THE VECTRA AI PLATFORM

Releases and Updates

All the latest changes and improvements to the Vectra AI Platform.

Date:
October 2025
Release:
9.5

Coverage

Sliver Command and Control Coverage

Network
Detection

Vectra AI has introduced new detection coverage for Sliver Command & Control (C2) activity, an advanced framework used by red teams and threat actors to evade traditional defenses. Sliver’s use of encryption, layered encoders, and variable timing and data patterns allows it to disguise malicious beaconing within normal encrypted traffic. Vectra’s deep learning model identifies these subtle patterns without relying on payload inspection, leveraging the industry’s largest dataset of network behavior. This update enhances our current beaconing C2 algorithms, delivering stronger visibility into evasive C2 channels and helping security teams detect sophisticated adversary activity earlier in the attack chain.

New Detection: Azure Suspect VM Logging Change

Cloud
Detection

Vectra AI has introduced a new detection that surfaces suspicious behaviors tied to modification of logging extensions for Windows and Linux VMs, Virtual Machine Scale Sets and Hybrid machines. This provides deeper visibility into suspicious activity that may indicate attempts to tamper with security monitoring, covering logs that are degraded as well as logs that are fully disabled.

Detection Enhancement: Azure Cryptomining

Cloud
Detection

Enhancements have been introduced to the Azure Cryptomining detection to filter out behaviors tied to modification of existing compute instances. This improves the fidelity of alerting around creation of new compute instances. Customers should expect fewer alerts tied to this behavior in their environment.

M365 Detection Enhancements

Cloud
Detection

Enhancements have been introduced across the following detections to improve breadth of coverage:

  • M365 Suspicious Mailbox Rule Creation and M365 Suspicious Mail Forwarding: These detections have been enhanced to include coverage for behaviors surrounding the UpdateInboxRule operation. As a result of this enhancement, customers may observe a mild increase in the volume of these alerts.

Rapid Release Improvements

Network
Detection

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of this release:

  • NDR-242: Vectra AI has expanded its current beaconing Command & Control algorithms to detect advanced C2 beaconing techniques that use data and time jitter to evade traditional network monitoring. The result is improved visibility into stealthy C2 behavior and earlier detection of sophisticated threats attempting to hide within normal network activity.
  • NDR-302: Vectra AI has enhanced detection coverage for plain-text TCP communications, identifying suspicious command activity hidden in unencrypted, text-based traffic. This update detects subtle behavioral patterns—such as abnormal packet flow and payload structure—to uncover covert command channels that evade traditional inspection. It expands visibility beyond encrypted traffic, strengthening detection across all communication types.
  • NDR-314: Vectra AI has expanded coverage to include Sliver’s English HTTP Channel, which disguises command-and-control traffic as strings of random English words to appear legitimate. This enhancement improves detection of obfuscated Sliver activity within normal HTTP traffic, strengthening visibility into advanced C2 evasion techniques.
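The Sliver coverage note above and the NDR-242 item describe beaconing that hides behind timing jitter. The following is an added illustration, not Vectra's detector (which the notes describe as a deep learning model): it shows the statistical signal underneath the problem, namely that jittered check-ins still keep a stable median interval with a small median absolute deviation, whereas bursty human traffic does not. All timestamps are constructed and the thresholds are assumptions.

```python
"""Interval-regularity heuristic for jittered beaconing (added example).

This is not Vectra's detector, which the release notes describe as a deep
learning model; it illustrates the statistical signal such models learn from.
All timestamps below are constructed, and the thresholds are assumptions.
"""
import random
from statistics import median

MAX_JITTER_RATIO = 0.35   # assumed: MAD/median above this reads as human traffic
MIN_CONNECTIONS = 12      # assumed: fewer check-ins give no stable estimate


def interval_stats(timestamps):
    """Median inter-connection gap and its median absolute deviation (MAD)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, mad


def looks_like_beacon(timestamps):
    """True when a flow keeps a stable period even though each gap is jittered.

    Median and MAD are robust to the occasional long sleep or burst, which is
    what defeats a naive mean/standard-deviation check against jittered C2.
    """
    if len(timestamps) < MIN_CONNECTIONS:
        return False
    med, mad = interval_stats(timestamps)
    return med > 0 and mad / med <= MAX_JITTER_RATIO


def constructed_checkins(period, jitter, n, seed=1):
    """Constructed: n check-in times every `period` seconds, each gap skewed by +/- jitter."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += period * (1 + rng.uniform(-jitter, jitter))
        out.append(t)
    return out


def constructed_browsing(n, seed=2):
    """Constructed: bursty, human-like traffic with exponential gaps and long pauses."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1 / 40.0) + (300.0 if rng.random() < 0.2 else 0.0)
        out.append(t)
    return out


if __name__ == "__main__":
    print("jittered check-ins:", looks_like_beacon(constructed_checkins(60, 0.3, 40)))
    print("browsing:", looks_like_beacon(constructed_browsing(40)))
```

The median/MAD pair is what makes the heuristic tolerate jitter: a 30% per-beat skew moves every gap, but the centre of the distribution stays at the configured period, so the ratio stays low; long idle periods in human traffic inflate the deviation instead.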

Clarity

Reduced Alert Volume with Enhanced AI-Triage

Platform
QUX: Appliance Interface

Vectra’s AI-Triage now delivers expanded capabilities across the kill chain and modern networks, cutting detection volumes significantly. It automatically investigates and resolves benign alerts, reducing alert fatigue while preserving full visibility into real threats.

This custom-built, rigorously tested capability identifies low-risk patterns that consistently appear in your environment and resolves them automatically, keeping your team focused on meaningful risk.

Expect fewer benign detections across network C2, recon, Azure AD, M365, Copilot for M365, and AWS.

Visibility is never lost — resolved detections remain searchable, auditable, and fully traceable. No actions are taken on your behalf beyond resolution.

Coming Soon: Expanded EDR Process Context

Platform
QUX: Appliance Interface
RUX: SaaS Delivery
Integrations

In November, Vectra will release Vectra AI Stitching with CrowdStrike EDR for all customers. This capability streamlines investigations by automatically finding the probable process related to an NDR detection and presenting it alongside the detection, both in the platform and in the event when it is collected via the API.

The result is a more powerful NDR, less manual work, and better outcomes for security teams. Which process drove the C2 traffic, a browser or a PowerShell script? Is it expected, or does it stand out? Analysts must answer these questions immediately, and this capability makes that instant.

To ensure smooth delivery of this capability, we encourage all CrowdStrike customers to grant the NGSIEM Read / NGSIEM Write permissions that support future collection of this information. Visit the CrowdStrike EDR Integration FAQ for instructions on how to grant these permissions.

Control

Attack Graph Enhancements

Platform
QUX: Appliance Interface

Vectra AI’s Attack Graph just got smarter with two powerful updates. C2 Blast Radius instantly reveals all hosts communicating with the same command-and-control endpoint, eliminating manual cross-referencing and speeding triage. Targeted Detections trace the initial point of compromise and attacker movement, giving analysts a clear lineage of how each host or account was reached. Together, these enhancements deliver sharper visibility, faster investigations, and more precise responses. Explore the Attack Graph FAQ for more capabilities.

Architecture / Administration

SHA256 File Verification for Support Portal

Network

All current and future files in Additional Resources > Downloads on our Support Portal now include a SHA256 hash to validate the file downloaded is the same as what was served from the Support Portal. Today this applies to OVA and Vectra Match file downloads.
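A published SHA256 digest is only useful if the check is actually done before the OVA or rules file is used. The following is an added example, not Vectra's tooling: it hashes a large file in chunks, compares against the published digest with a constant-time comparison, and, as a generalisation, also verifies a directory against a `<hex>  <filename>` manifest in the shape `sha256sum` emits (the manifest format is a constructed convention, not something the Support Portal is stated to provide). All files and digests in the demo are constructed.

```python
"""Verify a downloaded file against a published SHA256 hash (added example).

Not Vectra's code. Assumes the Support Portal publishes the hex digest beside
the download; the manifest format `<hex>  <filename>` is a constructed
convention matching `sha256sum` output, not something the portal is stated to provide.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB: OVA images are large, so never read them whole


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str) -> bool:
    """True only if the local file hashes to the published digest."""
    expected = published_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a SHA256 hex digest")
    # constant-time compare: harmless here, but the right habit for digests
    return hmac.compare_digest(sha256_of_file(path), expected)


def parse_manifest(text: str) -> dict:
    """Parse `<hex>  <filename>` lines (sha256sum style) into {filename: hex}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if name and len(digest) == 64:
            out[name] = digest.lower()
    return out


def verify_directory(manifest_text: str, directory: str) -> dict:
    """Status per manifest entry: 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif verify_download(path, digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict:
    """Constructed files and manifest: one intact, one altered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"sensor.ova contents (constructed placeholder)\n"
        with open(os.path.join(d, "sensor.ova"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "match-rules.tar.gz"), "wb") as f:
            f.write(b"altered after download\n")
        manifest = "\n".join([
            f"{hashlib.sha256(good).hexdigest()}  sensor.ova",
            f"{hashlib.sha256(b'original rules').hexdigest()}  match-rules.tar.gz",
            f"{'0' * 64}  brain.ova",
        ])
        return verify_directory(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A mismatch means the local file is not the one the portal served (a corrupted or substituted download) and should be discarded rather than deployed; a missing entry simply means the manifest names a file that was not downloaded.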

Expanded TLS/SSL Cipher Recognition

Network
QUX: Appliance Interface

Vectra AI has expanded its TLS/SSL cipher suite mapping to include the latest TLS 1.3 and modern cipher suites, ensuring encrypted sessions are accurately identified and displayed with clear, human-readable names. This update enhances visibility and accuracy in encrypted traffic analysis across Recall and Stream, with Advanced Investigations support planned for a future release.

Date:
August 2025
Release:
9.4

JA4+ Fingerprints

RUX: SaaS Delivery
QUX: Appliance Interface
Network

Vectra AI now includes JA4L, JA4X, and JA4H fingerprints in metadata—bringing next-gen fingerprinting to encrypted traffic analysis. This powerful framework reduces collisions, links related sessions, and makes it easier to spot attacker infrastructure hiding behind common protocols. Analysts get clearer, faster insights with less noise and better context across detections. JA4+ is supported in Investigate (RUX), Stream, and Recall. Read more about the new attributes here.

External App Alerts (Webhook Notifications)

Integrations
RUX: SaaS Delivery
QUX: Appliance Interface

With External App Alerts, the Vectra AI Platform delivers instant notifications to your team’s collaboration tools when critical security events occur, such as high-priority hosts or accounts and key system alerts. No more screen-watching or delayed responses — you get real-time intel that drives faster action. Available now with direct Microsoft Teams integration and Slack support coming soon. See External App Alerts for implementation details.

Azure AD Scripting Engine Usage

Detections

Vectra AI has introduced enhancements to improve both the breadth of behaviors and user agents covered by this detection. Updates to the parsing layer now filter user agents more accurately from logs, increasing fidelity, and reducing false positives.

UI Improvements to Entra ID and M365 Detections

Detections

Enhancements have been introduced across several detections to provide additional context and streamline investigative workflows:

  • Azure AD Privilege Operation Anomaly: Now includes user agent details when available.
  • Azure AD Suspicious Factor Registration: Updated to include the result_reason field from logs.
  • Azure AD Suspicious Sign In: Updated to display device status for improved context.
  • M365 Spearphishing: Updated to display filenames, enabling faster triage.

Azure Cloud Detection Model Enhancement

Detections

Enhancements to the Azure Diagnostic Logging Disabled detection expand coverage to include deletion of logging extensions for both Windows and Linux VMs. This provides broader visibility into suspicious activities that may indicate attempts to disable security monitoring.

Rapid Release Improvements

Detections

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra AI’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of 9.3:

  • NDR-251: Adds detection coverage for suspicious Mimikatz access over SMB traffic. This enhances our ability to spot potential credential theft techniques commonly used in attacks.
  • NDR-117: Expands coverage for the Remote Desktop Protocol (RDP) admin activity algorithm for better security coverage.
  • NDR-241: Adds detection coverage to identify NTLM authentication brute force attacks, helping stop attackers from breaking into accounts through repeated login attempts.

Date:
August 2025
Release:
9.3

Zscaler Internet Access SSE Integration in Public Preview

RUX: SaaS Delivery
QUX: Appliance Interface
Integrations

Vectra AI and Zscaler have teamed up to eliminate blind spots in encrypted and direct-to-cloud traffic. Through integration with Zscaler Internet Access (ZIA), Vectra replays user traffic from secure PCAPs for full-spectrum threat detection—uncovering advanced C2 and exfiltration that traditional tools miss. It’s a game-changer for securing remote and cloud-first environments. For more information, see Vectra AI’s Press Release and Podcast. Please contact your Vectra AI account team if you are interested in enabling Vectra’s ZIA integration. See Zscaler ZIA Integration and Optimization for implementation details.

Vectra Match Integrated Ruleset Management

RUX: SaaS Delivery
QUX: Appliance Interface

Vectra Match now makes it easier to detect known Indicators of Compromise (IOCs) with Suricata-compatible signatures—no external tools required. As of 9.3, you can manage, modify, enable, or disable rules directly in the platform, and your changes persist even after Emerging Threats updates. It’s faster to set up, simpler to maintain, and puts full control of detection logic in your hands. For more information visit Managing Vectra AI Match Rulesets.

Executive Overview Report

RUX: SaaS Delivery
QUX: Appliance Interface

Vectra AI is introducing the Executive Overview Report—your boardroom-ready security snapshot. Purpose-built for CISOs and security leaders, it delivers clear, high-impact metrics like noise-to-signal trends and evolving attack patterns. In minutes, you’ll have the insights to showcase Vectra’s impact, steer strategic decisions, and prove how you’re reducing breach risk—no deep dives required.

Attack Graphs Visualizations In Quadrant UX

QUX: Appliance Interface

The new Attack Graph brings instant clarity to active threats by visually mapping how attackers move across your network, cloud, and identity environments. Powered by Vectra AI Prioritization, each threat is now displayed directly on the host or account page, giving you immediate insight into where the attack started, what systems it interacted with, and how its risk level evolved over time.

Security teams can choose from three intuitive views to investigate threats in the way that best suits their workflow:

  • Attack Graph – See how different entities are linked during the attack.
  • Attack Flow – See the sequence of attacker actions in a structured path.
  • Attack Timeline – See how the threat risk changed and escalated. 

This capability empowers SOC teams to act quickly and confidently by surfacing context and urgency in a single, actionable view. For more information visit the Attack Graph FAQ.

JA4/JA4S Fingerprints

RUX: SaaS Delivery
QUX: Appliance Interface

Vectra AI now includes JA4 and JA4S fingerprints in metadata, bringing next-gen fingerprinting to encrypted traffic analysis. This powerful framework reduces collisions, links related sessions, and makes it easier to spot attacker infrastructure hiding behind common protocols. Analysts get clearer, faster insights with less noise and better context across detections. JA4 is supported in Investigate (RUX), Stream, and Recall, with more from the JA4+ suite coming soon. Read more about the new attributes here.

Network Traffic Validation UI in Quadrant UX

QUX: Appliance Interface

Starting in 9.3, Vectra AI has introduced new Traffic Validation pages. These pages transform the Traffic Validation JSON report into an intuitive dashboard that displays insights faster, without the hassle of parsing raw data. Key stats are automatically checked against predefined health thresholds, with clear red or yellow indicators highlighting areas that may need attention. For more information, read the FAQ.

AI-Triage Now Auto-Resolves More Benign Threats

RUX: SaaS Delivery
QUX: Appliance Interface

Vectra AI’s proprietary agentic AI just got smarter. Our upgraded AI-Triage algorithm now automatically investigates and resolves 50% of benign C&C and 25% of benign Recon detections, dramatically reducing benign events. It leverages both local patterns and global insights to deliver the clearest signal yet. For more details on AI-Triage, see the AI-Triage article and video.

Improved Threat Ranking with AI-Prioritization

RUX: SaaS Delivery
QUX: Appliance Interface

Vectra AI Prioritization has been enhanced to better surface threats that mirror recent changes in attacker behavior. Expect better separation of high and critical threats, smarter prioritization across your environment and faster prioritization of threats. Note that some hosts’ and accounts’ threat and certainty scores may shift under the updated scoring logic once your system is updated.

Triage Best Practices

RUX: SaaS Delivery
QUX: Appliance Interface

Vectra AI is introducing a new Best Practices series designed to help users get the most out of key features in the Vectra AI Platform. The first release in this series focuses on Triage. The Triage Best Practices guide includes common terminology, when and why to triage, how-to instructions, FAQs, and much more. Visit the Triage Best Practices article to hone your Triage workflow.

VirusTotal Removal

QUX: Appliance Interface

Vectra AI has removed the VirusTotal integration from Quadrant UX due to licensing changes. The External Destination popup no longer displays VirusTotal data, and a full UI cleanup is coming in the next release to avoid confusion. For feedback or questions on this removal, contact your Vectra AI account team.

New Detection Suite: AWS S3

Detections

Vectra AI has introduced three new detections to surface suspicious behaviors surrounding the use of AWS S3 in the impact and exfil stages of the cloud kill chain:

  • AWS Suspicious S3 Batch Deletion: This detection surfaces behaviors associated with large-scale downloads and deletions associated with multiple files. This behavior may indicate the destructive manipulation phase of ransomware activity in the environment.
  • AWS Suspicious S3 Object Deletion: Like the new S3 Batch Deletion detection, this detection highlights behaviors where individual objects were downloaded and then deleted from a S3 bucket in a way that may indicate the destructive manipulation phase of ransomware activity in the environment.
  • AWS Suspicious S3 Encryption: This detection highlights unusual encryption activity that could indicate a ransomware encryption phase in progress. It is designed to surface encryption of many S3 objects using either an external KMS key (SSE-KMS) or a client-controlled key (SSE-C).

Signal Enhancements to M365, Azure AD and Azure

Detections

Enhancements have been introduced to the following AAD, Microsoft 365, and Azure detections to better account for the risk of the underlying behaviors and surface them promptly for review. Introduction of these enhancements may result in changes to the number of entities prioritized within the Vectra AI Platform:

  • M365 Suspect Power Automate Activity: This detection alerts on potential exfiltration or C2 behaviors using Power Automate within the environment. The enhancements made to this detection result in significant improvements in the fidelity of this detection and reduction in the rate of false positives observed within this detection and similar detections (M365 Power Automate HTTP Flow Creation and M365 Suspicious Power Automate Flow Creation).
  • Azure AD Privilege Operation Anomaly: This detection alerts on anomalous Azure AD operations potentially associated with privilege escalation. Vectra AI is enhancing this detection to sharpen the behaviors considered anomalous. The expected outcome is decreased noise surrounding this detection.
  • Risky Exchange Operation: This detection alerts on privileged operations within Exchange that may be abused by an attacker. Vectra AI is enhancing the scope of behaviors under consideration for this alert and removing potentially benign actions in Exchange (such as setting up automated responses). Customers can expect a significant reduction in volume (over 30%) because of these enhancements.
  • Azure Diagnostic Logging Disabled: This detection surfaces defense impairment behaviors surrounding deletion of Azure diagnostic log settings. The detection has been enhanced for broader coverage around deletion of diagnostic logging on Virtual Machines (VMs). Customers may observe a minor increase in detection volumes associated with this enhancement.
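The Azure Diagnostic Logging Disabled enhancement above, the 9.4 extension-deletion coverage, and the 9.5 Azure Suspect VM Logging Change detection all turn on the same question: did a successful write or delete against a VM logging extension leave telemetry weaker (degraded) or gone (disabled)? The following is an added illustration of that classification over constructed Azure Activity Log records; it is not Vectra's detection logic. The operation names follow Azure's resource-provider convention (`Microsoft.Compute/virtualMachines/extensions/write` and `/delete`), while the agent extension names, the settings fields and the record shape are assumptions for this example.

```python
"""Classify Azure Activity Log events that touch VM logging extensions.

Added example, not Vectra's detection logic. Operation names follow Azure's
resource-provider convention; the extension list, the `settings` fields and
the record shape are assumptions, and every record below is constructed.
"""
from typing import Iterable, Optional

# Extensions whose removal or weakening reduces security telemetry (assumed list)
LOGGING_EXTENSIONS = {
    "AzureMonitorWindowsAgent",
    "AzureMonitorLinuxAgent",
    "MicrosoftMonitoringAgent",
    "OmsAgentForLinux",
}
WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"
DELETE_OP = "Microsoft.Compute/virtualMachines/extensions/delete"


def extension_name(resource_id: str) -> str:
    """Last path segment of .../extensions/<name>."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def classify(event: dict, previous_settings: Optional[dict]) -> Optional[str]:
    """Return 'disabled', 'degraded', or None for one event.

    previous_settings is the last known-good configuration of the same
    extension, or None if it has not been seen before.
    """
    if event.get("status") != "Succeeded":
        return None  # a denied or failed change did not alter collection
    if extension_name(event["resourceId"]) not in LOGGING_EXTENSIONS:
        return None
    op = event["operationName"]
    if op == DELETE_OP:
        return "disabled"
    if op == WRITE_OP:
        new = event.get("settings", {})
        if new.get("enabled") is False:          # assumed field: agent switched off
            return "disabled"
        if previous_settings is None:
            return None  # first sight of the extension: a baseline, not a change
        # a write that swaps the destination workspace or narrows the data
        # sources leaves the agent running but collecting less (degraded)
        if new.get("workspaceId") != previous_settings.get("workspaceId"):
            return "degraded"
        if set(new.get("dataSources", [])) < set(previous_settings.get("dataSources", [])):
            return "degraded"
    return None


def scan(events: Iterable[dict]) -> list:
    """Run the classifier over an event stream, tracking per-resource baselines."""
    baseline = {}
    findings = []
    for ev in events:
        verdict = classify(ev, baseline.get(ev["resourceId"]))
        if verdict:
            findings.append((ev["caller"], extension_name(ev["resourceId"]), verdict))
        if ev.get("status") == "Succeeded":
            if ev["operationName"] == WRITE_OP:
                baseline[ev["resourceId"]] = ev.get("settings", {})
            elif ev["operationName"] == DELETE_OP:
                baseline.pop(ev["resourceId"], None)
    return findings


# Constructed sample records (not real tenant data)
VM = "/subscriptions/sub-0/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/web01"
AGENT = VM + "/extensions/AzureMonitorLinuxAgent"
SAMPLE_EVENTS = [
    {"caller": "ops@example.test", "operationName": WRITE_OP, "status": "Succeeded",
     "resourceId": AGENT, "settings": {"workspaceId": "ws-prod", "dataSources": ["syslog", "auth"]}},
    {"caller": "svc-deploy@example.test", "operationName": WRITE_OP, "status": "Succeeded",
     "resourceId": AGENT, "settings": {"workspaceId": "ws-prod", "dataSources": ["syslog"]}},
    {"caller": "svc-deploy@example.test", "operationName": WRITE_OP, "status": "Failed",
     "resourceId": AGENT, "settings": {"workspaceId": "ws-other", "dataSources": ["syslog"]}},
    {"caller": "svc-deploy@example.test", "operationName": DELETE_OP, "status": "Succeeded",
     "resourceId": AGENT},
    {"caller": "ops@example.test", "operationName": DELETE_OP, "status": "Succeeded",
     "resourceId": VM + "/extensions/CustomScript"},
]

if __name__ == "__main__":
    for caller, ext, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:9} {ext} by {caller}")
```

The baseline dictionary is what separates "degraded" from a routine redeploy: a write that reproduces the previous settings yields no finding, while a write that drops a data source or a delete of the agent does. Removing an unrelated extension (CustomScript in the sample) is ignored because it does not touch telemetry.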

Rapid Release Improvements

Detections

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra AI’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of 9.3:

  • NDR-222: Updates the title of a Suspect Protocol Activity detection for suspicious usage of Windows Remote Management (WinRM). The new title is "Possible Malicious WinRM Usage" to better reflect the nature of the behavior.
  • CS-10426: Resolved an issue affecting some Suspect Protocol Activity detections where source and destination IP addresses were incorrectly attributed due to the client acting as a proxy. This fix has been applied across all relevant detection algorithms.
  • NDR-251: Expands detection coverage against penetration techniques used by the Kali Linux Package Repository.
  • NDR-251: Expands the Tor Activity detection by identifying destination IPs that match known Tor nodes.

Date:
August 2025
Release:
2025.08

Stronger Context with New Attack Graph Upgrades

RUX: SaaS Delivery
Platform

Vectra AI has enhanced the Attack Graph with two powerful new capabilities. First, analysts can now see detections directly targeting the entity they’re investigating, making it easier to answer the question: “How did this entity get compromised?” This helps quickly pinpoint “patient zero” even in complex lateral movement scenarios. Second, the Attack Graph now visualizes the blast radius of command-and-control (C2) channels, automatically expanding to show all entities tied to the same malicious domain or IP. Together, these upgrades accelerate investigations, reveal hidden links, and give teams complete context to stop attacks faster.

Accelerate Investigations with Five Minute Hunts

RUX: SaaS Delivery
Platform

We’re excited to share that Five Minute Hunts are now live in Advanced Investigations. These guided hunts surface meaningful insights in metadata without requiring customers to master SQL or specialized terminology. Security teams can quickly uncover attacker patterns, demonstrate proactive “peace-time” value, and boost efficiency with just a few clicks. Behind the scenes, the feature is powered by our flexible content delivery framework—complete with adaptive layouts, smooth animations, and engaging visuals for a seamless analyst experience.

External App Alerts (Webhook Notifications)

RUX: SaaS Delivery
Platform

With External App Alerts, Vectra AI delivers instant notifications to your team’s collaboration tools when critical security events occur, such as high-priority hosts or accounts and key system alerts. No more screen-watching or delayed responses — you get real-time intel that drives faster action. Available now with direct Microsoft Teams integration and Slack support coming soon. See External App Alerts for implementation details.

JA4+ Fingerprints

RUX: SaaS Delivery
Network

Vectra AI now includes JA4, JA4S, JA4L, JA4X, and JA4H fingerprints in metadata—bringing next-gen fingerprinting to encrypted traffic analysis. This powerful framework reduces collisions, links related sessions, and makes it easier to spot attacker infrastructure hiding behind common protocols. Analysts get clearer, faster insights with less noise and better context across detections. JA4+ is supported in Investigate (RUX), Stream, and Recall. Read more about the new attributes here.

Simpler Investigations with Human-Readable Azure CDR Data

RUX: SaaS Delivery
Cloud

Vectra AI has made Azure CDR easier to use by replacing confusing UUIDs with clear, human-readable names. Account names in the REST API now reflect recognizable Entra IDs, while detection activity surfaces intuitive object and application names. Analysts no longer need to decode raw IDs—making triage faster, investigations smoother, and dashboards more actionable.

Date:
July 2025
Release:
2025.07

Groups Based on Active Directory Membership

RUX: SaaS Delivery
Network

Seamlessly bring your existing AD groups into Vectra and keep them perfectly in sync—no more manual recreations or tedious upkeep. Bulk import eliminates repetitive admin work, so your teams can focus on threat hunting, not group management. By streamlining triage rules and reducing noise, you’ll act faster on the alerts that truly matter. This is efficiency and signal clarity, built right in. Visit Active Directory (AD) Groups for more information. 

Zscaler Internet Access SSE Integration in Public Preview

RUX: SaaS Delivery
Network

Vectra AI and Zscaler have teamed up to eliminate blind spots in encrypted and direct-to-cloud traffic. Through integration with Zscaler Internet Access (ZIA), Vectra replays user traffic from secure PCAPs for full-spectrum threat detection—uncovering advanced C2 and exfiltration that traditional tools miss. It’s a game-changer for securing remote and cloud-first environments. For more information, see Vectra’s Press Release and Podcast. Please contact your Vectra account team if you are interested in enabling Vectra’s ZIA integration. See Zscaler ZIA Integration and Optimization for implementation details.

Deeper Executive Insight with Signal Efficacy in CISO Reports

RUX: SaaS Delivery
Platform

Vectra AI now brings signal efficacy metrics directly into CISO reports—showing how detections and entities were resolved as benign, remediated, or unclassified. This added context proves the value of detections that mattered most to analysts and highlights remediation outcomes at a glance. Executives get clear visibility into threat quality, empowering smarter security decisions and demonstrating measurable value from Vectra. 

Smarter Visibility with the Network Discovery Dashboard

RUX: SaaS Delivery
Network

Vectra AI introduces the Network Discovery Dashboard, a powerful new way to explore your environment with an interactive network map. Analysts can now trace hosts and IPs visually, spot anomalies in context, and accelerate investigations with intuitive navigation. This dashboard simplifies complex environments, turning raw network data into actionable insights for faster, more confident threat response.

Date:
June 2025
Release:
9.2

Expanding GCP Brain Offerings

RUX: SaaS Delivery
QUX: Appliance Interface
Cloud/Virtual/Hardware

Starting in 9.2, Vectra is introducing additional Brain offerings hosted in Google Cloud Platform, or GCP. The new GCP Brains are capable of handling 5Gb/s and 15Gb/s and support all the same features as other Cloud/Virtual/Hardware Brains. 

Group Support Added for v2.x QUX API

QUX: Appliance Interface

Starting in 9.2, Vectra supports getting group members from the /groups endpoint. For more information see: https://support.vectra.ai/vectra/article/KB-VS-1638

AI-Triage for AWS Cloud and Azure Cloud Detections

RUX: SaaS Delivery
QUX: Appliance Interface
Detections

Vectra AI has introduced AI Triage, its proprietary agentic AI solution to its AWS and Azure coverage portfolios. AI-Triage now auto-investigates AWS Cloud and Azure Cloud alerts based on factors such as prevalence and threat profiles to filter benign activities in customers' environments. The impact of AI-Triage is a reduction in prioritized entities and corresponding investigation workloads for SOC analysts.

Suspect Protocol Activity: Internal Detections

Detections

Vectra AI is expanding the coverage of the Suspect Protocol Activity (SPA) detections. SPA now includes detections covering internal lateral movement and reconnaissance attacks and supports the LDAP, Kerberos, NTLM, and SMB protocols. This feature is off by default, can be enabled by customers, and is included in the standard Detect product line. For more information on SPA, see https://support.vectra.ai/s/article/KB-VS-1793.

Suspect Protocol Activity: Brute Force

Detections

Vectra AI is expanding the coverage of the Suspect Protocol Activity detections. Now, SPA can detect brute force attempts over all protocols. This rule detects brute force attacks where an attacker attempts multiple authentication requests in a short period. Brute force attacks can target various protocols such as SMB, LDAP, FTP, RDP, SSH, and HTTP, and are often used by adversaries to gain unauthorized access to accounts.

New Detection: NTLM Relay Activity

Detections

Vectra AI has introduced a new detection for NTLM Relay Activity. This enhances Vectra’s visibility into lateral movement techniques used by attackers. This detection identifies attempts to exploit NTLM authentication by observing when an attacker queries one host and relays the captured authentication to another host—often as part of privilege escalation or domain compromise efforts.

New Detection: M365 Copilot Sensitive Data Discovery

Detections

Vectra AI has introduced a new detection for discovery behaviors surrounding M365 Copilot. The new M365 Copilot Sensitive Data Discovery detection surfaces cases where a Copilot session was used by an identity to access files that may contain sensitive information. It aims to surface threat actors who use an account in the environment to discover sensitive information.

New Detection Suite: AWS Bedrock Detections

Detections

Vectra AI has introduced four new detections to surface suspicious behaviors surrounding the use of AWS Bedrock, a fully managed service offered by AWS that simplifies building and deploying generative AI applications.

  • AWS Bedrock Logging Configuration Disabled: This detection highlights instances where a principal was observed disabling prompt logging for AWS Bedrock at the regional level. Disabling prompt logging stops the capture of all prompt and response activity across AWS Bedrock models and may indicate an attempt to impair defenses or hide malicious usage.
  • AWS Bedrock Novel Model Enabled: This detection identifies suspicious activity related to the enablement of an AWS Bedrock Model by an identity that has no prior history of performing such actions. It flags potential unauthorized access to generative AI services that may be security-sensitive and associated with high-cost.
  • AWS Suspicious Bedrock Activity: This detection identifies suspicious activity related to the enablement and invocation of an AWS Bedrock Model by an identity that has no prior history of performing such actions. The combination of enablement followed by invocation of a model suggests an attacker is both testing and using the model, generating responses at the victim’s expense.
  • AWS Bedrock Novel Enabled: It detects every instance when an AWS Bedrock foundational model is enabled, as this action is uncommon and may have cost or security implications. This is an informational detection and does not contribute to scoring or prioritization of the entity. It is meant to be a security relevant insight and may not be deemed immediately suspicious.

Signal Enhancements

Detections

Significantly reduced benign prioritization alerts through improvements to Vectra’s AI prioritization algorithm and detection updates. In some cases, customers may see up to 50% fewer prioritized host and account alerts—without sacrificing coverage for real threats.

  • Azure AD & M365: Prioritization alerts for accounts with specific detections have been refined, reducing benign alerts while maintaining detection of modern attacks. Affected detections include M365 Suspicious Download Activity, which now incorporates Autonomous System Number (ASN) context and Azure AD Suspicious Scripting Engine, with improved parsing for user ag

Rapid Release Improvements

Detections

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of 9.2:

  • NDR-166: This release enhances DNS Tunnel detection by expanding coverage across all DNS response types, providing broader and more accurate threat detection.
  • NDR-144: Improves C2 detections against techniques used by the Covenant C2 Framework.
  • NDR-202: This release enhances the performance of the algorithm powering our Exfiltration detections, enabling faster threat identification.
  • NDR-195: Improves HTTP detections against penetration techniques used by the Kali Linux Package Repository.
  • NDR-221: Improves HTTP detections against suspicious usage of Windows Remote Management (WinRM), strengthening visibility into potential abuse of this protocol.
  • NDR-232: Enhances Suspect HTTP Activity detections to account for proxy usage, improving detection accuracy in proxied environments.

Date:
June 2025
Release:
2025.06

AI-Triage Now Auto-Resolves More Benign Threats

RUX: SaaS Delivery
Platform

Vectra AI’s proprietary agentic AI just got smarter. Our upgraded AI-Triage algorithm now automatically investigates and resolves 50% of benign C&C and 25% of benign Recon detections—dramatically reducing benign events. It leverages both local patterns and global insights to deliver the clearest signal yet. For more details on AI-Triage, see the AI-Triage KB and our recent update video.

New Detection Suite: AWS Bedrock Detections

RUX: SaaS Delivery
Detections
Cloud

Vectra AI has introduced four new detections to surface suspicious behaviors surrounding the use of AWS Bedrock, a fully managed service offered by AWS that simplifies building and deploying generative AI applications. 

  • AWS Bedrock Logging Configuration Disabled: This detection highlights instances where a principal was observed disabling prompt logging for AWS Bedrock at the regional level. Disabling prompt logging stops the capture of all prompt and response activity across AWS Bedrock models and may indicate an attempt to impair defenses or hide malicious usage.
  • AWS Bedrock Novel Model Enabled: This detection identifies suspicious activity related to the enablement of an AWS Bedrock model by an identity that has no prior history of performing such actions. It flags potential unauthorized access to generative AI services that may be security-sensitive and associated with high cost.
  • AWS Suspicious Bedrock Activity: This detection identifies suspicious activity related to the enablement and subsequent invocation of an AWS Bedrock model by an identity that has no prior history of performing such actions. The combination of enablement followed by invocation of a model suggests an attacker is both testing and using the model, generating responses at the victim's expense.
  • AWS Bedrock Novel Enabled: This detection fires on every instance in which an AWS Bedrock foundation model is enabled, as this action is uncommon and may have cost or security implications. It is an informational detection and does not contribute to scoring or prioritization of the entity. It is meant to be a security-relevant insight and may not be immediately suspicious on its own.
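The four behaviors above reduce to a per-identity baseline plus a short state machine. The following is an added example, not Vectra's model or code: it replays constructed CloudTrail-like events through that logic. The control-plane event names in ENABLE_EVENTS are assumptions (only the logging-configuration and InvokeModel names are ones I am confident of); map them to the names in your own trail before using this.

```python
"""Added example, not Vectra's code: per-identity baseline that reproduces the four
Bedrock behaviours from the release notes over constructed CloudTrail-like events."""
from typing import Dict, List, Tuple

LOGGING_DISABLE_EVENTS = {"DeleteModelInvocationLoggingConfiguration"}
ENABLE_EVENTS = {"PutFoundationModelEntitlement", "PutUseCaseForModelAccess"}  # assumed names
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream"}

Event = Dict[str, str]  # {"identity": ..., "event": ...}


def triage_bedrock(history: List[Event], new_events: List[Event]) -> List[Tuple[str, str]]:
    """history: past events, used only to learn which identities have enabled models
    before. new_events: events to triage, in time order.
    Returns (identity, detection name) pairs in the order they fire."""
    seen_enabling = {e["identity"] for e in history if e["event"] in ENABLE_EVENTS}
    enabled_by_novel = set()   # identities whose first-ever enablement was just observed
    out: List[Tuple[str, str]] = []
    for e in new_events:
        ident, name = e["identity"], e["event"]
        if name in LOGGING_DISABLE_EVENTS:
            out.append((ident, "AWS Bedrock Logging Configuration Disabled"))
        elif name in ENABLE_EVENTS:
            # informational: fires on every enablement regardless of history
            out.append((ident, "AWS Bedrock Novel Enabled"))
            if ident not in seen_enabling:
                out.append((ident, "AWS Bedrock Novel Model Enabled"))
                enabled_by_novel.add(ident)
            seen_enabling.add(ident)
        elif name in INVOKE_EVENTS and ident in enabled_by_novel:
            # enablement followed by invocation by a principal with no history of either
            out.append((ident, "AWS Suspicious Bedrock Activity"))
            enabled_by_novel.discard(ident)   # report once per enable-then-invoke pair
    return out


def sample() -> Tuple[List[Event], List[Event]]:
    """Constructed data: an ML platform role with prior enablements, and an intern
    account that enables a model, invokes it, then turns off invocation logging."""
    history = [{"identity": "role/ml-platform", "event": "PutFoundationModelEntitlement"}]
    new = [
        {"identity": "role/ml-platform", "event": "PutFoundationModelEntitlement"},
        {"identity": "user/intern", "event": "PutFoundationModelEntitlement"},
        {"identity": "user/intern", "event": "InvokeModel"},
        {"identity": "user/intern", "event": "DeleteModelInvocationLoggingConfiguration"},
        {"identity": "role/ml-platform", "event": "InvokeModel"},
    ]
    return history, new
```

Note that the platform role's enablement still produces the informational event but not the novel-identity one, while the intern's enable, invoke and log-disable sequence produces all three scored detections; that ordering is what makes the "enable then invoke" pairing meaningful.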

New Detection Suite: AWS S3

RUX: SaaS Delivery
Detections
Cloud

Vectra AI has introduced three new detections to surface suspicious behaviors surrounding the use of AWS S3 in the impact and exfil stages of the cloud kill chain: 

  • AWS Suspicious S3 Batch Deletion: This detection surfaces behaviors associated with large-scale downloads and deletions associated with multiple files. This behavior may indicate the destructive manipulation phase of ransomware activity in the environment. 
  • AWS Suspicious S3 Object Deletion: Like the new S3 Batch Deletion detection, this detection highlights behaviors where individual objects were downloaded and then deleted from a S3 bucket in a way that may indicate the destructive manipulation phase of ransomware activity in the environment. 
  • AWS Suspicious S3 Encryption: This detection highlights unusual encryption activities that could indicate a ransomware encryption phase in progress. It is designed to surface encryption of many S3 objects using either an external KMS key (SSE-KMS) or a client-controlled key (SSE-C). 
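The three S3 detections above describe two CloudTrail-visible patterns: an object read followed by its deletion, repeated across many objects, and bulk writes that apply SSE-C or a KMS key the account does not own. The block below is an added example, not Vectra's detector, that implements both over constructed, simplified CloudTrail-shaped events; the field names used for the encryption headers and the account number in OWN_ACCOUNT are assumptions to check against your own trail.

```python
"""Added example (not Vectra's code): S3 ransomware-style behaviour over simplified
CloudTrail data events. Detects (1) download-then-delete of many objects by one
principal and (2) bulk re-encryption with SSE-C or an external-account KMS key."""
from collections import defaultdict
from typing import Dict, List, Tuple

OWN_ACCOUNT = "111111111111"   # assumed: the account that owns the buckets


def detect_s3_ransomware(events: List[Dict], min_objects: int = 10) -> List[Tuple[str, str, int]]:
    """Returns sorted (principal ARN, detection name, object count) tuples."""
    state = defaultdict(lambda: {"downloaded": set(), "download_then_delete": set(), "reencrypted": set()})
    for ev in events:                                   # events must be in time order
        actor = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        p = ev.get("requestParameters", {})
        extra = ev.get("additionalEventData", {})
        key = f'{p.get("bucketName")}/{p.get("key")}'
        s = state[actor]
        if name == "GetObject":
            s["downloaded"].add(key)
        elif name == "DeleteObject" and key in s["downloaded"]:
            s["download_then_delete"].add(key)         # read first, then destroyed
        elif name in ("PutObject", "CopyObject"):
            kms_key = p.get("x-amz-server-side-encryption-aws-kms-key-id", "")
            external_kms = (p.get("x-amz-server-side-encryption") == "aws:kms"
                            and kms_key and f":{OWN_ACCOUNT}:" not in kms_key)
            if extra.get("SSEApplied") == "SSE_C" or external_kms:
                s["reencrypted"].add(key)              # key material the victim cannot recover
    findings = []
    for actor, s in state.items():
        if len(s["download_then_delete"]) >= min_objects:
            findings.append((actor, "s3_download_then_delete", len(s["download_then_delete"])))
        if len(s["reencrypted"]) >= min_objects:
            findings.append((actor, "s3_suspicious_encryption", len(s["reencrypted"])))
    return sorted(findings)


def sample_events() -> List[Dict]:
    """Constructed data: a contractor reading and deleting 12 files, an assumed role
    re-encrypting 15 backups with a foreign KMS key, and a benign backup role."""
    ev = []
    ransom = {"arn": "arn:aws:iam::111111111111:user/contractor"}
    for i in range(12):
        k = f"finance-{i}.xlsx"
        ev.append({"eventName": "GetObject", "userIdentity": ransom,
                   "requestParameters": {"bucketName": "corp-finance", "key": k}})
        ev.append({"eventName": "DeleteObject", "userIdentity": ransom,
                   "requestParameters": {"bucketName": "corp-finance", "key": k}})
    enc = {"arn": "arn:aws:sts::111111111111:assumed-role/ci/attacker"}
    for i in range(15):
        ev.append({"eventName": "CopyObject", "userIdentity": enc,
                   "requestParameters": {"bucketName": "corp-backups", "key": f"db-{i}.bak",
                                         "x-amz-server-side-encryption": "aws:kms",
                                         "x-amz-server-side-encryption-aws-kms-key-id":
                                             "arn:aws:kms:us-east-1:999999999999:key/attacker-key"},
                   "additionalEventData": {"SSEApplied": "SSE_KMS"}})
    ok = {"arn": "arn:aws:iam::111111111111:role/backup"}
    for i in range(15):
        ev.append({"eventName": "PutObject", "userIdentity": ok,
                   "requestParameters": {"bucketName": "corp-backups", "key": f"db-{i}.bak",
                                         "x-amz-server-side-encryption": "aws:kms",
                                         "x-amz-server-side-encryption-aws-kms-key-id":
                                             "arn:aws:kms:us-east-1:111111111111:key/backup-key"},
                   "additionalEventData": {"SSEApplied": "SSE_KMS"}})
    ev.append({"eventName": "GetObject", "userIdentity": ok,
               "requestParameters": {"bucketName": "corp-finance", "key": "q1.pdf"}})
    return ev
```

The ownership test on the KMS key ARN is what separates routine SSE-KMS writes from the ransomware case: encrypting with the victim's own CMK is recoverable, encrypting with a key in the attacker's account or with SSE-C is not.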

Seamless Azure CDR Enablement

RUX: SaaS Delivery
Cloud

Vectra AI has streamlined Azure CDR enablement with a new Redirector Service fix. Customers can now seamlessly deploy Azure CDR without VPN or IP restrictions blocking the setup. This removes friction in onboarding cloud telemetry, ensuring faster time-to-value and immediate visibility into Azure threats. Security teams get quicker coverage with less hassle. 

Vectra Match Integrated Ruleset Management

RUX: SaaS Delivery
Network

Vectra Match now makes it easier to detect known Indicators of Compromise (IOCs) with Suricata-compatible signatures—no external tools required. As of 9.3, you can manage, modify, enable, or disable rules directly in the platform, and your changes persist even after Emerging Threats updates. It’s faster to set up, simpler to maintain, and puts full control of detection logic in your hands. For more information visit Managing Vectra Match Rulesets.

Date:
May 2025
Release:
2025.05

Introducing: Executive Overview Report

RUX: SaaS Delivery
Platform

Vectra is introducing the Executive Overview report on the Vectra AI Platform. This report is catered to CISOs and security executives who need to bring high-level metrics to their board or executive-level meetings. Metrics include the noise-to-signal funnel, investigation time saved with Vectra, attack trends, and more. This report allows executives to make strategic decisions and evaluate how Vectra reduces security breach risk for their organization.

Introducing: Global View

RUX: SaaS Delivery
Network

Global View enables large enterprises and MSSPs to centrally manage and investigate threats across multiple Brains and tenants from a single RUX deployment—making it ideal for global operations with complex environments.

Introducing: Attack Graphs

RUX: SaaS Delivery
Platform

The new Attack Graph brings instant clarity to active threats by visually mapping how attackers move across your network, cloud, and identity environments. Powered by Vectra’s AI-Prioritization, each threat is now displayed directly on the host or account page—giving you immediate insight into where the attack started, what systems it interacted with, and how its risk level evolved over time.

Security teams can choose from three intuitive views to investigate threats in the way that best suits their workflow:

  • Connectivity Graph – See how different entities are linked during the attack.
  • Tree Graph – View the sequence of attacker actions in a structured path.
  • Historical Score Over Time – Understand how the threat’s risk changed and escalated.

This capability empowers SOC teams to act quickly and confidently by surfacing context and urgency in a single, actionable view.

Traffic Validation Report Download Issue Resolved

RUX: SaaS Delivery
Network
Bug Issue

We've resolved an issue that prevented some customers—particularly those in large RUX environments—from downloading the Network Traffic Validation Report when its size exceeded approximately 6MB. The workflow has been enhanced to support larger report downloads, ensuring reliable access to traffic validation data regardless of report size.

Date:
May 2025
Release:
9.1

Introduction of Vectra X47/M47 System

QUX: Appliance Interface
RUX: SaaS Delivery
Cloud/Virtual/Hardware

Starting in 9.1, Vectra is introducing the new X47 and M47 systems. Like other X-series systems, the X47 can be deployed as a Brain, Sensor, or in Mixed mode. The M47 supports Vectra Stream at rates up to 75 Gbps. The hardware features 4 x 1 Gbps copper and 2 x 10/25 Gbps SFP28 interfaces. For more information about the appliance specs, please see the Appliance and Sensor Specifications.

For the deployment guides please see the X47 Quick Start Guide or M47 Quick Start Guide.

Altering Group Type on Quadrant UX

QUX: Appliance Interface

Starting in 9.1, Vectra supports conversion between static and dynamic group types for QUX deployments. Existing triage filters that reference a static group will continue to function without requiring any change after the group is redefined using a regex in the dynamic group configuration. This should allow for greater flexibility and ease of implementation as customers move to dynamic groups. For more information on dynamic groups see the Dynamic Groups FAQ.

SSL Key Handling Improvements

QUX: Appliance Interface
RUX: SaaS Delivery

Starting in 9.1, Vectra AI now supports Elliptic Curve Cryptography (ECC) certificates. Customers can upload their own certificate via the existing commands. Additionally, the commands supporting Certificate Signing Request (CSR) have been updated. Use:

  • `certificate replace-key` to generate a new key and self-signed cert for the HTTPS server to use, essentially resetting it to default but allowing the customer to customize the key length.
  • `certificate info` to print some information on the current HTTPS certificate for the user to see.

For full certificate installation details, please see: SSL Certificate Installation (Quadrant UX only).
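The appliance-side `certificate` commands above handle the server end of the exchange; what a practitioner still has to produce is the ECC key and CSR to upload. The following is an added example, not Vectra's code, showing that with OpenSSL, plus a check that the certificate you get back actually belongs to the key you generated. The hostname is a placeholder and the self-signed step is for lab use only.

```sh
#!/bin/sh
# Added example (not Vectra's code): create an ECC (P-256) private key and CSR with
# OpenSSL for upload to an HTTPS server that accepts ECC certificates, then verify
# that the resulting certificate and key belong together. Hostname is a placeholder.
set -eu

gen_ecc_csr() {
  # $1 = output directory, $2 = Common Name / DNS name for the CSR
  dir=$1; cn=$2
  mkdir -p "$dir"
  # named-curve P-256 key; use secp384r1 instead for a P-384 key
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
  # CSR to hand to your CA; clients validate the SAN, the CN is kept for legacy tooling
  openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
    -addext "subjectAltName=DNS:$cn" -out "$dir/server.csr"
  # lab-only self-signed certificate; in production install the CA-issued cert instead
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days 30 \
    -out "$dir/server.crt" 2>/dev/null
}

check_ecc_pair() {
  # succeed only if the key is a P-256 EC key and its public half matches the cert
  dir=$1
  openssl ec -in "$dir/server.key" -noout -text 2>/dev/null | grep -q 'prime256v1' || return 1
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout -outform DER | openssl dgst -sha256)
  cert_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# usage: gen_ecc_csr ./tls brain.example.internal && check_ecc_pair ./tls && echo "key and cert match"
```

Comparing SHA-256 digests of the DER public keys is the same mismatch check you would run before uploading a CA-issued certificate: a certificate signed for a different CSR will have a different public key and the comparison fails before anything touches the appliance.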

Vectra Match Suricata Version Upgrade

QUX: Appliance Interface
RUX: SaaS Delivery

Vectra AI has upgraded the Suricata engine used by Vectra Match to a version that supports new features, including JA4 fingerprinting, and has enabled protocol parsing for OT protocols. The suricata.yaml base configuration has also been updated to reflect the latest Suricata features. For details on Vectra's Suricata configuration please see: Vectra Match Suricata Configuration.

OAuth2 Support Added for v2.x QUX APIs

QUX: Appliance Interface

Vectra AI has updated the QUX v2.x APIs to include support for OAuth2 authentication. Both the existing Personal Access Token (PAT) and the OAuth2 flow are now supported in v2.x. The OAuth2 access token is valid for 6 hours, after which it expires and a new token must be requested using the API client credentials. API client creation must be done in the Vectra UI only. Accessing v2.x APIs older than v2.5 works the same way it does for v2.5. The public Postman collection has been updated for all v2.x versions. For more information see: REST API Quick Start Guide for Postman v2.5 using OAuth2 (QUX).

Hidden Tunnel Detection Improvement

Detections

The Hidden Tunnel detection has been improved to identify new beaconless connections that contact external systems. This enhancement provides new coverage for command-line-based beaconless hidden tunnel attack tools. For more information about the Hidden Tunnel detection in general, please see Understanding Vectra AI Detections.

RDP Recon Detection Enhancement

Detections

The RDP Recon detection has been enhanced to detect RDP password spray attacks, in which an attacker tests a small number of passwords against a large number of accounts. The previous version of RDP Recon focused on an attacker trying a large number of passwords against a single account; this enhancement extends RDP Recon to cover scenarios where a very shallow brute force is conducted across many accounts.
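The distinction the paragraph draws, many passwords against one account versus one or two passwords against many accounts, is easy to miss with a single per-account failure threshold, which is exactly the evasion a spray relies on. The block below is an added example, not Vectra's algorithm: a minimal classifier over constructed RDP authentication events that reports the two shapes separately. Thresholds are illustrative.

```python
"""Added example, not Vectra's detector: separates RDP brute force (deep, one account)
from RDP password spray / sweep (shallow, many accounts) in failed-logon events."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class AuthEvent:
    src: str        # source IP of the RDP client
    account: str    # target account name
    success: bool   # logon outcome

BRUTE_FORCE_MIN_ATTEMPTS = 20   # illustrative: failures against one account from one source
SPRAY_MIN_ACCOUNTS = 15         # illustrative: distinct accounts touched shallowly
SPRAY_MAX_PER_ACCOUNT = 2       # "shallow": at most this many failures per account


def classify(events: Iterable[AuthEvent]) -> Dict[str, Set[str]]:
    """Returns {source IP: {labels}} for sources whose failure pattern matches either shape."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> account -> failed attempts
    for e in events:
        if not e.success:
            failures[e.src][e.account] += 1
    findings: Dict[str, Set[str]] = {}
    for src, per_account in failures.items():
        labels = set()
        # brute force: depth on any single account
        if any(n >= BRUTE_FORCE_MIN_ATTEMPTS for n in per_account.values()):
            labels.add("rdp_brute_force")
        # spray: breadth across accounts while staying under the per-account cap
        shallow = [a for a, n in per_account.items() if n <= SPRAY_MAX_PER_ACCOUNT]
        if len(shallow) >= SPRAY_MIN_ACCOUNTS:
            labels.add("rdp_password_spray")
        if labels:
            findings[src] = labels
    return findings


def sample_events():
    """Constructed data: one deep brute force, one shallow spray, one benign typo."""
    ev = [AuthEvent("10.0.0.5", "svc-backup", False) for _ in range(25)]
    ev += [AuthEvent("10.0.0.9", f"user{i:02d}", False) for i in range(20)]
    ev += [AuthEvent("10.0.0.20", "alice", False),
           AuthEvent("10.0.0.20", "alice", False),
           AuthEvent("10.0.0.20", "alice", True)]
    return ev
```

The spray source never exceeds two failures on any account, so a brute-force-only rule stays silent on it; counting distinct shallowly-touched accounts per source is what surfaces it, and it is the same logic that catches a sweep deliberately capped at one password per account.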

AWS Detection Enhancements

Detections

Enhancements have been introduced to the following AWS detections to improve the fidelity associated with them. Introduction of these enhancements results in broader coverage of malicious behaviors and may be associated with minor increases in prioritized entities within customer environments.

  • AWS Cryptomining: This detection alerts on behaviors around multiple high-powered compute instances being started. It has been expanded to surface a broader range of cryptomining activity attributed to both human and non-human principals. Customers may observe a small increase in volume of detections.
  • AWS Attack Tools: This detection alerts on known attack tools in an AWS environment. It has been improved for fidelity and a lower false positive rate.

Signal Enhancements 

Detections

Significantly reduced benign prioritization alerts through improvements to Vectra’s AI prioritization algorithm and detection updates. In some cases, customers may see up to 50% fewer prioritized host and account alerts—without sacrificing coverage for real threats.

  • Azure AD & M365: Prioritization alerts for accounts with specific detections have been refined, reducing benign alerts while maintaining detection of modern attacks. Affected detections include M365 DLL Hijacking Activity, Azure AD Suspicious Access from Cloud Provider, and Azure AD Suspicious Sign-on.
  • Network: Prioritization alerts for hosts with specific detections have been refined, reducing benign alerts while maintaining detection of modern attacks. Affected hosts include those exhibiting patterns such as Suspicious Admin activity and co-occurrences of Port Scanning, Darknet Scanning, and Port Sweeps.

Rapid Release Improvements

Detections

The following improvements have been made to algorithms since the last software release cycle. Customers that are connected to Vectra’s Update service with Remote Support enabled have received these improvements. All other customers will be receiving the following improvements as part of 9.1:

  • NDR-96: This release introduces an improvement to our RDP Recon algorithm, expanding coverage of RDP Sweep attacks where evasions are in place to limit the quantity of passwords attempted per account.
  • NDR-106: Improves our C2 detections against techniques used by Mythic C2.
  • NDR-104: This release introduces attack coverage for the Apache Camel exploit CVE-2025-27636.
  • NDR-73: This release introduces an attack signal improvement for External Remote Access to decrease benign true positive detections to popular destinations.
  • NDR-108: This release introduces an improvement to increase the scale and health of Beacon Detector when under heavy load, by limiting beacon metadata for popular benign destinations in the environment.

Date:
April 2025
Release:
2025.04

Improved Search by Sensor Name

RUX: SaaS Delivery
Platform

We've enhanced the search functionality on the Detections page to support searching by Sensor Name instead of the internal Sensor LUID. This update addresses customer feedback and makes it easier to find detections associated with specific sensors using recognizable names.

Enhanced Detection for Copilot Abuse in M365

RUX: SaaS Delivery
Detection
Cloud

In response to strong customer interest, we’re expanding protection against potential abuse of Microsoft Copilot. In addition to the existing M365 Suspicious Copilot Access detection (which flags access from unusual locations), we’re introducing a new detection: M365 Copilot Sensitive Data Discovery. This identifies attacker behavior attempting to locate sensitive documents through Copilot in Microsoft 365.

Date:
March 2025
Release:
2025.03

Enriching AI Prioritization Context

RUX: SaaS Delivery
Platform

Vectra now surfaces tailored attack profiles when detections span multiple attack surfaces, helping to identify complex threats with greater clarity. Two new profile types have been introduced:

  • Hybrid Network Adversary: Indicates an attacker active in both network identity and cloud identity environments, suggesting coordinated activity across on-premises and cloud infrastructure.
  • Multi-Cloud Service Adversary: Represents an attacker operating across multiple cloud-based services—such as identity providers, SaaS platforms, or public cloud environments—without direct engagement with network identity systems.

These profiles are designed to reflect the nature of hybrid threats and enhance threat context in the UI.

Support AI Triage for Azure Detections

RUX: SaaS Delivery
Detection
Platform
Cloud

Vectra is enhancing support for Azure detections by enabling AI Triage for Azure CDR (Cloud Detection and Response) alerts. For each existing Azure detection type, we are evaluating and applying appropriate AI distillation algorithms, defining relevant context fields, and addressing any specific handling requirements. This will help surface high-fidelity insights more efficiently and improve detection clarity within the platform.

Date:
March 2025
Release:
9.0

Introduction of Dynamic Groups on Quadrant

QUX: Appliance Interface
RUX: SaaS Delivery

Starting in 9.0, Vectra AI now supports Dynamic Groups on the Quadrant UX. Dynamic Groups is a feature on the Vectra AI Platform that allows customers to use Regex rules to define what hosts or accounts should belong to each triage group, resulting in entities being automatically sorted into groups as they are detected. This feature will reduce the amount of time customers spend managing and updating groups. Respond UX support for this feature was introduced in December 2024. For more information see: https://support.vectra.ai/s/article/KB-VS-1839.

High Performance GCP Brains

QUX: Appliance Interface
RUX: SaaS Delivery
Cloud/Virtual/Hardware

Vectra AI has created a new 64-core variant of the GCP Brain and validated the existing 96-core Brain to support higher overall throughput than previously published. Please see the GCP Brain Deployment Guide for details.

Proxy Support for Suspect Protocol Activity and Match

QUX: Appliance Interface
RUX: SaaS Delivery

Starting in 9.0, Vectra AI added automatic proxy support for Match and SPA. While no user action is required, additional variables for Match are available. Please see the Match FAQ for more details: https://support.vectra.ai/s/article/KB-VS-1635.

Southside Proxy IPs via CLI

QUX: Appliance Interface
RUX: SaaS Delivery

Starting in 9.0, Vectra added support to view the learned list of southside proxy IPs via the command line. Southside proxies are proxies where Vectra sits between the client and the proxy. This differs from northside proxies, which are configured under Manage -> Proxies in the UI. Use `show proxy --southside` to display the southside proxies that the system has learned from observing network traffic.

Improved Traffic Validation Report

QUX: Appliance Interface
RUX: SaaS Delivery

Starting in 9.0, Vectra AI has added new fields to the Enhanced Network Traffic Validation report available on the Network Stats page. The new fields include statistics on NIC errors, packet truncation, and drops/holes in traffic. For more information see: https://support.vectra.ai/s/article/KB-VS-1648.

S1 SFP+ Interfaces Supported for MGT1 or Capture Use

QUX: Appliance Interface
RUX: SaaS Delivery
Cloud/Virtual/Hardware

Starting in 9.0, Vectra now supports the use of the S1’s two onboard SFP+ interfaces for capture or management. The command “set management <default|sfp>” will alter the interface configuration for the MGT1 port. The command “set capture <default|sfp>” will alter the interface assignment used for capture. This creates 4 total configurations for management or capture. All options with new interface assignment diagrams for each are detailed in the S1 Quick Start Guide. Please note: The rated throughput of the S1 appliance does not change when using SFP+ ports. This only changes the physical interface assignments. Care should be taken to only forward a supported amount of traffic to the S1.

X29/M29 Appliance – New syntax for using SFP+ for MGT

QUX: Appliance Interface
RUX: SaaS Delivery
Cloud/Virtual/Hardware

The X29/M29 appliances have an option to configure one of their SFP+ interfaces to be used as the MGT1 management port. The command has changed in version 9.0 to be consistent with the command syntax that is used now for all appliances that offer options to change similar interface options. The old command was “set management speed <1G|10G>” and the new command is “set management <default|sfp>”. Please see the X29 Quick Start Guide or the M29 Quick Start Guide for details.

Enhancements to AWS Detections

Detections

Enhancements have been introduced to the following AWS detections to improve the fidelity associated with them. Introduction of these enhancements results in broader coverage of malicious behaviors and may be associated with minor increases in prioritized entities within customer environments.

  • AWS CloudTrail Logging Disabled: This detection alerts on the defense evasion technique of turning off AWS logging. Enhancements have been introduced to the model to broaden the behavioral profile representing this malicious behavior.
  • AWS CloudTrail Logging Modified: This detection alerts on the defense evasion technique of downgrading AWS logging. Enhancements have been introduced to the model to broaden the behavioral profile representing this malicious behavior.
  • AWS User Hijacking: This detection alerts on persistence techniques surrounding creation of AWS access keys. Additional learning has been introduced in this model to account for repetitive occurrence of behaviors and subsequent impact on volume of alerts surfaced. This enhancement results in improved efficacy of alerting around this risky behavior.

Scoring Enhancements to M365 Detections

Detections

Enhancements have been introduced to the following Microsoft 365 detections to better account for the risk of the underlying behaviors and surface them promptly for review. Introduction of these enhancements may result in changes to the number of entities prioritized within the Vectra platform:

  • M365 Suspect Power Automate Activity: This detection alerts on potential exfiltration or C2 behaviors using Power Automate within the environment. The enhancements made to this detection result in significant improvements in the fidelity of this detection and reduction in the rate of false positives observed within this detection and similar detections (M365 Power Automate HTTP Flow Creation and M365 Suspicious Power Automate Flow Creation).

Date:
February 2025
Release:
2025.02

Provide Support for Authentication via OAuth

RUX: SaaS Delivery
API

Vectra supports both the existing Personal Access Token (PAT) and the OAuth2 flow in v2.x. The OAuth2 access token is valid for 6 hours, after which it expires and a new token must be requested using the API client credentials. API client creation must be done in the Vectra UI only. Accessing v2.x APIs older than v2.5 works the same way it does for v2.5. The public Postman collection has been updated for all v2.x versions.
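Both this entry and the 9.1 "OAuth2 Support Added for v2.x QUX APIs" entry make the same operational point: the access token is short-lived and the client, not the user, has to notice expiry and re-request with the client credentials. The block below is an added example, not Vectra's SDK or Postman collection. The `/oauth2/token` path and the HTTP Basic `client_id:client_secret` request shape are assumptions to verify against the quick-start guide; the transport is injectable so the renewal logic runs offline against a fake endpoint.

```python
"""Added example, not Vectra's code: OAuth2 client-credentials helper that caches the
access token and renews it before the 6-hour lifetime stated in the release notes ends."""
import base64
import json
import time
import urllib.request
from typing import Callable, Optional

TOKEN_LIFETIME_S = 6 * 3600   # lifetime stated in the release notes
REFRESH_MARGIN_S = 300        # renew early so an in-flight request never carries a dead token


def http_post_form(url: str, headers: dict, body: bytes) -> dict:
    """Real transport: POST a form-encoded body and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class OAuth2ClientCredentials:
    def __init__(self, base_url: str, client_id: str, client_secret: str,
                 transport: Callable = http_post_form, clock: Callable[[], float] = time.time):
        self.token_url = base_url.rstrip("/") + "/oauth2/token"   # assumed path
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._transport = transport
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0   # how many times the endpoint was actually called

    def _fetch(self) -> None:
        headers = {"Authorization": "Basic " + self._basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        reply = self._transport(self.token_url, headers, b"grant_type=client_credentials")
        self._token = reply["access_token"]
        # trust the server's expires_in when present; fall back to the documented lifetime
        self._expires_at = self._clock() + float(reply.get("expires_in", TOKEN_LIFETIME_S))
        self.fetch_count += 1

    def token(self) -> str:
        """Return a token that is valid for at least REFRESH_MARGIN_S more seconds."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_S:
            self._fetch()
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": "Bearer " + self.token()}


def simulate_session():
    """Offline walk-through with a fake clock and a fake token endpoint (constructed data).
    Returns (number of token fetches, Authorization header seen at each step)."""
    now = [0.0]
    issued = []

    def fake_endpoint(url, headers, body):
        assert headers["Authorization"].startswith("Basic ")
        assert body == b"grant_type=client_credentials"
        issued.append(f"tok{len(issued) + 1}")
        return {"access_token": issued[-1], "token_type": "Bearer", "expires_in": TOKEN_LIFETIME_S}

    client = OAuth2ClientCredentials("https://brain.example.internal", "client-id", "client-secret",
                                     transport=fake_endpoint, clock=lambda: now[0])
    seen = []
    for t in (0, 3600, 5 * 3600, 6 * 3600 - 60, 6 * 3600 + 10):
        now[0] = float(t)
        seen.append(client.auth_header()["Authorization"])
    return client.fetch_count, seen
```

Over five calls spread across the token's life the endpoint is hit twice: once at start and once just inside the five-minute margin before expiry. Keeping the client secret out of the token cache and never logging the bearer token are the two hygiene points this pattern leaves to the caller.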

M365 GCC Support

RUX: SaaS Delivery
Cloud

Vectra now supports Microsoft 365 Government Community Cloud (GCC) environments. While support previously existed for GCC-High and Azure AD customers, this update extends coverage to customers operating in GCC environments—commonly used by U.S. state, local, and federal agencies. By integrating with Microsoft’s GCC-specific endpoints, Vectra AI ensures secure and compliant log aggregation to provide complete visibility and threat detection across all Microsoft government cloud tiers.

Cybereason EDR Support

RUX: SaaS Delivery
Integration

Vectra added support for ingesting EDR alerts from Cybereason. Customers using Cybereason can now configure their integration within Cantina to enable alert ingestion and visibility.

Altering Group Type

RUX: SaaS Delivery
Network

Starting in 9.1, Vectra supports conversion between static and dynamic group types for QUX deployments. Existing triage filters that reference a static group will continue to function without requiring any change after the group is redefined using a regex in the dynamic group configuration. This should allow for greater flexibility and ease of implementation as customers move to dynamic groups. For more information on dynamic groups see the Dynamic Groups FAQ.

Date:
January 2025
Release:
2025.01

Support Disabling DNS Detection

RUX: SaaS Delivery
Detection

Users can now disable DNS reply packet inspection within the Settings page. A warning message will appear if selected to inform users that disabling DNS reply packet logging may impact related detections.

Investigate from Anywhere: Last Seen IP

RUX: SaaS Delivery
Platform

Users can now pivot into Advanced Investigations from key data points outside the Advanced Investigations page. This update introduces a new menu to the Last Seen IP field within the Host cards on the Respond page. When hovering over the Last Seen IP field, users can select a query containing the IP address and pivot directly into the results of the query on the Advanced investigations page.

Improved Main Navigation

RUX: SaaS Delivery
Platform

To support the growing number of dashboards, the navigation has been updated from horizontal tabs to a collapsible vertical sidebar. This redesign offers a more scalable and user-friendly way for users to access and manage dashboards.

Federated Account Reconciliation Enhancements

RUX: SaaS Delivery
Cloud

This update adds support for reconciling federated accounts in Entra ID with their corresponding User Principal Names (UPNs), including alignment with matching Azure CDR entities and M365/Azure AD accounts.

Date:
January 2025
Release:
8.10

Backup Downtime Enhancements

QUX: Appliance Interface
RUX: SaaS Delivery

Starting in 8.10, Vectra has reduced Backup downtime to less than ten minutes. The usability of the backup function remains the same; this change only introduces a drastically reduced completion time for backups.

New VMWare vSensor

QUX: Appliance Interface
RUX: SaaS Delivery
Cloud/Virtual/Hardware

Starting in 8.10, Vectra is increasing the bandwidth capabilities of VMware vSensors. The VMware Sensors are capable of handling 20 Gbps of traffic and support all the same features as other Cloud/Virtual/Hardware Sensors. For more information, please see our deployment guide: https://support.vectra.ai/s/article/KB-VS-1075

Hidden DNS Tunnel NoReply Enhancement

Detections

As part of the 8.10 release, Vectra has improved the Hidden DNS Tunnel detection to cover scenarios where an attacker exfiltrates data over DNS using a server that never responds. The tunnel is then one-directional: the attacker streams data outbound encoded in the queries themselves, with no request/response exchange for the detection to observe.
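The practical consequence of a no-reply tunnel is that any heuristic keyed on the answer (response size, TXT payloads, NXDOMAIN ratio) sees nothing, so the signal has to come from the queries alone. The following is an added example, not Vectra's model: a request-side scorer over constructed DNS query log lines in a simplified `client qname qtype rcode` shape, which flags a domain that receives many unique, long, high-entropy subdomains even when every lookup times out. The thresholds and the two-label base-domain split are simplifying assumptions.

```python
"""Added example, not Vectra's code: one-sided (no-reply) DNS tunnel heuristic that
scores only the request side, so a server that never answers is still visible."""
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple


def make_sample() -> List[str]:
    """Constructed log lines, 'client qname qtype rcode': five ordinary lookups and
    40 tunnel queries whose labels stand in for encoded data and never get a reply."""
    lines = [
        "10.1.1.7 www.example.com A NOERROR",
        "10.1.1.7 mail.example.com MX NOERROR",
        "10.1.1.8 login.example.com A NOERROR",
        "10.1.1.8 cdn.example.com AAAA NOERROR",
        "10.1.1.8 nx.example.com A NXDOMAIN",
    ]
    for i in range(40):
        h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()   # deterministic stand-in for data
        lines.append(f"10.1.1.9 {h[:32]}.{h[32:48]}.tunnel.test TXT TIMEOUT")
    return lines


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    # naive: last two labels; production code should consult a public-suffix list
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(lines: List[str], min_unique: int = 20, min_entropy: float = 3.0,
            min_len: int = 20) -> Tuple[List[str], Dict[str, dict]]:
    """Returns (flagged base domains, per-domain statistics)."""
    st = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "total": 0, "unanswered": 0})
    for line in lines:
        _client, qname, _qtype, rcode = line.split()
        dom = base_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        s = st[dom]
        s["total"] += 1
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub.replace(".", "")))
        if rcode in ("TIMEOUT", "SERVFAIL"):
            s["unanswered"] += 1     # recorded for context only; the verdict ignores it
    flagged, summary = [], {}
    for dom, s in st.items():
        uniq = len(s["subs"])
        mean_len = sum(s["lens"]) / s["total"]
        mean_ent = sum(s["ents"]) / s["total"]
        summary[dom] = {"unique_subdomains": uniq, "mean_len": mean_len,
                        "mean_entropy": mean_ent,
                        "unanswered_fraction": s["unanswered"] / s["total"]}
        # all three request-side properties must hold; no response field is consulted
        if uniq >= min_unique and mean_ent >= min_entropy and mean_len >= min_len:
            flagged.append(dom)
    return flagged, summary
```

Because the verdict uses only label count, length and entropy, it does not change whether the rcode column says NOERROR, NXDOMAIN or TIMEOUT; the unanswered fraction is kept in the summary as an investigator hint, not as a gating condition.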

Scoring Enhancements to Azure AD and M365 Detections

Detections

Enhancements have been introduced to the following Microsoft 365 and Azure AD detections to better account for the risk of the underlying behaviors and surface them promptly for review. Introduction of these enhancements may result in changes to the number of entities prioritized within the Vectra platform:

  • Azure AD/Entra ID
    • Azure AD Domain Settings Modified: This detection alerts when a new unverified or verified domain is suspiciously added to the environment.
    • Azure AD Cross-Tenant Access Change: This detection alerts when a partner's cross-tenant access settings are added or updated.
    • Azure AD New Certification Authority Registered: This detection alerts when a new Certification Authority is registered to the tenant.
    • Azure AD Privilege Operation Anomaly: This detection alerts on potential privilege escalation or account takeover behaviors within the environment. The enhancements made to this detection result in significant improvements in the fidelity of this detection and reduction in the rate of false positives.
  • Microsoft 365
    • M365 Phishing Simulation Configuration Change: This detection alerts when the configuration associated with a Phishing account is changed.
    • M365 SecOps Mailbox Change: This detection alerts when the configuration associated with a SecOps account is changed.

Date:
December 2024
Release:
2024.12

Launch of CDR for Azure

Vectra AI adds AI-powered detections that expose attacker behaviors targeting Microsoft Azure cloud services and Microsoft Copilot, delivering much-needed reinforcement for customers' native tools:

  • Detects attackers abusing Azure Cloud
  • Identifies real attacks in real-time connecting the dots across Azure IaaS, Active Directory, Microsoft 365, Copilot and Microsoft Entra ID within a single pane of glass.
  • Stops Azure compromise, enabling security teams to 1) identify security gaps for Azure Cloud, 2) easily access relevant enriched Azure activity and resource logs, and 3) take decisive response actions to swiftly contain Microsoft Entra ID accounts involved in an attack

Dynamic Groups

Groups have been extended to support dynamic membership through the definition of a Regular Expression (RegEx) to describe the names of members to include. This delivers an enormous saving of operational effort in managing groups for triage or scoring. Group membership is evaluated at run-time, to ensure new entities are correctly categorized with no additional effort from you. This applies to groups for hosts or accounts.

Date:
November 2024
Release:
2024.11

Saved queries for Advanced Investigation

Streamlining the query management process within Respond UX’s Advanced Investigation experience through the ability to save and share queries.

Analysts will be able to create, save, update, and delete queries seamlessly, reducing repetition and promoting reuse. Analysts will also be able to share saved queries with other analysts, fostering collaboration and knowledge sharing within teams.

Date:
October 2024
Release:
2024.10

Switzerland region is enabled

We now support Respond UX deployments within Switzerland. This enables Swiss customers to host within their own borders if required. This new region supports all Vectra products.

Selective PCAPs is enabled for Respond UX network customers

With this release, we now fully support selective PCAPs for our Respond UX network customers. This feature enables you to leverage the Vectra sensor footprint to run a customized packet capture remotely – without having to get access to local infrastructure.

Date:
September 2024
Release:
2024.09

Vectra Match - Curated Ruleset

With this release, Vectra has introduced a downloadable link that allows users to retrieve the curated ruleset for Vectra Match. A new link will appear in the UI on the Vectra Match page for updated daily content, as well as consumable via API. Please see Vectra Match Curated Ruleset for more details.

Date:
July 2024
Release:
2024.07

Copilot for M365 Threat Surface Dashboard

This is a new dashboard in Respond UX for M365 focused on organization-wide Copilot usage. Use this dashboard to understand Copilot usage within your organization, and what files are being accessed by Copilot.

Integration Health endpoints added to V3 API

New API endpoint on the V3 Respond UX API to give visibility into integrations such as EDR, AD, etc., enabling you to monitor these critical integrations over time.

Date:
June 2024
Release:
2024.06

Vectra Match now available in Instant and Advanced Investigations

With this release, Vectra Match is supported in Respond UX. Respond UX support brings all the WebUI and API support delivered in Quadrant UX and adds Instant and Advanced Investigation support for Match alerts. Please see the Match Deployment Guide for additional details.

User Management added to V3 API

New API endpoint on the V3 Respond UX API to manage standalone users within your Respond UX tenant. Use this API to provision or deprovision users automatically from your onboarding or offboarding playbooks.

Date:
May 2024
Release:
2024.05

AzureAD Account Automatic Lockdown

AzureAD Account Automatic Lockdown is designed to empower Vectra users with proactive defense mechanisms against threats. By enabling this feature, you can now configure two pivotal settings: Urgency Score and Entity Importance. This dual-configuration approach ensures that when an entity surpasses predefined thresholds of Urgency Score and Importance, it automatically enters a lockdown state for a set duration configured by the user. This period allows for thorough investigation, ensuring that potential threats are investigated and responded to effectively.

Date:
April 2024
Release:
2024.04

Network Threat Surface Dashboard

Initial release of a new Threat Surface dashboard for our Respond UX network customers. This dashboard unveils a wealth of information about your environment and exposes attack surface and compliance issues. Leverage this dashboard to explore legacy and deprecated protocol use within your environment, and ensure compliance with your established policies for areas such as SMBv1.

Detect for AWS – Support for S3 copyObject in CloudTrail logs

S3 data events in CloudTrail are typically recorded as PutObject events. On ingest, Vectra was discarding events recorded for the CopyObject operation. With this change, Vectra ingests events created by either CopyObject or PutObject.

AzureAD and AD lockdown consolidation

For customers with options to lockdown both AzureAD and AD accounts (customers with network and Detect for AzureAD), we have harmonized the experience to give a better overall experience – integrating these two different capabilities and enabling greater visibility and selectivity for the action you want to perform. Choose to lock down either Azure AD or AD, or both, all from the same experience.

Date:
March 2024
Release:
2024.03

AD Account Automatic Lockdown

AD Account Automatic Lockdown is designed to empower Vectra users with proactive defense mechanisms against threats. By enabling this feature, you can now configure two pivotal settings: Urgency Score and Entity Importance. This dual-configuration approach ensures that when an entity surpasses predefined thresholds of Urgency Score and Importance, it automatically enters a lockdown state for a set duration configured by the user. This period allows for thorough investigation, ensuring that potential threats are investigated and responded to effectively.

User Management improvements

This enhancement gives Respond UX administrators the familiar look and feel of the user management interface offered on our Quadrant UX platform. Admins can now easily manage users and their roles, ensuring utmost accuracy when provisioning users and auditing system access.

Azure AD Suspicious Access from Cloud Provider

Vectra has introduced the ability to detect attackers who compromise an identity and access it from a public cloud provider, such as Amazon, Azure or GCP, in an attempt to evade detection and hide their true location. The detection uses machine learning to identify whether a user normally accesses their account from the public cloud. Benign alerts may trigger when a user uses an application that routes through a public cloud or cloud-hosted virtual machines. This new alert will prioritize an account when it occurs with other alerts, in a similar manner to the Azure AD Suspicious Sign-On alert.