Vectra Respond UX Deployment Guide - 2024 - Nov - 21

The Vectra Respond UX Deployment Guide provides comprehensive instructions for deploying Vectra's Respond User Experience, including requirements, deployment processes, and initial configuration steps. It outlines the necessary components of the Vectra AI Platform and connectivity requirements for network data sources, as well as firewall rules and internet access considerations. This guide is intended for customers and partners to facilitate the successful implementation of Vectra's security solutions.

Uploaded by

aafak.aghzere
Vectra Respond UX Deployment Guide

Version: November 21, 2024

© 2023 Vectra AI, Inc.

Table of Contents
Introduction
Vectra AI Platform Overview
  Appliance Modes (for network data sources only)
Requirements for Network Data Sources
  General
  Basic Connectivity Requirements
  Firewall/Proxy SSL Inspection
  Internet Access from Vectra Brain
  Internet Access to Vectra Appliances (Physical or Virtual)
  Avoiding Management Network IP Address Range Conflicts with Remote Support
  Connectivity Requirements (Firewall Rules)
    RUX for Network GUI Synchronization
    Auth Gateways
    Metadata Forwarding
    Respond UX (RUX) Analyst/Admin Access
    Respond UX (RUX) Static Asset CDN
    Respond UX Customer File Upload
    Additional Brain / Sensor Connectivity Requirements
Deployment
  Deployment Process Overview
  Respond UX
  Brain Deployment
    Requirements and Documentation Links
    Warnings
    Proxy Support
    Updating to version 8.0 or higher
    Next Steps
  Configuring Data Sources
    Network (Sensors)
    IDR for Azure AD & CDR for M365
    CDR for AWS
Initial Configuration
  Settings > General
  Data Sources > Network > Brain Setup
  Data Sources > Network > Sensors
  Settings > Notifications
  Backing up your Brain
Recommended Next Steps
Worldwide Support Contact Information

Introduction

This guide is intended to help customers or partners get started with a deployment of Vectra’s Respond User Experience (Respond UX). The User Interface (UI) for the Respond UX is served from Vectra’s cloud as part of the overall Vectra AI Platform. For users working with Vectra’s Quadrant UX, the UI is served locally from the Vectra Brain appliance wherever it is installed in your environment. Please refer to the Vectra Quadrant UX Deployment Guide if you are planning to deploy using the Quadrant UX.
If you are migrating to the Respond UX from the Quadrant UX, please also see the migration guide that is attached to the Vectra AI Platform KB. In addition to general migration guidance, additional firewall rules will be required to allow upload of the configuration data needed for migration. Those rules are detailed in that guide.
This guide includes an overview of the platform, including its components and Vectra terminology. It covers requirements, deployment, basic initial configuration, and recommended next steps.
This guide is meant to be used in conjunction with related guides that can be found on the Vectra support site. A good starting point is the Vectra Product Documentation Index. There you will find guides that are relevant for network Sensors, Sensors in IaaS clouds, and SaaS data sources used for NDR, CDR, and ITDR.
Please see the table below for additional guidance:
KB Article Link or Index Category | Description
Vectra Product Documentation Index | Main index that tracks formal product documentation. Use the search box to find additional KB articles.
Vectra Quadrant UX Deployment Guide | Version of this document intended for customers using Vectra’s Quadrant UX.
Physical Appliances | Guides detailing how to get Vectra’s physical appliances connected to your network.
Platform, Stream, Traditional Hypervisor Deployment | Guides detailing physical appliance pairing, traditional hypervisor vSensor deployment, and Stream deployment.
AWS IaaS | Guides detailing best practices, Brain and network Sensor deployment in AWS IaaS environments.
Azure IaaS | Guides detailing Brain and network Sensor deployment in Azure IaaS environments.
GCP IaaS | Guides detailing network Sensor deployment in GCP IaaS environments.
CDR for AWS | Guides detailing deployment of Cloud Threat Detection and Response (CDR) for AWS using CloudTrail log data as a data source. This was formerly known as “Detect for AWS”.
CDR for M365, IDR for Azure AD | Guides detailing deployment of Cloud Threat Detection and Response (CDR) for Microsoft 365, and Identity Threat Detection and Response (ITDR) for Microsoft Azure AD. Uses M365 and AAD log data as a data source. These were formerly known as “Detect for M365” and “Detect for Azure AD”.

Vectra AI Platform Overview

A Respond UX deployment typically includes several components of the overall Vectra AI Platform:
• User interface (delivered as SaaS from Vectra’s cloud)
• Data sources such as
  o Network (campus, data center, and IaaS clouds)
  o Public cloud
  o SaaS
  o Identity

The above conceptual diagram shows the components of the Vectra AI Platform.
• Admins and analysts can access the Respond UX from anywhere.
• For customers choosing to deploy without network data sources, there is no requirement to deploy a Brain appliance (physical or virtual) in your premises.
  o All functionality can be delivered as SaaS using connections set up to collect log data from your various non-network data sources.
• When capturing network metadata as part of your Respond UX deployment, a Brain appliance (physical or virtual) will be installed in your premises (campus, datacenter, or IaaS cloud) and linked to Vectra.
  o The Brain’s graphical user interface (GUI) is served from Vectra’s cloud.
    ▪ The Respond UX communicates with your Brain over a websocket connection.
  o Physical or Virtual Sensors will be deployed and paired with your Brain to capture network metadata across hybrid environments.
    ▪ Vectra supports IaaS public clouds, datacenters, remote workers, and campuses.
  o AI detection algorithms process data locally in your Brain and post Detections and associated metadata to Vectra’s cloud for further processing and investigation with the Respond UX.
  o The Brain will also act as a conduit for services needing to be accessed on your local premises.
    ▪ AD, vCenter, Stream metadata output to your data lake, etc.
Appliance Modes (for network data sources only)

The 3 modes are Brain, Sensor, and Mixed. S-series appliances and virtual Sensors function only as Sensors. B-series appliances and virtual Brains function only as Brains. X-series appliances can be configured as Brains or Sensors. The X29 appliance can also function in mixed mode.

Brain Mode
• The Brain serves as the communications broker between Vectra’s cloud and any local integration points.
• The Brain pairs with Sensors (network data sources) and processes / deduplicates and optionally forwards the metadata received from Sensors (when licensed for Stream).

Sensor Mode
• Must be paired to a Brain.
• Captures / deduplicates raw network traffic.
• Forwards metadata to the Brain.
• Houses a rolling capture buffer to enable PCAP retrieval when requested from the Brain.

Mixed Mode
• Performs both Brain and Sensor functions.
Requirements for Network Data Sources

General
The following are general requirements for a deployment of the Vectra Respond UX that utilizes network data sources:
• A Brain appliance and at least one Sensor to provide network metadata to the Brain for analysis.
  o A mixed mode Brain can serve as both the Brain and Sensor for smaller environments.
• Brain software should be updated to version 8.0 or later.
  o Additional guidance for updating to v8.0 is given in the Brain Deployment section.
• A login to Vectra’s cloud to access the Respond UX.

Basic Connectivity Requirements

The Vectra AI Platform uses several TCP/UDP ports for different communication purposes. This document details basic connectivity requirements for initial setup and pairing. Many features and integrations are optional and not in scope for this document. For full detail on all possible firewall rules that might be required in your environment, please see the following Vectra support portal article:
• Firewall requirements for Vectra appliances

Firewall/Proxy SSL Inspection

Please note that Vectra appliances validate SSL certificates for all HTTPS connections. For this reason, SSL/TLS inspection on firewall and proxy appliances must be disabled for these connections to work.
We have also identified that some firewall software transparently enables SSL inspection if certain filters (DNS hostname filtering, for example) are enabled. This is not necessarily obvious to the administrator and should be investigated if connectivity issues are being observed.

Internet Access from Vectra Brain

The Vectra Brain requires connectivity to the automatic update service. This connectivity is used for automatic (including security) updates and to synchronize keys for cryptographic authentication of Sensors.
The Brain requires Internet DNS resolution to obtain the IP addresses for these requests. The customer may choose public/Internet DNS servers or internal DNS servers; however, Internet DNS entries must be resolvable by the Brain.
Please note that DNS is often considered to be a UDP-only protocol; however, TCP may be used depending on the type of DNS transaction. Both UDP and TCP use port 53 and should be permitted to all configured DNS servers.

Internet Access to Vectra Appliances (Physical or Virtual)

As with all security infrastructure, Vectra appliances should be blocked from being accessed from the Internet, and internal network access should only be granted from trusted workstations and/or authenticated sources.

Avoiding Management Network IP Address Range Conflicts with Remote Support

Customers should note that the following IP ranges will conflict with remote support capability:
• 192.168.72.0/21
• 192.168.80.0/21

If you may ever need Vectra to assist remotely (outside of screen sharing sessions), care should be taken to number the management network interface (MGT) used on any appliance (physical, virtual, or cloud - Brains and Sensors) outside of the above ranges. If your management network interface (MGT) is numbered in either of these ranges, remote support access will not function. Remote support connectivity with Vectra all goes through the Brain (even to access other appliances in your deployment), so firewall rules for remote support functionality only need to allow connectivity from the Brain to the Vectra cloud (Sensors must still allow connectivity to the Brain).
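The two ranges above are easy to miss when MGT addresses are assigned from an existing campus or cloud subnet plan. The following script is an added example, not part of the Vectra guide, that checks a constructed appliance inventory against those two ranges with Python’s standard ipaddress module; the appliance names and addresses in SAMPLE_INVENTORY are hypothetical. It flags both host addresses that sit inside a range and subnets that merely overlap one, since a supernet such as a /18 would still place the MGT interface in the conflicting space.

```python
# Added example (not from the Vectra guide): flag appliance management (MGT)
# addresses that fall inside the two ranges the guide says break remote support.
import ipaddress

# Ranges quoted in the guide as conflicting with Vectra remote support.
REMOTE_SUPPORT_RANGES = (
    ipaddress.ip_network("192.168.72.0/21"),   # 192.168.72.0 - 192.168.79.255
    ipaddress.ip_network("192.168.80.0/21"),   # 192.168.80.0 - 192.168.87.255
)


def conflicting_ranges(mgt_cidr: str) -> list:
    """Return the remote-support ranges that overlap the given MGT address.

    Accepts a bare host ("10.0.0.5"), a host with prefix ("192.168.75.10/24")
    or a network ("192.168.64.0/18"); strict=False tolerates host bits.
    """
    net = ipaddress.ip_network(mgt_cidr, strict=False)
    return [str(r) for r in REMOTE_SUPPORT_RANGES if r.overlaps(net)]


def audit_inventory(inventory: dict) -> dict:
    """Map appliance name -> list of conflicting ranges (empty list means OK)."""
    return {name: conflicting_ranges(cidr) for name, cidr in inventory.items()}


# Constructed sample inventory: hypothetical appliance names and MGT addresses.
SAMPLE_INVENTORY = {
    "brain-dc1": "192.168.75.10/24",     # inside 192.168.72.0/21 -> conflict
    "sensor-campus": "10.20.30.40/24",   # outside both ranges -> ok
    "sensor-aws": "192.168.88.7/22",     # starts just past 192.168.87.255 -> ok
    "sensor-branch": "192.168.64.0/18",  # supernet spanning both ranges -> conflict
}

if __name__ == "__main__":
    for name, hits in audit_inventory(SAMPLE_INVENTORY).items():
        status = "CONFLICT with " + ", ".join(hits) if hits else "ok"
        print(f"{name:15s} {SAMPLE_INVENTORY[name]:20s} {status}")
```

Run it against your own inventory before cabling the MGT interfaces; renumbering a Brain later means touching the proxy, DNS and linking steps again.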

Connectivity Requirements (Firewall Rules)

• For this document, the portions of the Vectra AI Platform that reside in Vectra’s cloud are referred to as the Vectra cloud.
  o This does not refer to any specific service offering.
• Please check each category below to see if it is applicable to your deployment and if rules are required in your environment to enable the required connectivity.
  o For rule categories that have multiple region options, it is only necessary to put rules in place to allow connectivity to the region that your Vectra tenant is deployed in. This region should be visible in the URL used to access the Respond UX.
    ▪ For example, [tenant_id].ew1.prod.vectra-svc.ai is used for EU deployments (ew1).
• RUX for Network refers to a RUX deployment that has enabled network data sources (sensors).
  o This means you have a Brain somewhere in your premises (data center or public cloud) that is paired with network sensors (virtual or physical) to capture network traffic and distill a metadata stream for processing by the Brain appliance.
  o Please refer to the Vectra Respond UX Deployment Guide for more details.
• Please refer to the table below to see the applicability of the various categories.
• The “Brain or User’s Web Browser” column should be interpreted as follows:
  o Brain: rules required for the Brain to reach the Vectra cloud.
  o User’s Web Browser: rules required for the user’s web browser to reach the Vectra cloud.

Rule Category | Required For | Brain or User’s Web Browser
RUX for Network GUI Synchronization | RUX for Network Deployments | Brain
Auth Gateways | RUX for Network Deployments; Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS | Brain
Metadata Forwarding | RUX for Network Deployments | Brain
Respond UX (RUX) Analyst/Admin Access | All RUX Deployments | User’s Web Browser
Respond UX (RUX) Static Asset CDN | All RUX Deployments | User’s Web Browser
Respond UX Customer File Upload | All RUX Deployments | User’s Web Browser
Additional Brain/Sensor Connectivity Requirements | RUX for Network Deployments | Varies; described in the table

RUX for Network GUI Synchronization

• Required for:
  o All RUX for Network deployments.
• This is used to synchronize configurations between the Brain appliance and your Vectra tenant.
• This communications channel is initiated from the Brain to the endpoint in your Vectra tenant’s region.
• The protocol and ports in use for each entry are the same: Websocket and HTTPS over TCP/443

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
main-cbi-tunnel-uw2.app.prod.vectra-svc.ai | Dynamic | US | Brain
main-cbi-tunnel-ew1.app.prod.vectra-svc.ai | Dynamic | EU | Brain
main-cbi-tunnel-ec2.app.prod.vectra-svc.ai | Dynamic | Switzerland | Brain
main-cbi-tunnel-cc1.app.prod.vectra-svc.ai | Dynamic | Canada | Brain
main-cbi-tunnel-as2.app.prod.vectra-svc.ai | Dynamic | Australia | Brain

Auth Gateways

• Required for:
  o All Respond UX for Network Deployments.
  o Quadrant UX deployments of CDR for M365, IDR for Azure AD, and CDR for AWS.
    ▪ Your Brain must be able to securely access the Vectra cloud over TCP/443 HTTPS connections to enable detection events from these products to be reported to your UI.
• In Respond UX for Network deployments, the Brain forwards network detections, entities, host sessions, and any selective PCAPs (Vectra Packet Capture) to your Vectra tenant via this connection.
• This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.

Fully Qualified Domain Name (FQDN) | IP(s) | Protocol / Ports | Region | Initiated From
authgateway.uw2.public.app.prod.vectra-svc.ai | 54.245.33.175, 52.42.70.176, 100.21.109.72, 52.26.91.157 | HTTPS TCP/443 | US | Brain
authgateway.ew1.public.app.prod.vectra-svc.ai | 54.171.40.108, 54.246.213.148, 54.75.47.147 | HTTPS TCP/443 | EU | Brain
authgateway.ec2.public.app.prod.vectra-svc.ai | 16.62.18.237, 16.62.142.98, 51.96.54.201 | HTTPS TCP/443 | Switzerland | Brain
authgateway.cc1.public.app.prod.vectra-svc.ai | 3.96.112.208, 52.60.211.221, 15.222.69.161 | HTTPS TCP/443 | Canada | Brain
authgateway.as2.public.app.prod.vectra-svc.ai | 13.54.11.66, 13.55.79.24, 13.55.106.102 | HTTPS TCP/443 | Australia | Brain

Metadata Forwarding

• Required for:
  o All Respond UX for Network Deployments.
• Network metadata is forwarded to AWS S3 buckets and processed to make it available for features such as Instant Investigation and Advanced Investigation in the Respond UX.
• This communications channel is initiated from your Brain to the endpoint in your Vectra tenant’s region.
• The protocol and ports in use for each entry are the same: HTTPS over TCP/443

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
cbo-upload-network-metadata-forwarder-uswt2-371371611652.s3-accesspoint.us-west-2.amazonaws.com | Dynamic | US | Brain
cbo-upload-network-metadata-forwarder-euwt1-371371611652.s3-accesspoint.eu-west-1.amazonaws.com | Dynamic | EU | Brain
cbo-upload-network-metadata-forwarder-eucl2-371371611652.s3-accesspoint.eu-central-2.amazonaws.com | Dynamic | Switzerland | Brain
cbo-upload-network-metadata-forwarder-cacl1-371371611652.s3-accesspoint.ca-central-1.amazonaws.com | Dynamic | Canada | Brain
cbo-upload-network-metadata-forwarder-apse2-371371611652.s3-accesspoint.ap-southeast-2.amazonaws.com | Dynamic | Australia | Brain

Respond UX (RUX) Analyst/Admin Access

• Required for:
  o All Respond UX deployments.
• Any analyst or admin who wishes to access the Respond UX will need to ensure that their browser can reach their Vectra tenant to log in and access the UI.
• This communications channel is initiated from the user’s web browser.
• The protocol and ports in use for each entry are the same: HTTPS over TCP/443

Fully Qualified Domain Name (FQDN) | IP(s) | Region | Initiated From
[tenant_id].uw2.portal.vectra.ai | Dynamic | US | User’s Web Browser
[tenant_id].ew1.portal.vectra.ai | Dynamic | EU | User’s Web Browser
[tenant_id].ec2.portal.vectra.ai | Dynamic | Switzerland | User’s Web Browser
[tenant_id].cc1.portal.vectra.ai | Dynamic | Canada | User’s Web Browser
[tenant_id].as2.portal.vectra.ai | Dynamic | Australia | User’s Web Browser

Respond UX (RUX) Static Asset CDN

• Required for:
  o All Respond UX deployments.
• The Respond UX has certain static assets (HTML, CSS, JS) that are required to serve the web application and are hosted by a CDN (Content Delivery Network).
• This communications channel is initiated from the user’s web browser.

Fully Qualified Domain Name (FQDN) | Protocol / Ports | IP(s) | Region | Initiated From
dd6462tdmvp79.cloudfront.net | HTTPS TCP/443 | Dynamic | All | User’s Web Browser
dpew7prsvwbf0.cloudfront.net | HTTPS TCP/443 | Dynamic | All | User’s Web Browser

Respond UX Customer File Upload

• Required for:
  o All Respond UX deployments.
• This communications channel is used for:
  o Vectra Match deployments, and will allow upload of rulesets.
  o PCAP download from the Vectra Cloud for Selective PCAP (Vectra Packet Capture).
  o Additional capabilities are planned for future releases.
    ▪ It is recommended to put rules in place even if you don’t use Match or Selective PCAP.
• This communications channel is initiated from the user’s web browser.

Fully Qualified Domain Name (FQDN) | Protocol / Ports | IP(s) | Region | Initiated From
prd-main-customerfiles-580786928539-uswt2.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | US | User’s Web Browser
prd-main-customerfiles-580786928539-euwt1.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | EU | User’s Web Browser
prd-main-customerfiles-580786928539-eucl2.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | Switzerland | User’s Web Browser
prd-main-customerfiles-580786928539-cacl1.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | Canada | User’s Web Browser
prd-main-customerfiles-580786928539-apse2.s3.amazonaws.com | HTTPS TCP/443 | Dynamic | Australia | User’s Web Browser

Additional Brain / Sensor Connectivity Requirements:

Source | Destination | Protocol/Port | Description
Admin Hosts | Brain / Sensors | TCP/22 (SSH) | CLI access to Brains and Sensors
Admin Hosts | Brain | TCP/443 (HTTPS) | Shows status of the Brain after being linked to the Respond UX. vSensor images and Detection PCAPs download from the Brain after redirect from the Respond UX.
Brain | update2.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Automatic updates and pairing key retrieval for physical Sensors
Brain | api.vectranetworks.com (54.200.5.9) | TCP/443 (HTTPS) | Health monitoring, algorithm support, reverse lookups for external IPs, Vectra Threat Intelligence, additional Detection context.
Brain (Cloud) | rp.vectranetworks.com (54.200.156.238) | TCP/443 (HTTPS) | Used only for Brains deployed in IaaS clouds. Used for authentication and verification (integrity check of the file system).
Brain/Sensors | DNS servers (as configured) | TCP/53, UDP/53 | DNS resolution; see the note above regarding use of both TCP and UDP
Brain | NTP servers (as configured) | UDP/123 | Time synchronization. Default is ntp.ubuntu.com
Brain | Sensors | TCP/22 (SSH) | Remote management and troubleshooting
Sensors | Brain | TCP/22 (SSH), TCP/443 (HTTPS) | Pairing, metadata transfer, and ongoing communication
Brain | rs.vectranetworks.com (74.201.86.229) | TCP/443 and UDP/9970 | Optional Remote Support VPN for remote troubleshooting. OpenVPN type if using a firewall with App ID rules.

• When also deploying Vectra Stream, please see the Stream Deployment Guide for additional guidance.
• The above tables detail basic requirements for initial setup and pairing. Many features and integrations are optional and not in scope for this document. For full detail on all possible firewall rules that might be required in your environment, please see the Firewall requirements for Vectra deployments.
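Because each region has its own FQDNs and auth gateway IPs, a practical way to hand the firewall team a rule request is to derive it from the region code in the portal URL rather than transcribing the tables by hand. The script below is an added example, not part of the Vectra guide: it encodes the FQDNs, IPs and ports from the tables in this section, derives the Brain and browser egress rules for one region, and offers an optional probe that resolves each Brain-side HTTPS destination and completes a certificate-validating TLS handshake, which is the same check the Brain makes, so an SSL inspection device in the path surfaces as a verification failure (see Firewall/Proxy SSL Inspection above). The default region "ew1" when no URL is passed and the helper names are assumptions of this example; the probe is a live network call and only runs with --probe.

```python
# Added example, not part of the Vectra guide: derive the egress rules one tenant
# needs from the region code in its portal URL, using the FQDNs, IPs and ports the
# guide's tables list, and optionally probe the Brain-side HTTPS destinations.
import re
import socket
import ssl
import sys

# Vectra region code -> AWS region, and -> the tag used in the S3 bucket and access
# point names (both taken from the guide's Metadata Forwarding / File Upload tables).
AWS_REGION = {"uw2": "us-west-2", "ew1": "eu-west-1", "ec2": "eu-central-2",
              "cc1": "ca-central-1", "as2": "ap-southeast-2"}
REGION_TAG = {"uw2": "uswt2", "ew1": "euwt1", "ec2": "eucl2", "cc1": "cacl1", "as2": "apse2"}

# Auth gateway IPs per region as published in the guide (the other FQDNs are dynamic).
AUTH_GATEWAY_IPS = {
    "uw2": ["54.245.33.175", "52.42.70.176", "100.21.109.72", "52.26.91.157"],
    "ew1": ["54.171.40.108", "54.246.213.148", "54.75.47.147"],
    "ec2": ["16.62.18.237", "16.62.142.98", "51.96.54.201"],
    "cc1": ["3.96.112.208", "52.60.211.221", "15.222.69.161"],
    "as2": ["13.54.11.66", "13.55.79.24", "13.55.106.102"],
}


def region_from_portal_url(url: str) -> str:
    """Pull the region code out of e.g. https://acme.ew1.portal.vectra.ai/ (acme is a made-up tenant)."""
    m = re.search(r"\.([a-z]{2}\d)\.portal\.vectra\.ai", url)
    if not m or m.group(1) not in AWS_REGION:
        raise ValueError(f"no supported Vectra region found in {url!r}")
    return m.group(1)


def egress_rules(region: str, network_sources: bool = True) -> list:
    """Rules as (source, destination, protocol/port, purpose) for one region.

    network_sources=False returns only the browser rules (SaaS-only tenant).
    """
    tag, aws = REGION_TAG[region], AWS_REGION[region]
    rules = [
        ("User's Web Browser", f"[tenant_id].{region}.portal.vectra.ai", "TCP/443", "analyst/admin access"),
        ("User's Web Browser", "dd6462tdmvp79.cloudfront.net", "TCP/443", "static asset CDN"),
        ("User's Web Browser", "dpew7prsvwbf0.cloudfront.net", "TCP/443", "static asset CDN"),
        ("User's Web Browser", f"prd-main-customerfiles-580786928539-{tag}.s3.amazonaws.com", "TCP/443", "customer file upload"),
    ]
    if network_sources:
        rules += [
            ("Brain", f"main-cbi-tunnel-{region}.app.prod.vectra-svc.ai", "TCP/443", "GUI synchronization (websocket)"),
            ("Brain", f"authgateway.{region}.public.app.prod.vectra-svc.ai", "TCP/443",
             "auth gateway, IPs " + ", ".join(AUTH_GATEWAY_IPS[region])),
            ("Brain", f"cbo-upload-network-metadata-forwarder-{tag}-371371611652.s3-accesspoint.{aws}.amazonaws.com",
             "TCP/443", "metadata forwarding"),
            ("Brain", "update2.vectranetworks.com", "TCP/443", "updates and pairing keys"),
            ("Brain", "api.vectranetworks.com", "TCP/443", "health, threat intel, lookups"),
            ("Brain/Sensors", "DNS servers (as configured)", "TCP/53 and UDP/53", "DNS, both transports"),
            ("Brain", "NTP servers (as configured)", "UDP/123", "time synchronization"),
        ]
    return rules


def probe_https(fqdn: str, timeout: float = 5.0) -> dict:
    """Resolve, connect on TCP/443 and complete a verified TLS handshake.

    Verification uses the default trust store, as the Brain does, so an SSL
    inspection proxy shows up as a CERTIFICATE_VERIFY_FAILED error rather than
    as a silently accepted connection. Network call; not run at import time.
    """
    result = {"fqdn": fqdn, "resolved": [], "tls_ok": False, "issuer": None, "error": None}
    try:
        infos = socket.getaddrinfo(fqdn, 443, type=socket.SOCK_STREAM)
        result["resolved"] = sorted({ai[4][0] for ai in infos})
        ctx = ssl.create_default_context()
        with socket.create_connection((fqdn, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result["issuer"] = issuer.get("organizationName")
                result["tls_ok"] = True
    except (OSError, ValueError, KeyError) as exc:  # ssl.SSLError is an OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    urls = [a for a in sys.argv[1:] if not a.startswith("--")]
    region = region_from_portal_url(urls[0]) if urls else "ew1"  # assumed default region
    rules = egress_rules(region)
    for rule in rules:
        print(" | ".join(rule))
    if "--probe" in sys.argv:  # run this from the Brain's network segment
        for src, dst, port, _ in rules:
            if src == "Brain" and port == "TCP/443" and " " not in dst:
                print(probe_https(dst))
```

Run with the tenant URL to print the rule list, and add --probe from a host on the Brain’s management segment to see which destinations resolve and negotiate TLS cleanly; a resolved address list that is empty points at the DNS rules, and a verification error with the expected IPs resolved points at SSL inspection.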

Deployment

Deployment Process Overview

• A decision is made to engage in a Vectra Respond UX trial or purchase.
• A welcome email will be sent after Vectra deploys a customer specific tenant where you can access the Respond UX.
  o The customer admin should validate access and configure additional user accounts and/or set up SAML SSO and role mapping for additional users as required. See Respond UX for details.
  o Non-network data sources can be configured at any time.
• For network data sources:
  o A Vectra Brain appliance is deployed by the customer or with the assistance of Vectra or a partner.
    ▪ The Brain should be updated to version 8.0 or higher. See Updating to version 8.0 or higher.
  o After the Brain is updated, Vectra links the Brain with your Vectra tenant.
  o All network data sources and graphical functionality are managed through the Respond UX.
    ▪ There should be no requirement to access the Quadrant UX GUI before your Brain is linked to your Vectra tenant. The Quadrant UX is served from a Brain appliance locally before it is linked with Vectra for a Respond UX for Network deployment (using network data sources with the Respond UX).
    ▪ Please see: Warnings in the Brain Deployment section for additional detail.
  o Sensors are added and network traffic capture is initiated.
    ▪ This should be done AFTER linking your Brain with Vectra.
  o Backup configuration (required for network data sources)
    ▪ Some parts of your deployment (metadata, detections, triage rules, etc.) are backed up in Vectra’s cloud, but the Brain appliance must still be backed up locally in your environment.
    ▪ Please see Backing up your Brain for additional guidance.

Respond UX

Once your Vectra tenant has been created, you will receive a welcome email from [email protected] with initial login details for the Respond UX. This will include a temporary password that expires in 7 days.
• Please log in within 7 days and create a permanent password.
• If SAML SSO is desired for admin and analyst access, please see one of the following articles to configure SAML 2.0 based SSO.
  o Setup SAML SSO with any IdP (Respond UX)
  o Setup SAML SSO with Azure AD (Respond UX)
  o Setup SAML SSO with Okta (Respond UX)

Brain Deployment

Requirements and Documentation Links

Per the Vectra AI Platform Overview earlier, when using network data sources, a Brain appliance will need to be deployed in your environment. The Brain appliance can be physical or virtual.
• For physical Brain appliances:
  o You will need CLI (Command Line Interface) access to the appliance.
  o The initial configuration at the CLI is covered in the Quick Start Guide for your appliance.
  o Please refer to that guide to configure an IP address, network mask, default gateway, and proxy (if required) on the Brain.
  o Current quick start guides for physical appliances that can support Brain or Mixed mode use are listed here:
    ▪ X29 Quick Start Guide
    ▪ B101 Quick Start Guide
    ▪ The physical appliance quick start guides are meant just for getting the appliance installed and available on your network.
• For virtual Brains deployed in IaaS clouds:
  o CLI access will be required if a proxy needs to be set for the Brain to communicate with Vectra.
  o Please see the appropriate deployment guide below for your supported IaaS cloud:
    ▪ AWS Brain Deployment Guide
    ▪ Azure Brain Deployment Guide
• For virtual Brains deployed in VMware:
  o This will require CLI access to set a static IP and DNS if you used DHCP for the initial boot process or plan to use a proxy for Brain to Vectra communications.
  o You can set an IP and DNS statically during OVA deployment.
  o Please see the VMware Brain Deployment Guide.

Any deployment guides not linked above are in the Vectra Product Documentation Index.
You may have already configured DNS following the quick start guide for your physical appliance or the deployment guide for your virtual Brain. If you did not configure DNS as part of your initial Brain deployment, this guide covers configuration of DNS later in the Data Sources > Network > Brain Setup section. It is recommended to have your Brain registered in your DNS to make failover scenarios easier to deal with.

Warnings
• Do NOT pair network Sensors or forward traffic to the Brain before it has been linked to the Vectra cloud.
  o If you go into the Quadrant UX on your Brain locally to pair network Sensors before it has been linked with Vectra’s cloud, it is possible for state information to become out of sync between the local Brain and Vectra’s cloud during the linking process.
  o As part of the linking process, a factory reset is issued to ensure that there will be no state sync issues.
• If a factory reset is issued (this is the standard procedure), all data on the local Brain that hasn’t been backed up elsewhere will be lost.
  o IP configuration and remote support VPN state will be kept during a factory reset.
  o !! Any proxy configuration will be cleared as part of this reset process.
    ▪ If Vectra engineering issues a factory reset, proxy settings will need to be reconfigured.

Proxy Support
If a proxy is required in your environment to communicate with Vectra from your Brain, in versions 7.9 and above, this
can be set at the CLI of your Brain. Login to your Brain’s CLI is done using the “vectra” user account. The default
password is “changethispassword” for a newly deployed Brain. For Brains deployed in IaaS clouds (AWS,
Azure), part of the deployment process includes creating an SSH key pair for login as the “vectra” user. The
deployment guides for Brains in IaaS clouds include instructions for how to create and use those key pairs to log in to
the Brain’s CLI.
 Proxy commands (v7.9+)
o “show proxy”
o “set proxy config [IP or Hostname] [port] [USERNAME] [PASSWORD]”
o “set proxy enable [on|off]”
o Any of these with “-h” option will show command help with syntax.

Examples:
vscli > set proxy config 1.1.1.1 80 testuser testpass
Saving proxy config...
Proxy config updated

vscli > show proxy
Enabled: True
Host: 1.1.1.1
Port: 80
Authentication:
Authentication enabled: True
User: testuser
Password: **********
Method: basic

vscli > set proxy enable on
Updating proxy config...
Proxy enabled

Updating to version 8.0 or higher

Some base Brain images will not be at v8.0 or higher when first deployed due to processes required to provide new
image types in IaaS clouds, validation processes and imaging of physical appliances in the supply chain, etc. Vectra’s
process to link Brain appliances with Vectra’s cloud as part of your overall Respond UX deployment requires version
8.0 during general availability of Respond UX for Network (using network sensors with the Respond UX).
Vectra engineering will convert your Brain from its base state (where it serves the Quadrant UX locally) into a state
where it is linked to the Vectra cloud. This conversion/linking is kicked off by Vectra engineering after your Brain
checks in with Vectra. After linking, the Respond UX (served from Vectra’s cloud) communicates with your locally
installed Brain.
Once your Brain is installed (following the instructions from your Brain Quick Start or Deployment Guide, see links in
the Requirements and Documentation Links above), please ensure it can communicate with Vectra and see that it
gets updated to v8.0 or higher.
Guidance:
 Ensure that if a proxy is required for communication with Vectra, it is configured per Proxy Support earlier.
 Use the “debug connectivity” command at your Brain’s CLI to check connectivity to the following
endpoints (from the Connectivity Requirements (Firewall Rules) section earlier):
o update2.vectranetworks.com
o api.vectranetworks.com
o The Vectra Cloud Gateway and Interim Vectra Cloud Gateway corresponding to the region where
your Respond UX tenant was deployed into (US, EU, Canada, Australia, etc).
o rp.vectranetworks.com
o rs.vectranetworks.com
 Use the “show version” command at your Brain’s CLI to see the current version and whether an upgrade
is currently being applied.
o New Brain versions may be in the process of downloading and preparing to be installed even while
the result of the show version command shows “Upgrading: False”.
o Please work with your Vectra team for additional detail. If your Brain is successful in communicating
with Vectra, additional detail about the current state will be available to Vectra team members.

Examples:
vscli > debug connectivity -h
Usage: debug connectivity [OPTIONS] HOST PORT

Test TCP connectivity to destination host or IP through proxy if configured

Options:
  --bypass-proxy / --dont-bypass-proxy
                       Bypass proxy while testing connectivity if proxy is configured
  --ssl / --no-ssl     Test connectivity to host using SSL
  --timeout FLOAT      Seconds to attempt a connection to host and proxy if configured [default: 5]
  -h, --help           Show this message and exit.

vscli > debug connectivity api.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity update2.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity authgateway.uw2.public.app.prod.vectra-svc.ai 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity main-authgateway-uw2.app.prod.vectra-svc.ai 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity rp.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity rs.vectranetworks.com 443
Connectivity: Success
Proxy: False
SSL: False

vscli > debug connectivity rs.vectranetworks.com 9970
Connectivity: Success
Proxy: False
SSL: False

vscli > show version
Upgrading: False
Version: 8.0.0-12-32
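The same pre-flight can be run from a workstation or jump host on the Brain's management network, as an added Python example that is not Vectra's code and does not replace the Brain's own debug connectivity command: it attempts a TCP connection to each endpoint in the Guidance list, optionally through an HTTP CONNECT proxy with basic authentication (the method shown by show proxy), and completes a verified TLS handshake where the guide's examples pass --ssl. The endpoint tuple, the ProxyConfig class, the loopback self-check and the sample proxy values are constructed for this example; the two gateway hostnames are the ones from the session above and must be replaced with those for your region.

```python
import base64
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional

# (host, port, test TLS?) from the Guidance list; gateway hostnames are the session's, use your region's.
REQUIRED_ENDPOINTS = (
    ("update2.vectranetworks.com", 443, True),
    ("api.vectranetworks.com", 443, True),
    ("authgateway.uw2.public.app.prod.vectra-svc.ai", 443, True),
    ("main-authgateway-uw2.app.prod.vectra-svc.ai", 443, True),
    ("rp.vectranetworks.com", 443, True),
    ("rs.vectranetworks.com", 443, False),
    ("rs.vectranetworks.com", 9970, False),
)

@dataclass
class ProxyConfig:
    host: str            # the same fields 'show proxy' displays
    port: int
    username: Optional[str] = None
    password: Optional[str] = None

def build_connect_request(host: str, port: int, proxy: ProxyConfig) -> bytes:
    """HTTP CONNECT request sent to the proxy; basic auth corresponds to 'Method: basic'."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy.username is not None:
        token = base64.b64encode(f"{proxy.username}:{proxy.password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def check_endpoint(host: str, port: int, use_ssl: bool = False,
                   proxy: Optional[ProxyConfig] = None, timeout: float = 5.0) -> dict:
    """One check in the style of 'debug connectivity HOST PORT [--ssl]'; never raises."""
    result = {"host": host, "port": port, "proxy": proxy is not None, "ssl": use_ssl,
              "connectivity": False, "error": None}
    sock = None
    try:
        if proxy is None:
            sock = socket.create_connection((host, port), timeout=timeout)
        else:
            sock = socket.create_connection((proxy.host, proxy.port), timeout=timeout)
            sock.sendall(build_connect_request(host, port, proxy))
            status = sock.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            if status.split(" ")[1:2] != ["200"]:
                raise ConnectionError(f"proxy refused CONNECT: {status!r}")
        if use_ssl:
            # Verified handshake: an intercepting proxy or wrong clock fails here, not at link time.
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        result["connectivity"] = True
    except OSError as exc:  # socket errors, timeouts, ConnectionError and ssl.SSLError
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        if sock is not None:
            sock.close()
    return result

def run_preflight(proxy: Optional[ProxyConfig] = None) -> list:
    results = [check_endpoint(h, p, s, proxy) for h, p, s in REQUIRED_ENDPOINTS]
    for r in results:  # same three fields the Brain's CLI prints
        state = "Success" if r["connectivity"] else f"Failed ({r['error']})"
        print(f"{r['host']}:{r['port']}  Connectivity: {state}  Proxy: {r['proxy']}  SSL: {r['ssl']}")
    return results

def loopback_self_check() -> dict:
    """Offline sanity check of the checker itself: one open, then one closed port on 127.0.0.1."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    acceptor = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    acceptor.start()
    opened = check_endpoint("127.0.0.1", port, timeout=2.0)
    acceptor.join(timeout=2.0)
    srv.close()
    closed = check_endpoint("127.0.0.1", port, timeout=2.0)  # nothing listening now: refused
    return {"open": opened, "closed": closed}

if __name__ == "__main__":
    run_preflight()  # e.g. run_preflight(ProxyConfig("1.1.1.1", 80, "testuser", "testpass"))
```

Run it with the same proxy settings the Brain will use; a row that fails without TLS points at the firewall rule for that endpoint, while an SSL error on a row whose plain TCP connect succeeds points at a TLS-inspecting proxy or a certificate problem in the path.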


Next Steps

Please continue configuring data sources such as Network (Sensors), IDR for Azure AD & CDR for M365, or CDR for
AWS at your convenience. You may also choose to move on to Initial Configuration settings for the platform.

Configuring Data Sources

Network (Sensors)
Physical and Virtual Sensors (vSensors) collect raw traffic from your network, store it in a rolling capture buffer, and
generate a metadata stream that the Brain processes further. When detections are created by the Brain, a PCAP (if
enabled) is requested from the Sensor that saw the traffic in question so that it can be attached to the detection for
viewing by the analyst.
Sensor deployment and pairing with the Brain is covered in the following guides:
 Physical appliance deployment quick start guides:
o S11 Sensor Quick Start Guide
o S101 Sensor Quick Start Guide
o X29 Quick Start Guide
o For other physical Sensors not listed, please go to the Vectra Product Documentation Index and then
the Physical Appliances section.
 Vectra Physical Appliance Pairing Guide
o Covers pairing of physical appliances and the Stream M29 appliance to your Brain.
 Traditional Hypervisor vSensor Deployment and Pairing:
o VMware vSensor Deployment Guide
o Hyper-V vSensor Deployment Guide
o KVM vSensor Deployment Guide
o Nutanix vSensor Deployment Guide
 Cloud IaaS vSensor Deployment and Pairing:
o AWS Sensor Deployment Guide
o Azure Sensor Deployment Guide
o GCP Sensor Deployment Guide

Traffic Validation
Once you have deployed and added network Sensors to your environment, the next step is to direct traffic at those
Sensors so they can produce metadata for analysis by the Brain appliance. This is typically done via
SPAN/COPY/MIRROR ports on switches, network TAPs, or packet brokers. Please see the following Vectra support
article for recommendations on network traffic that should be examined and excluded from analysis:
 Vectra Platform Network Traffic Recommendations

After sending traffic to your Sensors, it is a best practice to validate that the traffic observed meets quality standards
required for accurate detection and processing. Vectra’s Enhanced Network Traffic Validation feature provides
alarms and metrics that can be used to validate the quality of your traffic. Please see the following Vectra support
article for details:
 Enhanced Network Traffic Validation (CLI)


IDR for Azure AD & CDR for M365

IDR for Azure AD and CDR for M365 can be deployed at any time once you are able to access the Vectra Respond
UX. Some capabilities after enabling a connection to Azure AD and M365 are:
 See and stop attackers targeting Federated applications, the Azure AD backend and all your M365
applications like SharePoint, Exchange and Teams.
 Respond to threats immediately with zero-query investigations.
 See through the chaos and understand how attackers could be bypassing MFA and accessing your tenant.

To enable this data source in your Cloud UI, navigate to Data Sources > Azure AD & M365 and click the “Get Started”
button in the top right. The Vectra IDR for Azure AD and CDR for M365 Quickstart Guide is also linked from this
page.

CDR for AWS

CDR for AWS can be deployed at any time once you are able to access the Vectra Respond UX. Some capabilities
after enabling an AWS CloudTrail connection are:
 Monitor AWS CloudTrail Management and Data events to detect changes to your AWS environment which
malicious actors can exploit to impact your org.
 Rapidly detect threats against AWS infrastructure without relying on signatures, agents, V-Taps, or static
policies.
 Agentless monitoring of applications, users, roles, serverless compute, and storage, through AWS CloudTrail
logs.
 Automate response to attacks with native integrations into AWS and 3rd party solutions to automatically stop
attacks without impact to service.

To enable this data source in your Respond UX, navigate to Data Sources > AWS CloudTrail and click the “Get
Started” button in the top right. The CDR for AWS Deployment Guide is also linked from this page.


Initial Configuration

Settings > General

This area contains settings that apply to your entire installation of the Vectra cloud platform.

Settings > General > Account Association

When using CDR for M365 & IDR for Azure AD, this area will allow you to manually map network realms to cloud
domains. We recommend using automatic mapping by linking your Active Directory instance to your Vectra Brain, as
this will link more robustly and with a greater success rate than manual mapping.

Settings > General > Auto-Refresh Security Dashboard

This setting determines if the Security Dashboard auto-refreshes itself every 10 minutes. This might be useful in a
SOC if a monitor is dedicated to displaying this dashboard.

GUI Access Timeout

There is a 24-hour limit enforced before the user must re-authenticate to access the Respond UX. Session tokens
and CSRF tokens have an 8-hour life, but the user will not need to authenticate again for 24 hours after the initial
login.

Settings > General > Metadata Configuration

This setting allows you to configure behavior for connection state logging. This impacts the detail level of the
“conn_state” field shown in Advanced Investigation / Stream metadata. You can also control the volume of DNS
metadata by choosing whether DNS metadata is logged only when a reply is observed in response to a request.

Settings > General > Remote Support

This is optional and allows Vectra Support to access the command-line shell for remote support: debugging, addressing
potential performance problems, verifying software updates, and troubleshooting.
 Utilizes OpenVPN on TCP:443 and UDP:9970.
 Access to the shell is two-factor secured, requires a support ticket to be logged, and is audited.
 Please note that this can be toggled on and off as required if you would prefer to not leave it enabled.

For additional detail regarding this feature, please see the Vectra support article How do I ensure a Brain has remote
support enabled?

Settings > General > Timezone

This setting is not configurable in the Respond UX but shows that the time zone configured for the Vectra cloud
platform is Etc/UTC.

Data Sources > Network > Brain Setup

This area contains settings that are specific to your Vectra Brain.

Data Sources > Network > Brain Setup > Brain

This area of the GUI displays various Brain specific settings and information, and also has “Restart” and “Shut Down”
links.
 DNS Name
o FQDN (Fully Qualified Domain Name) that can be used to pair Sensors and/or Stream to this Brain.
o To use this value for pairing, change the pairing setting under Data Sources > Network > Sensors >
Sensor Configuration > Sensor Pairing and Registration to “DNS Name”.
▪ Additional guidance for pairing via IP or DNS will be given later in this document.
o In general, it is recommended to configure your DNS with a proper hostname for the Brain.
 Alias
o The label for this Brain within various areas of the Vectra platform.
 For linking in alerts/notifications (except AWS SecurityHub):
o Choose either “DNS Name” or “Management IP Address”.
o This will determine the format of links in alerts/notifications.

Data Sources > Network > Brain Setup > CLI Password (Brain)
This setting allows you to set the password for the “vectra” user used to access the CLI of the Brain via SSH.
 Please note that accessing the CLI of a Brain deployed in an IaaS cloud requires SSH authentication using
the private key corresponding to the public key that was provided during deployment.
 Physical appliances and virtual Brains can authenticate using a password.

Data Sources > Network > Brain Setup > DNS Entries
These DNS settings apply to the Brain only. Sensor DNS is set individually at the CLI or via a configuration string
when deploying vSensors using the command line from the Brain.
 If you have not already configured DNS for the Brain at the CLI, please do so in this section of the UI.
 It is also highly recommended to enable Reverse DNS Lookup to improve host identification and context.
o This is done by checking the checkbox in this area.

Data Sources > Network > Brain Setup > IP Address Classification
For proper algorithm operation and recognition of traffic directionality within Stream or Recall metadata, it is
mandatory to accurately identify internal vs. external IP space. By default, all RFC-1918 IP space is considered
“internal”.
 RFC-1918 (Address Allocation for Private Internets) IP space
o https://tools.ietf.org/html/rfc1918
o 10.0.0.0 - 10.255.255.255 (10/8 prefix)
o 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
o 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
o fd00::/8 (IPv6)
 Internal IP Addresses (CIDR)
o IP addresses or CIDR blocks entered here will be considered internal to your network.
o Everything else will be considered external.
 Exclude a Subset of Internal IP Addresses (CIDR)
o Use this area if you have a subset of internal IP addresses listed above you want to be considered as
external to your network.
o For example, if you were going to simulate Command and Control behavior from an internal lab, you
should configure the lab IP space as external (by adding it to this section). This allows Detect models to
properly identify the behavior.
 Drop IP Addresses (CIDR)
o IP addresses or CIDR blocks entered here will be ignored.
o Any traffic to or from these addresses will not be analyzed by your platform.
o Ignoring traffic by VLAN is supported at the CLI using the “set capture-vlan” command.
 Internal VPN IP Addresses (CIDR)
o Enter any IP ranges allocated to your VPN servers for remote end users’ connections.
o This will improve identification and detection model coverage for hosts connecting in via VPN by
altering some characteristics of underlying models.
 Static IP Addresses (CIDR)
o In many customer environments, Vectra’s automated Host Identification (Host ID) is all that is
required for customers to have all the pertinent hosts in their environment named and tracked.
Generic hosts (IP-x.x.x.x) will inevitably be observed when a host first comes into the environment,
but not enough artifacts have been observed to create a stable named host object or attribute its
traffic to a previously created host. This can commonly happen when a user plugs in a laptop for the
day, but the host is not recognized immediately. Vectra manages this on its own and will attribute
traffic for this generic host to the real named host object once it is recognized.
o Many customers also have statically assigned hosts and may not have hostnames in the customer
DNS. Additionally, Vectra may not directly observe enough artifacts of other types to name the host.
If a stable host object never gets created, learning for several models cannot be anchored to generic
hosts. This means that some Detections cannot fire and features such as the Host Role cannot
function on these generic hosts.
o Enter IP addresses or CIDR blocks representing the statically assigned hosts in your environment in
this area.
o Hosts on these IPs or ranges will show as STATIC-x.x.x.x in the Vectra UI and will no longer be
generic hosts.
o These hosts will have full support for learning and all Detections and features.
o Statically defined hosts will not change name based on observed artifacts - they will remain static until
they are no longer configured as such.
o You are free to rename statically assigned hosts as you wish.
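To check a planned classification before entering it in the UI, the following is an added Python model (not Vectra's code) of how the five lists above interact as the text describes them: Drop wins, then the exclusion carve-out turns a subnet external, then the Internal list (RFC 1918 plus fd00::/8 by default) decides scope, with VPN and Static applied only to internal addresses. It assumes that a non-empty Internal list replaces the defaults rather than extending them and that only internal addresses receive a host object; the lab, scanner, VPN and static ranges in example_classifier() are constructed.

```python
import ipaddress
from typing import Iterable, Optional

# Default internal space per the guide: the three RFC 1918 ranges plus fd00::/8.
RFC1918_DEFAULTS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")

def _networks(cidrs: Iterable[str]) -> list:
    """Accepts bare IPs or CIDR blocks, as the UI fields do (a bare IP becomes a /32 or /128)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def _matches(ip, networks) -> bool:
    return any(ip in net for net in networks)  # an IPv4 address never matches an IPv6 block, and vice versa

class BrainIpClassifier:
    """Models Data Sources > Network > Brain Setup > IP Address Classification.

    Assumptions not stated on the page: a non-empty 'Internal IP Addresses' list replaces
    the RFC 1918 defaults rather than extending them; 'Drop' overrides every other list;
    only internal addresses get a host object (IP-x.x.x.x or STATIC-x.x.x.x).
    """

    def __init__(self, internal=(), exclude_internal=(), drop=(), vpn=(), static=()):
        self.internal = _networks(internal or RFC1918_DEFAULTS)
        self.exclude_internal = _networks(exclude_internal)
        self.drop = _networks(drop)
        self.vpn = _networks(vpn)
        self.static = _networks(static)

    def classify(self, address: str) -> dict:
        ip = ipaddress.ip_address(address)
        if _matches(ip, self.drop):
            # Traffic to or from a dropped address is not analyzed at all.
            return {"ip": address, "scope": "dropped", "vpn": False, "host_label": None}
        internal = _matches(ip, self.internal) and not _matches(ip, self.exclude_internal)
        label = None
        if internal:
            # Statically assigned hosts get a stable STATIC-x object; all others start as a generic
            # IP-x host until Host ID attributes their traffic to a named host.
            label = ("STATIC-" if _matches(ip, self.static) else "IP-") + address
        return {"ip": address, "scope": "internal" if internal else "external",
                "vpn": internal and _matches(ip, self.vpn), "host_label": label}

    def flow_direction(self, src: str, dst: str) -> Optional[str]:
        """Directionality of a flow as the Brain would record it, or None when it is dropped."""
        s, d = self.classify(src), self.classify(dst)
        if "dropped" in (s["scope"], d["scope"]):
            return None
        return f"{s['scope']}->{d['scope']}"

def example_classifier() -> BrainIpClassifier:
    """Constructed configuration: default internal space, a lab carved out as external (the
    Command and Control simulation case from the text), a vulnerability scanner subnet
    dropped, a remote-access VPN pool, and statically addressed servers without DNS names."""
    return BrainIpClassifier(
        exclude_internal=["10.99.0.0/16"],       # internal lab that simulates attacker traffic
        drop=["10.250.0.0/24"],                  # scanner appliances whose traffic is noise
        vpn=["10.200.0.0/16"],                   # address pool handed to remote VPN users
        static=["10.10.5.0/24", "10.10.6.1"],    # statically assigned servers
    )

if __name__ == "__main__":
    c = example_classifier()
    for addr in ("10.10.5.20", "10.99.1.5", "10.200.3.4", "10.250.0.9", "192.168.1.7", "fd00::1", "8.8.8.8"):
        print(c.classify(addr))
    print(c.flow_direction("10.10.5.20", "8.8.8.8"), c.flow_direction("10.99.1.5", "10.10.5.20"))
```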

Data Sources > Network > Brain Setup > NTP Entries
Vectra provides defaults but please set your preferred time synchronization sources (up to 5) here.

Data Sources > Network > Brain Setup > PCAP Generation
PCAPs provide great value to analysts in a number of scenarios. PCAPs are assembled from the Sensor’s rolling
capture buffer upon request from the Brain during the publishing of Detection alerts. In some circumstances,
customers may not want to have PCAPs generated at all, or from certain Sensors that may be deployed in areas with
stricter privacy controls that don’t allow for PCAP.
 Edit in this area to turn off PCAP generation entirely.
 To turn off PCAP generation on an individual Sensor go to Data Sources > Network > Sensor, select the
Sensor you wish to edit, click the edit pencil, and then deselect the “Capture PCAPs for this Sensor” checkbox
and “Save” your setting.


Data Sources > Network > Brain Setup > Proxy & Status
Edit this area to add or change proxy settings if required for your environment. This area also shows the status of
connections.
 Please note that if you see green checkmarks for both the Statistics Destination and the Updater Destination,
even if a warning stating “No proxy configured” is displayed, you do not need to set up a proxy for your
platform.
 Proxy settings can also be configured at the CLI. See Proxy Support for details.

Data Sources > Network > Brain Setup > Version

Information about the version of your Vectra cloud platform will be displayed in this area.

Data Sources > Network > Sensors

In this area you can pair and manage network sensors, configure a number of options related to Sensor pairing and
registration, and change the password for paired devices (Sensors or Stream).

Data Sources > Network > Sensors > Network Sensors

Sensor management and pairing is accomplished in this area. For details on pairing, please see either the Vectra
Physical Appliance Pairing Guide for physical Sensors and the Stream appliance, or see the guide specific to the
vSensor you are pairing. vSensor guides are available for deploying in IaaS clouds, or other hypervisor
environments. Please see the Vectra Product Documentation Index on the Vectra support site to easily locate the
guide for your vSensor.

Data Sources > Network > Sensors > Sensor Configuration > Sensor Pairing and Registration
Editing this area will allow you to alter the default way a Sensor will attempt to pair with a Vectra Brain and allow you
to enable or disable Virtual Sensor Automatic Pairing. Additionally, this area provides a link to generate a new
Sensor Registration Token.
 Pair using the Detect Brain
o If you have a DNS name configured in Data Sources > Network > Brain Setup > Brain, then the “Pair
using the Detect brain” area will provide a choice between the configured DNS name and the
Management IP (MGT1).
o If you do not have a DNS name configured, there will only be one option present using the configured
IP.
▪ It may take a few minutes after adding a DNS name in your Brain setup for the choice to
appear in this area.
o Pairing via the Brain DNS Name makes Brain replacement or IP Address change events easier to
manage.
o This setting only affects the default pairing mode for Sensors used in future pairing operations.
▪ Any previously paired devices will remain paired regardless of how they were paired.
▪ Regardless of setting, the “set brain” command available at the CLI of the Sensor will
allow you to attempt pairing via hostname or IP.
o Should you choose to change the pairing method for previously paired devices, you will need to
unpair the previously paired devices and re-pair them.
 Virtual Sensor Automatic Pairing
o This setting allows you to choose if you want to automatically pair with virtual Sensors when they
announce their availability.
o It is recommended to allow auto pairing during initial setup or during large virtual Sensor rollouts.
o When you are done deploying virtual Sensors, you may turn this off to enhance security posture.
 Sensor Registration Token
o This is used to validate devices attempting to register to this Brain and resets after 24 hours.
o It is used in the Registration Token field in the Sensor deployment template for cloud Sensors.
o While the Sensor Registration Token (SRT) is required for cloud Sensor deployment, it is optional for
physical Sensors and virtual Sensors.
o Use of the SRT will allow you to pair a Sensor with any Brain in your organization. This can be useful
for disaster recovery scenarios where a device may have been paired to another Brain previously.
o After a Sensor registers with this Brain, it will appear in the Sensor list in Data Sources > Network >
Sensors where its pairing can be managed.
o Stream devices will show pairing status in Settings > Stream > Pairing Status.

Data Sources > Network > Sensors > Sensor Configuration > CLI Password (Sensors)
In this area you can change the password for all paired Sensor or Stream appliances to easily keep passwords in
sync.
 If you require separate passwords for each Sensor or Stream appliance, the password for the “vectra” user
may be changed individually using the “set password” command at the CLI of your Sensor.

Settings > Notifications

In this area you can configure email notifications.

Settings > Notifications > Alert Emails

Alert emails can be sent to email addresses or aliases. Enter the desired recipients in the top box. Alert types:
 Send entity alerts
o These alerts are sent when an entity (host or account) crosses the configured scoring threshold.
o The Urgency Score Threshold is configurable and is set independently from the Priority Threshold
that you may have set under Settings > Priority Threshold.
 Send detection alerts
o These alerts are sent when any selected Detection occurs.
o Some customers may want Detection alerts for specific Detections that they consider critical, such as
Ransomware, regardless of the current Entity score.
 Send system alerts
o Alerts related to system operations are sent.
o Examples are when there is a change in Sensor connectivity, capture interface health, or disk health.
 Send vCenter alerts
o Alerts related to changes in vCenter, such as new physical hosts being spun up that do not have
vSensor coverage.
o This requires vCenter integration to be set up.


Backing up your Brain

As discussed earlier in the Deployment Process Overview, the Brain appliance should be backed up by the customer.
The Vectra cloud platform stores detections, metadata, and triage filters, but the configuration of the Brain is not
backed up by Vectra. Care should be taken to ensure backup to a Windows server, SFTP/SCP, or an AWS S3 bucket.
Please see the following Vectra support portal articles for more details:
 Backup and Restore for Vectra Brain Appliances (v8.5+)
 Vectra Brain Appliance Disaster Recovery (DR) / Migration Recommendations (v8.5+)

Recommended Next Steps

Vectra offers a variety of deployment services, consulting, or full MDR options for customers that need more help or
expert analyst assistance. Please work with your Vectra account team for additional details.
This guide covered initial configuration of basic settings. There are several other settings and options that you should
consider examining and implementing:

 Work on traffic engineering and getting traffic flowing to your Sensors or mixed mode Brain.
 Integrations that help with HostID such as:
o vCenter integration if you have a VMware environment.
o SIEM/DHCP and Windows Event Log ingestion.
o EDR integration.
 Integrations that bring additional context to analysts.
o The integrations listed above to help with HostID also bring additional context.
o AD integration.
 Integrations to enable taking action.
o AD and EDR integration bring host and account Lockdown capability.
o Azure AD Account Lockdown works with an Azure AD data source.
 Enabling Stream.
 Setting up SSO using SAML if you have not already done so.
 Building groups and triage rules to suppress unwanted detections for authorized behaviors.

Please note the following best practices:

 Change default passwords for the “admin” (GUI) and “vectra” (CLI and IPMI/iDRAC) users to strong values.
 IPMI / iDRAC interfaces should be on their own isolated networks when possible.

Worldwide Support Contact Information

 Support portal: https://support.vectra.ai/
 Email: [email protected] (preferred contact method)
 Additional information: https://www.vectra.ai/support
