Vectra NDR
Connect Vectra NDR to Radiant Security to forward network alerts via syslog for AI triage.
Vectra NDR (Network Detection and Response) is a platform that analyzes network metadata with behavioral AI to surface threats such as command-and-control, lateral movement, credential abuse, and data exfiltration. Connecting Vectra NDR forwards network alerts to Radiant Security over syslog. Radiant uses these alerts as triage inputs and pairs them with Vectra Stream network metadata to determine whether the activity reflects a real compromise or benign network behavior.
Vectra NDR forwards network alerts only, not the underlying network events. If you have Vectra Stream, connect it as well so Radiant can correlate the network events that support Vectra NDR alert triage. See Vectra Stream.
Vectra NDR can forward syslog to Radiant Security in two ways:
Through the Radiant Agent (recommended). Forward to a Radiant Agent deployed in your environment.
Direct to Radiant Security. Forward to a Radiant-managed collector. Use only when a Radiant Agent is not available.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors, then click + Add Connector.
Search for and select Radiant Agent, then click Data Feeds.
Under Select your data feeds, select Vectra NDR, then click Credentials.
Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Radiant Agent integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
Click Add Connector.
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors, then click + Add Connector.
Search for and select Vectra NDR (syslog), then click Data Feeds.
Under Select your data feeds, select Vectra NDR (syslog), then click Credentials.
Under Credential Name, enter an identifiable name (e.g., Vectra NDR Credentials). To reuse an existing credential, select it from the drop-down menu.
In the Connector tag field, enter a random value. This value acts as the salt to randomize the Token you download in the next step.
Click Add Connector.
Configure Vectra NDR to forward syslog through the Radiant Agent
Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Vectra NDR data. If you do not know the port, contact your Customer Success representative.
Log in to the Vectra (Brain) UI with an admin user.
Navigate to Settings > Notification, then scroll to the Syslog section.
Click Edit to add a new syslog destination, then enter the following:

Destination: IP address of the Radiant Agent
Port: port configured on the Radiant Agent to receive Vectra NDR data
Protocol: TCP
Format: JSON
Log Types: select all
Enable Include enhanced detail
Enable Include detections in info category
Disable Include filtered Detections
Disable Include host/account score decreases
Click Save.

Click Test to verify the syslog configuration.
Configure Vectra NDR to forward syslog directly to Radiant Security
Use this path only when a Radiant Agent is not available. Use the collector IP and port provided in the Radiant data connector setup.
Log in to the Vectra (Brain) UI with an admin user.
Navigate to Settings > Notification, then scroll to the Syslog section.
Click Edit to add a new syslog destination, then enter the following:
Destination: Radiant collector IP
Port: Radiant collector port
Protocol: TCP
Format: JSON
Log Types: select all
Enable Include enhanced detail
Enable Include detections in info category
Disable Include filtered Detections
Disable Include host/account score decreases
Click Save.
Click Test to verify the syslog configuration.
Verify ingestion
After Vectra NDR begins forwarding, confirm alerts are reaching Radiant.
In Radiant, navigate to Log Management.
Filter by rs_connectorType:"vectra_ndr".
Confirm recent alerts appear.
Allow several minutes for alerts to be parsed, indexed, and available for search.