Vectra Threat Detection and Response sample event messages

Use these sample event messages to verify a successful integration with the IBM® QRadar® platform.

Important: Because of formatting limitations in this document, the sample message is shown across multiple lines. Before you use it, paste it into a text editor and remove any carriage return or line feed characters.

Vectra Threat Detection and Response Platform sample message when you use the Universal Cloud REST API connector

This sample message shows a Suspicious LDAP Query detection.

{
  "id": 7731,
  "url": "https://<vectra-managementip>/api/v2.5/detections/7731",
  "detection_url": "https://<vectra-managementip>/api/v2.5/detections/7731",
  "category": "RECONNAISSANCE",
  "detection": "Suspicious LDAP Query",
  "detection_category": "RECONNAISSANCE",
  "detection_type": "Suspicious LDAP Query",
  "custom_detection": null,
  "description": null,
  "src_ip": "10.10.10.10",
  "state": "active",
  "t_score": 22,
  "c_score": 17,
  "certainty": 17,
  "threat": 22,
  "created_timestamp": "2022-10-03T08:58:57Z",
  "first_timestamp": "2022-10-03T08:57:03Z",
  "last_timestamp": "2022-10-03T08:57:03Z",
  "targets_key_asset": false,
  "is_targeting_key_asset": false,
  "src_account": null,
  "src_host": {
    "id": 1383,
    "ip": "10.10.10.10",
    "name": "HOSTNAME 10.10.10.10 (USER)",
    "url": "https://<vectra-managementip>/api/v2.5/hosts/1383",
    "is_key_asset": false,
    "groups": [],
    "threat": 68,
    "certainty": 85
  },
  "note": null,
  "notes": [],
  "note_modified_by": null,
  "note_modified_timestamp": null,
  "sensor": "sensor",
  "sensor_name": "sensor_name",
  "tags": [],
  "triage_rule_id": null,
  "assigned_to": null,
  "assigned_date": null,
  "groups": [],
  "is_marked_custom": false,
  "is_custom_model": false,
  "filtered_by_ai": false,
  "filtered_by_user": false,
  "filtered_by_rule": false,
  "grouped_details": [
    {
      "grouping_field": "dst_hosts",
      "first_timestamp": "2022-10-03T08:57:03Z",
      "last_timestamp": "2022-10-03T08:57:03Z",
      "dst_hosts": [
        {
          "id": 1274,
          "ip": "10.10.10.11",
          "name": "HOSTNAME 10.10.10.11 (USER)"
        }
      ],
      "bytes_received": 87865,
      "dst_ips": [
        "10.10.10.11"
      ],
      "events": [
        {
          "base_object": "DC=,DC=",
          "request": "(&(samAccountType=123456789))",
          "response_code": "success",
          "num_response_objects": 48,
          "last_timestamp": "2022-10-03T08:57:03Z"
        }
      ],
      "num_response_objects": 48
    }
  ],
  "summary": {
    "dst_ips": [
      "10.10.10.11"
    ],
    "num_response_objects": 48
  }
}
Table 1. Highlighted fields in the Vectra Threat Detection and Response Platform sample event

| QRadar platform field name | Highlighted payload field name |
|---|---|
| Event Category | detection_category |
| Event Name | detection_type |
| Severity | threat |
| Src IP, Hostname, Username | src_host |