Splunk Cloud SIEM / Vectra integration guide (start here for RUX)

Start here for Splunk Cloud integration with Vectra Respond UX, including supported add-ons/apps, install matrix, API client setup, and data inputs.

As stated in the summary, this article only applies to customers using Vectra's Respond UX. If you are using the Quadrant UX please see the Splunk Integration Guide for Vectra AI. If you are unsure of which UX you are using, please see Vectra Analyst User Experiences (Respond vs Quadrant).

Integration Overview

Vectra AI provides add-ons and apps that enable seamless integration with Splunk Cloud Platform and Splunk Enterprise Security. These integrations allow security teams to ingest, analyze, and operationalize Vectra data directly within Splunk workflows.

Vectra provides two primary data sources for Splunk:

Vectra XDR

Vectra XDR uses a patent-pending combination of data science, machine learning, and behavioral analysis to identify the fundamental characteristics of malicious threat behavior. The Vectra platform collects and analyzes packets and logs across public cloud, SaaS, federated identity, and data center environments to surface and prioritize high-fidelity threat detections.

These insights can be retrieved through the Vectra API and integrated into Splunk to support investigation, alert triage, threat hunting, and security operations workflows.

Name

Type

Splunkbase Link

Supported Splunk Version

CIM Compatibility

Splunk Cloud

Vectra Platform

Data Structure

Vectra XDR Technology Add-on

Add-on

https://splunkbase.splunk.com/app/6991

10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2

Yes

Vectra Respond UX

JSON

Vectra XDR App

App

https://splunkbase.splunk.com/app/6992

10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1

Yes

Vectra Respond UX

n/a

Vectra Stream

Vectra Stream enables the export of network metadata collected by Vectra Sensors deployed across the environment. This metadata provides detailed visibility into observed communications, helping security teams perform deeper investigations, threat hunting, and network behavior analysis in Splunk.

Name

Type

Splunkbase Link

Supported Splunk Version

CIM Compatibility

Splunk Cloud

Data structure

Dependencies

Technology Add-on for Vectra Stream (JSON)

Add-on

https://splunkbase.splunk.com/app/6367

10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1

Yes

JSON

N/A

Vectra Stream

App

https://splunkbase.splunk.com/app/4739

10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1, 9.0

Yes

n/a

Treemap

URL Toolbox

A list of supported protocols and extracted attributes is available here.

Installation Matrix

Splunk Node

What to install

Notes

Search Head

Add-on and App

Both must be installed for distributed or standalone Splunk

Indexer

Add-on only

Do not install on Indexer if using Heavy Forwarders

Heavy Forwarder

Add-on only

Must be installed here if using Heavy Forwarders

Universal Forwarder

None

Please Note!! In the scenario of a standalone Splunk setup (all-in-one), install both the add-on and the app.

Prerequisites

Before configuring the Vectra AI integration with Splunk Cloud Platform, ensure the following requirements are met:

A valid Splunk account with access to Splunkbase to download the required Vectra apps and add-ons.
A supported version of Splunk Cloud Platform or Splunk Enterprise.
All application dependencies listed in the Add-ons and Apps table are installed and configured.
The required Splunk index or indexes are created before data ingestion begins.

Vectra recommends using a dedicated index for Vectra XDR data. If Vectra Stream is also enabled, Vectra recommends creating a separate dedicated index for Vectra Stream data.

Integration of Splunk Cloud with Vectra XDR

Integrating Splunk Cloud Platform with Vectra XDR involves three main steps:

Creating API clients in the Vectra Respond UX for use by the Technology Add-on.
Installing and configuring the Vectra XDR Technology Add-on.
Installing the Vectra XDR App.

Create API Clients in Vectra Respond UX

API clients must be created in the Vectra Respond UX. These API clients are used by the Vectra XDR Technology Add-on for Splunk to authenticate with the Vectra platform and retrieve data.

Install and Configure the Vectra XDR Technology Add-on

The Vectra XDR Technology Add-on for Splunk collects data from the Vectra platform, including:

Entity scoring data
Detection data
Audit data
Lockdown data
Health data

The Technology Add-on performs CIM mapping for detection and audit data. It also maps entity scoring and detection data fields to the corresponding Vectra Syslog event fields.

Note: If you are using a prior version of a Vectra Technology Add-on with an existing Quadrant UX-based Vectra deployment, you can continue to keep that deployment separate. However, the Technology Add-on and App for Vectra XDR using the Respond UX must be installed separately. You cannot upgrade from a prior version to this version.

Install the Vectra XDR App

The Vectra XDR App for Splunk provides dashboards built from the data collected by the Vectra XDR Technology Add-on for Splunk. These dashboards help security teams visualize and investigate Vectra XDR detections, entities, and related activity directly in Splunk.

1. Create API Clients for Splunk Integration

To integrate Splunk with Vectra XDR, you must create individual API clients for each API endpoint required by the integration.

Using separate API clients is recommended for the following reasons:

Each API endpoint used by the integration is polled independently.
Different API endpoints require different permission levels within Vectra.
Separate API clients help improve performance and scalability when accessing multiple API endpoints.
Troubleshooting is easier because activity and issues can be isolated to the specific API client associated with each endpoint.

Creating dedicated API clients ensures that the Splunk integration has the appropriate permissions for each data source while supporting better operational visibility, performance, and maintainability.

API Clients Required for Integration

Create the following API clients for use with the Vectra Splunk integration. Each API client should be assigned the appropriate role based on the endpoint it will poll.

API Client Name

Role

Purpose

ro_splunk_entity_scoring

Read-only

Used by Splunk to poll the entity_scoring endpoint.

ro_splunk_detections

Read-only

Used by Splunk to poll the detections endpoint.

ro_splunk_lockdown

Read-only

Used by Splunk to poll the lockdown endpoint.

audit_splunk_audits

Auditor

Used by Splunk to poll the audits endpoint.

audit_splunk_health

Auditor

Used by Splunk to poll the health endpoint.

Using dedicated API clients for each endpoint helps ensure that the Splunk integration has the correct permissions and makes monitoring, troubleshooting, and access management easier.

Creating API Clients

To create each of the API clients listed above:

Enter a name for the client you are creating, select the role, optionally enter a description and then click "Generate Credentials".

On the "API Client Created" screen, copy the Client ID and Secret Key to a safe place for later configuration in Splunk and then click "Done".
- !! Please note that this is the only time you can copy the secret key. If you do not copy the key now, you will need to delete your API client and start over creating that client.

When you have created all 5 required API clients, you screen should look similar to this:

2. Install and Configure the Vectra XDR Technology Add-on

Install the Add-on in Splunk Cloud

Install the Vectra XDR Technology Add-on for Splunk in your Splunk Cloud Platform environment using one of the supported Splunk Cloud installation methods.

Option 1: Install from Splunkbase in Splunk Cloud (Recommended)

Log in to Splunk Cloud Platform with an account that has the required administrative permissions.
From the Splunk Home page, navigate to Apps > Find More Apps.
Search for Vectra XDR Technology Add-on.
Select the add-on and click Install.
When prompted, enter your Splunk.com credentials and accept the license terms.
After installation completes, verify that the add-on appears under Apps > Manage Apps.

Option 2: Install from an App Package

Download the Vectra XDR Technology Add-on package from Splunkbase.
Log in to Splunk Cloud Platform with the required administrative permissions.
Navigate to Apps > Manage Apps.
Select Install app from file or Upload App, depending on your Splunk Cloud experience.
Click Choose file and select the downloaded add-on package.
Click Upload and follow the prompts.
Wait for Splunk Cloud to validate the app package.
After the package is approved, click Install.
Confirm that the add-on appears under Apps > Manage Apps.

Note: If self-service installation is not available for your Splunk Cloud deployment or the add-on requires manual review, contact Splunk Support to request installation.

Configure Accounts in the Vectra XDR Technology Add-on

After the Vectra XDR Technology Add-on for Splunk is installed, configure the accounts that the add-on will use to authenticate with the Vectra platform.

In Splunk Cloud Platform, navigate to Apps.
Open Vectra XDR Technology Add-on.
Go to Configuration > Account.
Click Add to create a new account.
Add one account for each API client created earlier in the Vectra Respond UX.
Enter the required connection details, including the Vectra platform URL and the API client credentials.
Save each account configuration.

When complete, the Account page should include separate account entries for each required API client, similar to the following:

Account Name

Purpose

splunk_entity_scoring

Polls the entity_scoring endpoint.

ro_splunk_detections

Polls the detections endpoint.

ro_splunk_lockdown

Polls the lockdown endpoint.

audit_splunk_audits

Polls the audits endpoint.

audit_splunk_health

Polls the health endpoint.

If a proxy is required in your Splunk environment, configure this in the Proxy tab of the Add-on Configuration.

Choose a desired Logging level (If unsure, Vectra recommends "Info").

Configure Data Inputs

After configuring the required accounts, create a data input for each account in the Vectra XDR Technology Add-on for Splunk.

In Splunk Cloud Platform, open the Vectra XDR Technology Add-on.
Navigate to Inputs.
Click Create New Input or Add Input.
Create one data input for each account configured earlier.
Configure the input fields as described below.

Field

Description

Name

Enter a name that clearly identifies the endpoint or account associated with the input.

Interval

Set the polling interval. 60 seconds is typically recommended for all inputs except Health.

Index

Select the dedicated index created for Vectra XDR data.

Historical Data

Optional. When enabled, the add-on pulls the previous 24 hours of data. This can be useful in smaller environments to quickly confirm that the integration is working.

Status

Set the input to Enabled or Disabled.

For the Health input, set the interval to 900 seconds because health data is refreshed every 15 minutes on the Vectra side.

Note: The Health and Lockdown inputs do not include the Historical Data option.

When complete, the Inputs table should include one input for each configured API client, similar to the following:

Input Name

Vectra Account

Interval

Historical Data

Status

Index

vectra_entity_scoring

ro_splunk_entity_scoring

60

Optional

Enabled

<vectra_xdr_index>

vectra_detections

ro_splunk_detections

60

Optional

Enabled

<vectra_xdr_index>

vectra_lockdown

ro_splunk_lockdown

60

Not applicable

Enabled

<vectra_xdr_index>

vectra_audits

audit_splunk_audits

60

Optional

Enabled

<vectra_xdr_index>

vectra_health

audit_splunk_health

900

Not applicable

Enabled

<vectra_xdr_index>

Using separate data inputs for each account helps ensure that each Vectra endpoint is polled independently with the correct credentials, interval, and index configuration.

3. Install the Vectra XDR App

The Vectra XDR App for Splunk provides dashboards and visualizations using the data collected by the Vectra XDR Technology Add-on for Splunk. Install this app after the Technology Add-on has been installed and configured.

Install the App in Splunk Cloud

Install the Vectra XDR App in Splunk Cloud Platform using one of the supported installation methods.

Option 1: Install from Splunkbase in Splunk Cloud (Recommended)

Log in to Splunk Cloud Platform with an account that has the required administrative permissions.
From the Splunk Home page, navigate to Apps > Find More Apps.
Search for Vectra XDR App.
Select the app and click Install.
When prompted, enter your Splunk.com credentials and accept the license terms.
After installation completes, verify that the app appears under Apps > Manage Apps.

Option 2: Install from an App Package

Download the Vectra XDR App package from Splunkbase.
Log in to Splunk Cloud Platform with the required administrative permissions.
Navigate to Apps > Manage Apps.
Select Install app from file or Upload App, depending on your Splunk Cloud experience.
Click Choose File and select the downloaded app package.
Click Upload and follow the prompts.
Wait for Splunk Cloud to validate the app package.
After installation completes, confirm that the app appears under Apps > Manage Apps.

Note: Depending on your Splunk Cloud deployment and permissions, app package uploads may require validation or assistance from Splunk Support.

After the app is installed, dashboards will begin populating once the Vectra XDR Technology Add-on successfully ingests data into the configured index.

Configuration

Important: Updating the vectra_xdr_index_macro is required for the Vectra XDR App for Splunk to display data correctly when a custom index is used. If this macro is not updated, the dashboards may not show Vectra data because the app will continue searching the default main index.

To update the index macro:

In Splunk Cloud Platform, go to Settings > Advanced Search > Search Macros.
In App context, select Vectra XDR App for Splunk.
Locate and open the vectra_xdr_index_macro macro.
Update the macro definition to reference the index configured for the Vectra XDR data inputs.

For example, if your Vectra XDR data is stored in an index named vectra_xdr, update the macro to use:

index=vectra_xdr

Save the macro.

Open the Vectra XDR App dashboards and confirm that data is displayed as expected.

Note: If the macro is not updated when a custom index is used, the Vectra XDR App dashboards may not display data because they will continue searching the default main index.

Uninstall and Cleanup Steps

To remove the Vectra XDR Splunk integration from Splunk Cloud Platform, complete the following steps.

Disable Data Inputs

In Splunk Cloud Platform, open the Vectra XDR Technology Add-on.
Navigate to Inputs.
Disable each configured Vectra data input.
Confirm that data ingestion has stopped before continuing with the uninstall process.

Remove Account Configurations

Navigate to Vectra XDR Technology Add-on > Configuration > Account.
Delete the Vectra SaaS account entries associated with the configured API clients.
Confirm that all Vectra account configurations have been removed.

Uninstall the Vectra XDR App and Technology Add-on

In Splunk Cloud Platform, navigate to Apps > Manage Apps.
Locate the Vectra XDR App.
Select Uninstall and follow the prompts.
Locate the Vectra XDR Technology Add-on.
Select Uninstall and follow the prompts.

Note: If the uninstall option is not available in Splunk Cloud, contact Splunk Support or use the supported Splunk Cloud app management workflow for your deployment.

Cleanup Considerations

Direct filesystem cleanup steps, such as removing files from $SPLUNK_HOME/etc/apps/ or deleting logs from $SPLUNK_HOME/var/log/, apply to self-managed Splunk Enterprise deployments and are not applicable to Splunk Cloud Platform.

Restarting Splunk is also handled by Splunk Cloud as part of the managed service. If a restart or additional cleanup is required, contact Splunk Support.

Uninstalling the app and add-on does not automatically remove indexed Vectra data. If historical Vectra data must also be removed, review your organization’s data retention requirements and coordinate with your Splunk Cloud administrator or Splunk Support.

Troubleshooting

General Checks

For Splunk Cloud Platform, Vectra XDR Technology Add-on logs are not accessed directly from the filesystem. Instead, use Splunk Search to review logs from the _internal index.

To list available Splunk internal log sources from the last 24 hours, run:

index=_internal earliest=-24h
| dedup source
| sort source
| table source

To identify Vectra-related log sources, run:

index=_internal earliest=-24h source="*vectra*"
| dedup source
| sort source
| table source

This is useful when troubleshooting the Vectra XDR integration because it helps identify which Vectra-related log files are available in Splunk Cloud.

Example Vectra log sources may include:

/opt/splunk/var/log/splunk/ep/extension-platform-worker-TA-Vectra-XDR.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_TA_Vectra_XDR_rh_account.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_account_validation.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_audits_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_audits_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_common.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_detections_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_detections_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_entity_scoring_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_entity_scoring_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_health_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_health_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_lockdown_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_lockdown_input_<input_name>.log

Search Add-on Logs

To view all Vectra XDR Technology Add-on logs in Splunk Cloud, run:

index=_internal earliest=-24h source="*ta_vectra_xdr*.log"

To view only error messages from the add-on logs, run:

index=_internal earliest=-24h source="*ta_vectra_xdr*.log" ERROR

You can also search all Vectra-related internal logs by using:

index=_internal earliest=-24h source="*vectra*"

Data Collection Troubleshooting

If Vectra data is not being collected, verify the following:

The Vectra SaaS account configuration is correct.
The API client credentials are valid.
The configured API client has the required role and permissions for the endpoint.
The data input is enabled.
The configured index exists and is searchable.
Network connectivity to the Vectra platform is available.
If a proxy is used, confirm that the proxy configuration is correct and that the proxy can reach the Vectra platform.

Review the relevant log source based on the input being troubleshot:

Data Input

Log Source

Entity Scoring

ta_vectra_xdr_entity_scoring_input*.log

Detections

ta_vectra_xdr_detections_input*.log

Audits

ta_vectra_xdr_audits_input*.log

Lockdown

ta_vectra_xdr_lockdown_input*.log

Health

ta_vectra_xdr_health_input*.log

Account validation

ta_vectra_xdr_account_validation.log

Common add-on logs

ta_vectra_xdr_common.log

For example, to troubleshoot detection input logs, run:

index=_internal earliest=-24h source="*ta_vectra_xdr_detections_input_Splunk_RUX_Detections.log"

Validate Collected Data

To confirm that Vectra data is being written to the configured index, run searches using the correct source and sourcetype values.

To check all supported Vectra XDR data types in the configured index, run:

index=<your_index_name> earliest=-24h
(
  (source="health_input" sourcetype="vectra:cloud:health")
  OR (source="detections_input" sourcetype="vectra:cloud:detections")
  OR (source="audits_input" sourcetype="vectra:cloud:audits")
  OR (source="entity_scoring_input" sourcetype="vectra:cloud:entity:scoring")
  OR (source="lockdown_input" sourcetype="vectra:cloud:lockdown")
)

You can also validate each data type individually.

Health Data

index=<your_index_name> earliest=-24h source="health_input" sourcetype="vectra:cloud:health"

Detection Data

index=<your_index_name> earliest=-24h source="detections_input" sourcetype="vectra:cloud:detections"

Audit Data

index=<your_index_name> earliest=-24h source="audits_input" sourcetype="vectra:cloud:audits"

Entity Scoring Data

index=<your_index_name> earliest=-24h source="entity_scoring_input" sourcetype="vectra:cloud:entity:scoring"

Lockdown Data

index=<your_index_name> earliest=-24h source="lockdown_input" sourcetype="vectra:cloud:lockdown"

If these searches return events, the Vectra XDR Technology Add-on is successfully collecting data and writing it to the configured index. If no events are returned, verify that the related data input is enabled, the selected index is correct, and the corresponding Vectra SaaS account is configured with the correct API client credentials.

Dashboard Not Populating

If the Vectra XDR App dashboards are not displaying data, verify the following:

Confirm that Vectra data is being collected in the configured index.
Confirm that the correct sourcetypes are present.
Confirm that the vectra_xdr_index_macro macro is updated to reference the index used by the Vectra XDR Technology Add-on.
Confirm that the time range selected in the dashboard includes the time period when data was collected.

Important: If a custom index is used and the vectra_xdr_index_macro macro is not updated, the Vectra XDR App dashboards may not display data because the app may continue searching the default main index.

Add-on Icons Not Displaying

The Vectra XDR Technology Add-on does not require a restart for its core functionality after installation. However, app or add-on icons may not appear immediately in the Splunk UI.

In Splunk Cloud Platform, restarts are managed by Splunk Cloud. If icons do not appear after installation and a restart is required, contact Splunk Support or use the supported restart workflow for your Splunk Cloud deployment.

Integration of Splunk with Vectra Stream

There are 3 main steps required to integrate Splunk with Vectra Stream:

Installation and configuration of "Technology Add-on for Vectra Stream (JSON) ".
Installation of "Vectra Cognito Stream " App.
Configuring Vectra Stream to send metadata to Splunk using Publisher of "Raw JSON" using Protocol of "TCP" to the server IP/Hostname and port number of your choice where Splunk will be listening.

For details please see the Splunk Integration Guide for Vectra AI .

PreviousSplunk On-Prem SIEM / Vectra integration guide (start here for RUX)NextSplunk SIEM / Vectra integration guide (start here for QUX)

Last updated 6 days ago

Was this helpful?