# Vectra Cognito v2

## Description

The Vectra Cognito v2 connector enables automated interactions with the Vectra Cognito platform, facilitating advanced threat detection and response capabilities. Vectra Cognito v2 is a cutting-edge cyber threat detection and response platform that provides comprehensive visibility into host behaviors and detects threats in real time. By integrating Vectra Cognito v2 with Swimlane Turbine, users can automate the enrichment of detection data, streamline note-taking and tagging on hosts and detections, and efficiently manage threat statuses. This connector empowers security teams to rapidly respond to incidents, gain deeper insights into host activities, and maintain an up-to-date security posture, all within the Swimlane Turbine low-code automation platform.

## Prerequisites

To utilize the Vectra Cognito v2 connector within Swimlane Turbine, ensure you have the following:

- API Token Authentication with these parameters:
  - URL: endpoint URL for Vectra Cognito v2 API access
  - API Token: unique token used to authenticate against the Vectra Cognito v2 API

## Capabilities

The Vectra Cognito connector provides the following capabilities:

- Add Detection Notes
- Add Host Notes
- Add Tags
- Get Host by ID
- Get Hosts
- Get Triage Rule by ID
- Retrieve Detections
- Update Detection

## Configurations

### Vectra Cognito Version 2 API Key Authentication

Authenticates using an API token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --------- | ----------- | ---- | -------- |
| URL | A URL to the target host | string | required |
| API Token | API token | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Detection Notes

Append notes to a specific detection identified by its detection ID in Vectra Cognito v2.

**Endpoint URL:** `/api/v2.5/detections/{{detection_id}}/notes`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.detection_id | string | required | Parameters for the Add Detection Notes action |
| note | string | optional | Parameter for Add Detection Notes |

#### Input Example

```json
{"json_body": {"note": "This is a detection note"}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| date_created | string | Output field date_created |
| date_modified | object | Output field date_modified |
| created_by | string | Output field created_by |
| modified_by | object | Output field modified_by |
| note | string | Output field note |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 2,
    "date_created": "2021-01-11T14:14:10.527603Z",
    "date_modified": null,
    "created_by": "vadmin",
    "modified_by": null,
    "note": "This is a detection note"
  }
}
```

### Add Host Notes

Append notes to a specified host within Vectra Cognito v2 using the host's unique identifier.

**Endpoint URL:** `/api/v2.5/hosts/{{host_id}}/notes`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.host_id | string | required | Parameters for the Add Host Notes action |
| note | string | optional | Parameter for Add Host Notes |

#### Input Example

```json
{"json_body": {"note": "This is a note"}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| date_created | string | Output field date_created |
| date_modified | object | Output field date_modified |
| created_by | string | Output field created_by |
| modified_by | object | Output field modified_by |
| note | string | Output field note |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 2,
    "date_created": "2021-01-11T13:54:47.987918Z",
    "date_modified": null,
    "created_by": "vadmin",
    "modified_by": null,
    "note": "This is a note"
  }
}
```

### Add Tags

Adds a new tag to a specified host in Vectra Cognito v2 using the host's unique identifier.

**Endpoint URL:** `/api/v2.5/tagging/host/{{host_id}}`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.host_id | string | required | Parameters for the Add Tags action |
| tags | array | optional | Parameter for Add Tags |

#### Input Example

```json
{"json_body": {"tags": ["test", "new tag", "this is a tag", "we need to follow up on this host"]}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

### Get Host by ID

Retrieve detailed information for a specific host in Vectra Cognito v2 using the unique host ID.

**Endpoint URL:** `/api/v2.5/hosts/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.id | string | required | Parameters for the Get Host by ID action |

#### Input Example

```json
{"path_parameters": {"id": 1}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| active_traffic | boolean | Output field active_traffic |
| t_score | number | Score value |
| c_score | number | Score value |
| last_source | string | Output field last_source |
| previous_ips | array | Output field previous_ips |
| last_detection_timestamp | string | Output field last_detection_timestamp |
| key_asset | boolean | Output field key_asset |
| state | string | Output field state |
| targets_key_asset | boolean | Output field targets_key_asset |
| probable_owner | string | Output field probable_owner |
| detection_set | array | Output field detection_set |
| host_artifact_set | array | Output field host_artifact_set |
| host_artifact_set.type | string | Type of the resource |
| host_artifact_set.value | string | Value for the parameter |
| sensor | object | Output field sensor |
| tags | array | Output field tags |
| note | string | Output field note |
| note_modified_by | string | Output field note_modified_by |
| note_modified_timestamp | string | Output field note_modified_timestamp |
| notes | array | Output field notes |
| notes.id | number | Unique identifier |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 1029,
    "name": "insightws07",
    "active_traffic": true,
    "t_score": 90,
    "c_score": 99,
    "last_source": "10.16.6.6",
    "previous_ips": ["10.16.12.1", "10.16.0.1"],
    "last_detection_timestamp": "2019-08-28T19:05:12Z",
    "key_asset": false,
    "state": "active",
    "targets_key_asset": true,
    "probable_owner": "dkelle",
    "detection_set": ["https://10.1.6.10/api/v2.5/detections/1354
```

### Get Hosts

Retrieve comprehensive information on all hosts from Vectra Cognito v2.

**Endpoint URL:** `/api/v2.5/hosts`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| parameters.fields | string | optional | Filters objects listed |
| parameters.page | number | optional | Page number. Possible values are a positive integer or `last` |
| parameters.page_size | number | optional | Page size. Possible values are a positive integer up to 5000 |
| parameters.ordering | string | optional | Orders records by last timestamp, threat score and certainty score. The default sorts threat and certainty score in ascending order. Scores can be sorted in descending order by prepending the query with the "minus" symbol |
| parameters.name | string | optional | Filter by name |
| parameters.state | string | optional | Filter by state: active or inactive |
| parameters.last_source | string | optional | Filter by last source (IP address) |
| parameters.t_score | number | optional | Filter by threat score |
| parameters.t_score_gte | number | optional | Filter by threat score >= the score provided |
| parameters.c_score | number | optional | Filter by certainty score |
| parameters.c_score_gte | number | optional | Filter by certainty score >= the score provided |
| parameters.last_detection_timestamp | string | optional | Filter by last detection timestamp |
| parameters.last_detection_timestamp_gte | string | optional | Filter by last detection timestamp >= the timestamp provided |
| parameters.last_detection_timestamp_lte | string | optional | Filter by last detection timestamp <= the timestamp provided |
| parameters.tags | string | optional | Filter by a tag or a comma-separated list of tags (returns hosts that contain any of the tags specified), e.g. `tags=baz`, `tags=foo,bar` |
| parameters.key_asset | boolean | optional | Filter by key asset: true, false |
| parameters.min_id | number | optional | Filter hosts that have an ID greater than or equal to min_id |
| parameters.max_id | number | optional | Filter hosts that have an ID less than or equal to max_id |
| parameters.mac_address | string | optional | Filter by MAC address |
| parameters.note_modified_timestamp_gte | string | optional | Filter by note modified timestamp >= the timestamp provided |
| parameters.privilege_level | number | optional | Filter by exact privilege level of hosts (1-10) |
| parameters.privilege_level_gte | number | optional | Filter hosts that have a privilege level greater than or equal to the supplied number (1-10) |
| parameters.privilege_category | string | optional | Filter hosts by privilege category. Options are 'low', 'medium' and 'high' |

#### Input Example

```json
{
  "parameters": {
    "fields": "string",
    "page": 123,
    "page_size": 123,
    "ordering": "string",
    "name": "example name",
    "state": "string",
    "last_source": "string",
    "t_score": 123,
    "t_score_gte": 123,
    "c_score": 123,
    "c_score_gte": 123,
    "last_detection_timestamp": "string",
    "last_detection_timestamp_gte": "string",
    "last_detection_timestamp_lte": "string",
    "tags": "string",
    "key_asset": true,
    "min_id": 123,
    "max_id": 123,
    "mac_address": "string",
    "note_modified_timestamp_gte": "string",
    "privilege_level": 123,
    "privilege_level_gte": 123,
    "privilege_category": "string"
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| active_traffic | boolean | Output field active_traffic |
| t_score | number | Score value |
| c_score | number | Score value |
| last_source | string | Output field last_source |
| previous_ips | array | Output field previous_ips |
| last_detection_timestamp | string | Output field last_detection_timestamp |
| key_asset | boolean | Output field key_asset |
| state | string | Output field state |
| targets_key_asset | boolean | Output field targets_key_asset |
| probable_owner | string | Output field probable_owner |
| detection_set | array | Output field detection_set |
| host_artifact_set | array | Output field host_artifact_set |
| host_artifact_set.type | string | Type of the resource |
| host_artifact_set.value | string | Value for the parameter |
| sensor | object | Output field sensor |
| tags | array | Output field tags |
| note | string | Output field note |
| note_modified_by | string | Output field note_modified_by |
| note_modified_timestamp | string | Output field note_modified_timestamp |
| notes | array | Output field notes |
| notes.id | number | Unique identifier |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Type": "application/x-www-form-urlencoded",
    "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 1029,
    "name": "insightws07",
    "active_traffic": true,
    "t_score": 90,
    "c_score": 99,
    "last_source": "10.16.6.6",
    "previous_ips": ["10.16.12.1", "10.16.0.1"],
    "last_detection_timestamp": "2019-08-28T19:05:12Z",
    "key_asset": false,
    "state": "active",
    "targets_key_asset": true,
    "probable_owner": "dkelle",
    "detection_set": ["https://10.1.6.10/api/v2.5/detections/1354
```

### Get Triage Rule by ID

Retrieve a specific triage rule from Vectra Cognito v2 using the unique identifier.

**Endpoint URL:** `/api/v2.5/rules/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| path_parameters.id | string | required | Parameters for the Get Triage Rule by ID action |

#### Input Example

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| url | string | URL endpoint for the request |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| created_timestamp | string | Output field created_timestamp |
| last_timestamp | object | Output field last_timestamp |
| is_whitelist | boolean | Output field is_whitelist |
| priority | object | Output field priority |
| active_detections | number | Output field active_detections |
| total_detections | number | Output field total_detections |
| template | boolean | Output field template |
| additional_conditions | object | Output field additional_conditions |
| additional_conditions.OR | array | Output field additional_conditions.OR |
| additional_conditions.OR.AND | array | Output field additional_conditions.OR.AND |
| additional_conditions.OR.AND.ANY_OF | object | Output field additional_conditions.OR.AND.ANY_OF |
| additional_conditions.OR.AND.ANY_OF.field | string | Output field additional_conditions.OR.AND.ANY_OF.field |
| additional_conditions.OR.AND.ANY_OF.values | array | Value for the parameter |
| additional_conditions.OR.AND.ANY_OF.groups | array | Output field additional_conditions.OR.AND.ANY_OF.groups |
| additional_conditions.OR.AND.ANY_OF.label | string | Output field additional_conditions.OR.AND.ANY_OF.label |
| source_conditions | object | Output field source_conditions |
| source_conditions.OR | array | Output field source_conditions.OR |
| source_conditions.OR.AND | array | Output field source_conditions.OR.AND |
| source_conditions.OR.AND.ANY_OF | object | Output field source_conditions.OR.AND.ANY_OF |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "id": 68,
    "url": "https://1.1.1.1/api/v2.5/rules/68",
    "description": "Expected behavior from these devices",
    "enabled": true,
    "created_timestamp": "2019-08-27T20:55:29Z",
    "last_timestamp": null,
    "is_whitelist": false,
    "priority": null,
    "active_detections": 2,
    "total_detections": 3,
    "template": true,
    "additional_conditions": {"OR": []},
    "source_conditions": {"OR
```

### Retrieve Detections

Gather all detection data from Vectra Cognito v2, providing a comprehensive overview of potential security threats.

**Endpoint URL:** `/api/v2.5/detections`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| parameters.fields | string | optional | Filters objects listed |
| parameters.page | number | optional | Page number. Possible values are a positive integer or `last` |
| parameters.page_size | number | optional | Page size. Possible values are a positive integer, up to 5000 |
| parameters.ordering | string | optional | Orders records by last timestamp, threat score and certainty score. The default sorts threat and certainty score in ascending order. Scores can be sorted in descending order by prepending the query with the "minus" symbol |
| parameters.min_id | number | optional | Greater than or equal to (>=) the ID provided |
| parameters.max_id | number | optional | Less than or equal to (<=) the ID provided |
| parameters.state | string | optional | Filter by state: active, inactive, ignored, ignored for all |
| parameters.category | string | optional | Filter by the detection category. This performs a partial word match; for example, you can use `recon` to query all reconnaissance category detections |
| parameters.detection_type | string | optional | Filter by the name of the threat detected |
| parameters.detection_category | string | optional | Filter by the detection category |
| parameters.src_ip | string | optional | Filter by source (IP address) |
| parameters.t_score | number | optional | Filter by threat score |
| parameters.t_score_gte | number | optional | Filter by threat score >= the score provided |
| parameters.threat_score | number | optional | Filter by threat score |
| parameters.threat_gte | number | optional | Filter by threat score >= the score provided |
| parameters.c_score | number | optional | Filter by certainty score |
| parameters.c_score_gte | number | optional | Filter by certainty score >= the score provided |
| parameters.certainty | number | optional | Filter by certainty score |
| parameters.certainty_gte | number | optional | Filter by certainty score >= the score provided |
| parameters.last_timestamp_gte | string | optional | Filter by last timestamp >= the date provided |
| parameters.last_timestamp | string | optional | Filter by last timestamp |
| parameters.host_id | number | optional | Filter by ID of the host object a detection is attributed to |
| parameters.tags | string | optional | Filter by a tag or a comma-separated list of tags |
| parameters.destination | string | optional | Filter by destination in the detection detail set |
| parameters.proto | string | optional | Filter by the protocol in the detection detail set |

#### Input Example

```json
{
  "parameters": {
    "fields": "string",
    "page": 123,
    "page_size": 123,
    "ordering": "string",
    "min_id": 123,
    "max_id": 123,
    "state": "string",
    "category": "string",
    "detection_type": "string",
    "detection_category": "string",
    "src_ip": "string",
    "t_score": 123,
    "t_score_gte": 123,
    "threat_score": 123,
    "threat_gte": 123,
    "c_score": 123,
    "c_score_gte": 123,
    "certainty": 123,
    "certainty_gte": 123,
    "last_timestamp_gte": "string",
    "last_timestamp": "string",
    "host_id": 123,
    "tags": "string",
    "destination": "string",
    "proto": "string",
    "is_targeting_key_asset": true,
    "note_modified_timestamp_gte": "string"
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_timestamp | string | Output field last_timestamp |
| grouped_details | array | Output field grouped_details |
| grouped_details.num_sessions | number | Output field grouped_details.num_sessions |
| grouped_details.protocol | string | Output field grouped_details.protocol |
| grouped_details.last_timestamp | string | Output field grouped_details.last_timestamp |
| grouped_details.host_detection | number | Output field grouped_details.host_detection |
| grouped_details.accounts | array | Output field grouped_details.accounts |
| grouped_details.is_host_detail | boolean | Output field grouped_details.is_host_detail |
| grouped_details.bytes_received | number | Output field grouped_details.bytes_received |
| grouped_details.dst_geo | object | Output field grouped_details.dst_geo |
| grouped_details.src_ip | string | Output field grouped_details.src_ip |
| grouped_details.dst_ips | array | Output field grouped_details.dst_ips |
| grouped_details.grouping_field | string | Output field grouped_details.grouping_field |
| grouped_details.description | object | Output field grouped_details.description |
| grouped_details.is_account_detail | boolean | Output field grouped_details.is_account_detail |
| grouped_details.dst_ports | array | Output field grouped_details.dst_ports |
| grouped_details.account_detection | object | Output field grouped_details.account_detection |
| grouped_details.first_timestamp | string | Output field grouped_details.first_timestamp |
| grouped_details.dst_geo_lat | object | Output field grouped_details.dst_geo_lat |
| grouped_details.dst_geo_lon | object | Output field grouped_details.dst_geo_lon |
| grouped_details.bytes_sent | number | Output field grouped_details.bytes_sent |
| grouped_details.target_domains | array | Output field grouped_details.target_domains |
| grouped_details.account_uid | object | Unique identifier |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "last_timestamp": "2019-08-27T20:13:08Z",
    "grouped_details": [{}],
    "custom_detection": null,
    "is_custom_model": false,
    "detection": "Hidden HTTP Tunnel",
    "detection_type": "Hidden HTTP Tunnel",
    "is_targeting_key_asset": false,
    "note_modified_timestamp": "2021-12-15T17:26:41Z",
    "c_score": 59,
    "t_score": 10,
    "id": 36,
    "category": "COMMAND & CONTROL",
    "src_ip": "
```

### Update Detection

Mark or unmark multiple detections as fixed in Vectra Cognito v2 using the provided JSON body.

**Endpoint URL:** `/api/v2.5/detections`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| ---- | ---- | -------- | ----------- |
| detectionIdList | array | optional | Unique identifier |
| mark_as_fixed | string | optional | Parameter for Update Detection |

#### Input Example

```json
{"detectionIdList": [123], "mark_as_fixed": "string"}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

## Response Headers

| Header | Description | Example |
| ------ | ----------- | ------- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 15 Apr 2024 20:37:23 GMT |
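As an added example (not part of the Swimlane connector or of Vectra's own code), the Python below builds a Retrieve Detections request using the `ordering`, `page`, `page_size` and `tags` semantics documented above, triages a constructed detections response on `t_score_gte`/`c_score_gte`, and builds the Update Detection body. It assumes the `Authorization: Token <api token>` header scheme and that paginated responses wrap detections in a `results` list; it sends nothing over the network.

```python
"""Request and triage helpers for the Vectra Cognito v2.5 actions above.

Added example, not connector or Vectra code; the ``Authorization: Token`` scheme
and the ``results`` wrapper on paginated responses are assumptions. No network calls.
"""
from urllib.parse import urlencode

DETECTIONS_PATH = "/api/v2.5/detections"  # Retrieve / Update Detection endpoint
MAX_PAGE_SIZE = 5000  # documented upper bound for page_size


def build_detections_request(base_url, api_token, *, t_score_gte=None,
                             c_score_gte=None, state="active", tags=None,
                             page=1, page_size=500, descending_by="t_score"):
    """Return (url, headers) for Retrieve Detections. ``page`` is a positive
    integer or "last"; ``descending_by`` becomes the "minus"-prefixed ordering
    the page describes (e.g. -t_score); ``tags`` is sent comma-separated."""
    if page != "last" and (not isinstance(page, int) or page < 1):
        raise ValueError("page must be a positive integer or 'last'")
    params = {"page": page, "page_size": min(int(page_size), MAX_PAGE_SIZE)}
    if descending_by:
        params["ordering"] = "-" + descending_by
    if state:
        params["state"] = state
    if t_score_gte is not None:
        params["t_score_gte"] = t_score_gte
    if c_score_gte is not None:
        params["c_score_gte"] = c_score_gte
    if tags:
        params["tags"] = ",".join(tags)  # any-match list, as documented
    url = base_url.rstrip("/") + DETECTIONS_PATH + "?" + urlencode(params)
    headers = {"Authorization": f"Token {api_token}",  # assumed scheme
               "Accept": "application/json"}
    return url, headers


def select_for_triage(json_body, t_score_gte, c_score_gte):
    """IDs of detections meeting both thresholds, highest t_score first.
    Accepts a paginated body with a ``results`` list (assumed) or a single
    detection object shaped like the output example on this page."""
    hits = [d for d in json_body.get("results", [json_body])
            if d.get("t_score", 0) >= t_score_gte and d.get("c_score", 0) >= c_score_gte]
    return [d["id"] for d in sorted(hits, key=lambda d: d["t_score"], reverse=True)]


def build_mark_fixed_body(detection_ids, fixed=True):
    """Body for Update Detection (PATCH /api/v2.5/detections); the page types
    mark_as_fixed as a string, so the "True"/"False" values are an assumption."""
    ids = sorted({int(i) for i in detection_ids})  # de-duplicate, keep integers
    if not ids:
        raise ValueError("detectionIdList must not be empty")
    return {"detectionIdList": ids, "mark_as_fixed": "True" if fixed else "False"}


SAMPLE_RESPONSE = {"results": [  # constructed sample in the Retrieve Detections shape
    {"id": 36, "detection_type": "Hidden HTTP Tunnel", "t_score": 10, "c_score": 59},
    {"id": 40, "detection_type": "Example Detection B", "t_score": 70, "c_score": 80},
    {"id": 41, "detection_type": "Example Detection C", "t_score": 75, "c_score": 30},
    {"id": 42, "detection_type": "Example Detection D", "t_score": 90, "c_score": 95},
]}
```

Detection 41 is excluded despite its high threat score because its certainty score is below the threshold; both filters apply, mirroring the `t_score_gte` and `c_score_gte` query parameters.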