# Splunk SIEM / Vectra integration guide (start here for QUX)

Vectra AI provides a set of Add-ons and Apps to integrate seamlessly with Splunk and Splunk Enterprise Security. This article provides guidance on the various options, lists the prerequisites, and points to the configuration articles for each integration.

## Data sources

The Vectra platform provides 3 main data sources into Splunk:

#### Detection Data and Entity Scoring from Vectra Detect

* Vectra AI uses a patent-pending combination of data science, machine learning and behavioral analysis to reveal the fundamental characteristics of malicious threat behavior without the need for countless signatures and reputation-based rules. The Vectra platform captures packets and logs across public cloud, SaaS, federated identity and data center networks to surface and prioritize threats. These high-fidelity insights can be exported through SYSLOG (in the case of a Brain based deployment) or pulled via API (in the case of Vectra SaaS) into any SIEM to integrate seamlessly with your workflows and operations.

#### Network Metadata from Vectra Stream

* Leveraging the same platform, Vectra provides the ability to export network metadata collected by the Vectra Sensors deployed through the environment to any data lake or SIEM including Splunk. This data provides an in-depth view of any communication observed in your environment and enables you to perform investigation & threat hunting. A list of protocols supported and attributes extracted is available [here](https://support.vectra.ai/s/article/KB-VS-1245).

#### Log Output from Vectra Match

* Vectra Match utilizes the open source Suricata IDS engine. Vectra's Sensors (network data sources) are extremely high performance and adept at producing the proprietary metadata required to supply the AI-based behavioral models utilized by Detect for Network. Match enables these same Sensors to also run a Suricata engine that is fed by the same capture buffers that feed the existing data processing pipeline. Matches flow from the Sensors to your Brain and then on to your SIEM or other data processing system used for this type of security event data. The Vectra Detect Add-on and App for Splunk have been updated to support parsing Match log output and include a new Splunk dashboard for Vectra Match.

## Vectra Add-ons and Apps for Splunk

### Vectra Detect

The Vectra platform is available for customers to deploy via Vectra SaaS or Brain based deployments. Customers running their own Brain in either a supported IaaS Cloud, virtual appliance, or physical appliance will need to install the Technology Add-On for Vectra Detect (JSON). Vectra SaaS customers will need to install the Vectra SaaS Add-on for Splunk. Customers running both will need to install both. The Vectra Cognito Detect App works for any type of Vectra Deployment.

| Name                                       | Type   | Supported Splunk Version | CIM Compatibility | Splunk Cloud | Vectra Platform         | Data Structure |
| ------------------------------------------ | ------ | ------------------------ | ----------------- | ------------ | ----------------------- | -------------- |
| Technology Add-On for Vectra Detect (JSON) | Add-on | 8.1, 8.2, 9.0            | Yes               | Yes          | Brain based deployments | JSON           |
| Vectra SaaS Add-on for Splunk              | Add-on | 8.1, 8.2, 9.0            | Yes               | Yes          | Vectra SaaS             | JSON           |
| Vectra Cognito Detect                      | App    | 8.1, 8.2, 9.0            | n/a               | Yes          | Any                     | n/a            |

**Please Note!! The add-on for Vectra Detect using CEF format has been deprecated; the recommendation is to use the JSON format add-on.**

**Please Note!! When using both Add-ons (Vectra SaaS Add-on and Technology Add-on for Vectra Detect), both Add-ons should use the same index. Only create one index that can be used for both Add-ons.**

### Vectra Stream

| Name                                        | Type   | Supported Splunk Version | CIM Compatibility | Splunk Cloud | Data structure | Splunkbase Link                                     | Preferred                  | Dependencies                                                                                                                                 |
| ------------------------------------------- | ------ | ------------------------ | ----------------- | ------------ | -------------- | --------------------------------------------------- | -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| Technology Add-on for Vectra Cognito Stream | Add-on | 8.1, 8.2, 9.0            | Yes               | Yes          | Standard       | [APP-4437](https://splunkbase.splunk.com/app/4437/) | No - *would be deprecated* |                                                                                                                                              |
| Technology Add-on for Vectra Stream (JSON)  | Add-on | 8.1, 8.2, 9.0            | Yes               | Yes          | JSON           | [APP-6637](https://splunkbase.splunk.com/app/6367/) | Yes                        | [Vectra Cognito Stream](https://splunkbase.splunk.com/app/4739/) >= 1.3                                                                      |
| Vectra Cognito Stream                       | App    | 8.1, 8.2, 9.0            | n/a               | Yes          | n/a            | [APP-4739](https://splunkbase.splunk.com/app/4739/) | n/a                        | <p><a href="https://splunkbase.splunk.com/app/3118/">Treemap</a></p><p><a href="https://splunkbase.splunk.com/app/2734/">URL Toolbox</a></p> |

**Please Note! The Vectra Stream App is compatible with both add-ons.**

## Installation and Configuration

### Installation Matrix

| Splunk Node         | What to install |
| ------------------- | --------------- |
| Search Head         | Add-on and App  |
| Indexer             | Add-on only     |
| Heavy Forwarder     | Add-on only     |
| Universal Forwarder | None            |

**Please Note!! In the scenario of a standalone Splunk setup (all-in-one), install both the add-on and the app.**

### Prerequisites

* Valid Splunk account to be able to access & download apps in [Splunkbase](https://splunkbase.splunk.com/).
* Supported version of Splunk or Splunk Enterprise.
* Application dependencies listed in the Add-ons and Apps tables must be fulfilled.
* Create index(es).
  * Vectra recommends having a dedicated index for Vectra Detect and another dedicated index for Vectra Stream.
  * **When using both Add-ons (Vectra SaaS Add-on and Technology Add-on for Vectra Detect) with the Vectra Detect App, both Add-ons should use the same index. Only create one index that can be used for both Add-ons.**
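The two index rules above (one shared index for both Detect add-ons, a separate index for Stream) are easy to break when inputs are added on different forwarders at different times. The following is an added example, not code from Vectra or from the Splunk add-ons: it parses an `inputs.conf` and flags stanzas that violate either rule. The stanza names, sourcetype prefixes (`vectra:saas`, `vectra:detect`, `vectra:stream`) and the sample configuration are assumptions constructed for illustration, not the add-ons' real defaults; adjust the prefixes to the sourcetypes your add-ons actually emit.

```python
"""Check Splunk inputs.conf stanzas against the Vectra index rules in this guide.

Rules checked:
  1. Every Detect input (Vectra SaaS Add-on and Technology Add-on for
     Vectra Detect) uses the same index.
  2. Detect and Stream inputs use different, dedicated indexes.

Stanza names and sourcetype prefixes are assumptions for illustration.
"""
import configparser

# Constructed sample inputs.conf that follows both rules (assumed stanzas).
SAMPLE_INPUTS_CONF = """
[vectra_saas://detections]
index = vectra_detect
sourcetype = vectra:saas:detections

[tcp://514]
index = vectra_detect
sourcetype = vectra:detect:json

[tcp://5140]
index = vectra_stream
sourcetype = vectra:stream:json
"""

# Assumed sourcetype prefixes used to tell Detect data from Stream data.
DETECT_PREFIXES = ("vectra:saas", "vectra:detect")
STREAM_PREFIXES = ("vectra:stream",)


def parse_inputs_conf(text):
    """Parse INI-style Splunk conf text into {stanza: {key: value}}."""
    # Splunk conf files are INI-like; disable interpolation so '$' in
    # values is left alone, and allow duplicate stanzas like Splunk does.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def classify(stanza):
    """Return 'detect', 'stream', or None for a non-Vectra stanza."""
    sourcetype = stanza.get("sourcetype", "")
    if sourcetype.startswith(DETECT_PREFIXES):
        return "detect"
    if sourcetype.startswith(STREAM_PREFIXES):
        return "stream"
    return None


def check_vectra_indexes(text):
    """Return a list of rule violations; an empty list means the config is fine."""
    problems = []
    # kind -> {index name -> [stanzas using it]}
    indexes = {"detect": {}, "stream": {}}
    for name, stanza in parse_inputs_conf(text).items():
        kind = classify(stanza)
        if kind is None:
            continue
        index = stanza.get("index")
        if not index:
            # Without an explicit index the events fall into Splunk's default index.
            problems.append(f"{name}: no index set for a Vectra {kind} input")
            continue
        indexes[kind].setdefault(index, []).append(name)

    if len(indexes["detect"]) > 1:
        problems.append(
            "Detect add-ons use different indexes (guide requires one): "
            + ", ".join(sorted(indexes["detect"]))
        )
    shared = set(indexes["detect"]) & set(indexes["stream"])
    if shared:
        problems.append(
            "Detect and Stream share index(es) (guide requires dedicated ones): "
            + ", ".join(sorted(shared))
        )
    return problems


if __name__ == "__main__":
    for problem in check_vectra_indexes(SAMPLE_INPUTS_CONF) or ["OK: indexes follow the guide"]:
        print(problem)
```

Run it against the `inputs.conf` from each heavy forwarder and search head (`$SPLUNK_HOME/etc/apps/<add-on>/local/inputs.conf`) before enabling the Detect App, so that dashboards are not silently split across two indexes.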

### Installation and Configuration Guides

#### [Splunk - Vectra Detect Integration Steps](https://docs.vectra.ai/configuration/response/siem/splunk-vectra-detect-integration-steps-qux) - Go here first if integrating Splunk with Vectra Detect, then use either or both of the guides below, depending on whether you are integrating Splunk with Vectra SaaS and/or with a Brain based installation of the Vectra Platform

* [Splunk - Vectra SaaS Add-On Configuration](https://docs.vectra.ai/configuration/response/siem/splunk-vectra-saas-add-on-configuration-qux)
* [Splunk - Vectra Detect Add-On and Syslog Configuration for Brains](https://docs.vectra.ai/configuration/response/siem/splunk-vectra-detect-add-on-and-syslog-configuration-qux)

#### [Splunk - Vectra Stream Integration Steps](https://docs.vectra.ai/deployment/stream/publisher-specific-guidance/splunk-integration) - Go here if integrating Splunk with Vectra Stream.
