This guide helps you set up the Vectra AI (NDR) security device in Workbench.

Scope and Limitations

When choosing to set up this integration, remember the following:

  • This integration was developed against the Vectra REST API version 3.0 and later (RUX) only.

Prerequisites

  • You must have a Vectra account with Admin privileges in order to create the API client and the Expel user.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Create an API Client for Expel in Vectra
  2. Create a New Expel User in Vectra
  3. Add Vectra AI (NDR) as a Security Device in Workbench

Step 1: Create an API Client for Expel in Vectra

The API client allows Workbench to access Vectra's data.

  1. Log in to the Vectra console. Make sure you know your unique Vectra console URL, as you will need it in a later step.
  2. In the side menu navigate to Manage > API Clients.
  3. Select the Add API Client button.
  4. In the window, set up the API client:
    • Client Name - enter a client name (example: "Expel").
    • Role - select Security Analyst.
    • Description - enter a description if desired, or leave blank.
  5. Select Generate Credentials.
  6. Copy and save your Client ID and Secret Key to a safe place, as you will need them in a later step.
  7. Select Done to close the window.

Step 2: Create a New Expel User in Vectra

Creating a user for Expel allows us to access your console. Why do we need console access?

  1. Still in the Vectra console, use the side menu to navigate to Manage > Users.
  2. Select Create New User.
  3. In the window, set up the Expel user:
    • Name - enter "Expel Analyst".
    • Email - enter "soc+customername@expel.io", where customername is the name of your organization with no spaces.
    • Role - select Security Analyst.
  4. Select Create.
  5. The invitation email will be sent to a mailbox monitored by Expel.
    • Our team will finish the rest of the onboarding steps, including setting up credentials & 2FA, and will notify you when the process is complete.
  6. While you wait, continue to Step 3.

Step 3: Add Vectra AI (NDR) as a Security Device in Workbench

Before you begin, make sure you have your unique Vectra console URL, as well as the Client ID and Secret Key from Step 1.

  1. Log in to Workbench.
  2. In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
  3. Select Add Security Device.
  4. In the search box, type “Vectra” and then select the Vectra AI (NDR) integration.
  5. Complete the fields as follows:
    • Name - enter a name that helps you identify this integration, such as “CompanyName Vectra”; this name is displayed in Workbench under the Name column and is a text string you can filter on.
    • Location - enter the location of your integration, for example “cloud”; this is also a text string you can filter on, so we recommend consistent location naming across your Expel integrations.
    • Vectra Console URL - enter your unique Vectra console URL, making sure to remove the trailing slash (/). Example: https://209437179984.uw2.portal.vectra.ai
    • Client ID - enter the Client ID generated in Step 1.
    • Secret Key - enter the Secret Key generated in Step 1.
    • Select Save.
  6. Select Set up later from the console access dropdown, as we will finish this step for you.
  7. Select Save.
  8. Your device should be created successfully within a few seconds. A few reminders:
    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.
    • To check on the status, select the downward arrow for your device in the first column and choose View details.
    • Polling will happen first; data will be received after that. You must refresh the page to see updates.
    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.
    • To check if alerts are coming through, navigate to Dashboards > Alert Analysis. Scroll to the device you want to check and select the Expel Alerts tab to reveal more alert information. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Troubleshooting

If your device is not healthy after saving:

  • Make sure you have the correct Vectra console URL, and that you did not leave a trailing slash when you entered it into the security device.
    • Incorrect: https://209437179984.uw2.portal.vectra.ai/
    • Correct: https://209437179984.uw2.portal.vectra.ai
  • Make sure you entered the Expel Client ID and Secret Key correctly.

If you have lost this information or if it does not work, try setting up a new API client by following the steps in Step 1, and then edit your device and add the new credentials.
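The trailing-slash mistake above is easy to catch before saving the device. The following pre-flight check is an added example (not Expel's or Vectra's code) that normalizes the console URL the way Step 3 expects it and trims the Client ID and Secret Key; the sample values are constructed for illustration.

```python
"""Pre-flight checks for the values pasted into Workbench in Step 3 (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit


def check_console_url(raw: str) -> tuple[str | None, list[str]]:
    """Normalize a Vectra console URL to the bare https origin Workbench expects.

    Returns (url, notes). url is None when the value cannot be repaired by
    trimming alone; notes lists what was changed or what is wrong.
    """
    notes: list[str] = []
    value = raw.strip()
    if value != raw:
        notes.append("removed surrounding whitespace")
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        notes.append("URL must start with https:// and include a hostname")
        return None, notes
    # The guide wants only the console origin: no path, query string or fragment.
    if parts.query or parts.fragment or parts.path not in ("", "/"):
        notes.append("URL must not contain a path, query string or fragment")
        return None, notes
    if parts.path == "/":
        notes.append("removed trailing slash")
    return f"https://{parts.netloc}", notes


def check_credential(label: str, raw: str) -> tuple[str | None, list[str]]:
    """Client ID / Secret Key must be a single non-empty token with no stray whitespace."""
    notes: list[str] = []
    value = raw.strip()
    if value != raw:
        notes.append(f"{label}: removed surrounding whitespace")
    if not value or any(ch.isspace() for ch in value):
        notes.append(f"{label}: must be a single non-empty value")
        return None, notes
    return value, notes


if __name__ == "__main__":
    # Constructed sample input: the "Incorrect" URL from the Troubleshooting section
    # plus credentials pasted with stray whitespace.
    url, url_notes = check_console_url("https://209437179984.uw2.portal.vectra.ai/")
    cid, cid_notes = check_credential("Client ID", " example-client-id ")
    print(url, url_notes)   # https://209437179984.uw2.portal.vectra.ai ['removed trailing slash']
    print(cid, cid_notes)   # example-client-id ['Client ID: removed surrounding whitespace']
```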