-
Notifications
You must be signed in to change notification settings - Fork 601
[vectra_cloud] Initial release of the Vectra Cloud #13646
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
ad037ad
Initial release
janvi-elastic 2a302e2
Update changelog
janvi-elastic 367a9af
Update integration name to Vectra RUX from Vectra Cloud and resolved …
janvi-elastic b399545
Add observer.* fields into ecs.yml as constant_keyword
janvi-elastic d7e33ea
Resolve review comments
janvi-elastic File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| dependencies: | ||
| ecs: | ||
| reference: git@v8.17.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,132 @@ | ||
| # Vectra Cloud | ||
|
|
||
| ## Overview | ||
|
|
||
| [Vectra AI](https://www.vectra.ai/) is a provider of cybersecurity solutions, including threat detection and response solutions. Vectra AI also provides cloud security, detects ransomware, secures remote workplaces, hunts and investigates threats, and offers investigations, risk and compliance services. | ||
|
|
||
| This integration enables to collect, parse Audit, Detection Event, Entity Event, Health and Lockdown data via [Vectra Cloud REST API](https://support.vectra.ai/vectra/article/KB-VS-1835), then visualise the data in Kibana. | ||
|
|
||
| ## Data streams | ||
|
|
||
| The Vectra Cloud integration collects logs for five types of events. | ||
|
|
||
| **Audit:** Audit allows collecting Audit Log Events, which are recorded whenever a user performs an action on the system. These events are sequential and provide a reliable audit trail of user activity. | ||
|
|
||
| **Detection Event:** Detection Event allows collecting Detection Events, which are generated upon the initial detection and each subsequent update. | ||
|
|
||
| **Entity Event:** Entity Event allows collecting Entity scoring events, which are generated whenever an entity's score changes, such as during initial threat detection, the discovery of additional detections, or updates to existing ones. | ||
|
|
||
| **Health:** Health allows collecting system health data, with API responses that may vary based on product subscriptions such as Network, AWS, or M365. | ||
|
|
||
| **Lockdown:** Lockdown allows collecting entities lockdown status for accounts and hosts type, that are currently in lockdown mode. | ||
|
|
||
| ## Agentless Enabled Integration | ||
| Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). | ||
|
|
||
| Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. | ||
|
|
||
| ## Requirements | ||
|
|
||
| Unless you choose `Agentless` deployment, the Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). | ||
|
|
||
| ### Installing and managing an Elastic Agent: | ||
|
|
||
| There are several options for installing and managing Elastic Agent: | ||
|
|
||
| ### Install a Fleet-managed Elastic Agent (recommended): | ||
|
|
||
| With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. | ||
|
|
||
| ### Install Elastic Agent in standalone mode (advanced users): | ||
|
|
||
| With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. | ||
|
|
||
| ### Install Elastic Agent in a containerized environment: | ||
|
|
||
| You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. | ||
|
|
||
| Please note, there are minimum requirements for running Elastic Agent. For more information, refer to the [Elastic Agent Minimum Requirements](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#elastic-agent-installation-minimum-requirements). | ||
|
|
||
| ## Compatibility | ||
|
|
||
| For Rest API, this module has been tested against the **v3.4** version. | ||
|
|
||
| ## Setup | ||
|
|
||
| ### To collect data from the Vectra Cloud API: | ||
|
|
||
| 1. Navigate to **Manage > API Clients** in Vectra Console. | ||
| 2. Click on **Add API Client**. | ||
| 3. Add **Client Name**, **Description** and select the appropriate **Role** based on the endpoint, as outlined in the below table: | ||
| | Endpoint | Role | | ||
| | -----------------------| -------------------| | ||
| | Audit | Auditor | | ||
| | Detection Event | Read-Only | | ||
| | Entity Event | Read-Only | | ||
| | Health | Auditor | | ||
| | Lockdown | Read-Only | | ||
| 4. Click **Generate Credentials**. | ||
| 5. Copy **Client ID** and **Secret Key**. | ||
|
|
||
| For more details, see [Documentation](https://support.vectra.ai/vectra/article/KB-VS-1572). | ||
|
|
||
| ### Enabling the integration in Elastic: | ||
|
|
||
| 1. In Kibana navigate to Management > Integrations. | ||
| 2. In "Search for integrations" top bar, search for `Vectra Cloud`. | ||
| 3. Select the "Vectra Cloud" integration from the search results. | ||
| 4. Select "Add Vectra Cloud" to add the integration. | ||
| 5. Add all the required integration configuration parameters, including the URL, Client ID, Client Secret, Interval, and Initial Interval, to enable data collection for REST API input type. | ||
| 6. Select "Save and continue" to save the integration. | ||
|
|
||
| ## Logs reference | ||
|
|
||
| ### Audit | ||
|
|
||
| This is the `Audit` dataset. | ||
|
|
||
| #### Example | ||
|
|
||
| {{event "audit"}} | ||
|
|
||
| {{fields "audit"}} | ||
|
|
||
| ### Detection Event | ||
|
|
||
| This is the `Detection Event` dataset. | ||
|
|
||
| #### Example | ||
|
|
||
| {{event "detection_event"}} | ||
|
|
||
| {{fields "detection_event"}} | ||
|
|
||
| ### Entity Event | ||
|
|
||
| This is the `Entity Event` dataset. | ||
|
|
||
| #### Example | ||
|
|
||
| {{event "entity_event"}} | ||
|
|
||
| {{fields "entity_event"}} | ||
|
|
||
| ### Health | ||
|
|
||
| This is the `Health` dataset. | ||
|
|
||
| #### Example | ||
|
|
||
| {{event "health"}} | ||
|
|
||
| {{fields "health"}} | ||
|
|
||
| ### Lockdown | ||
|
|
||
| This is the `Lockdown` dataset. | ||
|
|
||
| #### Example | ||
|
|
||
| {{event "lockdown"}} | ||
|
|
||
| {{fields "lockdown"}} | ||
15 changes: 15 additions & 0 deletions
15
packages/vectra_cloud/_dev/deploy/docker/docker-compose.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| version: '3.0' | ||
| services: | ||
| vectra_cloud: | ||
| image: docker.elastic.co/observability/stream:v0.17.1 | ||
| hostname: vectra_cloud | ||
| ports: | ||
| - 8090 | ||
| volumes: | ||
| - ./files:/files:ro | ||
| environment: | ||
| PORT: '8090' | ||
| command: | ||
| - http-server | ||
| - --addr=:8090 | ||
| - --config=/files/config.yml | ||
|
efd6 marked this conversation as resolved.
Outdated
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.