A cornerstone of the Vectra AI cyberattack-detection and threat-hunting platform, Vectra Recall provides the most efficient way to perform AI-assisted threat hunting in cloud and data center workloads and user and IoT devices.
A comprehensive source of security-enriched network metadata, Vectra Recall also empowers skilled security analysts and professional threat hunters to conduct conclusive incident investigations.
The metadata in Vectra Recall is organized by host name, not just IP address. This eliminates the need to search through DHCP logs to find the host device that was using an IP address at the time and to piece together IP address changes during an investigation. Searching by device saves time when speed is essential.
Vectra Recall also leverages Privileged Access Analytics, which automatically analyzes behaviors and uses artificial intelligence to identify entities that hold privilege and to differentiate between approved and malicious uses of it. It is available across the Vectra platform as searchable security enrichments in Vectra Stream and Vectra Recall and as detections in Vectra Detect. Custom use cases are also supported by accessing its attributes through the Vectra REST API.
Vectra Recall enables incident responders to follow the chain of events from an initial threat signal – whether from Vectra Detect, another security event or threat intelligence – using security-enriched network metadata that is searchable by host name.
Vectra Recall is like a transactional record of every conversation from the cloud to the enterprise. Because it collects and stores historical metadata rather than packet payloads, it preserves data privacy and supports compliance mandates like GDPR.
And since Vectra Recall is delivered as a service in the cloud, there’s no big data infrastructure to purchase, install and manage. Just a single click to forward metadata to the Vectra cloud.
Vectra Recall allows security analysts to perform in-depth investigations based on the high-fidelity, actionable incidents identified by Vectra Detect, which automates AI-driven cyberattack detection and response. With Vectra Recall, senior security analysts can also perform threat hunting based on alerts from third-party security solutions and use new, high-quality threat intelligence to hunt retrospectively.
High-fidelity visibility across the enterprise

Vectra Recall provides visibility into network traffic by extracting metadata from all packets and storing it in the cloud for search and analysis. Every IP-enabled device on the network is identified and tracked, and data can be stored for any amount of time.
Captured metadata includes all internal (east-west) traffic, internet-bound (north-south) traffic, virtual infrastructure traffic, and traffic in cloud computing environments.
This visibility extends to laptops, servers, printers, BYOD and IoT devices as well as all operating systems and applications, including traffic between virtual workloads in data centers and the cloud, even SaaS applications.
System, authentication and SaaS logs provide context enrichment to network metadata analysis for accurate identification of systems and users.
AI-assisted threat hunting with Vectra Recall can be triggered by attacker detections from Vectra Detect, existing indicators of compromise and anomalies in data identified by security analysts.
With full metadata search capabilities and limitless data storage, Vectra Recall enables security analysts to determine whether indicators of compromise exist in metadata, including user agents, IP addresses and domains. Vectra Recall also delivers in-depth information for more efficient threat hunting, such as PowerShell commands from a remote machine to a server or a specific type of connection from a remote site.
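The two capabilities described above (metadata keyed by host name rather than IP address, and IoC search across user agents, domains and IP addresses) can be illustrated with a small script. This is an added example, not Vectra Recall code or any Vectra API: it reconstructs the IP-to-host mapping from constructed DHCP lease records, the manual step the page says Recall removes, then searches a few constructed Zeek-style metadata records for a constructed IoC set and reports hits per host. All host names, addresses, domains and timestamps are made up for the example.

```python
"""Host-keyed network metadata search (added illustration, not Vectra code).

Shows why host-keyed metadata matters: a single laptop changes IP mid-timeline,
and an IP-only search would split its activity across two addresses.
"""
from bisect import bisect_right
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    start: int   # epoch seconds the lease was granted (constructed values)
    ip: str
    host: str


# Constructed DHCP lease records: 10.0.0.5 moves from LAPTOP-A to PRINTER-1 at
# t=2000, and LAPTOP-A reappears on 10.0.0.7 at t=2500.
DHCP_LEASES = [
    Lease(1000, "10.0.0.5", "LAPTOP-A"),
    Lease(1000, "10.0.0.9", "SERVER-DB"),
    Lease(2000, "10.0.0.5", "PRINTER-1"),
    Lease(2500, "10.0.0.7", "LAPTOP-A"),
]

# Constructed network metadata records (Zeek-like conn/http fields), keyed by IP only.
METADATA = [
    {"ts": 1500, "orig_ip": "10.0.0.5", "resp_ip": "203.0.113.10",
     "host": "update.example.net", "user_agent": "Mozilla/5.0"},
    {"ts": 1800, "orig_ip": "10.0.0.5", "resp_ip": "198.51.100.7",
     "host": "evil.example.com", "user_agent": "Mozilla/5.0"},
    {"ts": 2100, "orig_ip": "10.0.0.5", "resp_ip": "203.0.113.10",
     "host": "update.example.net", "user_agent": "PrinterFW/1.2"},
    {"ts": 2600, "orig_ip": "10.0.0.7", "resp_ip": "198.51.100.7",
     "host": "evil.example.com", "user_agent": "python-requests/2.0"},
    {"ts": 2700, "orig_ip": "10.0.0.9", "resp_ip": "10.0.0.7",
     "host": "", "user_agent": ""},
]


def build_lease_index(leases):
    """Per-IP lease timeline sorted by start time, so the holder at time t is one bisect away."""
    index = defaultdict(list)
    for lease in sorted(leases, key=lambda l: l.start):
        index[lease.ip].append(lease)
    return index


def host_at(index, ip, ts):
    """Return the host that held `ip` at epoch `ts`, or None if no lease covers that time."""
    timeline = index.get(ip, [])
    pos = bisect_right([l.start for l in timeline], ts)
    return timeline[pos - 1].host if pos else None


def enrich_by_host(records, leases):
    """Attach a host name to each record by resolving its source IP at the record's own timestamp."""
    index = build_lease_index(leases)
    enriched = []
    for rec in records:
        row = dict(rec)
        # Fall back to the bare IP when no lease explains it, so nothing is silently dropped.
        row["orig_host"] = host_at(index, rec["orig_ip"], rec["ts"]) or rec["orig_ip"]
        enriched.append(row)
    return enriched


def hunt(records, leases, iocs):
    """Search host-enriched metadata for IoCs; returns {host: sorted list of (kind, value) hits}.

    `iocs` is a dict with optional "domains", "ips" and "user_agents" sets.
    """
    hits = defaultdict(set)
    for rec in enrich_by_host(records, leases):
        if rec["host"] in iocs.get("domains", set()):
            hits[rec["orig_host"]].add(("domain", rec["host"]))
        if rec["resp_ip"] in iocs.get("ips", set()):
            hits[rec["orig_host"]].add(("ip", rec["resp_ip"]))
        if rec["user_agent"] in iocs.get("user_agents", set()):
            hits[rec["orig_host"]].add(("user_agent", rec["user_agent"]))
    return {host: sorted(matches) for host, matches in hits.items()}


# Constructed IoC set, as it might arrive from a third-party alert or threat-intel feed.
IOCS = {
    "domains": {"evil.example.com"},
    "ips": {"198.51.100.7"},
    "user_agents": {"python-requests/2.0"},
}

if __name__ == "__main__":
    for host, matches in hunt(METADATA, DHCP_LEASES, IOCS).items():
        print(host, matches)
```

Run as-is, the script attributes all three IoC hits to LAPTOP-A even though they occurred from two different IP addresses, while PRINTER-1, which later inherited 10.0.0.5, is correctly left out; an IP-keyed search would have had to reproduce the lease lookup by hand to reach the same conclusion.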
Vectra Recall enables professional threat hunters to identify anomalous behaviors that are displayed through visual graphs. Anomalous behaviors that can be exposed using Vectra Recall include:
Vectra Recall enables security analysts to conduct deeper, more conclusive incident investigations with remarkable efficiency.
Security analysts can easily follow the chain of related events from attack detections found by Vectra Detect, third-party security products, and searchable, high-quality threat intelligence in historical network metadata.
When events or alerts are received from Vectra Detect or third-party security products, Vectra Recall ensures that security analysts have a full 360-degree view of all workload and device activity.
With Vectra Recall, security analysts can investigate incidents with unprecedented efficiency using complete context about incidents, along with relevant details about associated devices, accounts and network communications.
Vectra Recall allows security analysts to identify the activity of host devices surrounding the time of a threat detection and reveal significant changes in the overall behavior of host devices.
Through visual graphs and search capabilities, Vectra Recall exposes other host devices, accounts, and external domains and IP addresses, which enables security analysts to identify the full scope of the incident.
Security analysts can easily sequence through a wide range of suspicious behaviors to identify the trail of evidence that leads to other host devices and efficiently search for indicators of compromise along the way.
Vectra Recall enhances account-based investigations by providing the details that security analysts require to identify all uses and actions of potentially compromised accounts in specific timeframes, as well as actions taken against targets.
By leveraging Vectra Recall, security analysts are also presented with a broader picture of an overall cyberattack, which can be instrumental during investigations into other host devices that might have compromised accounts.
Cognito Recall is the former name of the Vectra Recall functionality. The Vectra AI Platform was originally branded as "the Cognito Platform". The Platform and its features have been rebranded to reflect the evolution of our products.
Vectra Recall complements Vectra Detect. Vectra Detect identifies compromised hosts in real-time as an investigation starting point. Vectra Recall finds threats that detection has missed by investigating historical metadata.