Splunk - Vectra Detect Add-On and Syslog Configuration (QUX)

Install the Technology Add-on for Vectra Detect (JSON) and configure Detect syslog so Splunk parses events into the correct sourcetypes.

The Splunk Integration Guide for Vectra AI provides an overview of Vectra's integration with Splunk and should be your starting point if you have not already read it. That guide describes the Vectra data sources and the various Add-ons and Apps required for integration, and links to other related articles.

The Splunk - Vectra Detect Integration Steps article details the overall process of integrating Vectra Detect / Match with Splunk and may have pointed you to this article.

Technology Add-On for Vectra Detect (JSON) Installation

Using a syslog server and Universal Forwarder (Recommended)

  • The Add-on must be installed on Search Heads.

  • For standalone deployments

    • Install the Add-on

  • For distributed deployments:

    • If data is collected through Intermediate Heavy Forwarders, the Add-on must be installed on Heavy Forwarders and should not be installed on indexers.

    • If you do not have Heavy Forwarders, the Add-on must be installed on the indexers.

  • The Add-on expects an initial source type named vectra:cognito:detect:json; index-time transform rules in the Add-on then rewrite it into more specific source types (see the source type list below).

  • Syslog server must be installed to receive logs from Vectra Detect (outside of the scope of this guide).

  • Configure inputs (see example below).

inputs.conf example. Copy the stanza to, for example, $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder that reads the syslog server's log files:

# Example input when syslog-ng/rsyslog is used
[monitor:///var/log/vectra/*.log*]
index = <your destination index goes here>
sourcetype = vectra:cognito:detect:json

**Please Note!! The Add-on is installed by default with Global permissions.**

Using a Splunk Network Input

  1. On the Splunk dashboard, click Settings > Data Inputs

  2. Click “Add new” under TCP or UDP, then:

    a. Select TCP or UDP

    b. Add a port number

    c. As Source type, select vectra:cognito:detect:json from the list

    d. As App Context, select vectra_cognito (this App)

    e. As Index, create a new one

    f. Fill in the Index Name, e.g. vectra_detect

  3. Save
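The same network input expressed as an inputs.conf stanza, for deployments that manage configuration as files rather than through the UI. This is an added example, not a file shipped with the Add-on; the port number 1514, the index name vectra_detect and the app directory are assumptions to adapt to your environment.

```conf
# Added example: file equivalent of the "Using a Splunk Network Input" UI steps.
# Place it in the local directory of the app context chosen in step 2d, e.g.
# $SPLUNK_HOME/etc/apps/<add-on directory>/local/inputs.conf
# Port 1514 and index vectra_detect are assumptions; use the port configured
# on the Detect side and the index you created in step 2e/2f.

# TCP listener (step 2a = TCP). connection_host = ip records the sender's
# address as the host field, which is the Detect appliance itself.
[tcp://1514]
index = vectra_detect
sourcetype = vectra:cognito:detect:json
connection_host = ip
disabled = 0

# UDP alternative (step 2a = UDP), left disabled here. Enable only one of the two.
[udp://1514]
index = vectra_detect
sourcetype = vectra:cognito:detect:json
connection_host = ip
disabled = 1
```

The index named in the stanza must already exist on the indexers (step 2e creates it through the UI; in a file-managed deployment add a matching stanza to indexes.conf). Either listener must be configured on the instance that also runs the Add-on's transforms (a Heavy Forwarder or an indexer, per the installation notes above), otherwise the initial source type is never rewritten. A UDP listener offers no delivery guarantee and neither listener gives you the on-disk buffering that a syslog server writing to /var/log/vectra provides, which is why the syslog server plus Universal Forwarder method is the recommended one.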

Source types list

The initial source type must be set to vectra:cognito:detect:json; a set of transform rules included in the Add-on then rewrites the source type according to the type of event received:

  • vectra:cognito:audit:json

  • vectra:cognito:campaigns:json

  • vectra:cognito:detect:json

  • vectra:cognito:accountdetect:json

  • vectra:cognito:health:json

  • vectra:cognito:hostscoring:json

  • vectra:cognito:accountscoring:json

  • vectra:cognito:accountlockdown:json

  • vectra:cognito:hostlockdown:json

  • vectra:cognito:match:json

Tip!! To validate that the Add-on is working as expected, filter on the index where the Vectra Detect events are located and look at the list of source types. It should contain a subset of the list above. If only vectra:cognito:detect:json is shown, the Add-on's transforms are not being applied: check that the Add-on is installed on the Heavy Forwarders or indexers that first parse the data, and that the Detect syslog format is set to JSON.
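The tip above as a search you can run (or save as an alert) against the index. This is an added example, not part of the Add-on; it assumes the index is named vectra_detect, as in the network input steps above, so substitute your own index name. It lists the source types seen in the last 24 hours with their event counts and first/last timestamps, and flags the failure case where only the initial source type is present:

```spl
index=vectra_detect earliest=-24h
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY sourcetype
| eventstats dc(sourcetype) AS distinct_sourcetypes
| eval status=case(
    distinct_sourcetypes==1 AND sourcetype=="vectra:cognito:detect:json", "FAIL: transforms not applied",
    NOT match(sourcetype, "^vectra:cognito:[a-z]+:json$"), "WARN: unexpected source type",
    true(), "OK")
| convert ctime(first_seen) ctime(last_seen)
| table sourcetype events first_seen last_seen status
```

A healthy deployment returns several rows, all OK; the row for vectra:cognito:detect:json itself is expected, since that source type legitimately remains for detection events (it is in the list above). A single FAIL row means events reach the index but the transforms never ran. A WARN row means something is writing into the index with a source type the Add-on does not produce, for instance another input sharing the same index or a typo in the sourcetype line of an input stanza.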

Supported CIM Data models

The following data model is supported:

  • Intrusion Detection

More information on CIM Data models is available in the Splunk Common Information Model documentation.

Vectra Detect Syslog Configuration

In the Detect UI, go to Settings > Notification. The Syslog configuration is at the bottom of the page; click its Edit button:

Configure the **IP address of your syslog server**, the Port and the Protocol. Select JSON for the format; the Add-on's transforms only recognise JSON events. Then choose which log types you want to receive. For most cases, just select all of them! Click Save when you are done.

A second round of configuration fine-tunes which events are sent. Edit the syslog configuration again. On the right side there are three switch buttons (all off by default):

  • Include triaged Detections: When turned off, syslog messages will not be sent when triaged detections are created or updated.

  • Include detections in Info category: When turned off, syslog messages will not be sent when detections in the info category are created or updated.

  • Include host/account score decreases: When turned off, syslog messages will not be sent when neither the threat score nor the certainty score increases (both decrease or stay the same). This applies to both hosts and accounts.

Change the configuration of those 3 switch buttons based on your preferences.

The last piece of configuration is the checkbox for Enhanced Details. When it is on, event logs will include additional host, account, and detection attributes. This will benefit users looking for more detail in syslog, such as those that utilize a SIEM as their primary dashboard.

Click Save
