Vectra NDR and Network Identity Architecture
Definitions / Deployment
Definitions
• When used with network Sensors, it communicates with Brain appliance(s) deployed in customer premises.
• Quadrant UX (QUX) - The Vectra UI is served from Brain appliance(s). Not shown in diagram on next page.
• The Brain appliance processes the metadata locally to create detections.
• The Brain sends metadata and detections to the Vectra cloud for presentation in the Respond UX.
• For QUX deployments, the UI is local, and metadata can be sent to Vectra Recall.
• Serves as communications broker between Vectra’s cloud and local integration points for RUX deployments.
• Sensor Appliance - vSensor is a virtual Sensor (for hypervisors or IaaS cloud), Sensor is a physical Sensor.
• Vectra Stream sends network metadata to the customer’s data lake for both RUX and QUX deployments.
• Logs are analyzed by the Brain to link remote workers with traffic seen by app connectors in the data center.
• SOAR/SIEM integration uses API connections to communicate with the Vectra cloud.
[Diagram: East/West traffic - Recon, Lateral Movement; Server to Server, User to Server, User to User]
Traffic Capture Guidance

Important to Capture:
  DCE/RPC, DHCP, HTTP, Kerberos, LDAP, NTLM, Radius, RDP, SMB, SMTP
  (these carry the authentication, name-resolution and remote-execution exchanges that the east/west recon and lateral-movement detections depend on)

Should be Excluded from Capture:
  Core routing protocols
  High-bandwidth backup data
  HPC workloads that are well isolated
  Storage network file systems (SMB is ok)
  Video multicast

What Helps Improve Vectra’s HostID:
  EDR integration, VMware integration, SIEM event forwarding, Windows Event Log ingestion
  See Understanding Vectra Detect Host Naming for additional information.

Supported Encapsulations: GENEVE, Generic Routing Encapsulation (GRE)

Typical Traffic Capture Sources: Vectra NDR for Cloud (Gigamon), SPAN/COPY/MIRROR ports
Encrypted Traffic - Vectra AI models work with encrypted traffic (no decryption required)
Basic Communications/Pairing
Note! - Please see Firewall Requirements for Vectra Deployments for full details. There are additional requirements depending on the
specifics of your deployment, specific integrations, etc.
Note! - Air-gapped deployments of Vectra NDR are possible (QUX only). NDR detections are generated locally on the Brain. Please see
Offline Updates (v8.9+) for details on how updates are managed in these situations.
• Users log in using their web browser to the Respond UX at the URL given in their welcome letter.
• Quadrant UX users log in to their Vectra UI (served from the Brain) at the IP or hostname of their Brain.
• Sensors must be able to reach the Brain over TCP/22 (SSH) and TCP/443 (HTTPS).
• In general, Sensors only communicate with the Brain appliance and DNS. There is only one exception:
  • Physical Sensors can retrieve the IP of the Brain they need to pair with from the Vectra Cloud at initial boot. With DHCP enabled, a physical Sensor can automatically begin the pairing process with no login required to its CLI. This requires that TCP/443 be open to update2.vectranetworks.com from the physical Sensor.
• The Brain appliance is deployed in the customer premises and communicates with the Vectra Cloud over a variety of channels. These connections are initiated from the Brain.
• Updates are served from the Vectra Cloud and installed automatically in an update window chosen by the customer. Sensor updates are served from the Brain appliance and are also installed automatically.
• Pairing Sensors or Stream appliances with a Brain is a simple process. Some details are below:
  • Physical Appliance Pairing Guide
  • vSensor pairing is covered in each vSensor deployment guide (see Product Documentation Index for guides)
  • A Sensor registration token, managed in your UI or CLI, allows IaaS cloud vSensors or any other Sensor to pair with a Brain even if it was not originally configured for use with a specific Brain.
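Added example, not part of the datasheet and not Vectra's own tooling: a POSIX-shell pre-flight check that turns the Sensor-to-Brain requirements above into something a deployment engineer can run from the Sensor's network segment before pairing. The Brain address 192.0.2.10 and the physical/vsensor selector are assumptions; the ports (TCP/22, TCP/443) and the cloud pairing host update2.vectranetworks.com are the ones the text lists.

```sh
#!/bin/sh
# Added pre-flight check (not Vectra's tooling): run from the Sensor host, or a
# host in the Sensor's segment, to confirm the paths the datasheet requires.
BRAIN="${BRAIN:-192.0.2.10}"                      # assumed placeholder; set BRAIN=<your Brain IP/hostname>
CLOUD_PAIRING_HOST="update2.vectranetworks.com"   # needed only by physical Sensors pairing at first boot
TIMEOUT="${TIMEOUT:-3}"                           # seconds per connection attempt

# tcp_open HOST PORT: exit 0 if a TCP handshake to HOST:PORT completes, 1 otherwise.
# Prefers bash's /dev/tcp (no dependence on which nc variant is installed) and
# bounds the attempt with timeout(1) so a silently filtered port does not hang.
tcp_open() {
    if command -v timeout >/dev/null 2>&1 && command -v bash >/dev/null 2>&1; then
        timeout "$TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    else
        nc -z -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
    fi
}

# preflight_targets BRAIN KIND: print one "host port purpose" line per path a
# Sensor must reach. KIND is "vsensor" (Brain only) or "physical" (Brain plus
# the cloud pairing host, the single exception the datasheet lists).
preflight_targets() {
    printf '%s 22 ssh-to-brain\n'    "$1"
    printf '%s 443 https-to-brain\n' "$1"
    if [ "$2" = "physical" ]; then
        printf '%s 443 cloud-pairing\n' "$CLOUD_PAIRING_HOST"
    fi
}

# run_preflight BRAIN KIND: test every target, print PASS/FAIL per line and
# return the number of unreachable targets (0 means the Sensor can pair).
run_preflight() {
    failures=0
    # feeding the loop from a here-document keeps it in the current shell,
    # so the $failures counter is not lost in a pipeline subshell
    while read -r host port purpose; do
        if tcp_open "$host" "$port"; then
            printf 'PASS %s:%s (%s)\n' "$host" "$port" "$purpose"
        else
            printf 'FAIL %s:%s (%s)\n' "$host" "$port" "$purpose"
            failures=$((failures + 1))
        fi
    done <<EOF
$(preflight_targets "$1" "$2")
EOF
    return "$failures"
}

# Usage: sh sensor-preflight.sh <brain-ip-or-host> [physical|vsensor]
if [ -n "${1:-}" ]; then
    run_preflight "$1" "${2:-physical}" || echo "preflight: $? target(s) unreachable"
fi
```

A FAIL on the Brain lines means the Sensor will not pair regardless of how it was configured; a FAIL on the cloud-pairing line only matters for a physical Sensor that is expected to discover its Brain at first boot, and a vSensor or token-paired Sensor can ignore it. The check confirms only that the TCP handshake completes, not that the Brain will accept the Sensor, so a PASS across the board still requires the pairing token or pairing guide steps above.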
PRODUCT DATASHEET
Appliance Sizing
Note! - Vectra periodically releases new appliances to support new throughput requirements, hypervisors, or cloud providers. Always
refer to Appliance and Sensor Specifications and your Vectra account team for the latest guidance.
Note! - Global View enables maximum scale for the largest global enterprises. The performance guidelines below are for individual
appliances. Please see the Global View detail on the next page for additional detail.
Note! - Performance refers to the amount of network traffic observed by Sensors that a Sensor can produce metadata for, or the
amount of traffic observed by Sensors that a Brain can process metadata for. The performance numbers are based upon average
throughput a given Sensor/Brain can process. Actual performance may vary depending on traffic composition.
• Brain appliances are available in configs that support up to 75 Gbps of performance and 500 paired Sensors.
• Sensor appliances are available in configs that support up to 50 Gbps of performance.
• When running Match and/or Suspect Protocol Anomaly Detections in addition to Vectra NDR (Detect), Sensor appliances are available in configurations that support up to 33 Gbps of performance.
• Please work with your Vectra account team to determine the right mix of physical and virtual appliances required.
Global View
• Global View provides a Global Respond view of prioritized entities from child RUX instances in an anchor instance of RUX.
• Available as a standard feature with any RUX deployment.
• Allows for overlapping IP space in child deployments.
• Enables maximum scale while still providing a single pane of glass.
• The anchor instance retrieves prioritized entities from child instances using an API client that is assigned the “Global Analyst” role.
• Communications are all encrypted and contained within the Vectra AI Platform.
• Data is not stored in the anchor instance. It is retrieved on demand from child instances.
• Detection data (including associated micro pcaps) are generally retained for 6 months. Metadata retention is dependent on your contracted retention options for Advanced Investigation (RUX) or Recall (QUX). When sending metadata via Stream, retention is based on the configuration of your downstream data lake.
• Vectra Packet Capture allows you to capture PCAPs for subsequent download and analysis with local tools.
• Guidance for optimizing your deployment when used with VPN clients is available here.
• Zscaler specific information: ZPA Log Ingestion and Configuration, ZIA Integration and Optimization
• Response options
  • EDR Host Lockdown
  • Account Lockdown and Azure AD (Entra ID) Account Lockdown
  • SOAR integration - search for your SOAR vendor on the Vectra Support Portal
  • Vectra Automated Response - Click the link to see the GitHub repo with dozens of integrations
• Vectra is a very open platform with integration options for SIEM, SOAR, etc.
• API guides are available for Respond UX deployments and Quadrant UX deployments.
• Syslog/Kafka is NOT supported in RUX deployments but is available for QUX deployments.
• If you require Syslog for RUX, this can be done through a customer-deployed intermediary server with guidance from: SIEM Connector for the Vectra AI Platform (pulls data via API and sends to your SIEM).
• MITRE ATT&CK and D3FEND details are available here: Vectra’s Coverage of MITRE ATT&CK and D3FEND
About Vectra AI
Vectra AI, Inc. is the leader in AI-driven extended detection and response (XDR). The Vectra AI Platform delivers integrated signal across public cloud, SaaS, identity, and data center
networks in a single platform. Vectra AI’s patented Attack Signal Intelligence empowers security teams to rapidly detect, prioritize, investigate and stop the most advanced hybrid
cyber-attacks. With 35 patents in AI-driven detection and the most vendor references in MITRE D3FEND, organizations worldwide rely on the Vectra AI Platform and MXDR services
to move at the speed and scale of hybrid attackers. For more information, visit www.vectra.ai.