Get Detections |
| detection_type | string | optional | Type of the resource |
| detection_category | string | optional | Parameter for Get Detections |
| src_ip | string | optional | Parameter for Get Detections |
| t_score | number | optional | Score value |
| t_score_gte | number | optional | Parameter for Get Detections |
| threat_score | number | optional | Score value |
| threat_gte | number | optional | Parameter for Get Detections |
| c_score | number | optional | Score value |
| c_score_gte | number | optional | Parameter for Get Detections |
| tags | array | optional | Parameter for Get Detections |
| destination | string | optional | Parameter for Get Detections |
| proto | string | optional | Parameter for Get Detections |
| is_targeting_key_asset | boolean | optional | Parameter for Get Detections |
| note_modified_timestamp_gte | number | optional | Parameter for Get Detections |
| src_account | string | optional | Count value |
| id | number | optional | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| summary | object | Output field summary |
| user_type | string | Type of the resource |
| azure_ad_privilege | object | Output field azure_ad_privilege |
| privilege | number | Output field privilege |
| privilegecategory | string | Output field privilegecategory |
| num_events | number | Output field num_events |
| operations | array | Output field operations |
| src_ips | array | Output field src_ips |
| file_name | string | Name of the resource |
| file | string | Output field file |
| target_entities | array | Output field target_entities |
| description | string | Output field description |
| threat | number | Output field threat |
| note_modified_by | object | Output field note_modified_by |
| detection_category | string | Output field detection_category |
| is_marked_custom | boolean | Output field is_marked_custom |
| detection_type | string | Type of the resource |
| note_modified_timestamp | object | Output field note_modified_timestamp |
| assigned_to | object | Output field assigned_to |
| detection | string | Output field detection |
| note | object | Output field note |
| groups | array | Output field groups |
| file_name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/x-www-form-urlencoded",
      "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "summary": {},
      "threat": 0,
      "note_modified_by": null,
      "detection_category": "LATERAL MOVEMENT",
      "is_marked_custom": false,
      "detection_type": "Azure AD Privilege Operation Anomaly",
      "note_modified_timestamp": null,
      "assigned_to": null,
      "detection": "Azure AD Privilege Operation Anomaly",
      "note": null,
      "groups": [],
      "tags": [],
      "assigned_date": null,
      "src_ip": null,
      "certainty": 0
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 5 Jun 2024 20:37:23 GMT |
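The following is an added example, not code from the Swimlane connector or from Vectra: it builds the OAuth 2.0 client-credentials token request, turns the Get Detections input arguments above into the query string for `api/v3.2/detections`, and triages the detections a response returns by threat and certainty score. The token endpoint path (`/oauth2/token` with HTTP Basic auth), the score thresholds, and the sample detections are assumptions, not values from this page.

```python
# Added example, not from the Swimlane or Vectra documentation: token request,
# Get Detections query construction, and score-based triage of the results.
# Assumed: token path /oauth2/token with HTTP Basic client credentials, and the
# thresholds; SAMPLE_DETECTIONS below is constructed, not real data.
import base64
from urllib.parse import urlencode
from urllib.request import Request

def token_request(url, client_id, client_secret):
    """Client-credentials grant: client_id:client_secret as HTTP Basic (assumed path)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(f"{url.rstrip('/')}/oauth2/token",
                   data=urlencode({"grant_type": "client_credentials"}).encode(),
                   headers={"Authorization": f"Basic {basic}",
                            "Content-Type": "application/x-www-form-urlencoded"},
                   method="POST")

def detections_url(url, **filters):
    """Append only the Get Detections arguments actually supplied; list arguments
    (fields, ordering, tags) go comma-separated, booleans (is_targeting_key_asset) lowercase."""
    query = {}
    for name, value in filters.items():
        if value is None:
            continue
        if isinstance(value, bool):
            value = str(value).lower()
        elif isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        query[name] = value
    return f"{url.rstrip('/')}/api/v3.2/detections?{urlencode(query)}"

def triage(detections, threat_min=50, certainty_min=50):
    """Keep detections at or above both score thresholds that are not already in the
    'fixed' state, ordered by highest threat (then certainty) first."""
    hits = [d for d in detections
            if d.get("state") != "fixed"
            and d.get("threat", 0) >= threat_min
            and d.get("certainty", 0) >= certainty_min]
    return sorted(hits, key=lambda d: (d["threat"], d["certainty"]), reverse=True)

# Constructed sample shaped like the json_body of the Get Detections example above
SAMPLE_DETECTIONS = [
    {"id": 101, "detection": "Azure AD Privilege Operation Anomaly",
     "detection_category": "LATERAL MOVEMENT", "threat": 0, "certainty": 0, "state": "active"},
    {"id": 102, "detection": "Hidden HTTPS Tunnel",
     "detection_category": "COMMAND & CONTROL", "threat": 70, "certainty": 85, "state": "active"},
    {"id": 103, "detection": "Port Sweep",
     "detection_category": "RECONNAISSANCE", "threat": 60, "certainty": 55, "state": "fixed"},
]
```

Pass `verify_ssl` and `http_proxy` from the configuration through to whatever opener sends these requests; the functions above only build the requests and filter the results.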