> For the complete documentation index, see [llms.txt](https://docs.vectra.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-rux-1.md).

# Splunk Cloud SIEM / Vectra integration guide (start here for RUX)

{% hint style="info" %}
This article applies only to customers using Vectra's Respond UX. If you are using the Quadrant UX, see the [Splunk Integration Guide for Vectra AI](/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux.md). If you are unsure which UX you are using, see [Vectra Analyst User Experiences (Respond vs Quadrant)](/deployment/getting-started/analyst-ux-options-rux-vs-qux.md).
{% endhint %}

## Integration Overview

Vectra AI provides add-ons and apps that enable seamless integration with Splunk Cloud Platform and Splunk Enterprise Security. These integrations allow security teams to ingest, analyze, and operationalize Vectra data directly within Splunk workflows.

Vectra provides two primary data sources for Splunk:

### Vectra XDR

Vectra XDR uses a patent-pending combination of data science, machine learning, and behavioral analysis to identify the fundamental characteristics of malicious threat behavior. The Vectra platform collects and analyzes packets and logs across public cloud, SaaS, federated identity, and data center environments to surface and prioritize high-fidelity threat detections.

These insights can be retrieved through the Vectra API and integrated into Splunk to support investigation, alert triage, threat hunting, and security operations workflows.

<table><thead><tr><th>Name</th><th>Type</th><th data-type="content-ref">Splunkbase Link</th><th>Supported Splunk Version</th><th>CIM Compatibility</th><th>Splunk Cloud</th><th>Vectra Platform</th><th>Data Structure</th></tr></thead><tbody><tr><td>Vectra XDR Technology Add-on</td><td>Add-on</td><td><a href="https://splunkbase.splunk.com/app/6991">https://splunkbase.splunk.com/app/6991</a></td><td>10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2</td><td>Yes</td><td>Yes</td><td>Vectra Respond UX</td><td>JSON</td></tr><tr><td>Vectra XDR App</td><td>App</td><td><a href="https://splunkbase.splunk.com/app/6992">https://splunkbase.splunk.com/app/6992</a></td><td>10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1</td><td>Yes</td><td>Yes</td><td>Vectra Respond UX</td><td>n/a</td></tr></tbody></table>

### Vectra Stream

Vectra Stream enables the export of network metadata collected by Vectra Sensors deployed across the environment. This metadata provides detailed visibility into observed communications, helping security teams perform deeper investigations, threat hunting, and network behavior analysis in Splunk.

<table><thead><tr><th>Name</th><th>Type</th><th data-type="content-ref">Splunkbase Link</th><th>Supported Splunk Version</th><th>CIM Compatibility</th><th>Splunk Cloud</th><th>Data structure</th><th>Dependencies</th></tr></thead><tbody><tr><td>Technology Add-on for Vectra Stream (JSON)</td><td>Add-on</td><td><a href="https://splunkbase.splunk.com/app/6367">https://splunkbase.splunk.com/app/6367</a></td><td>10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1</td><td>Yes</td><td>Yes</td><td>JSON</td><td>N/A</td></tr><tr><td>Vectra Stream</td><td>App</td><td><a href="https://splunkbase.splunk.com/app/4739">https://splunkbase.splunk.com/app/4739</a></td><td>10.4, 10.3, 10.2, 10.1, 10.0, 9.4, 9.3, 9.2, 9.1, 9.0</td><td>Yes</td><td>Yes</td><td>n/a</td><td><p><a href="https://splunkbase.splunk.com/app/3118/">Treemap</a></p><p><a href="https://splunkbase.splunk.com/app/2734/">URL Toolbox</a></p></td></tr></tbody></table>

{% hint style="info" %}
A list of supported protocols and extracted attributes is available [here](https://support.vectra.ai/s/article/KB-VS-1245).
{% endhint %}

### Installation Matrix

| Splunk Node         | What to install | Notes                                                       |
| ------------------- | --------------- | ----------------------------------------------------------- |
| Search Head         | Add-on and App  | Both must be installed for distributed or standalone Splunk |
| Indexer             | Add-on only     | Do not install on Indexer if using Heavy Forwarders         |
| Heavy Forwarder     | Add-on only     | Must be installed here if using Heavy Forwarders            |
| Universal Forwarder | None            |                                                             |

{% hint style="info" icon="triangle-exclamation" %}
**Note:** In a standalone (all-in-one) Splunk deployment, install both the add-on and the app on that single node.
{% endhint %}

### Prerequisites

Before configuring the Vectra AI integration with Splunk Cloud Platform, ensure the following requirements are met:

* A valid Splunk account with access to Splunkbase to download the required Vectra apps and add-ons.
* A supported version of Splunk Cloud Platform or Splunk Enterprise.
* All application dependencies listed in the Vectra XDR and Vectra Stream tables above are installed and configured.
* The required Splunk index or indexes are created before data ingestion begins.

{% hint style="info" icon="triangle-exclamation" %}
Vectra recommends using a **dedicated index** for **Vectra XDR** data. If Vectra Stream is also enabled, Vectra recommends creating a separate **dedicated index** for **Vectra Stream** data.
{% endhint %}

## Integration of Splunk Cloud with Vectra XDR

Integrating Splunk Cloud Platform with Vectra XDR involves three main steps:

1. Creating API clients in the Vectra Respond UX for use by the Technology Add-on.
2. Installing and configuring the **Vectra XDR Technology Add-on**.
3. Installing the **Vectra XDR App**.

#### Create API Clients in Vectra Respond UX

API clients must be created in the Vectra Respond UX. These API clients are used by the Vectra XDR Technology Add-on for Splunk to authenticate with the Vectra platform and retrieve data.

#### Install and Configure the Vectra XDR Technology Add-on

The **Vectra XDR Technology Add-on for Splunk** collects data from the Vectra platform, including:

* Entity scoring data
* Detection data
* Audit data
* Lockdown data
* Health data

The Technology Add-on performs CIM mapping for detection and audit data. It also maps entity scoring and detection data fields to the corresponding Vectra Syslog event fields.

> **Note:** If you are using a prior version of a Vectra Technology Add-on with an existing Quadrant UX-based Vectra deployment, you can continue to keep that deployment separate. However, the Technology Add-on and App for Vectra XDR using the Respond UX must be installed separately. You cannot upgrade from a prior version to this version.

#### Install the Vectra XDR App

The **Vectra XDR App for Splunk** provides dashboards built from the data collected by the Vectra XDR Technology Add-on for Splunk. These dashboards help security teams visualize and investigate Vectra XDR detections, entities, and related activity directly in Splunk.

### 1. Create API Clients for Splunk Integration

To integrate Splunk with Vectra XDR, you must create individual API clients for each API endpoint required by the integration.

Using separate API clients is recommended for the following reasons:

* Each API endpoint used by the integration is polled independently.
* Different API endpoints require different permission levels within Vectra, so each client can hold only the role its endpoint needs (least privilege), and a single client can be rotated or revoked without disturbing the other inputs if its secret is exposed.
* Separate API clients help improve performance and scalability when accessing multiple API endpoints.
* Troubleshooting is easier because activity and issues can be isolated to the specific API client associated with each endpoint.

Creating dedicated API clients ensures that the Splunk integration has the appropriate permissions for each data source while supporting better operational visibility, performance, and maintainability.

### API Clients Required for Integration

Create the following API clients for use with the Vectra Splunk integration. Each API client should be assigned the appropriate role based on the endpoint it will poll.

| API Client Name            | Role      | Purpose                                               |
| -------------------------- | --------- | ----------------------------------------------------- |
| `ro_splunk_entity_scoring` | Read-only | Used by Splunk to poll the `entity_scoring` endpoint. |
| `ro_splunk_detections`     | Read-only | Used by Splunk to poll the `detections` endpoint.     |
| `ro_splunk_lockdown`       | Read-only | Used by Splunk to poll the `lockdown` endpoint.       |
| `audit_splunk_audits`      | Auditor   | Used by Splunk to poll the `audits` endpoint.         |
| `audit_splunk_health`      | Auditor   | Used by Splunk to poll the `health` endpoint.         |

Using dedicated API clients for each endpoint helps ensure that the Splunk integration has the correct permissions and makes monitoring, troubleshooting, and access management easier.

#### Creating API Clients

To create each of the API clients listed above:

* Log in to your Vectra Respond UX, navigate to *Manage > API Clients*, and click "Add API Client".

![](/files/SfTJfPUKOREyNMmnLOGX)

* Enter a name for the client you are creating, select the role, optionally enter a description and then click "Generate Credentials".

![](/files/ssKUzR9hzzlEvXQ48Wry)

* On the "API Client Created" screen, copy the Client ID and Secret Key into your secrets store (both are needed later when configuring the account in Splunk) and then click "Done".
  * This is the only time the Secret Key is displayed. If you do not copy it now, delete the API client and create it again; the key cannot be retrieved afterwards.

![](/files/5GJP0pqBqvlX7t73eFs2)

* When you have created all 5 required API clients, your screen should look similar to this:

![](/files/0i39fKGvAbfnTvqvBIKu)

### 2. Install and Configure the Vectra XDR Technology Add-on

#### Install the Add-on in Splunk Cloud

Install the **Vectra XDR Technology Add-on for Splunk** in your Splunk Cloud Platform environment using one of the supported Splunk Cloud installation methods.

**Option 1: Install from Splunkbase in Splunk Cloud (Recommended)**

1. Log in to Splunk Cloud Platform with an account that has the required administrative permissions.
2. From the Splunk Home page, navigate to **Apps > Find More Apps**.
3. Search for **Vectra XDR Technology Add-on**.
4. Select the add-on and click **Install**.
5. When prompted, enter your Splunk.com credentials and accept the license terms.
6. After installation completes, verify that the add-on appears under **Apps > Manage Apps**.

**Option 2: Install from an App Package**

1. Download the **Vectra XDR Technology Add-on** package from Splunkbase.
2. Log in to Splunk Cloud Platform with the required administrative permissions.
3. Navigate to **Apps > Manage Apps**.
4. Select **Install app from file** or **Upload App**, depending on your Splunk Cloud experience.
5. Click **Choose file** and select the downloaded add-on package.
6. Click **Upload** and follow the prompts.
7. Wait for Splunk Cloud to validate the app package.
8. After the package is approved, click **Install**.
9. Confirm that the add-on appears under **Apps > Manage Apps**.

> **Note:** If self-service installation is not available for your Splunk Cloud deployment or the add-on requires manual review, contact Splunk Support to request installation.

#### Configure Accounts in the Vectra XDR Technology Add-on

After the **Vectra XDR Technology Add-on for Splunk** is installed, configure the accounts that the add-on will use to authenticate with the Vectra platform.

1. In Splunk Cloud Platform, navigate to **Apps**.
2. Open **Vectra XDR Technology Add-on**.
3. Go to **Configuration > Account**.
4. Click **Add** to create a new account.
5. Add one account for each API client created earlier in the Vectra Respond UX.
6. Enter the required connection details, including the Vectra platform URL and the API client credentials.
7. Save each account configuration.

When complete, the **Account** page should include separate account entries for each required API client, similar to the following:

| Account Name               | Purpose                              |
| -------------------------- | ------------------------------------ |
| `ro_splunk_entity_scoring` | Polls the `entity_scoring` endpoint. |
| `ro_splunk_detections`     | Polls the `detections` endpoint.     |
| `ro_splunk_lockdown`       | Polls the `lockdown` endpoint.       |
| `audit_splunk_audits`      | Polls the `audits` endpoint.         |
| `audit_splunk_health`      | Polls the `health` endpoint.         |

<figure><img src="/files/obcMx7ZKZmmKpfVUKg1z" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
If a proxy is required in your Splunk environment, configure this in the *Proxy* tab of the Add-on *Configuration.*
{% endhint %}

<figure><img src="/files/sk9JZZrlx6tA2UFt6OpK" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Choose a desired *Logging* level (If unsure, Vectra recommends "Info").
{% endhint %}

<figure><img src="/files/HNqzWIwjniXpCEN4Bz3j" alt=""><figcaption></figcaption></figure>

#### Configure Data Inputs

After configuring the required accounts, create a data input for each account in the **Vectra XDR Technology Add-on for Splunk**.

1. In Splunk Cloud Platform, open the **Vectra XDR Technology Add-on**.
2. Navigate to **Inputs**.
3. Click **Create New Input** or **Add Input**.
4. Create one data input for each account configured earlier.
5. Configure the input fields as described below.

| Field               | Description                                                                                                                                                            |
| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Name**            | Enter a name that clearly identifies the endpoint or account associated with the input.                                                                                |
| **Interval**        | Set the polling interval. `60` seconds is typically recommended for all inputs except Health.                                                                          |
| **Index**           | Select the dedicated index created for Vectra XDR data.                                                                                                                |
| **Historical Data** | Optional. When enabled, the add-on pulls the previous 24 hours of data. This can be useful in smaller environments to quickly confirm that the integration is working. |
| **Status**          | Set the input to **Enabled** or **Disabled**.                                                                                                                          |

For the **Health** input, set the interval to `900` seconds because health data is refreshed every 15 minutes on the Vectra side.

> **Note:** The **Health** and **Lockdown** inputs do not include the **Historical Data** option.

When complete, the Inputs table should include one input for each configured API client, similar to the following:

<table><thead><tr><th width="212.4444580078125">Input Name</th><th width="243.5555419921875">Vectra Account</th><th align="right">Interval</th><th>Historical Data</th><th>Status</th><th width="208">Index</th></tr></thead><tbody><tr><td><code>vectra_entity_scoring</code></td><td><code>ro_splunk_entity_scoring</code></td><td align="right"><code>60</code></td><td>Optional</td><td>Enabled</td><td><code>&#x3C;vectra_xdr_index></code></td></tr><tr><td><code>vectra_detections</code></td><td><code>ro_splunk_detections</code></td><td align="right"><code>60</code></td><td>Optional</td><td>Enabled</td><td><code>&#x3C;vectra_xdr_index></code></td></tr><tr><td><code>vectra_lockdown</code></td><td><code>ro_splunk_lockdown</code></td><td align="right"><code>60</code></td><td>Not applicable</td><td>Enabled</td><td><code>&#x3C;vectra_xdr_index></code></td></tr><tr><td><code>vectra_audits</code></td><td><code>audit_splunk_audits</code></td><td align="right"><code>60</code></td><td>Optional</td><td>Enabled</td><td><code>&#x3C;vectra_xdr_index></code></td></tr><tr><td><code>vectra_health</code></td><td><code>audit_splunk_health</code></td><td align="right"><code>900</code></td><td>Not applicable</td><td>Enabled</td><td><code>&#x3C;vectra_xdr_index></code></td></tr></tbody></table>

Using separate data inputs for each account helps ensure that each Vectra endpoint is polled independently with the correct credentials, interval, and index configuration.

<figure><img src="/files/B2JuXvs5x1HI4i2JDw88" alt=""><figcaption></figcaption></figure>

### 3. Install the Vectra XDR App

The **Vectra XDR App for Splunk** provides dashboards and visualizations using the data collected by the **Vectra XDR Technology Add-on for Splunk**. Install this app after the Technology Add-on has been installed and configured.

#### Install the App in Splunk Cloud

Install the **Vectra XDR App** in Splunk Cloud Platform using one of the supported installation methods.

**Option 1: Install from Splunkbase in Splunk Cloud (Recommended)**

1. Log in to Splunk Cloud Platform with an account that has the required administrative permissions.
2. From the Splunk Home page, navigate to **Apps > Find More Apps**.
3. Search for **Vectra XDR App**.
4. Select the app and click **Install**.
5. When prompted, enter your Splunk.com credentials and accept the license terms.
6. After installation completes, verify that the app appears under **Apps > Manage Apps**.

**Option 2: Install from an App Package**

1. Download the **Vectra XDR App** package from Splunkbase.
2. Log in to Splunk Cloud Platform with the required administrative permissions.
3. Navigate to **Apps > Manage Apps**.
4. Select **Install app from file** or **Upload App**, depending on your Splunk Cloud experience.
5. Click **Choose File** and select the downloaded app package.
6. Click **Upload** and follow the prompts.
7. Wait for Splunk Cloud to validate the app package.
8. After installation completes, confirm that the app appears under **Apps > Manage Apps**.

> **Note:** Depending on your Splunk Cloud deployment and permissions, app package uploads may require validation or assistance from Splunk Support.

After the app is installed, dashboards will begin populating once the Vectra XDR Technology Add-on successfully ingests data into the configured index.

### Configuration

{% hint style="danger" %}
**Important:** Updating the `vectra_xdr_index_macro` is required for the **Vectra XDR App for Splunk** to display data correctly when a custom index is used. If this macro is not updated, the dashboards may not show Vectra data because the app will continue searching the default `main` index.
{% endhint %}

To update the index macro:

1. In Splunk Cloud Platform, go to **Settings > Advanced Search > Search Macros**.
2. In **App context**, select **Vectra XDR App for Splunk**.
3. Locate and open the `vectra_xdr_index_macro` macro.
4. Update the macro definition to reference the index configured for the Vectra XDR data inputs.

<figure><img src="/files/jkmODwm5QTSKIdSW0w7K" alt=""><figcaption></figcaption></figure>

For example, if your Vectra XDR data is stored in an index named `vectra_xdr`, update the macro to use:

```
index=vectra_xdr
```

5. Save the macro.

<figure><img src="/files/ynTnpNlXoPhbHFOx8r6R" alt=""><figcaption></figcaption></figure>

6. Open the Vectra XDR App dashboards and confirm that data is displayed as expected.

### Uninstall and Cleanup Steps

To remove the Vectra XDR Splunk integration from Splunk Cloud Platform, complete the following steps.

#### Disable Data Inputs

1. In Splunk Cloud Platform, open the **Vectra XDR Technology Add-on**.
2. Navigate to **Inputs**.
3. Disable each configured Vectra data input.
4. Confirm that data ingestion has stopped before continuing with the uninstall process.

#### Remove Account Configurations

1. Navigate to **Vectra XDR Technology Add-on > Configuration > Account**.
2. Delete the Vectra SaaS account entries associated with the configured API clients.
3. Confirm that all Vectra account configurations have been removed.

#### Uninstall the Vectra XDR App and Technology Add-on

1. In Splunk Cloud Platform, navigate to **Apps > Manage Apps**.
2. Locate the **Vectra XDR App**.
3. Select **Uninstall** and follow the prompts.
4. Locate the **Vectra XDR Technology Add-on**.
5. Select **Uninstall** and follow the prompts.

<figure><img src="/files/tUZXbLLsftq4SXxmAbWX" alt=""><figcaption></figcaption></figure>

> **Note:** If the uninstall option is not available in Splunk Cloud, contact Splunk Support or use the supported Splunk Cloud app management workflow for your deployment.

#### Cleanup Considerations

Direct filesystem cleanup steps, such as removing files from `$SPLUNK_HOME/etc/apps/` or deleting logs from `$SPLUNK_HOME/var/log/`, apply to self-managed Splunk Enterprise deployments and are not applicable to Splunk Cloud Platform.

Restarting Splunk is also handled by Splunk Cloud as part of the managed service. If a restart or additional cleanup is required, contact Splunk Support.

Uninstalling the app and add-on does not automatically remove indexed Vectra data. If historical Vectra data must also be removed, review your organization’s data retention requirements and coordinate with your Splunk Cloud administrator or Splunk Support.

### Troubleshooting

#### General Checks

For Splunk Cloud Platform, Vectra XDR Technology Add-on logs are not accessed directly from the filesystem. Instead, use Splunk Search to review logs from the `_internal` index.

To list available Splunk internal log sources from the last 24 hours, run:

```spl
index=_internal earliest=-24h
| dedup source
| sort source
| table source
```

To identify Vectra-related log sources, run:

```spl
index=_internal earliest=-24h source="*vectra*"
| dedup source
| sort source
| table source
```

This is useful when troubleshooting the Vectra XDR integration because it helps identify which Vectra-related log files are available in Splunk Cloud.

<figure><img src="/files/9F3jyq9aGsc7F7yasBgh" alt=""><figcaption></figcaption></figure>

Example Vectra log sources may include:

```
/opt/splunk/var/log/splunk/ep/extension-platform-worker-TA-Vectra-XDR.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_TA_Vectra_XDR_rh_account.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_account_validation.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_audits_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_audits_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_common.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_detections_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_detections_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_entity_scoring_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_entity_scoring_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_health_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_health_input_<input_name>.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_lockdown_input.log
/opt/splunk/var/log/splunk/ta_vectra_xdr_lockdown_input_<input_name>.log
```

#### Search Add-on Logs

To view all Vectra XDR Technology Add-on logs in Splunk Cloud, run:

```spl
index=_internal earliest=-24h source="*ta_vectra_xdr*.log"
```

To view only error messages from the add-on logs, run:

```spl
index=_internal earliest=-24h source="*ta_vectra_xdr*.log" ERROR
```

You can also search all Vectra-related internal logs by using:

```spl
index=_internal earliest=-24h source="*vectra*"
```

<figure><img src="/files/I2lhBr8mExNix918msBB" alt=""><figcaption></figcaption></figure>

### Data Collection Troubleshooting

If Vectra data is not being collected, verify the following:

* The Vectra SaaS account configuration is correct.
* The API client credentials are valid.
* The configured API client has the required role and permissions for the endpoint.
* The data input is enabled.
* The configured index exists and is searchable.
* Network connectivity to the Vectra platform is available.
* If a proxy is used, confirm that the proxy configuration is correct and that the proxy can reach the Vectra platform.
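The first three items on that list, plus connectivity and proxy reachability, can be checked outside Splunk before touching the add-on. The script below is an added example, not Vectra's or the Technology Add-on's code. It assumes that the Respond UX platform issues OAuth2 client-credentials tokens at `<platform URL>/oauth2/token` using HTTP Basic authentication with the Client ID as user and the Secret Key as password (an assumption to confirm against the Vectra API documentation for your tenant), and it takes the API path to probe as an argument rather than guessing the paths the add-on polls. The environment variable names, the `transport` hook and the sample responses in the usage are constructed for this example; the secret is read from the environment so that it never lands in the script or in shell history.

```python
"""Check a Vectra Respond UX API client from outside Splunk.

Added example, not code from Vectra or the Technology Add-on. Assumptions to
confirm against your tenant's API documentation:
  * tokens come from an OAuth2 client-credentials grant at <platform URL>/oauth2/token,
    authenticated with HTTP Basic (Client ID as user, Secret Key as password);
  * the API path handed to probe() is the one the corresponding add-on input polls.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

TIMEOUT_SECONDS = 30


def http(url, method, headers, body=None):
    """Transport: returns (status, body). HTTP errors come back with their status;
    connection failures (DNS, refused, proxy) come back as status 0."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT_SECONDS) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()
    except urllib.error.URLError as exc:
        return 0, str(exc.reason).encode()


def get_token(base_url, client_id, client_secret, transport=http):
    """Exchange the API client's Client ID and Secret Key for a bearer token."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    url = f"{base_url.rstrip('/')}/oauth2/token"
    status, body = transport(url, "POST", headers, b"grant_type=client_credentials")
    if status == 0:
        raise ConnectionError(f"cannot reach {url}: {body.decode(errors='replace')}")
    if status != 200:
        # A rejection here means the Client ID / Secret Key pair is wrong. The Secret
        # Key is shown only once; if it was lost, delete the API client and recreate it.
        raise PermissionError(f"token request rejected with HTTP {status}")
    return json.loads(body)["access_token"]


def probe(base_url, token, api_path, transport=http):
    """Call one API path with the token and map the outcome onto the checklist:
    credentials (401), role (403), connectivity (unreachable) or ok."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    url = f"{base_url.rstrip('/')}/{api_path.lstrip('/')}"
    status, body = transport(url, "GET", headers)
    if status == 200:
        return "ok"
    if status == 0:
        return f"unreachable: {body.decode(errors='replace')} (network or proxy)"
    if status == 401:
        return "unauthorized: token not accepted, re-check the API client credentials"
    if status == 403:
        return "forbidden: the API client's role does not cover this endpoint (Read-only vs Auditor)"
    return f"unexpected HTTP {status}"


if __name__ == "__main__":
    # Usage (variable names are this example's own):
    #   VECTRA_URL=https://<your platform URL> VECTRA_CLIENT_ID=... VECTRA_CLIENT_SECRET=... \
    #   python check_api_client.py <api path> [<api path> ...]
    base = os.environ["VECTRA_URL"]
    token = get_token(base, os.environ["VECTRA_CLIENT_ID"], os.environ["VECTRA_CLIENT_SECRET"])
    for path in sys.argv[1:]:
        print(f"{path}: {probe(base, token, path)}")
```

Because `urllib` honours the `HTTPS_PROXY` environment variable, exporting the same proxy the add-on is configured with exercises the same path the add-on takes. An HTTP 403 on one path together with a 200 on another points at the client's role (Read-only versus Auditor) rather than at the credentials, which is exactly the distinction the `ro_*` and `audit_*` clients above were created to keep separate.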

Review the relevant log source based on the input being troubleshot:

| Data Input         | Log Source                                |
| ------------------ | ----------------------------------------- |
| Entity Scoring     | `ta_vectra_xdr_entity_scoring_input*.log` |
| Detections         | `ta_vectra_xdr_detections_input*.log`     |
| Audits             | `ta_vectra_xdr_audits_input*.log`         |
| Lockdown           | `ta_vectra_xdr_lockdown_input*.log`       |
| Health             | `ta_vectra_xdr_health_input*.log`         |
| Account validation | `ta_vectra_xdr_account_validation.log`    |
| Common add-on logs | `ta_vectra_xdr_common.log`                |

For example, to troubleshoot detection input logs, run:

```spl
index=_internal earliest=-24h source="*ta_vectra_xdr_detections_input_Splunk_RUX_Detections.log"
```

<figure><img src="/files/I2lhBr8mExNix918msBB" alt=""><figcaption></figcaption></figure>

### Validate Collected Data

To confirm that Vectra data is being written to the configured index, run searches using the correct `source` and `sourcetype` values.

To check all supported Vectra XDR data types in the configured index, run:

```
index=<your_index_name> earliest=-24h
(
  (source="health_input" sourcetype="vectra:cloud:health")
  OR (source="detections_input" sourcetype="vectra:cloud:detections")
  OR (source="audits_input" sourcetype="vectra:cloud:audits")
  OR (source="entity_scoring_input" sourcetype="vectra:cloud:entity:scoring")
  OR (source="lockdown_input" sourcetype="vectra:cloud:lockdown")
)
```

You can also validate each data type individually.

**Health Data**

```
index=<your_index_name> earliest=-24h source="health_input" sourcetype="vectra:cloud:health"
```

**Detection Data**

```
index=<your_index_name> earliest=-24h source="detections_input" sourcetype="vectra:cloud:detections"
```

**Audit Data**

```
index=<your_index_name> earliest=-24h source="audits_input" sourcetype="vectra:cloud:audits"
```

**Entity Scoring Data**

```
index=<your_index_name> earliest=-24h source="entity_scoring_input" sourcetype="vectra:cloud:entity:scoring"
```

**Lockdown Data**

```
index=<your_index_name> earliest=-24h source="lockdown_input" sourcetype="vectra:cloud:lockdown"
```

If these searches return events, the Vectra XDR Technology Add-on is successfully collecting data and writing it to the configured index. If no events are returned, verify that the related data input is enabled, the selected index is correct, and the corresponding Vectra SaaS account is configured with the correct API client credentials.

#### Dashboard Not Populating

If the Vectra XDR App dashboards are not displaying data, verify the following:

1. Confirm that Vectra data is being collected in the configured index.
2. Confirm that the correct sourcetypes are present.
3. Confirm that the `vectra_xdr_index_macro` macro is updated to reference the index used by the Vectra XDR Technology Add-on.
4. Confirm that the time range selected in the dashboard includes the time period when data was collected.

> **Important:** If a custom index is used and the `vectra_xdr_index_macro` macro is not updated, the Vectra XDR App dashboards may not display data because the app may continue searching the default `main` index.

#### Add-on Icons Not Displaying

The Vectra XDR Technology Add-on does not require a restart for its core functionality after installation. However, app or add-on icons may not appear immediately in the Splunk UI.

In Splunk Cloud Platform, restarts are managed by Splunk Cloud. If icons do not appear after installation and a restart is required, contact Splunk Support or use the supported restart workflow for your Splunk Cloud deployment.

## Integration of Splunk with Vectra Stream

There are 3 main steps required to integrate Splunk with Vectra Stream:

1. Installation and configuration of the "[Technology Add-on for Vectra Stream (JSON)](https://splunkbase.splunk.com/app/6367)".
2. Installation of the "[Vectra Stream](https://splunkbase.splunk.com/app/4739)" App.
3. Configuring a Vectra Stream publisher with the "Raw JSON" format and the "TCP" protocol, pointed at the IP address or hostname and port on which Splunk is listening.

For details, see the [Splunk Integration Guide for Vectra AI](/deployment/stream/publisher-specific-guidance/splunk-integration.md).


