Vectra provides automated threat detection, thereby empowering threat hunting and exposing hidden attackers.
This document provides information about the Vectra connector, which facilitates automated interactions with Vectra using FortiSOAR™ playbooks. Add the Vectra connector as a step in FortiSOAR™ playbooks and perform automated operations, such as retrieving host details and reports from Vectra.
Connector Version: 3.0.1
FortiSOAR™ Version Tested on: 7.0.0-480
Authored By: Fortinet
Certified: Yes
The following enhancements have been made in the Vectra connector in version 3.0.1:
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, see the FortiSOAR™ connector installation documentation.
You can also use the following yum command as the root user to install the connector from an SSH session:

```sh
yum install cyops-connector-vectra
```

For the procedure to configure a connector, see the FortiSOAR™ connector configuration documentation.
In FortiSOAR™, on the Connectors page, click the Vectra connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | URL of the Vectra server to which you will connect and perform the automated operations. |
| API Token | API token that is configured for your account to access the Vectra REST APIs. |
| Port | Port number used to access the Vectra server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Hosts | Retrieves details of hosts from Vectra based on the input parameters specified. | get_hosts Investigation |
| Get Detections | Retrieves detections from Vectra based on the input parameters specified. | get_detections Investigation |
| Get Rules | Retrieves rules from Vectra based on the input parameters specified. | get_rules Investigation |
| Get All Traffic Stats | Retrieves all traffic stats from Vectra. | get_all_traffic_stats Investigation |
| Get Threat Feeds | Retrieves a list of all currently configured threat feeds from Vectra. | get_feeds Investigation |
Input parameters for the Get Hosts operation. Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Certainty Score | Certainty score based on which you want to retrieve host details from Vectra. |
| Certainty Score GTE | Certainty score that is Greater Than or Equal To the input value of the host whose details you want to retrieve from Vectra. |
| Fields | Comma-separated list of fields based on which you want to retrieve host details from Vectra. You can enter the following possible values: id, name, active_traffic, has_active_traffic, t_score, threat, c_score, certainty, severity, last_source, ip, previous_ips, last_detection_timestamp, key_asset, is_key_asset, state, targets_key_asset, is_targeting_key_asset, detection_set, host_artifact_set, sensor, sensor_name, tags, note, note_modified_by, note_modified_timestamp, url, host_url, last_modified, assigned_to, assigned_date, groups, has_custom_model, privilege_level, privilege_category, probable_owner, detection_profile. |
| Has Active Traffic | Select this option to return hosts that have active traffic. |
| Include Detection Summaries | Select this option to include detection summaries in the response retrieved from Vectra. |
| Host Is Key Asset | Select this option to retrieve details of the host that is a key asset. |
| Host Is Targeting Key Asset | Select this option to retrieve details of hosts that target a key asset. |
| Privilege Category | Privilege category of the host (low, medium, or high) based on which you want to retrieve host details from Vectra. |
| Last Source | Registered IP address of the hosts based on which you want to retrieve host details from Vectra. |
| Mac Address | Registered MAC address of the hosts based on which you want to retrieve host details from Vectra. |
| Name | Registered name of the hosts based on which you want to retrieve host details from Vectra. |
| Ordering | Field(s) by which you want to order the responses retrieved from Vectra. You can order records by last timestamp, threat score, or certainty score. The default order for threat and certainty score is ascending. Scores can be sorted in descending order by prefixing the field name with a minus sign (-). |
| Last Timestamp | Timestamp of the last detection on the host, based on which you want to retrieve host details from Vectra. |
| Page Number | Page number from which you want to retrieve records. |
| Number Of Items To Return In Response | Maximum number of hosts that you want this operation to return in the response. By default, this is set to 50. |
| State | State, either Active or Inactive, based on which you want to retrieve host details from Vectra. |
| Threat Score | Threat Score based on which you want to retrieve host details from Vectra. |
| Threat Score GTE | Threat score that is Greater Than or Equal To the input value of the host whose details you want to retrieve from Vectra. |
| Tags | Tags that are assigned to the host whose details you want to retrieve from Vectra. |
| Other Filter Parameters | Additional parameters based on which you want to retrieve host details from Vectra. You can enter the following parameters: all, active_traffic, c_score, c_score_gte, certainty, certainty_gte, fields, has_active_traffic, include_detection_summaries, is_targeting_key_asset, key_asset, last_detection_timestamp, last_source, mac_address, max_id, min_id, name, note_modified_timestamp_gte, ordering, page, page_size, privilege_category, privilege_level, privilege_level_gte, state, t_score, t_score_gte, tags, targets_key_asset, threat, threat_gte. Note: If you include a parameter in this field, only that definition is considered, and any earlier definition of the same parameter (for example, in one of the fields above) is ignored. |
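The table above describes several rules a playbook author has to get right by hand: the Fields value is comma-separated and must use the listed names, descending order is requested with a leading minus sign, the page size defaults to 50, and a parameter repeated in Other Filter Parameters overrides the dedicated field. The following builder, an added example and not the Fortinet connector's own code, applies those rules and rejects typos before the request is sent. The API-side parameter names are the ones the Other Filter Parameters row lists; how the UI labels map onto them, the `&`-separated `key=value` form accepted for the free-form filter string, the lower-case `true`/`false` encoding of the check boxes, and the `ORDERING_KEYS` names are assumptions made for this example.

```python
"""Query-parameter builder for the Get Hosts operation.

Added example; this is not the Fortinet connector's own code. The parameter
names are the ones the "Other Filter Parameters" row lists; how the UI labels
map onto them, the '&'-separated "key=value" form of the free-form filter
string, and the "true"/"false" encoding of the check boxes are assumptions.
"""
from typing import Dict, Iterable, Mapping, Optional, Union
from urllib.parse import parse_qsl

# Values the Fields parameter accepts, as listed in the table above.
HOST_FIELDS = frozenset("""
id name active_traffic has_active_traffic t_score threat c_score certainty severity last_source ip
previous_ips last_detection_timestamp key_asset is_key_asset state targets_key_asset is_targeting_key_asset
detection_set host_artifact_set sensor sensor_name tags note note_modified_by note_modified_timestamp url
host_url last_modified assigned_to assigned_date groups has_custom_model privilege_level privilege_category
probable_owner detection_profile
""".split())

# Names the Other Filter Parameters row accepts.
OTHER_FILTERS = frozenset("""
all active_traffic c_score c_score_gte certainty certainty_gte fields has_active_traffic
include_detection_summaries is_targeting_key_asset key_asset last_detection_timestamp last_source mac_address
max_id min_id name note_modified_timestamp_gte ordering page page_size privilege_category privilege_level
privilege_level_gte state t_score t_score_gte tags targets_key_asset threat threat_gte
""".split())

# Ordering keys: the table allows last timestamp, threat score and certainty
# score; these API-side names are an assumption.
ORDERING_KEYS = frozenset({"last_detection_timestamp", "t_score", "c_score"})


def build_host_query(
    *,
    certainty_score_gte: Optional[int] = None,
    threat_score_gte: Optional[int] = None,
    fields: Iterable[str] = (),
    has_active_traffic: Optional[bool] = None,
    is_key_asset: Optional[bool] = None,
    is_targeting_key_asset: Optional[bool] = None,
    privilege_category: Optional[str] = None,
    name: Optional[str] = None,
    ordering: Iterable[str] = (),
    page: Optional[int] = None,
    page_size: int = 50,  # the documented default
    state: Optional[str] = None,
    tags: Optional[str] = None,
    other_filters: Union[str, Mapping[str, str], None] = None,
) -> Dict[str, str]:
    """Return the query parameters; every input is optional, as documented."""
    params: Dict[str, str] = {"page_size": str(page_size)}

    # Scalar inputs: include only those the caller actually set.
    scalars = {"c_score_gte": certainty_score_gte, "t_score_gte": threat_score_gte,
               "name": name, "page": page, "tags": tags}
    params.update({k: str(v) for k, v in scalars.items() if v is not None})

    # Check boxes, encoded as "true"/"false" (assumption, see above).
    flags = {"has_active_traffic": has_active_traffic, "key_asset": is_key_asset,
             "targets_key_asset": is_targeting_key_asset}
    params.update({k: str(v).lower() for k, v in flags.items() if v is not None})

    # Enumerations: reject values the table does not list (lower-case on the
    # wire is an assumption).
    if privilege_category is not None:
        if privilege_category not in ("low", "medium", "high"):
            raise ValueError(f"privilege_category: {privilege_category!r}")
        params["privilege_category"] = privilege_category
    if state is not None:
        if state.lower() not in ("active", "inactive"):
            raise ValueError(f"state: {state!r}")
        params["state"] = state.lower()

    # Fields: comma-separated; an unknown name is a typo, not a silent no-op.
    fields = list(fields)
    unknown = sorted(set(fields) - HOST_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {unknown}")
    if fields:
        params["fields"] = ",".join(fields)

    # Ordering: a leading minus sign asks for descending order.
    ordering = list(ordering)
    bad = [o for o in ordering if o.lstrip("-") not in ORDERING_KEYS]
    if bad:
        raise ValueError(f"cannot order by: {bad}")
    if ordering:
        params["ordering"] = ",".join(ordering)

    # Free-form filters win: a later definition replaces an earlier one for
    # the same parameter, which is the override rule the table describes.
    if other_filters:
        pairs = (other_filters.items() if isinstance(other_filters, Mapping)
                 else parse_qsl(other_filters, keep_blank_values=True))
        for key, value in pairs:
            if key not in OTHER_FILTERS:
                raise ValueError(f"unsupported filter parameter: {key!r}")
            params[key] = str(value)
    return params
```

Calling `build_host_query(threat_score_gte=50, other_filters="t_score_gte=70")` yields `t_score_gte=70`, which is the override behaviour the note in the table warns about; passing a misspelled field name raises instead of silently returning an unfiltered host list.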
The output contains the following populated JSON schema:
```json
{
  "count": "",
  "next": "",
  "previous": "",
  "results": [
    {
      "id": "",
      "name": "",
      "active_traffic": "",
      "has_active_traffic": "",
      "t_score": "",
      "threat": "",
      "c_score": "",
      "certainty": "",
      "severity": "",
      "last_source": "",
      "ip": "",
      "previous_ips": [],
      "last_detection_timestamp": "",
      "key_asset": "",
      "is_key_asset": "",
      "state": "",
      "targets_key_asset": "",
      "is_targeting_key_asset": "",
      "detection_set": [],
      "host_artifact_set": [],
      "sensor": "",
      "sensor_name": "",
      "tags": [],
      "note": "",
      "note_modified_by": "",
      "note_modified_timestamp": "",
      "url": "",
      "host_url": "",
      "last_modified": "",
      "assigned_to": "",
      "assigned_date": "",
      "groups": [],
      "has_custom_model": "",
      "privilege_level": "",
      "privilege_category": "",
      "probable_owner": "",
      "detection_profile": "",
      "host_session_luids": [],
      "host_luid": ""
    }
  ]
}
```
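The schema above is paginated: `count` is the total, `results` holds at most one page (50 hosts by default) and `next` points at the following page. A playbook that reads only the first page silently misses hosts, so the consumer has to follow `next` until it is empty. The code below is an added example, not the Fortinet connector's own code: `iter_hosts` walks the pages through a `fetch_page` callable that stands in for the connector step, and `select_for_triage` applies a sample scoring policy to the result. The pages are constructed inline (only the fields the code reads are present, and the `vectra.example` URLs are placeholders), scores are assumed to be integers on Vectra's 0-99 scale, and the selection thresholds are choices for this example, not anything the page states.

```python
"""Consume the paginated Get Hosts output and select hosts for triage.

Added example; not the Fortinet connector's own code. `fetch_page` stands in for
the connector step and is served here from constructed sample pages shaped like
the schema above. Scores are treated as integers on Vectra's 0-99 scale and the
selection policy below is a sample policy; both are assumptions for this example.
"""
from typing import Callable, Dict, Iterator, List, Optional

Page = Dict[str, object]
Host = Dict[str, object]


def iter_hosts(fetch_page: Callable[[Optional[str]], Page],
               max_pages: int = 100) -> Iterator[Host]:
    """Yield every host, following `next` until it is empty.

    `None` asks for the first page of the configured query. `max_pages` stops
    a loop that would otherwise never end if the server kept returning a
    `next` link (a defensive limit added for this example).
    """
    url: Optional[str] = None
    for _ in range(max_pages):
        page = fetch_page(url)
        yield from page.get("results", [])
        url = page.get("next") or None
        if url is None:
            return
    raise RuntimeError(f"pagination did not finish within {max_pages} pages")


def _score(host: Host, key: str) -> int:
    """Schema placeholders are empty strings; treat missing or "" as 0."""
    value = host.get(key)
    return int(value) if value not in (None, "") else 0


def select_for_triage(hosts: Iterator[Host], threat_min: int = 50,
                      certainty_min: int = 50) -> List[Host]:
    """Sample policy: keep hosts that clear both thresholds, and key assets
    (or hosts targeting one) already at half the threat threshold; order by
    threat, then certainty, highest first."""
    chosen: List[Host] = []
    for host in hosts:
        t, c = _score(host, "t_score"), _score(host, "c_score")
        sensitive = bool(host.get("is_key_asset")) or bool(host.get("is_targeting_key_asset"))
        if (t >= threat_min and c >= certainty_min) or (sensitive and t >= threat_min // 2):
            chosen.append(host)
    chosen.sort(key=lambda h: (_score(h, "t_score"), _score(h, "c_score")), reverse=True)
    return chosen


# Constructed sample: two pages linked by `next`, with only the fields used here.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {
        "count": 4, "next": "https://vectra.example/hosts?page=2", "previous": None,
        "results": [
            {"id": 1, "name": "ws-01", "t_score": 80, "c_score": 70,
             "is_key_asset": False, "is_targeting_key_asset": False},
            {"id": 2, "name": "fileserver", "t_score": 30, "c_score": 40,
             "is_key_asset": True, "is_targeting_key_asset": False},
        ],
    },
    "https://vectra.example/hosts?page=2": {
        "count": 4, "next": None, "previous": "https://vectra.example/hosts",
        "results": [
            {"id": 3, "name": "ws-02", "t_score": 20, "c_score": 90,
             "is_key_asset": False, "is_targeting_key_asset": False},
            {"id": 4, "name": "ws-03", "t_score": 60, "c_score": 55,
             "is_key_asset": False, "is_targeting_key_asset": True},
        ],
    },
}


def sample_fetch(url: Optional[str]) -> Page:
    """Stand-in for the connector step: look the page up instead of calling Vectra."""
    return SAMPLE_PAGES[url]


def triage_names(fetch_page: Callable[[Optional[str]], Page] = sample_fetch) -> List[str]:
    """Names of the hosts the sample policy selects, in priority order."""
    return [str(h["name"]) for h in select_for_triage(iter_hosts(fetch_page))]


if __name__ == "__main__":
    print(triage_names())  # ['ws-01', 'ws-03', 'fileserver']
```

With the constructed pages, `ws-02` (threat 20, certainty 90) drops out because a high certainty alone does not clear the threat threshold, while the key asset `fileserver` is kept at a lower threat score; in a real playbook, `fetch_page` would be the Get Hosts step invoked with the `next` URL.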
Input parameters for the Get Detections operation. Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Certainty Score | Certainty score based on which you want to retrieve detections from Vectra. |
| Certainty Score GTE | Certainty score that is Greater Than or Equal To the input value of the detections whose details you want to retrieve from Vectra. |
| Detection | Name of the detection based on which you want to retrieve detections from Vectra. |
| Detection Type | Type of the detection based on which you want to retrieve detections from Vectra. |
| Detection Category | Category of the detection based on which you want to retrieve detections from Vectra. |
| Fields | Comma-separated list of fields based on which you want to retrieve detection details from Vectra. You can enter the following possible values: id, name, active_traffic, has_active_traffic, t_score, threat, c_score, certainty, severity, last_source, ip, previous_ips, last_detection_timestamp, key_asset, is_key_asset, state, targets_key_asset, is_targeting_key_asset, detection_set, host_artifact_set, sensor, sensor_name, tags, note, note_modified_by, note_modified_timestamp, url, host_url, last_modified, assigned_to, assigned_date, groups, has_custom_model, privilege_level, privilege_category, probable_owner, detection_profile. |
| Detection Is Targeting Key Asset | Select this option to return detections that target a key asset. |
| Detection Is Triaged | Select this option to return detections that are triaged. |
| Ordering | Field(s) by which you want to order the responses retrieved from Vectra. You can order records by last timestamp, threat score, or certainty score. The default order for threat and certainty score is ascending. Scores can be sorted in descending order by prefixing the field name with a minus sign (-). |
| Last Timestamp | Timestamp of the last detection based on which you want to retrieve detection details from Vectra. |
| Source IP | Source IP address of the host attributed to the detection whose details you want to retrieve from Vectra. |
| State | State, either Active or Inactive, based on which you want to retrieve detections from Vectra. |
| Tags | Tags that are assigned to the detections whose details you want to retrieve from Vectra. |
| Threat Score | Threat Score based on which you want to retrieve detections from Vectra. |
| Threat Score GTE | Threat score that is Greater Than or Equal To the input value of the detections whose details you want to retrieve from Vectra. |
| Page Number | Page number from which you want to retrieve records. |
| Number Of Items To Return In Response | Maximum number of detections that you want this operation to return in the response. By default, this is set to 50. |
| Other Filter Parameters | Additional parameters based on which you want to retrieve detections from Vectra. You can enter the following parameters: fields, page, page_size, ordering, min_id, max_id, state, type_vname, category, source, t_score, t_score_gte, c_score, c_score_gte, last_timestamp, host_id, tags, destination, proto, dst_port, inbound_ip, inbound_proto, inbound_port, inbound_dns, outbound_ip, outbound_proto, outbound_port, outbound_dns, dns_ip, dns_request, resp_code, resp. Note: If you include a parameter in this field, only that definition is considered, and any earlier definition of the same parameter (for example, in one of the fields above) is ignored. |
The output contains the following populated JSON schema:
```json
{
  "count": "",
  "next": "",
  "previous": "",
  "results": [
    {
      "sensor": "",
      "summary": {
        "src_hosts": [
          {
            "id": "",
            "privilege_category": "",
            "privilege_level": "",
            "name": ""
          }
        ],
        "src_accounts": [
          {
            "privilege_level": "",
            "name": "",
            "id": "",
            "privilege_category": ""
          }
        ],
        "services_accessed": [
          {
            "id": "",
            "privilege_category": "",
            "privilege_level": "",
            "name": ""
          }
        ]
      },
      "detection": "",
      "state": "",
      "last_timestamp": "",
      "url": "",
      "src_ip": "",
      "detection_category": "",
      "custom_detection": "",
      "note_modified_timestamp": "",
      "note": "",
      "grouped_details": [
        {
          "grouping_field": "",
          "service_accesses": [
            {
              "privilege_category": "",
              "privilege_level": "",
              "normal_service_behavior": [
                {
                  "host_luid": "",
                  "account_details": {
                    "id": "",
                    "uid": ""
                  },
                  "count": "",
                  "account_uid": ""
                }
              ],
              "name": "",
              "last_seen": "",
              "first_seen": ""
            }
          ],
          "count": "",
          "normal_account_behavior": "",
          "first_seen": "",
          "src_account": {
            "id": "",
            "privilege_level": "",
            "privilege_category": "",
            "name": ""
          },
          "service_accessed": {
            "privilege_level": "",
            "privilege_category": "",
            "name": ""
          },
          "detection_slug": "",
          "src_host": {
            "privilege_level": "",
            "name": "",
            "id": "",
            "privilege_category": "",
            "ip": ""
          },
          "normal_host_behavior": "",
          "last_seen": "",
          "detection_source": ""
        }
      ],
      "is_marked_custom": "",
      "assigned_date": "",
      "groups": [],
      "src_host": {
        "is_key_asset": "",
        "url": "",
        "threat": "",
        "name": "",
        "id": "",
        "certainty": "",
        "ip": "",
        "groups": []
      },
      "assigned_to": "",
      "is_targeting_key_asset": "",
      "certainty": "",
      "targets_key_asset": "",
      "detection_url": "",
      "id": "",
      "is_custom_model": "",
      "sensor_name": "",
      "threat": "",
      "category": "",
      "c_score": "",
      "note_modified_by": "",
      "triage_rule_id": "",
      "src_account": "",
      "first_timestamp": "",
      "detection_type": "",
      "tags": [],
      "description": "",
      "t_score": ""
    }
  ]
}
```
Input parameters for the Get Rules operation. Note: All the input parameters are optional. However, if you do not specify any parameter, no filter criterion is applied and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Contains | Text that the rules you want to retrieve from Vectra must contain. |
| Fields | Comma-separated list of fields based on which you want to retrieve rules from Vectra. You can enter the following possible values: active_detections, all_hosts, category, created_timestamp, description, enabled, flex1, flex2, flex3, flex4, flex5, flex6, host, host_group, id, identity, ip, ip_group, is_whitelist, last_timestamp, priority, remote1_dns, remote1_dns_groups, remote1_ip, remote1_ip_groups, remote1_kerb_account, remote1_kerb_service, remote1_port, remote1_proto, remote2_dns, remote2_dns_groups, remote2_ip, remote2_ip_groups, remote2_port, remote2_proto, sensor_luid, smart_category, template, total_detections, type_vname, url. |
| Include Templates | Select this option to include the rule template in the response retrieved from Vectra. By default, this is unchecked, i.e., set to False. |
| Page Number | Page number from which you want to retrieve records. |
| Number Of Items To Return In Response | Maximum number of hosts that you want this operation to return in the response. |
The output contains the following populated JSON schema:
```json
{
  "count": "",
  "next": "",
  "previous": "",
  "results": [
    {
      "id": "",
      "url": "",
      "description": "",
      "enabled": "",
      "created_timestamp": "",
      "last_timestamp": "",
      "host": [],
      "host_group": [],
      "ip_group": [],
      "all_hosts": "",
      "is_whitelist": "",
      "sensor_luid": "",
      "ip": "",
      "priority": "",
      "remote1_ip": "",
      "remote1_ip_groups": [],
      "remote1_port": "",
      "remote1_dns": "",
      "remote1_dns_groups": [],
      "remote2_ip": "",
      "remote2_ip_groups": [],
      "remote2_port": "",
      "remote2_dns": "",
      "remote2_dns_groups": [],
      "active_detections": "",
      "total_detections": "",
      "template": "",
      "ext_proxy_dest_ip": "",
      "detection": "",
      "triage_category": "",
      "detection_category": ""
    }
  ]
}
```
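Triage rules are a suppression mechanism: an enabled `is_whitelist` rule that applies to every host (`all_hosts`, or no `host`, `host_group`, `ip_group` or `ip` scope) and names no remote side hides matching detections across the whole estate, and `active_detections` / `total_detections` show how much it is hiding. The check below runs over the Get Rules output to surface such rules for review. It is an added example, not the Fortinet connector's own code; the field names are those of the schema above, while the definition of "too broad", the `vectra.example`-style sample rules and the IP addresses in them are constructed for this example.

```python
"""Audit triage rules returned by Get Rules for ones that are too broad.

Added example; not the Fortinet connector's own code. The field names are those
of the output schema above. Treating an enabled whitelist rule with no host,
host-group, IP or IP-group scope (or with all_hosts set) as broad, and one that
also names no remote side as broader still, is a heuristic chosen here.
"""
from typing import Dict, List

Rule = Dict[str, object]

SCOPE_FIELDS = ("host", "host_group", "ip_group", "ip")
REMOTE_FIELDS = ("remote1_ip", "remote1_ip_groups", "remote1_dns", "remote1_dns_groups",
                 "remote2_ip", "remote2_ip_groups", "remote2_dns", "remote2_dns_groups")


def _set(value: object) -> bool:
    """The schema shows "" and [] as placeholders; both count as unset."""
    return bool(value)


def rule_findings(rule: Rule) -> List[str]:
    """Return the reasons a rule is flagged, or an empty list if it is fine."""
    if not (_set(rule.get("enabled")) and _set(rule.get("is_whitelist"))):
        return []  # disabled or non-whitelist rules do not suppress detections
    findings: List[str] = []
    if _set(rule.get("all_hosts")) or not any(_set(rule.get(f)) for f in SCOPE_FIELDS):
        findings.append("applies to all hosts")
    if not any(_set(rule.get(f)) for f in REMOTE_FIELDS):
        findings.append("no remote-side constraint")
    if findings and _set(rule.get("active_detections")):
        findings.append(f"currently suppressing {rule['active_detections']} active detections")
    return findings


def broad_whitelist_rules(rules: List[Rule]) -> List[Dict[str, object]]:
    """Flagged rules with their findings, most suppressed detections first."""
    flagged = [{"id": r.get("id"), "description": r.get("description"),
                "total_detections": int(r.get("total_detections") or 0),
                "findings": rule_findings(r)} for r in rules]
    flagged = [f for f in flagged if f["findings"]]
    flagged.sort(key=lambda f: f["total_detections"], reverse=True)
    return flagged


# Constructed sample rules carrying only the fields the check reads.
SAMPLE_RULES: List[Rule] = [
    {"id": 11, "description": "Allow backup traffic from backup-01", "enabled": True,
     "is_whitelist": True, "all_hosts": False, "host": [301], "host_group": [], "ip_group": [],
     "ip": "", "remote1_ip": "203.0.113.10", "active_detections": 0, "total_detections": 4},
    {"id": 12, "description": "Suppress SMB brute force everywhere", "enabled": True,
     "is_whitelist": True, "all_hosts": True, "host": [], "host_group": [], "ip_group": [],
     "ip": "", "remote1_ip": "", "active_detections": 7, "total_detections": 120},
    {"id": 13, "description": "Old rule, switched off", "enabled": False,
     "is_whitelist": True, "all_hosts": True, "host": [], "active_detections": 0, "total_detections": 2},
    {"id": 14, "description": "Vulnerability scanner", "enabled": True, "is_whitelist": True,
     "all_hosts": False, "host": [], "host_group": [], "ip_group": [], "ip": "",
     "remote1_ip": "198.51.100.5", "active_detections": 2, "total_detections": 9},
]


if __name__ == "__main__":
    for finding in broad_whitelist_rules(SAMPLE_RULES):
        print(finding["id"], finding["description"], "->", "; ".join(finding["findings"]))
```

On the sample, rule 12 is flagged on every count and rule 14 only for its host scope (its remote side is pinned to one address), while the host-scoped rule 11 and the disabled rule 13 pass; a playbook can feed the flagged list into a review task rather than a decision, since broad rules are sometimes intentional.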
Input parameters for the Get All Traffic Stats operation: None.
The output contains the following populated JSON schema:
```json
{
  "count": "",
  "next": "",
  "previous": "",
  "results": []
}
```
Input parameters for the Get Threat Feeds operation: None.
The output contains the following populated JSON schema:
```json
{
  "threatFeeds": [
    {
      "lastUpdated": "",
      "name": "",
      "id": "",
      "lastUpdatedBy": "",
      "defaults": {
        "certainty": "",
        "duration": "",
        "indicatorType": "",
        "category": ""
      },
      "uploadResults": "",
      "version": "",
      "uploadDate": "",
      "type": "",
      "_rev": ""
    }
  ],
  "meta": {
    "count": ""
  }
}
```
The Sample - Vectra - 3.0.1 playbook collection comes bundled with the Vectra connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Vectra connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.