# Vectra Cognito v2
The Vectra Cognito v2 connector enables automated interactions with the Vectra Cognito platform, facilitating advanced threat detection and response capabilities.

Vectra Cognito v2 is a cyber threat detection and response platform that provides visibility into host behaviors and detects threats in real time. By integrating Vectra Cognito v2 with Swimlane Turbine, users can automate the enrichment of detection data, streamline note-taking and tagging on hosts and detections, and manage threat statuses. This connector lets security teams respond to incidents quickly, gain deeper insight into host activity, and keep their security posture current, all within the Swimlane Turbine low-code automation platform.

## Prerequisites

To utilize the Vectra Cognito v2 connector within Swimlane Turbine, ensure you have the following:

- API token authentication with these parameters:
  - **URL**: endpoint URL for Vectra Cognito v2 API access
  - **API token**: unique token used to authenticate against the Vectra Cognito v2 API

## Capabilities

The Vectra Cognito connector provides the following capabilities:

- Add Detection Notes
- Add Host Notes
- Add Tags
- Get Host By ID
- Get Hosts
- Get Triage Rule By ID
- Retrieve Detections
- Update Detection

## Configurations

### Vectra Cognito Version 2 API Key Authentication

Authenticates using an API token.

**Configuration Parameters**

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| api_token | API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

Leave `verify_ssl` enabled outside of lab environments: with certificate verification disabled, the API token is sent to whatever answers on the configured URL, and any `http_proxy` you configure sees that token as well.

## Actions

### Add Detection Notes

Append notes to a specific detection, identified by its detection ID, in Vectra Cognito v2.

**Endpoint URL:** `/api/v2.5/detections/{{detection_id}}/notes`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| detection_id | string | required | Unique identifier |
| note | string | optional | Parameter for Add Detection Notes |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| date_created | string | Output field date_created |
| date_modified | object | Output field date_modified |
| created_by | string | Output field created_by |
| modified_by | object | Output field modified_by |
| note | string | Output field note |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 2,
      "date_created": "2021-01-11T14:14:10.527603Z",
      "date_modified": null,
      "created_by": "vadmin",
      "modified_by": null,
      "note": "This is a detection note"
    }
  }
]
```

### Add Host Notes

Append notes to a specified host within Vectra Cognito v2 using the host's unique identifier.

**Endpoint URL:** `/api/v2.5/hosts/{{host_id}}/notes`

**Method:** POST

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| host_id | string | required | Unique identifier |
| note | string | optional | Parameter for Add Host Notes |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| date_created | string | Output field date_created |
| date_modified | object | Output field date_modified |
| created_by | string | Output field created_by |
| modified_by | object | Output field modified_by |
| note | string | Output field note |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 2,
      "date_created": "2021-01-11T13:54:47.987918Z",
      "date_modified": null,
      "created_by": "vadmin",
      "modified_by": null,
      "note": "This is a note"
    }
  }
]
```

### Add Tags

Adds a new tag to a specified host in Vectra Cognito v2 using the host's unique identifier. The request body is a list of tags; if you need the host's existing tags preserved, read them first with Get Host By ID (the `tags` output field) and include them in `tags` rather than sending only the new one.

**Endpoint URL:** `/api/v2.5/tagging/host/{{host_id}}`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| host_id | string | required | Unique identifier |
| tags | array | optional | Parameter for Add Tags |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Host By ID

Retrieve detailed information for a specific host in Vectra Cognito v2 using the unique host ID.

**Endpoint URL:** `/api/v2.5/hosts/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| active_traffic | boolean | Output field active_traffic |
| t_score | number | Score value |
| c_score | number | Score value |
| last_source | string | Output field last_source |
| previous_ips | array | Output field previous_ips |
| last_detection_timestamp | string | Output field last_detection_timestamp |
| key_asset | boolean | Output field key_asset |
| state | string | Output field state |
| targets_key_asset | boolean | Output field targets_key_asset |
| probable_owner | string | Output field probable_owner |
| detection_set | array | Output field detection_set |
| host_artifact_set | array | Output field host_artifact_set |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| sensor | object | Output field sensor |
| tags | array | Output field tags |
| note | string | Output field note |
| note_modified_by | string | Output field note_modified_by |
| note_modified_timestamp | string | Output field note_modified_timestamp |
| notes | array | Output field notes |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/x-www-form-urlencoded",
      "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 1029,
      "name": "insightws07",
      "active_traffic": true,
      "t_score": 90,
      "c_score": 99,
      "last_source": "10.16.6.6",
      "previous_ips": [],
      "last_detection_timestamp": "2019-08-28T19:05:12Z",
      "key_asset": false,
      "state": "active",
      "targets_key_asset": true,
      "probable_owner": "dkelle",
      "detection_set": [],
      "host_artifact_set": [],
      "sensor": null
    }
  }
]
```

### Get Hosts

Retrieve comprehensive information on all hosts from Vectra Cognito v2.

**Endpoint URL:** `/api/v2.5/hosts`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| fields | string | optional | Filters objects listed |
| page | number | optional | Page number. Possible values are a positive integer or `last` |
| page_size | number | optional | Page size. Possible values are a positive integer up to 5000 |
| ordering | string | optional | Orders records by last timestamp, threat score and certainty score. By default, threat and certainty score are sorted in ascending order; prepend a minus sign to sort a score in descending order |
| name | string | optional | Filter by name |
| state | string | optional | Filter by state: `active` or `inactive` |
| last_source | string | optional | Filter by last source (IP address) |
| t_score | number | optional | Filter by threat score |
| t_score_gte | number | optional | Filter by threat score >= the score provided |
| c_score | number | optional | Filter by certainty score |
| c_score_gte | number | optional | Filter by certainty score >= the score provided |
| last_detection_timestamp | string | optional | Filter by last detection timestamp |
| last_detection_timestamp_gte | string | optional | Filter by last detection timestamp >= the timestamp provided |
| last_detection_timestamp_lte | string | optional | Filter by last detection timestamp <= the timestamp provided |
| tags | string | optional | Filter by a tag or a comma-separated list of tags (returns hosts that contain any of the tags specified), e.g. `tags=baz` or `tags=foo,bar` |
| key_asset | boolean | optional | Filter by key asset: `true`, `false` |
| min_id | number | optional | Filter hosts with id >= `min_id` |
| max_id | number | optional | Filter hosts with id <= `max_id` |
| mac_address | string | optional | Filter by MAC address |
| note_modified_timestamp_gte | string | optional | Filter by note modified timestamp >= the timestamp provided |
| privilege_level | number | optional | Filter by exact privilege level of hosts (1-10) |
| privilege_level_gte | number | optional | Filter hosts with a privilege level >= the supplied number (1-10) |
| privilege_category | string | optional | Filter hosts by privilege category. Options are `low`, `medium` and `high` |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| active_traffic | boolean | Output field active_traffic |
| t_score | number | Score value |
| c_score | number | Score value |
| last_source | string | Output field last_source |
| previous_ips | array | Output field previous_ips |
| last_detection_timestamp | string | Output field last_detection_timestamp |
| key_asset | boolean | Output field key_asset |
| state | string | Output field state |
| targets_key_asset | boolean | Output field targets_key_asset |
| probable_owner | string | Output field probable_owner |
| detection_set | array | Output field detection_set |
| host_artifact_set | array | Output field host_artifact_set |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| sensor | object | Output field sensor |
| tags | array | Output field tags |
| note | string | Output field note |
| note_modified_by | string | Output field note_modified_by |
| note_modified_timestamp | string | Output field note_modified_timestamp |
| notes | array | Output field notes |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/x-www-form-urlencoded",
      "Date": "Wed, 21 Jun 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 1029,
      "name": "insightws07",
      "active_traffic": true,
      "t_score": 90,
      "c_score": 99,
      "last_source": "10.16.6.6",
      "previous_ips": [],
      "last_detection_timestamp": "2019-08-28T19:05:12Z",
      "key_asset": false,
      "state": "active",
      "targets_key_asset": true,
      "probable_owner": "dkelle",
      "detection_set": [],
      "host_artifact_set": [],
      "sensor": null
    }
  }
]
```

### Get Triage Rule By ID

Retrieve a specific triage rule from Vectra Cognito v2 using the unique identifier.

**Endpoint URL:** `/api/v2.5/rules/{{id}}`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| url | string | URL endpoint for the request |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| created_timestamp | string | Output field created_timestamp |
| last_timestamp | object | Output field last_timestamp |
| is_whitelist | boolean | Output field is_whitelist |
| priority | object | Output field priority |
| active_detections | number | Output field active_detections |
| total_detections | number | Output field total_detections |
| template | boolean | Output field template |
| additional_conditions | object | Output field additional_conditions |
| additional_conditions.OR | array | Output field OR |
| additional_conditions.AND | array | Output field AND |
| additional_conditions.any_of | object | Output field any_of |
| additional_conditions.field | string | Output field field |
| additional_conditions.values | array | Value for the parameter |
| additional_conditions.groups | array | Output field groups |
| additional_conditions.label | string | Output field label |
| source_conditions | object | Output field source_conditions |
| source_conditions.OR | array | Output field OR |
| source_conditions.AND | array | Output field AND |
| source_conditions.any_of | object | Output field any_of |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": 68,
      "url": "https://1.1.1.1/api/v2.5/rules/68",
      "description": "Expected behavior from these devices",
      "enabled": true,
      "created_timestamp": "2019-08-27T20:55:29Z",
      "last_timestamp": null,
      "is_whitelist": false,
      "priority": null,
      "active_detections": 2,
      "total_detections": 3,
      "template": true,
      "additional_conditions": {},
      "source_conditions": {},
      "detection_category": "RECONNAISSANCE",
      "triage_category": "Expected IPAM behavior"
    }
  }
]
```

### Retrieve Detections

Gather all detection data from Vectra Cognito v2, providing a comprehensive overview of potential security threats.

**Endpoint URL:** `/api/v2.5/detections`

**Method:** GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| fields | string | optional | Filters objects listed |
| page | number | optional | Page number. Possible values are a positive integer or `last` |
| page_size | number | optional | Page size. Possible values are a positive integer, up to 5000 |
| ordering | string | optional | Orders records by last timestamp, threat score and certainty score. By default, threat and certainty score are sorted in ascending order; prepend a minus sign to sort a score in descending order |
| min_id | number | optional | Greater than or equal to (>=) the id provided |
| max_id | number | optional | Less than or equal to (<=) the id provided |
| state | string | optional | Filter by state: `active`, `inactive`, `ignored`, `ignored for all` |
| category | string | optional | Filter by the detection category. This performs a partial word match; for example, you can use `recon` to query all reconnaissance category detections |
| detection_type | string | optional | Filter by the name of the threat detected |
| detection_category | string | optional | Filter by the detection category |
| src_ip | string | optional | Filter by source (IP address) |
| t_score | number | optional | Filter by threat score |
| t_score_gte | number | optional | Filter by threat score >= the score provided |
| threat_score | number | optional | Filter by threat score |
| threat_gte | number | optional | Filter by threat score >= the score provided |
| c_score | number | optional | Filter by certainty score |
| c_score_gte | number | optional | Filter by certainty score >= the score provided |
| certainty | number | optional | Filter by certainty score |
| certainty_gte | number | optional | Filter by certainty score >= the score provided |
| last_timestamp_gte | string | optional | Filter by last timestamp >= the date provided |
| last_timestamp | string | optional | Filter by last timestamp |
| host_id | number | optional | Filter by id of the host object a detection is attributed to |
| tags | string | optional | Filter by a tag or a comma-separated list of tags |
| destination | string | optional | Filter by destination in the detection detail set |
| proto | string | optional | Filter by the protocol in the detection detail set |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_timestamp | string | Output field last_timestamp |
| grouped_details | array | Output field grouped_details |
| grouped_details.num_sessions | number | Output field num_sessions |
| grouped_details.protocol | string | Output field protocol |
| grouped_details.last_timestamp | string | Output field last_timestamp |
| grouped_details.host_detection | number | Output field host_detection |
| grouped_details.accounts | array | Output field accounts |
| grouped_details.is_host_detail | boolean | Output field is_host_detail |
| grouped_details.bytes_received | number | Output field bytes_received |
| grouped_details.dst_geo | object | Output field dst_geo |
| grouped_details.src_ip | string | Output field src_ip |
| grouped_details.dst_ips | array | Output field dst_ips |
| grouped_details.grouping_field | string | Output field grouping_field |
| grouped_details.description | object | Output field description |
| grouped_details.is_account_detail | boolean | Output field is_account_detail |
| grouped_details.dst_ports | array | Output field dst_ports |
| grouped_details.account_detection | object | Output field account_detection |
| grouped_details.first_timestamp | string | Output field first_timestamp |
| grouped_details.dst_geo_lat | object | Output field dst_geo_lat |
| grouped_details.dst_geo_lon | object | Output field dst_geo_lon |
| grouped_details.bytes_sent | number | Output field bytes_sent |
| grouped_details.target_domains | array | Output field target_domains |
| grouped_details.account_uid | object | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "last_timestamp": "2019-08-27T20:13:08Z",
      "grouped_details": [],
      "custom_detection": null,
      "is_custom_model": false,
      "detection": "Hidden HTTP Tunnel",
      "detection_type": "Hidden HTTP Tunnel",
      "is_targeting_key_asset": false,
      "note_modified_timestamp": "2021-12-15T17:26:41Z",
      "c_score": 59,
      "t_score": 10,
      "id": 36,
      "category": "COMMAND & CONTROL",
      "src_ip": "1.1.1.1",
      "detection_category": "COMMAND & CONTROL",
      "note": "This is a second note by admin."
    }
  }
]
```

### Update Detection

Mark or unmark multiple detections as fixed in Vectra Cognito v2 using the provided JSON body.

**Endpoint URL:** `/api/v2.5/detections`

**Method:** PATCH

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| detectionIdList | array | optional | Unique identifiers of the detections to update |
| mark_as_fixed | string | optional | Parameter for Update Detection |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 15 Apr 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 21 Jun 2023 20:37:23 GMT |
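The following is an added example, not code from the Swimlane connector or from Vectra, that strings the documented actions together the way a playbook would: it pages through Retrieve Detections with the filter names above (`state`, `host_id`, `t_score_gte`, `c_score_gte`, `page`, `page_size`), adds a note to each hit, merges a tag into the host's existing `tags` before calling Add Tags, and closes the hits with Update Detection's `detectionIdList` / `mark_as_fixed` body. Two things it assumes that this page does not state: the token is sent as an `Authorization: Token <api_token>` header, and list endpoints wrap results in a `{"count", "next", "previous", "results"}` envelope. `VectraSim` is a constructed in-memory stand-in for an appliance so the module runs offline; `urllib_sender` is the real transport and shows what the `verify_ssl` and `http_proxy` configuration parameters mean on the wire.

```python
# Added example (not the connector's own code). Assumed, not stated on this page:
# "Authorization: Token <api_token>" header; {"count","next","previous","results"} list envelope.
import json
import ssl
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional


def urllib_sender(verify_ssl: bool = True, http_proxy: Optional[str] = None) -> Callable:
    """Real transport. verify_ssl=False hands the token to anything answering on the URL."""
    ctx = ssl.create_default_context()
    if not verify_ssl:  # lab use only; check_hostname must be cleared before verify_mode
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    handlers: list = [urllib.request.HTTPSHandler(context=ctx)]
    if http_proxy:  # the proxy terminates the connection, so it sees the token too
        handlers.append(urllib.request.ProxyHandler({"https": http_proxy, "http": http_proxy}))
    opener = urllib.request.build_opener(*handlers)

    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Dict[str, Any]:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with opener.open(req, timeout=30) as resp:
            raw, status = resp.read(), resp.status
        return {"status_code": status, "json_body": json.loads(raw) if raw else {}}
    return send


class VectraClient:
    def __init__(self, url: str, api_token: str, sender: Callable) -> None:
        self.base = url.rstrip("/") + "/api/v2.5"
        self.headers = {"Authorization": f"Token {api_token}", "Accept": "application/json"}
        self.send = sender

    def _call(self, method: str, path: str, params: Optional[dict] = None, body: Any = None) -> Any:
        qs = urllib.parse.urlencode({k: v for k, v in (params or {}).items() if v is not None})
        headers, data = dict(self.headers), None
        if body is not None:
            headers["Content-Type"], data = "application/json", json.dumps(body).encode()
        resp = self.send(method, self.base + path + (f"?{qs}" if qs else ""), headers, data)
        if resp["status_code"] >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {resp['status_code']}")
        return resp["json_body"]

    def iter_detections(self, page_size: int = 500, **filters: Any) -> Iterator[dict]:
        """Walk every page of GET /detections; filters use the documented query names."""
        page = 1
        while True:
            env = self._call("GET", "/detections", dict(filters, page=page, page_size=min(page_size, 5000)))
            yield from env.get("results", [])
            if not env.get("next"):
                return
            page += 1

    def get_host(self, host_id: Any) -> dict:
        # int() admits only a numeric id, so a value like "1029/../rules" cannot rewrite the path
        return self._call("GET", f"/hosts/{int(host_id)}")

    def add_host_tags(self, host_id: Any, tags: List[str]) -> List[str]:
        """Send the union of current and new tags so existing analyst tags are never dropped."""
        merged = sorted(set(self.get_host(host_id).get("tags") or []) | set(tags))
        self._call("PATCH", f"/tagging/host/{int(host_id)}", body={"tags": merged})
        return merged

    def add_detection_note(self, detection_id: Any, note: str) -> dict:
        return self._call("POST", f"/detections/{int(detection_id)}/notes", body={"note": note})

    def mark_fixed(self, detection_ids: List[int], fixed: bool = True) -> None:
        body = {"detectionIdList": [int(i) for i in detection_ids], "mark_as_fixed": "True" if fixed else "False"}
        self._call("PATCH", "/detections", body=body)


def triage_host(client: VectraClient, host_id: int, tag: str, min_t: int = 50, min_c: int = 50) -> dict:
    """Note, tag and close every active high-threat, high-certainty detection on one host."""
    ids = [d["id"] for d in client.iter_detections(state="active", host_id=host_id,
                                                   t_score_gte=min_t, c_score_gte=min_c)]
    for det_id in ids:
        client.add_detection_note(det_id, f"Closed by automation; host {host_id} tagged '{tag}'")
    tags = client.add_host_tags(host_id, [tag])
    if ids:
        client.mark_fixed(ids)
    return {"detection_ids": ids, "tags": tags}


class VectraSim:
    """Constructed stand-in for an appliance: two pages of detections and one host record."""
    pages = {1: {"next": "?page=2", "results": [{"id": 36, "t_score": 70}, {"id": 41, "t_score": 55}]},
             2: {"next": None, "results": [{"id": 52, "t_score": 99}]}}

    def __init__(self) -> None:
        self.log: List[tuple] = []  # (method, path, query dict, decoded body)

    def send(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Dict[str, Any]:
        assert headers["Authorization"].startswith("Token ")
        u = urllib.parse.urlparse(url)
        q = dict(urllib.parse.parse_qsl(u.query))
        self.log.append((method, u.path, q, json.loads(body) if body else None))
        if method == "GET" and u.path.endswith("/detections"):
            return {"status_code": 200, "json_body": self.pages[int(q.get("page", 1))]}
        if method == "GET" and u.path.endswith("/hosts/1029"):
            return {"status_code": 200, "json_body": {"id": 1029, "name": "insightws07", "tags": ["crown-jewel"]}}
        return {"status_code": 200, "json_body": {}}


if __name__ == "__main__":
    sim = VectraSim()  # against a real appliance: VectraClient(url, token, urllib_sender(verify_ssl=True))
    print(triage_host(VectraClient("https://vectra.example", "secret-token", sim.send), 1029, "triaged"))
```

Design notes: every identifier that lands in a URL path goes through `int()`, which is the cheapest way to stop a string ID sourced from a ticket or an upstream alert from rewriting the request path; the tag merge reads the host first so automation never races an analyst's manual tagging; and the transport is injected so the same client can be exercised against the simulator in tests and against the appliance with certificate verification left on.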