|
| 1 | +# Vectra RUX |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +[Vectra AI](https://www.vectra.ai/) is a provider of cybersecurity solutions, including threat detection and response solutions. Vectra AI also provides cloud security, detects ransomware, secures remote workplaces, hunts and investigates threats, and offers investigations, risk and compliance services. |
| 6 | + |
| 7 | +This integration enables to collect, parse Audit, Detection Event, Entity Event, Health and Lockdown data via [Vectra RUX REST API](https://support.vectra.ai/vectra/article/KB-VS-1835), then visualise the data in Kibana. |
| 8 | + |
| 9 | +## Data streams |
| 10 | + |
| 11 | +The Vectra RUX integration collects logs for five types of events. |
| 12 | + |
| 13 | +**Audit:** Audit allows collecting Audit Log Events, which are recorded whenever a user performs an action on the system. These events are sequential and provide a reliable audit trail of user activity. |
| 14 | + |
| 15 | +**Detection Event:** Detection Event allows collecting Detection Events, which are generated upon the initial detection and each subsequent update. |
| 16 | + |
| 17 | +**Entity Event:** Entity Event allows collecting Entity scoring events, which are generated whenever an entity's score changes, such as during initial threat detection, the discovery of additional detections, or updates to existing ones. |
| 18 | + |
| 19 | +**Health:** Health allows collecting system health data, with API responses that may vary based on product subscriptions such as Network, AWS, or M365. |
| 20 | + |
| 21 | +**Lockdown:** Lockdown allows collecting entities lockdown status for accounts and hosts type, that are currently in lockdown mode. |
| 22 | + |
| 23 | +## Requirements |
| 24 | + |
| 25 | +### Agentless enabled integration |
| 26 | +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). |
| 27 | + |
| 28 | +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. |
| 29 | + |
| 30 | +### Agent based installation |
| 31 | +Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). |
| 32 | +You can install only one Elastic Agent per host. |
| 33 | +Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. |
| 34 | + |
| 35 | +## Compatibility |
| 36 | + |
| 37 | +For Rest API, this module has been tested against the **v3.4** version. |
| 38 | + |
| 39 | +## Setup |
| 40 | + |
| 41 | +### To collect data from the Vectra RUX API: |
| 42 | + |
| 43 | +1. Navigate to **Manage > API Clients** in Vectra Console. |
| 44 | +2. Click on **Add API Client**. |
| 45 | +3. Add **Client Name**, **Description** and select the appropriate **Role** based on the endpoint, as outlined in the below table: |
| 46 | + | Endpoint | Role | |
| 47 | + | -----------------------| -------------------| |
| 48 | + | Audit | Auditor | |
| 49 | + | Detection Event | Read-Only | |
| 50 | + | Entity Event | Read-Only | |
| 51 | + | Health | Auditor | |
| 52 | + | Lockdown | Read-Only | |
| 53 | +4. Click **Generate Credentials**. |
| 54 | +5. Copy **Client ID** and **Secret Key**. |
| 55 | + |
| 56 | +For more details, see [Documentation](https://support.vectra.ai/vectra/article/KB-VS-1572). |
| 57 | + |
| 58 | +### Enabling the integration in Elastic: |
| 59 | + |
| 60 | +1. In Kibana navigate to Management > Integrations. |
| 61 | +2. In "Search for integrations" top bar, search for `Vectra RUX`. |
| 62 | +3. Select the "Vectra RUX" integration from the search results. |
| 63 | +4. Select "Add Vectra RUX" to add the integration. |
| 64 | +5. Add all the required integration configuration parameters, including the URL, Client ID, Client Secret, Interval, and Initial Interval, to enable data collection for REST API input type. |
| 65 | +6. Select "Save and continue" to save the integration. |
| 66 | + |
| 67 | +## Logs reference |
| 68 | + |
| 69 | +### Audit |
| 70 | + |
| 71 | +This is the `Audit` dataset. |
| 72 | + |
| 73 | +#### Example |
| 74 | + |
| 75 | +{{event "audit"}} |
| 76 | + |
| 77 | +{{fields "audit"}} |
| 78 | + |
| 79 | +### Detection Event |
| 80 | + |
| 81 | +This is the `Detection Event` dataset. |
| 82 | + |
| 83 | +#### Example |
| 84 | + |
| 85 | +{{event "detection_event"}} |
| 86 | + |
| 87 | +{{fields "detection_event"}} |
| 88 | + |
| 89 | +### Entity Event |
| 90 | + |
| 91 | +This is the `Entity Event` dataset. |
| 92 | + |
| 93 | +#### Example |
| 94 | + |
| 95 | +{{event "entity_event"}} |
| 96 | + |
| 97 | +{{fields "entity_event"}} |
| 98 | + |
| 99 | +### Health |
| 100 | + |
| 101 | +This is the `Health` dataset. |
| 102 | + |
| 103 | +#### Example |
| 104 | + |
| 105 | +{{event "health"}} |
| 106 | + |
| 107 | +{{fields "health"}} |
| 108 | + |
| 109 | +### Lockdown |
| 110 | + |
| 111 | +This is the `Lockdown` dataset. |
| 112 | + |
| 113 | +#### Example |
| 114 | + |
| 115 | +{{event "lockdown"}} |
| 116 | + |
| 117 | +{{fields "lockdown"}} |
0 commit comments