# Splunk - Vectra Detect Add-On and Syslog Configuration (QUX)

The [Splunk Integration Guide for Vectra AI](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux) provides an overview of Vectra's integration with Splunk and should be your starting point if you have not already read it. That guide serves as an overview of the Vectra data sources and various Add-ons and Apps required for integration. It also provides navigation to other related articles.

The [Splunk - Vectra Detect Integration Steps](https://docs.vectra.ai/configuration/response/siem/splunk-vectra-detect-integration-steps-qux) article details the overall process of integrating Vectra Detect / Match with Splunk and may have pointed you to this article.

## Technology Add-On for Vectra Detect (JSON) Installation

**Using a syslog server and Universal Forwarder (Recommended)**

* The Add-on must be installed on Search Heads.
* For standalone deployments
  * Install the Add-on
* For distributed deployments:
  * If data is collected through Intermediate Heavy Forwarders, the Add-on must be installed on Heavy Forwarders and should not be installed on indexers.
  * If you do not have Heavy Forwarders, the Add-on must be installed on the indexers.
* The Add-on expects an initial source type named `vectra:cognito:detect:json`; its transform rules then rewrite the source type to a more specific one based on the event type (see the source type list below).
* Syslog server must be installed to receive logs from Vectra Detect (outside of the scope of this guide).
* Install the [Splunk Universal Forwarder](https://www.splunk.com/en_us/download/universal-forwarder.html).
* Configure inputs (see example below).

```
## inputs.conf example. The stanza should be copied e.g. to $SPLUNK_HOME/etc/system/local/inputs.conf

# Example input when syslog-ng/rsyslog is used.
# The index named here must already exist on the indexers: events sent to an
# unknown index are dropped unless a last-chance index is configured.

[monitor:///var/log/vectra/*.log*]
index = <your destination index goes here>
sourcetype = vectra:cognito:detect:json
```
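Before pointing the Universal Forwarder at the directory, it is worth checking what the syslog server actually writes there. The `vectra:cognito:detect:json` source type expects each line to be a bare JSON object; a syslog template that prepends priority, timestamp and hostname (the default file template of rsyslog and syslog-ng does this) buries the JSON behind a header, and it is a reasonable assumption, not something stated in the Add-on documentation, that the Add-on's field-based transforms then cannot match, leaving every event stuck on the initial source type. The following checker is an added example written for this page, not code shipped with the Vectra Add-on or Splunk. The sample lines and their field names are constructed for illustration and do not reflect Vectra's real event schema.

```python
"""Pre-ingest sanity check for the files the Universal Forwarder monitors.

Added example, not part of the Vectra Add-on. It verifies that every line the
syslog server wrote is a standalone JSON object (what the
vectra:cognito:detect:json source type expects) and flags lines where a syslog
header was prepended before the JSON payload, or where the JSON is truncated.
"""
import json
from collections import Counter
from pathlib import Path
from typing import Iterable

# Constructed sample lines standing in for /var/log/vectra/*.log content.
# The field names are placeholders, not Vectra's actual event schema.
SAMPLE_LINES = [
    '{"event": "detection", "host": "ws-1234", "severity": 7}',
    '{"event": "hostscoring", "host": "ws-1234", "threat": 45, "certainty": 60}',
    # A header was prepended: default rsyslog/syslog-ng file templates do this.
    'Jan 10 12:00:01 vectra-brain {"event": "campaign", "id": 17}',
    # Truncated line (e.g. a UDP datagram cut short or an interrupted write).
    '{"event": "audit", "user": "admin", "action": "login"',
    "",  # blank line, ignored
]


def classify_line(line: str) -> str:
    """Return 'json', 'prefixed' or 'malformed' for one log line.

    'json'      - the whole line is a JSON object (what the Add-on expects)
    'prefixed'  - a JSON object follows a non-JSON prefix such as a syslog header
    'malformed' - no complete JSON object could be parsed from the line
    """
    stripped = line.strip()
    start = stripped.find("{")
    if start == -1:
        return "malformed"
    try:
        obj = json.loads(stripped[start:])
    except json.JSONDecodeError:
        return "malformed"
    if not isinstance(obj, dict):
        return "malformed"
    return "json" if start == 0 else "prefixed"


def check_lines(lines: Iterable[str]) -> Counter:
    """Count line classes across an iterable of lines, skipping blank lines."""
    counts: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        counts[classify_line(line)] += 1
    return counts


def check_directory(path: str, pattern: str = "*.log*") -> Counter:
    """Run check_lines over every file the inputs.conf monitor stanza would match."""
    total: Counter = Counter()
    for file in Path(path).glob(pattern):
        with file.open(encoding="utf-8", errors="replace") as fh:
            total.update(check_lines(fh))
    return total


def verdict(counts: Counter) -> bool:
    """True only when every non-blank line is a bare JSON object."""
    return counts["prefixed"] == 0 and counts["malformed"] == 0


if __name__ == "__main__":
    import sys

    # With a directory argument, inspect real files; otherwise use the samples.
    counts = check_directory(sys.argv[1]) if len(sys.argv) > 1 else check_lines(SAMPLE_LINES)
    for kind in ("json", "prefixed", "malformed"):
        print(f"{kind:10s} {counts[kind]}")
    if not verdict(counts):
        print("Adjust the syslog template so only the JSON payload is written per line.")
        sys.exit(1)
```

Run it as `python3 check_vectra_json.py /var/log/vectra` on the syslog host (the script name is arbitrary). A non-zero `prefixed` count points at the syslog template; a non-zero `malformed` count usually means truncated messages, which is one more reason to prefer TCP over UDP between the Vectra brain and the syslog server.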

**Please Note!! The Add-on is installed by default with Global permissions.**

**Using a Splunk Network Input**

1. On the Splunk dashboard, click Settings > Data Inputs
2. Click “Add new” under TCP or UDP\
   a. Select TCP or UDP\
   b. Add a port number\
   c. As *Source type*, select `vectra:cognito:detect:json` from the list\
   d. As *App Context*, select `vectra_cognito` (this App)\
   e. As *Index*, create a new one\
   f. Fill *Index Name*, e.g. `vectra_detect`
3. Save

**Source types list**

The initial source type must be set to `vectra:cognito:detect:json`; a set of transform rules included in the Add-on then rewrites the source type based on the type of event received:

* `vectra:cognito:audit:json`
* `vectra:cognito:campaigns:json`
* `vectra:cognito:detect:json`
* `vectra:cognito:accountdetect:json`
* `vectra:cognito:health:json`
* `vectra:cognito:hostscoring:json`
* `vectra:cognito:accountscoring:json`
* `vectra:cognito:accountlockdown:json`
* `vectra:cognito:hostlockdown:json`
* `vectra:cognito:match:json`

**Tip!! To validate that the Add-on is working as expected, filter on the index where the Vectra Detect events are located and look at the list of source types. It must contain a subset of the list above. If only `vectra:cognito:detect:json` is shown, the Add-on is not working as expected.**

**Supported CIM Data models**

The following data model is supported:

* Intrusion Detection

More information on [CIM Data models](https://docs.splunk.com/Documentation/CIM/5.0.1/User/Overview).

## Vectra Detect Syslog Configuration

In the Detect UI, go to **Settings > Notification**. At the bottom of the page you will find the Syslog configuration; click the **Edit** button:

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-494d2e0578ae02f1a0b8044345be1bca5704602d%2Fsplunk-vectra-detect-add-on-and-syslog-configuration-qux-1.png?alt=media)

Configure the **IP address of your syslog server**, the **Port** and the **Protocol**. Prefer TCP where your syslog server supports it: UDP syslog is lossy and gives the receiver no way to tell a spoofed sender from the Vectra brain, so if you must use UDP, restrict the listening port to the brain's address at the syslog host's firewall. Select *JSON* for the format. Then choose which log types you want to receive; in most cases, select all of them. Click **Save** when you are done.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-e6d3a406641c296c038dc93f20fb1fbae189dc1c%2F5fe4482377024f468668683c378b124c612f9880c4a0760a37ca0325f9dea475.jpg?alt=media)

There is additional configuration you can do in a second step to fine tune other aspects. **Edit** the syslog configuration again. On the right side you will see three switch buttons (all off by default):

* **Include triaged Detections:** When turned off, syslog messages will not be sent when triaged detections are created or updated.
* **Include detections in Info category**: When turned off, syslog messages will not be sent when detections in the info category are created or updated.
* **Include host/account score decreases**: When turned off, syslog messages will not be sent when threat and certainty scores are both decreasing and/or remain the same. This applies to both hosts and accounts.

Set these three switches according to your preferences.

The last piece of configuration is the **Enhanced Details** checkbox. When it is on, event logs include additional host, account, and detection attributes. This benefits users looking for more detail in syslog, such as those who use a SIEM as their primary dashboard.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-f0fe3c8795428cc069fc9f6f2a3923d22ecacc05%2Fd1c75dc485d03ea926013993aa4e4225aac34652a44fd2dafce17421b42589e2.jpg?alt=media)

Click **Save**

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-81e3a93e9345c2978bfda7e66e261fc617ba9b13%2F2152589b9c6f504c726f9196524e86b5e7b89476d7bc3e4c3db77c3a9d857f72.jpg?alt=media)
