Splunk SIEM / Vectra integration guide (start here for QUX)

This article serves as the starting point for Vectra's various integrations with Splunk. Read this prior to any other articles regarding Splunk integration.

Vectra AI provides a set of Add-ons and Apps to integrate seamlessly with Splunk and Splunk Enterprise Security. This article provides guidance on the various options, lists the prerequisites, and points to the configuration articles for each integration.

Data sources

The Vectra platform provides three main data sources into Splunk:

Detection Data and Entity Scoring from Vectra Detect

  • Vectra AI uses a patent-pending combination of data science, machine learning and behavioral analysis to reveal the fundamental characteristics of malicious threat behavior without the need for countless signatures and reputation-based rules. The Vectra platform captures packets and logs across public cloud, SaaS, federated identity and data center networks to surface and prioritize threats. These high-fidelity insights can be exported through syslog (in the case of a Brain-based deployment) or pulled via API (in the case of Vectra SaaS) to any SIEM, integrating seamlessly with your workflows and operations.

Network Metadata from Vectra Stream

  • Leveraging the same platform, Vectra can export the network metadata collected by the Vectra Sensors deployed throughout the environment to any data lake or SIEM, including Splunk. This data provides an in-depth view of any communication observed in your environment and enables investigation and threat hunting. A list of supported protocols and extracted attributes is available here.

Log Output from Vectra Match

  • Vectra Match utilizes the open source Suricata IDS engine. Vectra's Sensors (network data sources) are extremely high performance and adept at producing the proprietary metadata required to supply the AI-based behavioral models used by Detect for Network. Match enables these same Sensors to also run a Suricata engine that is fed by the same capture buffers that feed the existing data processing pipeline. Matches flow from the Sensors to your Brain and then on to your SIEM or other system used to process this type of security event data. The Vectra Detect Add-on and App for Splunk have been updated to parse Match log output and include a new Splunk dashboard for Vectra Match.

Vectra Add-ons and Apps for Splunk

Vectra Detect

The Vectra platform is available to customers as a Vectra SaaS or a Brain-based deployment. Customers running their own Brain in a supported IaaS cloud, as a virtual appliance, or as a physical appliance need to install the Technology Add-On for Vectra Detect (JSON). Vectra SaaS customers need to install the Vectra SaaS Add-on for Splunk. Customers running both need to install both. The Vectra Cognito Detect App works with any type of Vectra deployment.

Name | Type | Supported Splunk Version | CIM Compatibility | Splunk Cloud | Vectra Platform | Data Structure
---- | ---- | ------------------------ | ----------------- | ------------ | --------------- | --------------
Technology Add-On for Vectra Detect (JSON) | Add-on | 8.1, 8.2, 9.0 | Yes | Yes | Brain based deployments | JSON
Vectra SaaS Add-on for Splunk | Add-on | 8.1, 8.2, 9.0 | Yes | Yes | Vectra SaaS | JSON
Vectra Cognito Detect | App | 8.1, 8.2, 9.0 | n/a | Yes | Any | n/a

Please Note!! The add-on for Vectra Detect using CEF format has been deprecated; the recommendation is to use the JSON format add-on.

Please Note!! When using both Add-ons (Vectra SaaS Add-on and Technology Add-on for Vectra Detect), both Add-ons should use the same index. Create only one index, to be used by both Add-ons.

Vectra Stream

Name | Type | Supported Splunk Version | CIM Compatibility | Splunk Cloud | Data structure | Splunkbase Link | Preferred | Dependencies
---- | ---- | ------------------------ | ----------------- | ------------ | -------------- | --------------- | --------- | ------------
Technology Add-on for Vectra Cognito Stream | Add-on | 8.1, 8.2, 9.0 | Yes | Yes | Standard | | No (will be deprecated) |
Technology Add-on for Vectra Stream (JSON) | Add-on | 8.1, 8.2, 9.0 | Yes | Yes | JSON | | Yes |
Vectra Cognito Stream | App | 8.1, 8.2, 9.0 | n/a | Yes | n/a | | n/a |

Please Note! The Vectra Stream App is compatible with both add-ons.

Installation and Configuration

Installation Matrix

Splunk Node | What to install
----------- | ---------------
Search Head | Add-on and App
Indexer | Add-on only
Heavy Forwarder | Add-on only
Universal Forwarder | None

Please Note!! In the scenario of a standalone Splunk setup (all-in-one), install both the add-on and the app.

Prerequisites

  • Valid Splunk account to be able to access and download apps in Splunkbase.

  • Supported version of Splunk or Splunk Enterprise.

  • Application dependencies listed in the Add-ons and Apps tables must be fulfilled.

  • Create index(es).

    • Vectra recommends having a dedicated index for Vectra Detect and another dedicated index for Vectra Stream.

    • When using both Add-ons (Vectra SaaS Add-on and Technology Add-on for Vectra Detect) with the Vectra Detect App, both Add-ons should use the same index. Create only one index, to be used by both Add-ons.

Installation and Configuration Guides

Splunk - Vectra Detect Integration Steps - Go here first if integrating Splunk with Vectra Detect, then use either or both of the guides below, depending on whether you are integrating Splunk with Vectra SaaS and/or using the Vectra Platform with a Brain-based installation.

Splunk - Vectra Stream Integration Steps - Go here if integrating Splunk with Vectra Stream.
