Splunk - Vectra Detect Integration Steps (QUX)

End-to-end steps for integrating Vectra Detect (QUX) with Splunk, including which add-ons to install and how to configure the Detect app macro.

Introduction

This article is meant to be used in conjunction with the Splunk Integration Guide for Vectra AI. It provides the following:

  • An overview of Vectra's data sources that can feed Splunk.

  • A listing of Vectra's Splunk Add-ons and Apps.

    • Links are provided to the Add-ons and Apps in Splunkbase.

  • An installation matrix showing what needs to be installed where in your Splunk environment.

  • Common prerequisites for any Vectra / Splunk integration.

Steps

  1. Read the Splunk Integration Guide for Vectra AI and keep it handy; it holds the links to the Splunk Apps and the guidance that go along with this article.

    • Create the dedicated index the Detect Add-on requires before installing the Add-on.

    • If you will be ingesting data from both Vectra SaaS and a Brain-based installation of the Vectra platform, both Add-ons use the same index: create one index and point both Add-ons at it.

  2. Install the Add-on(s)

  3. Install the App using the instructions below.

Detect App Installation

The App must be installed on Search Heads:

  • On the main Splunk dashboard, click the "+ Find More Apps" link to open the app browser (or Manage > Find more Apps).

  • Search the app store for "Vectra Cognito Detect".

    • Click Install.

  • Return to the main dashboard.

Once the installation is completed, the macro's definition needs to be updated so that the App searches the right index:

  • Navigate to Settings > Advanced search.

  • Click on Search macros.

  • In the App dropdown list, select "Vectra Cognito".

  • A macro named vectra_cognito_index should be listed.

    • Click on the name to edit it.

  • Update the definition so that it selects the index holding the Vectra Detect events (the dedicated index created in step 1). The macro is saved even if the index name is misspelled or the index was never created on the indexers; the App's searches then simply return nothing.

  • Save.
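The macro edit is the step most often done wrong, because Splunk does not validate that the index named in a macro definition exists. The following Python script is an added example, not part of this article or of the Vectra App: it parses constructed indexes.conf and macros.conf fragments the way a deployment pre-flight check would and confirms that vectra_cognito_index resolves to an index that is actually defined. The index name vectra_detect, the placeholder definition index=vectra_cognito, and the assumption that the macro's definition is a plain index=<name> filter are all assumptions made for the example.

```python
"""Added example (not part of the Vectra article or app): a pre-flight check
that the Detect app's index macro points at an index that actually exists.

Splunk .conf files are INI-style stanzas, so configparser can read them.
Both conf fragments below are constructed for this example; the index name
vectra_detect and the placeholder definition index=vectra_cognito are
assumptions, not values taken from the app."""
from __future__ import annotations

import configparser
import re

# Constructed indexes.conf (indexer tier): the one dedicated index created for
# the Detect add-on, plus a volume stanza, which is not an index.
INDEXES_CONF = """
[volume:hot]
path = /opt/splunk/var/lib/splunk

[vectra_detect]
homePath = volume:hot/vectra_detect/db
coldPath = $SPLUNK_DB/vectra_detect/colddb
thawedPath = $SPLUNK_DB/vectra_detect/thaweddb
"""

# Constructed macros.conf (search head) as it might look right after the app
# is installed: the definition still names an index this deployment lacks.
MACROS_CONF_BEFORE = """
[vectra_cognito_index]
definition = index=vectra_cognito
iseval = 0
"""

# The same stanza after the "Search macros" edit described in the article.
MACROS_CONF_AFTER = """
[vectra_cognito_index]
definition = index=vectra_detect
iseval = 0
"""

MACRO_NAME = "vectra_cognito_index"


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk conf fragment. Splunk uses only '=' as the key/value
    delimiter, keys are case-sensitive (homePath), and values may contain '$'
    (so interpolation must be off)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def defined_indexes(indexes_conf: str) -> set[str]:
    """Stanza names in indexes.conf that are real indexes (not volumes or default)."""
    cp = parse_conf(indexes_conf)
    return {s for s in cp.sections() if s != "default" and not s.startswith("volume:")}


def macro_index(macros_conf: str, macro: str = MACRO_NAME) -> str | None:
    """Index name selected by the macro's definition, or None when the macro is
    missing or its definition is not a plain index=<name> filter (assumed shape)."""
    cp = parse_conf(macros_conf)
    if not cp.has_section(macro) or not cp.has_option(macro, "definition"):
        return None
    m = re.fullmatch(r'\s*index\s*=\s*"?([\w-]+)"?\s*', cp.get(macro, "definition"))
    return m.group(1) if m else None


def macro_points_at_existing_index(indexes_conf: str, macros_conf: str) -> bool:
    """True only when the macro resolves to an index defined in indexes.conf."""
    idx = macro_index(macros_conf)
    return idx is not None and idx in defined_indexes(indexes_conf)


if __name__ == "__main__":
    for label, conf in (("before edit", MACROS_CONF_BEFORE), ("after edit", MACROS_CONF_AFTER)):
        ok = macro_points_at_existing_index(INDEXES_CONF, conf)
        print(f"{label}: macro -> {macro_index(conf)!r}, index exists: {ok}")
```

On a live deployment you would read the search head's macros.conf (the App's local directory under $SPLUNK_HOME/etc/apps) and the indexers' indexes.conf instead of the inline strings. A quick manual check after saving is to run `vectra_cognito_index` (with the backticks, so Splunk expands the macro) followed by `| head 5` in Search: no error but no events usually means the macro names an index that is empty or does not exist.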
