# Vectra Cognito
## Overview

The Vectra Cognito connector enables automated threat detection and response by integrating Vectra's AI-driven security capabilities with Swimlane Turbine.

Vectra Cognito is an AI-driven threat detection and response platform that provides real-time attack visibility and non-stop automated threat hunting. The Vectra Cognito connector for Swimlane Turbine enables users to automate the retrieval of detailed detection information, support packet capture downloads, and ingest the latest detection data for enhanced analysis and response. By integrating with Vectra Cognito, Swimlane Turbine users can streamline their security operations, reduce response times, and leverage AI to identify and mitigate threats more effectively.

## Prerequisites

To utilize the Vectra Cognito connector within Swimlane Turbine, ensure you have the following:

- OAuth 2.0 client credentials for authentication, with these parameters:
  - URL: endpoint URL for Vectra Cognito API access
  - Client ID: unique identifier for OAuth 2.0 authentication
  - Client Secret: confidential key for OAuth 2.0 authentication

## Capabilities

The Vectra Cognito connector provides the following capabilities:

- Get All Detections
- Get Detection By ID
- Get Detection To Support Downloads Of Pcap

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Detection By ID

Retrieve detailed information for a specific detection by providing its unique ID in Vectra Cognito.

- Endpoint URL: `api/v3.2/detections/{{id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | Parameters for the Get Detection By ID action |

Input example:

```json
{"path_parameters": {"id": 1}}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| summary | object | Output field summary |
| summary.user_type | string | Type of the resource |
| summary.azure_ad_privilege | object | Output field summary.azure_ad_privilege |
| summary.azure_ad_privilege.privilege | number | Output field summary.azure_ad_privilege.privilege |
| summary.azure_ad_privilege.privilegeCategory | string | Output field summary.azure_ad_privilege.privilegeCategory |
| summary.num_events | number | Output field summary.num_events |
| summary.operations | array | Output field summary.operations |
| summary.src_ips | array | Output field summary.src_ips |
| summary.src_ips.file_name | string | Name of the resource |
| summary.src_ips.file | string | Output field summary.src_ips.file |
| summary.target_entities | array | Output field summary.target_entities |
| summary.description | string | Output field summary.description |
| threat | number | Output field threat |
| note_modified_by | object | Output field note_modified_by |
| detection_category | string | Output field detection_category |
| is_marked_custom | boolean | Output field is_marked_custom |
| detection_type | string | Type of the resource |
| note_modified_timestamp | object | Output field note_modified_timestamp |
| assigned_to | object | Output field assigned_to |
| detection | string | Output field detection |
| note | object | Output field note |
| groups | array | Output field groups |
| groups.file_name | string | Name of the resource |

Output example (the example is cut off on the source page):

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "summary": {
      "user_type": "regular",
      "azure_ad_privilege": {},
      "num_events": 2,
      "operations": [],
      "src_ips": [],
      "target_entities": [],
      "description": "This account was seen using an operation associated with a high privilege admin a"
    },
    "threat": 0,
    "note_modified_by": null,
    "detection_category": "LATERAL MOVEMENT",
    "is_marked_custom": false,
    "detection_type": "az
```

### Get Detection To Support Downloads Of Pcap

Retrieve packet capture data for a specific detection ID in Vectra Cognito.

- Endpoint URL: `api/v3.3/detections/{{id}}/pcap`
- Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | Parameters for the Get Detection To Support Downloads Of Pcap action |

Input example:

```json
{"path_parameters": {"id": "1"}}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | object | Attachments |
| file.file | string | Output field file.file |
| file.file_name | string | Name of the resource |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 5 Jun 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "file": []
}
```

### Get Detections

Retrieve and ingest the latest detection data from Vectra Cognito for analysis and response automation.

- Endpoint URL: `api/v3.2/detections`
- Method: GET

Input arguments (all are query parameters under `parameters`, and all are optional; the description of each on the source page is "Parameters for the Get Detections action"):

| Name | Type | Required |
|---|---|---|
| parameters.fields | array | optional |
| parameters.page | number | optional |
| parameters.page_size | number | optional |
| parameters.ordering | array | optional |
| parameters.min_id | number | optional |
| parameters.max_id | number | optional |
| parameters.state | string | optional |
| parameters.category | string | optional |
| parameters.detection_type | string | optional |
| parameters.detection_category | string | optional |
| parameters.src_ip | string | optional |
| parameters.t_score | number | optional |
| parameters.t_score_gte | number | optional |
| parameters.threat_score | number | optional |
| parameters.threat_gte | number | optional |
| parameters.c_score | number | optional |
| parameters.c_score_gte | number | optional |
| parameters.tags | array | optional |
| parameters.destination | string | optional |
| parameters.proto | string | optional |
| parameters.is_targeting_key_asset | boolean | optional |
| parameters.note_modified_timestamp_gte | number | optional |
| parameters.src_account | string | optional |
| parameters.id | number | optional |

Input example:

```json
{
  "parameters": {
    "fields": ["a", "c"],
    "page": 10,
    "page_size": 23,
    "ordering": ["minus"],
    "min_id": 1,
    "max_id": 1000,
    "state": "inactive",
    "category": "LATERAL MOVEMENT",
    "detection_type": "O365 Internal Spearphishing",
    "detection_category": "LATERAL MOVEMENT",
    "src_ip": "null",
    "t_score": 68,
    "t_score_gte": 1000,
    "threat_score": 280,
    "threat_gte": 2000,
    "c_score": 0,
    "c_score_gte": 1000,
    "tags": ["newticket", "under investigation"],
    "destination": "abc",
    "proto": "abc",
    "is_targeting_key_asset": true,
    "note_modified_timestamp_gte": 34,
    "src_account": "o365_do_not_reply@vectra.ai",
    "id": 2
  }
}
```

Output parameters:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| summary | object | Output field summary |
| summary.user_type | string | Type of the resource |
| summary.azure_ad_privilege | object | Output field summary.azure_ad_privilege |
| summary.azure_ad_privilege.privilege | number | Output field summary.azure_ad_privilege.privilege |
| summary.azure_ad_privilege.privilegeCategory | string | Output field summary.azure_ad_privilege.privilegeCategory |
| summary.num_events | number | Output field summary.num_events |
| summary.operations | array | Output field summary.operations |
| summary.src_ips | array | Output field summary.src_ips |
| summary.src_ips.file_name | string | Name of the resource |
| summary.src_ips.file | string | Output field summary.src_ips.file |
| summary.target_entities | array | Output field summary.target_entities |
| summary.description | string | Output field summary.description |
| threat | number | Output field threat |
| note_modified_by | object | Output field note_modified_by |
| detection_category | string | Output field detection_category |
| is_marked_custom | boolean | Output field is_marked_custom |
| detection_type | string | Type of the resource |
| note_modified_timestamp | object | Output field note_modified_timestamp |
| assigned_to | object | Output field assigned_to |
| detection | string | Output field detection |
| note | object | Output field note |
| groups | array | Output field groups |
| groups.file_name | string | Name of the resource |

Output example (the example is cut off on the source page):

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "summary": {
      "user_type": "regular",
      "azure_ad_privilege": {},
      "num_events": 2,
      "operations": [],
      "src_ips": [],
      "target_entities": [],
      "description": "This account was seen using an operation associated with a high privilege admin a"
    },
    "threat": 0,
    "note_modified_by": null,
    "detection_category": "LATERAL MOVEMENT",
    "is_marked_custom": false,
    "detection_type": "az
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 2 May 2024 20:37:23 GMT |
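The three actions above reduce to a handful of GET requests; the following added example (not Swimlane's or Vectra's own code) builds those request URLs from the documented paths and parameters, then shows how a playbook might rank a page of detections for analyst review. The query encoding for list and boolean filters, and the sample detections, are constructed assumptions rather than anything the page states.

```python
"""Added example, not Swimlane's or Vectra's own code: build the GET URLs the
three connector actions describe and triage a constructed page of detections."""
from urllib.parse import urlencode, urljoin

# Endpoint paths exactly as the page lists them for each action.
DETECTIONS_PATH = "api/v3.2/detections"
DETECTION_BY_ID_PATH = "api/v3.2/detections/{id}"
PCAP_PATH = "api/v3.3/detections/{id}/pcap"

def build_detections_url(base_url, **params):
    """URL for the Get Detections action from its optional query parameters."""
    query = {}
    for key, value in params.items():
        if value is None:
            continue                       # unset filter: leave it out entirely
        if isinstance(value, bool):
            value = str(value).lower()     # assumed encoding: is_targeting_key_asset=true
        elif isinstance(value, (list, tuple)):
            value = ",".join(map(str, value))   # assumed encoding for fields/ordering/tags
        query[key] = value
    url = urljoin(base_url.rstrip("/") + "/", DETECTIONS_PATH)
    return f"{url}?{urlencode(query)}" if query else url

def build_detection_url(base_url, detection_id, pcap=False):
    """URL for Get Detection By ID, or for its PCAP download when pcap=True."""
    path = (PCAP_PATH if pcap else DETECTION_BY_ID_PATH).format(id=int(detection_id))
    return urljoin(base_url.rstrip("/") + "/", path)

def triage(detections, threat_gte=50):
    """Order a page of detections for review: keep those not yet marked custom
    with threat >= threat_gte, key-asset targets first, then highest threat."""
    kept = [d for d in detections
            if d.get("threat", 0) >= threat_gte and not d.get("is_marked_custom")]
    kept.sort(key=lambda d: (not d.get("is_targeting_key_asset"), -d["threat"]))
    return [(d["id"], d["detection_category"], d["threat"]) for d in kept]

# Constructed sample page; field names follow the page's parameter tables.
SAMPLE_DETECTIONS = [
    {"id": 2, "detection_category": "LATERAL MOVEMENT", "threat": 0,
     "is_marked_custom": False, "is_targeting_key_asset": False},
    {"id": 7, "detection_category": "COMMAND & CONTROL", "threat": 80,
     "is_marked_custom": False, "is_targeting_key_asset": False},
    {"id": 9, "detection_category": "LATERAL MOVEMENT", "threat": 68,
     "is_marked_custom": False, "is_targeting_key_asset": True},
    {"id": 11, "detection_category": "EXFILTRATION", "threat": 90,
     "is_marked_custom": True, "is_targeting_key_asset": True},
]
```

The URL builders only assemble requests; the connector's OAuth 2.0 client credentials still have to be exchanged for a bearer token before any of them are sent.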