Most SOCs already have the core pieces in place.
- A SIEM to centralize logs.
- A SOAR to automate workflows.
- A handful of tools feeding data into both.
Even with all these tools in place, a problem remains, and it shows up when you actually try to use that stack during an investigation.
You get an alert. You kick off a playbook. Maybe you enrich it with a few lookups. But when it comes time to answer what actually happened, the investigation telemetry needed to do that work is still scattered across systems. Not because the tools are broken, but because the data underneath them isn’t connected, and in most cases, isn’t usable enough to drive decisions.
That’s the gap Vectra AI is built to fill.
Where Vectra AI Fits
Vectra AI isn’t trying to replace your SIEM or your SOAR. If anything, we assume you already have them, and that they’re where your team is going to spend most of their time.
What Vectra AI does is provide something those systems typically don’t: a high-fidelity, behavior-driven signal that’s already correlated across identity, network, cloud, and SaaS.
Instead of pushing isolated alerts into your SIEM and expecting it to reconstruct an attack after the fact, Vectra AI delivers a signal that already reflects how an attacker is moving through the environment. That alone reduces a lot of the manual correlation work.
But signal is only part of it. At some point, you still need to validate what you’re seeing.
The Part That Usually Breaks: Investigation
Even in well-built environments, investigation tends to fall apart in the same place. You have the alert. Then, you have some context. But the actual security evidence is still scattered.
So, you pivot into logs, another tool, or another dataset. That’s where time goes. Not in analysis, but in trying to assemble the data needed to do the analysis.
After investigating (pun intended) the roadblocks security practitioners encounter in their workflows and engineering a solution that truly works for the SOC, Vectra AI bridges the gaps in assembling data with our investigate API.
What Vectra AI’s Investigate API Actually Does
The investigate API gives teams direct access to the underlying telemetry Vectra AI is already using: the network activity, identity events, DNS, cloud logs, everything behind the detection. It then exposes that through a query interface you can call from anywhere.
So instead of leaving your workflow to go hunt for data, you can pull it directly into it. For example, a SOAR playbook can:
- take a Vectra AI detection
- query the exact activity behind it
- and make a decision based on real evidence, not just alert metadata
That fundamentally changes how API-driven investigations happen, because the evidence-gathering step is no longer manual.
Vectra AI’s investigate API currently surfaces 28 tables across 5 data sources:
What This Looks Like in Practice: 3 Investigation Scenarios
1. Validating a detection with network evidence
You get a command-and-control detection on a host. Normally, you’d pivot into your SIEM, rebuild the time window, and try to find matching sessions.
With the investigate API, you query that host and time window directly and pull back all session data, including IPs, ports, bytes, and connection state, by copying and pasting a JSON body into any API client.
In seconds, you know exactly what that host was doing during the detection window.
2. Hunting for DNS-based exfiltration
You want to check for DNS tunneling. Instead of relying on prebuilt detections alone, you can query TXT records and long query strings, then sort by length or frequency. Pair that with raw behavior, like abnormal DNS patterns, suspicious domains, and hosts behaving out of profile, and you’re performing real threat hunting, not just reacting to alerts.
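As an added illustration (not code from this post or from Vectra AI's API), here is the length-and-frequency heuristic from the scenario above applied to constructed DNS records; the field names, thresholds, and sample rows are assumptions, and a real query result would be fed in where the sample list is.

```python
import math
from collections import defaultdict

# Constructed sample DNS rows (assumed field names, not Vectra's schema).
# ws-42 repeatedly queries TXT records with long, high-entropy first labels.
DNS_EVENTS = [
    {"host": "ws-17", "qname": "www.example.com", "qtype": "A"},
    {"host": "ws-17", "qname": "mail.example.com", "qtype": "MX"},
    {"host": "ws-42", "qname": "a8f3c1e9b2d4f6a7c0e1.tunnel.example.net", "qtype": "TXT"},
    {"host": "ws-42", "qname": "9c2e4b7d1f0a3e5c8b6d.tunnel.example.net", "qtype": "TXT"},
    {"host": "ws-42", "qname": "0e7a5c3b9d1f2e4a6c8b.tunnel.example.net", "qtype": "TXT"},
    {"host": "ws-42", "qname": "b4d6f8a0c2e4a6c8e0b2.tunnel.example.net", "qtype": "TXT"},
    {"host": "ws-09", "qname": "cdn.example.org", "qtype": "A"},
]

def label_entropy(label):
    """Shannon entropy (bits/char) of one label; encoded payloads score high."""
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    """Crude: last two labels. Production code should use a public-suffix list."""
    return ".".join(qname.split(".")[-2:])

def rank_dns_tunnel_candidates(events, min_label_len=16, min_entropy=3.0):
    """Per (host, domain): count TXT queries, long leftmost labels and
    high-entropy labels, then sort by how many queries look suspicious."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "long": 0,
                                 "high_entropy": 0, "max_len": 0})
    for ev in events:
        s = stats[(ev["host"], registered_domain(ev["qname"]))]
        first = ev["qname"].split(".")[0]
        s["total"] += 1
        s["max_len"] = max(s["max_len"], len(ev["qname"]))
        s["txt"] += ev["qtype"] == "TXT"
        s["long"] += len(first) >= min_label_len
        s["high_entropy"] += label_entropy(first) >= min_entropy
    ranked = [{"host": h, "domain": d, **s} for (h, d), s in stats.items()
              if s["txt"] or s["long"]]
    return sorted(ranked, key=lambda r: (r["txt"] + r["long"], r["max_len"]),
                  reverse=True)

if __name__ == "__main__":
    for row in rank_dns_tunnel_candidates(DNS_EVENTS):
        print(row)
```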
3. Investigating a compromised identity across systems for identity threat detection
An alert fires on a user account. Now you want to know what happened before the alert and across what identity and SaaS systems. Using Vectra AI’s investigate API, you can run parallel queries like Entra sign-in activity (failures, risky sessions) and M365 activity (mail rules, access changes).
Put together, that gives you a clear pattern of what happened: failed logins → new inbox rule → potential compromise.
You didn’t pivot across three tools to get there. You queried it directly through Vectra AI’s investigate API.
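As an added example (not code from this post or from Vectra AI's API), the failed-logins → new-inbox-rule pattern above expressed as correlation logic over constructed Entra sign-in and M365 audit rows; the field names, thresholds, and sample data are assumptions, while "New-InboxRule" is the real M365 audit operation name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (assumed field names, not Vectra's schema).
SIGNINS = [  # shaped like Entra sign-in events
    {"user": "j.doe", "ts": "2024-05-01T08:00:00", "result": "failure"},
    {"user": "j.doe", "ts": "2024-05-01T08:01:00", "result": "failure"},
    {"user": "j.doe", "ts": "2024-05-01T08:02:00", "result": "failure"},
    {"user": "j.doe", "ts": "2024-05-01T08:05:00", "result": "success"},
    {"user": "a.lee", "ts": "2024-05-01T09:00:00", "result": "failure"},
    {"user": "a.lee", "ts": "2024-05-01T09:30:00", "result": "success"},
]
M365_AUDIT = [  # shaped like M365 unified audit log events
    {"user": "j.doe", "ts": "2024-05-01T08:12:00", "operation": "New-InboxRule"},
    {"user": "a.lee", "ts": "2024-05-01T15:00:00", "operation": "New-InboxRule"},
]

def correlate_account_takeover(signins, audit, min_failures=3,
                               fail_window=timedelta(minutes=15),
                               rule_window=timedelta(hours=1)):
    """Flag users with >= min_failures failed sign-ins inside fail_window,
    followed by a success and then a mailbox rule created within rule_window."""
    rules = defaultdict(list)
    for ev in audit:
        if ev["operation"] == "New-InboxRule":
            rules[ev["user"]].append(datetime.fromisoformat(ev["ts"]))
    by_user = defaultdict(list)
    for ev in signins:
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        failures = []
        for ev in sorted(evs, key=lambda e: e["ts"]):
            t = datetime.fromisoformat(ev["ts"])
            if ev["result"] == "failure":
                failures = [f for f in failures if t - f <= fail_window] + [t]
            elif ev["result"] == "success":
                hits = sorted(r for r in rules[user] if t <= r <= t + rule_window)
                if len(failures) >= min_failures and hits:
                    findings.append({"user": user, "failed_logins": len(failures),
                                     "success_at": ev["ts"],
                                     "inbox_rule_at": hits[0].isoformat()})
                failures = []  # a success closes the burst either way
    return findings

if __name__ == "__main__":
    for f in correlate_account_takeover(SIGNINS, M365_AUDIT):
        print(f)
```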
This Isn’t About Moving You Into Another UI
There’s an obvious question that comes up here: If you can investigate through the API, why use the Vectra AI Platform at all?
The honest answer is: you’ll probably use it differently.
Practitioners already prefer to operate inside their SIEM or SOAR. That’s not changing. The investigate API isn’t trying to pull you out of that. It’s doing the opposite. It lets Vectra AI come to where you already work.
Instead of switching into the Vectra AI Platform to investigate, you stay in your workflow and pull Vectra AI’s data into it. This expands Vectra AI’s role in your security stack and program. Now, every investigation can leverage Vectra AI’s data to provide a better signal for security investigations.
The Bottom Line
SIEM and SOAR are good at managing workflows, but they’re not great at producing or validating coordinated high-quality security signal on their own. Vectra AI recognized that gap, and we aim to fill it, first by delivering signals that reflect real attacker behavior, then providing technology that makes the underlying evidence accessible inside the security operations workflows your team already relies on.
That changes more than just investigations. When security teams have access to richer, behavior-driven signal and direct evidence, they make faster and more confident decisions. Investigations become shorter and more accurate because telemetry correlation no longer depends on analysts manually reconstructing context across siloed tools. Exposure gaps become easier to identify and prioritize. Automation becomes more trustworthy because workflows are operating on validated data instead of fragmented alerts.
The result is a more efficient and resilient SOC: lower operational overhead, reduced attacker dwell time, stronger visibility across hybrid environments, and better security outcomes rooted in evidence instead of assumptions.
You keep your stack. With Vectra AI, you just make it work the way it was supposed to.
