Vectra AI integration
You can integrate Vectra AI with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Vectra AI product overview
Vectra AI specializes in network protection. Vectra AI focuses on identifying hidden and unknown attackers by analyzing network traffic, user behaviors, and relevant patterns. It simplifies network security by providing a centralized system for threat detection and response.
What we ingest
Sample alerts we see:
- Brute-Force
- Custom model dcerpc lateral_movement
- Custom model kerberos_txn botnet_activity
- Custom model ssh command_and_control
- RDP Recon
Alerts ingested in full
We ingest the following categories configured in Vectra:
- Account Detections
- Host Detections
We apply filtering to make sure we ingest only new events.
Filtering
We filter alerts as follows.
Allow
Valid format (Modified CEF)
We check the formatting, but note that the syslog generated by Vectra isn't fully compliant with the CEF standard: the header is non-compliant.
Drop
These entries relate to routine system health checks and administrative operations that are generally non-critical and don't need to be logged. Dropping them keeps unnecessary clutter out of the alert stream and conserves log storage.
Regex Patterns
- \|heartbeat_check\|
- Device heartbeat success
- \|campaigns\|
- \|Host Score Change\|.*cs3Label=scoreDecreases cs3=True
- \|Account Score Change\|.*cs3Label=scoreDecreases cs3=True
Sample threat mappings
{"alertType": "Ransomware File Activity", "threatId": "T1486", "threatName": "Data Encrypted for Impact"}
{"alertType": "SMB Brute-Force", "threatId": "T1110", "threatName": "Brute Force"}
{"alertType": "Suspicious Relay", "threatId": "T1090", "threatName": "Proxy"}
{"alertType": "Custom model rdp exfiltration", "threatId": "T1048", "threatName": "Exfiltration Over Alternative Protocol"}
{"alertType": "Custom model dcerpc info", "threatId": "T1133", "threatName": "External Remote Services"}
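The filtering rules above and the threat mappings, applied together as an added example (not Sophos or Vectra code): the drop regexes and the five alertType mappings are taken from this page, while the sample syslog lines, the vendor/product/version strings and the permissive CEF-shape check are constructed assumptions, since Vectra's real header is non-compliant and is not reproduced here.

```python
import re

# Drop patterns copied from the page; a line matching any of them is discarded.
DROP_PATTERNS = [re.compile(p) for p in (
    r"\|heartbeat_check\|",
    r"Device heartbeat success",
    r"\|campaigns\|",
    r"\|Host Score Change\|.*cs3Label=scoreDecreases cs3=True",
    r"\|Account Score Change\|.*cs3Label=scoreDecreases cs3=True",
)]

# Threat mappings from the page: alert type -> (MITRE ATT&CK id, technique name).
THREAT_MAP = {
    "Ransomware File Activity": ("T1486", "Data Encrypted for Impact"),
    "SMB Brute-Force": ("T1110", "Brute Force"),
    "Suspicious Relay": ("T1090", "Proxy"),
    "Custom model rdp exfiltration": ("T1048", "Exfiltration Over Alternative Protocol"),
    "Custom model dcerpc info": ("T1133", "External Remote Services"),
}

# Loose shape check: "CEF:<n>" followed by seven pipe-delimited header fields.
# Vectra's header is not standard-compliant, so this is deliberately permissive
# rather than a strict CEF parser (assumption: the header still uses pipes).
CEF_SHAPE = re.compile(r"CEF:\d+(\|[^|]*){6}\|")

def classify(line):
    """Return ("drop", pattern), ("invalid", None) or ("allow", (alert_type, mapping))."""
    for pat in DROP_PATTERNS:
        if pat.search(line):
            return ("drop", pat.pattern)
    m = CEF_SHAPE.search(line)
    if m is None:
        return ("invalid", None)
    # CEF header field 5 (0-based) is the event name, which we treat as the alert type.
    alert_type = line[m.start():].split("|")[5]
    return ("allow", (alert_type, THREAT_MAP.get(alert_type)))

def ingest(lines):
    """Apply the filter to every line; return only allowed alerts with their mapping."""
    return [classify(l)[1] for l in lines if classify(l)[0] == "allow"]

# Constructed sample lines; vendor/product/version strings are placeholders, not real Vectra output.
SAMPLE_LINES = [
    "CEF:0|Vectra|ExampleSensor|0.0|heartbeat_check|Device heartbeat success|1|",
    "CEF:0|Vectra|ExampleSensor|0.0|Host Score Change|Host Score Change|3|cs3Label=scoreDecreases cs3=True",
    "CEF:0|Vectra|ExampleSensor|0.0|Host Score Change|Host Score Change|3|cs3Label=scoreDecreases cs3=False",
    "CEF:0|Vectra|ExampleSensor|0.0|Brute-Force|SMB Brute-Force|7|src=10.0.0.5 dst=10.0.0.9",
    "this is not a CEF line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line)[0], "<-", line[:60])
```

An allowed alert whose name has no entry in THREAT_MAP (the score-increase line here) still passes the filter; the mapping is simply None, which is what a practitioner would watch for when extending the table.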