# Splunk - Vectra Detect Integration Steps (QUX)

## Introduction

This article is meant to be used in conjunction with the [Splunk Integration Guide for Vectra AI](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux). It provides the following:

* An overview of Vectra's data sources that can feed Splunk.
* A listing of Vectra's Splunk Add-ons and Apps.
  * Links are provided to the Add-ons and Apps in Splunkbase.
* An installation matrix showing what needs to be installed where in your Splunk environment.
* Common prerequisites for any Vectra / Splunk integration.

## Steps

1. Read the [Splunk Integration Guide for Vectra AI](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux) and keep it handy for links to Splunk Apps and guidance to go along with this article.
   * Be sure to have created the required dedicated index for the Detect Add-on to use.
   * Please note that if you will be ingesting data from Vectra SaaS and a Brain based installation of the Vectra platform, both Add-ons will use the same index. Only create one index for both Add-ons.
2. Install the Add-on(s)
   * As per the [Splunk Integration Guide for Vectra AI](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux), the Vectra platform is available to deploy via Vectra SaaS or Brain based deployments.
   * If using Vectra SaaS:
     * [Install the Vectra SaaS Add-on for Splunk following these instructions.](https://docs.vectra.ai/configuration/response/siem/splunk-vectra-saas-add-on-configuration-qux)
   * If using the Vectra platform in a Brain based deployment (running in a supported IaaS cloud, virtual appliance, or physical appliance):
     * [Install the Technology Add-On for Vectra Detect (JSON) and configure your Brain to send Syslog data to Splunk following these instructions](https://docs.vectra.ai/configuration/response/siem/splunk-vectra-detect-add-on-and-syslog-configuration-qux).
3. Install the App using the instructions below.

## Detect App Installation

The App must be installed on Search Heads:

* On the main Splunk dashboard, click the **"+ Find More Apps"** sign to open the app browser (or **Manage > Find more Apps**).
* Search the app store for "**Vectra Cognito Detect**".
  * Click Install.
* Return to the main dashboard.

Once the installation is completed, the macro's configuration needs to be updated:

* Navigate to **Settings > Advanced search**.
* Click on **Search macros**.
* In the App dropdown list, select "**Vectra Cognito**".
* A macro named **vectra_cognito_index** must be listed.
  * Click on the name to edit it.
* Update the definition to match the name of the index where Vectra Detect events are located.
* Save.
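The same result can be reached by editing the configuration files directly, which is useful when the index and macro are managed by a deployment tool rather than through the UI. The fragment below is an added example, not configuration shipped by Vectra or Splunk: it creates the dedicated index from the Steps section (the index name `vectra_detect` is an assumed value; use whatever name you created) and sets the App's `vectra_cognito_index` macro so that it resolves to that index. The two stanzas belong in different files, as the comments indicate.

```ini
# --- $SPLUNK_HOME/etc/system/local/indexes.conf (on the indexers) ---
# One dedicated index shared by both the SaaS Add-on and the Detect (Syslog) Add-on.
# "vectra_detect" is an assumed example name; substitute the index you created.
[vectra_detect]
homePath   = $SPLUNK_DB/vectra_detect/db
coldPath   = $SPLUNK_DB/vectra_detect/colddb
thawedPath = $SPLUNK_DB/vectra_detect/thaweddb

# --- $SPLUNK_HOME/etc/apps/<vectra_cognito_app_dir>/local/macros.conf (on the search heads) ---
# Overrides the App's default macro definition. The app directory name is a placeholder;
# the definition must name the index where Vectra Detect events are located.
[vectra_cognito_index]
definition = index=vectra_detect
iseval = 0
```

After a restart (or a debug/refresh of the search head), confirm the macro expands to the right index by running `` `vectra_cognito_index` | head 5 `` in Search: if events are returned, the App's dashboards will populate; an empty result usually means the index name in the macro does not match the index the Add-on writes to.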
