Splunk - Vectra SaaS Add-on Configuration (QUX)
Install and configure the Vectra SaaS add-on for Splunk, including API client details, proxy options, and data inputs for scoring and detections.
The Splunk Integration Guide for Vectra AI provides an overview of Vectra's integration with Splunk and should be your starting point if you have not already read it. That guide serves as an overview of the Vectra data sources and various Add-ons and Apps required for integration. It also provides navigation to other related articles.
The Splunk - Vectra Detect Integration Steps article details the overall process of integration with Splunk from Vectra Detect and may have pointed you to this article.
Here is a demo video of the Add-on configuration:
It discusses the Add-on, what to install where in Splunk, how to install it, and how to configure the Add-on.
Vectra SaaS API Client Prerequisite
After creating an API client in your Vectra SaaS console, you will need the Client ID and Secret Key along with the hostname of your Vectra SaaS tenant (this should end in ".portal.vectra.ai"). For instructions on how to create an API client, please see either of the following articles:
Installation

| Splunk component | Install | Notes |
|---|---|---|
| Search Head | Add-on and App | Both must be installed for distributed or standalone Splunk |
| Indexer | Add-on only | Do not install on the Indexer if using Heavy Forwarders |
| Heavy Forwarder | Add-on only | Must be installed here if using Heavy Forwarders |
| Universal Forwarder | None | |
This chart from the Splunk Integration Guide for Vectra AI shows that the Add-on (this article) must be installed on your Search Head in the case of standalone or distributed environments. If you have a distributed environment using Heavy Forwarders, you must also install the Add-on on any Heavy Forwarders but should not install it on your Indexer. If you are not using Heavy Forwarders, you must install the Add-on on your Indexer. If using a Universal Forwarder, you do not need to install the Add-on on it.
The Add-on can be installed in one of three methods:
Method 1, from the Splunk app browser:
Go to Apps → Manage Apps → Browse more apps in your Splunk console. Search for Vectra SaaS and click Install.
You must have internet access for this method of Add-on installation.
This is equivalent to clicking + Find More Apps on the Splunk Home Dashboard.
Method 2, from a downloaded package:
Download the Add-on from Splunkbase.
Navigate to Apps → Manage Apps → Install app from file.
Select "Choose File" and select the App package you downloaded.
Select "Upload" and follow the prompts.
Method 3, by extracting the package manually:
Download the Add-on from Splunkbase.
Extract the downloaded app package directly into the $SPLUNK_HOME/etc/apps/ folder.
Configuration
Summary of Add-on configuration steps:
Configuration of the Account settings that allow Splunk to query the Vectra SaaS API.
Optional configuration of proxy settings if required for your Splunk instance to reach the Vectra SaaS API endpoints.
Choosing a logging level for the Add-on.
Creating Data Inputs for Account Scoring and Detection.
Account Settings:
Adding an Account:
Go to Apps > Vectra SaaS Add-on for Splunk > Configuration > Account.
Click "Add" and fill in the details.
The Account Name can be any unique name you like.
The Host Name should be the hostname of your Vectra SaaS tenant (do not add http:// or https://).
Paste the Client ID and Client Secret exactly as they were provided to you in the Vectra UI.
Click "Add".

Updating an Account:
Go to Apps > Vectra SaaS Add-on for Splunk > Configuration > Account.
Find the account you want to edit from the list of configured accounts.
Click on the pencil icon (edit button) under the Actions section.
Update the required parameters in the dialog box.
Click on Save.
Removing an Account:
Go to Apps > Vectra SaaS Add-on for Splunk > Configuration > Account.
Find the account you want to delete from the list of configured accounts.
Click on the trashcan icon (delete button) under the Actions section.
Click on Delete in the dialog box.
Please Note: Before removing the Account, make sure none of the Inputs are using the account you want to remove.
Proxy Configuration (if required in your environment):
Enabling a proxy:
Go to Apps > Vectra SaaS Add-on for Splunk > Configuration > Proxy.
Add the Proxy Type, Host, Port, Username, and Password.
Select the "Enable" checkbox and "Save" the details.
Disabling a proxy:
Go to Apps > Vectra SaaS Add-on for Splunk > Configuration > Proxy.
Deselect the "Enable" checkbox and "Save" the details.
Parameters:

| Parameter | Required | Description |
|---|---|---|
| Enable | No | Whether the proxy should be enabled |
| Proxy Type | Yes | Proxy type (HTTP/socks4/socks5) |
| Host | Yes | Hostname/IP |
| Port | Yes | Port of proxy |
| Username | No | Username for proxy |
| Password | No | Password for proxy |
Logging:
Users can configure the logging level for the Vectra SaaS Add-on for Splunk through this page.
Go to Apps > Vectra SaaS Add-on for Splunk > Configuration > Logging.
Select the "Log Level" from the drop-down and "Save" it.
The default log level is "Info".
Creating Data Inputs:
Go to Apps > Vectra SaaS Add-on for Splunk > Inputs.
Click on "Create New Input".
A dropdown will open with options for Account Scoring Input or Account Detect Input.
Select an option and a pop-up will appear where you can enter the required information.
Click on "Add".

Both Data Input types have the same options:

| Option | Description |
|---|---|
| Name | Unique name for the Data Input |
| Interval | Time interval of input in seconds |
| Index | Index where data will be stored |
| Vectra SaaS Account | Account that you have configured in the "Configuration" tab |
| Historical Data | Checkbox to pull historical data |
The Name, Interval, Index, and Vectra SaaS Account are required. The Historical Data checkbox is optional. If checked, the Add-on will pull historical data during the first connection to the API and then only new data on subsequent pulls.
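As an added example (not code from the Add-on or from this article), here is a Python pre-flight validator for the Account settings, Proxy parameters and Data Input fields described above, applying the constraints this article states before you click Add or Save. The hostname suffix, the proxy types and the 60 to 86400 second interval range come from the article; the function names, the whitespace check on credentials and the 1 to 65535 port range are assumptions.

```python
# Constraints stated in this article: the tenant Host Name ends in
# ".portal.vectra.ai" with no scheme, an input Interval is a positive integer
# from 60 to 86400 seconds, an enabled proxy needs Type, Host and Port.
VECTRA_SUFFIX = ".portal.vectra.ai"
INTERVAL_MIN, INTERVAL_MAX = 60, 86400
PROXY_TYPES = {"http", "socks4", "socks5"}


def check_account(name, host, client_id, client_secret):
    """Return a list of problems with an Account entry (empty list = OK)."""
    problems = []
    if "://" in host:
        problems.append("Host Name must not include http:// or https://")
    elif not host.lower().endswith(VECTRA_SUFFIX):
        problems.append(f"Host Name should end in {VECTRA_SUFFIX}")
    if not client_id or not client_secret:
        problems.append("Client ID and Client Secret are required")
    elif client_id != client_id.strip() or client_secret != client_secret.strip():
        # Assumption: stray whitespace is the usual copy/paste mistake.
        problems.append("Client ID/Secret carry stray whitespace; paste them exactly")
    return problems


def check_proxy(enabled, proxy_type, host, port):
    """Return problems with Proxy settings; a disabled proxy needs no checks."""
    if not enabled:
        return []
    problems = []
    if proxy_type.lower() not in PROXY_TYPES:
        problems.append("Proxy Type must be HTTP, socks4 or socks5")
    if not host:
        problems.append("Proxy Host is required")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("Proxy Port must be an integer from 1 to 65535")
    return problems


def check_input(name, interval, index, account, configured_accounts):
    """Return problems with an Account Scoring or Account Detect Data Input."""
    problems = []
    if not name.strip():
        problems.append("Name is required")
    if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
        problems.append("Interval must be a positive integer")
    elif not INTERVAL_MIN <= interval <= INTERVAL_MAX:
        problems.append(f"Interval should be in the range of {INTERVAL_MIN} to {INTERVAL_MAX}")
    if not index:
        problems.append("Index is required")
    if account not in configured_accounts:
        problems.append(f"Vectra SaaS Account '{account}' is not configured")
    return problems
```

The messages mirror the error strings listed under Troubleshooting below, so a non-empty result tells you which dialog field to fix before the Add-on rejects it.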
Uninstallation and Clean Up Steps
Remove $SPLUNK_HOME/etc/apps/TA-Vectra-SaaS
Remove $SPLUNK_HOME/var/log/splunk/ta_vectra_saas_*.log
To reflect the cleanup changes in the UI, restart the Splunk Enterprise instance.
Troubleshooting
Case #1 Configuration → Account → Not able to configure Vectra SaaS account
“Invalid client credentials. Please verify the provided client credentials.”
Verify Client ID and Client Secret.
Make sure the Client ID and Client Secret are not expired.
“API limit has been exceeded. Please retry after some time.”
The rate limit has been exceeded due to a large number of API calls. Wait for some time and try again.
“Connection unsuccessful: Status code - {}.”
For more information, check the $SPLUNK_HOME/var/log/splunk/ta_vectra_saas_account_validation.log file.
“Server error: Status code - {}. Cannot verify Vectra SaaS instance. Please try again.”
Make sure the correct client credentials are passed.
If a server error is logged, verify that the server is up and running. If the issue persists, contact Vectra SaaS support, because it is an API server-related issue.
“SSL certificate verification failed. Please add a valid SSL certificate.”
A valid SSL certificate is required. To have every request validate your SSL certificate, add the custom certificate to the $SPLUNK_HOME/etc/apps/TA-Vectra-SaaS/bin/ta_vectra_saas/aob_py3/certifi/cacert.pem file.
If SSL verification is not mandatory in your environment, you can disable it by switching the SSL_VERIFY flag to False in $SPLUNK_HOME/etc/apps/TA-Vectra-SaaS/bin/const.py. Be aware that this turns off certificate checking for every request the Add-on makes to the Vectra SaaS API.
“Invalid Proxy settings or Host Name. Please recheck your Proxy settings and Host Name.”
Verify the proxy credentials and try to connect to the Vectra SaaS API using the curl command to check whether the proxy is blocking access.
Command: curl <vectra_saas_portal_url> --proxy <[protocol://][proxy_username:proxy_password@]proxy_host[:proxy_port]>
Also verify that the correct Host Name is passed.
“Unexpected error occurred. Please verify the Host Name and check the `ta_vectra_saas_account_validation.log` file for more details.”
Check that the Platform URL is correct.
Check the internet connection while saving the Vectra SaaS account details.
For more details, check the `ta_vectra_saas_account_validation.log` file.
Case #2 Configuration → Account/Input → Not able to configure Vectra SaaS account
Possible root cause:
The logged-in Splunk user has no admin rights. Non-admin users are not able to access the Configuration/Input page in the TA.
Troubleshooting:
Check the logged-in user's role and make sure the user has admin rights.
Case #3 Configuration → Input → Not able to create Vectra SaaS Account Scoring/ Account Detection Input
“Interval should be in the range of 60 to 86400.”
Set the Interval value in the range of 60 to 86400.
It should be greater than or equal to 60 and less than or equal to 86400.
“Interval must be a positive integer.”
Enter an appropriate positive integer value for the Interval.
Case #4 Data Collection → Vectra SaaS Account and Inputs are configured but data is not getting collected in Splunk
Possible root causes:
If the Vectra SaaS Account was configured from the backend, the details/configuration may be invalid.
Troubleshooting:
Check Vectra SaaS Account Configuration.
Go to the Search tab.
Run the following search: index="_internal" source=*ta_vectra_saas_*.log and check the results.
Check DEBUG level logs.
Check if there are any ERROR logs related to Account Config when the input is invoked for data collection.
If the proxy is enabled and was configured from the backend, the proxy details may be invalid.
Troubleshooting:
Check the Proxy Configuration screen.
Check DEBUG level logs.
Check if there are any ERROR logs related to Proxy Config when the input is invoked for data collection.
Case #5 Field Extraction → Data Collection is done but the extracted fields are not showing up in Splunk search UI.
Possible Root Causes:
Fast Mode is selected while performing a search.
Troubleshooting:
Change the Mode to 'Verbose' Mode
Re-run the search
Check whether the Fields are shown in the search UI.
The source and sourcetype of the data do not match the list of sourcetypes for which extractions are written.
Troubleshooting:
Check the value of source and sourcetype in the extracted fields.
To check the extractions, follow the steps below.
Go to /opt/splunk/etc/apps/TA-Vectra-SaaS
Go to default
Open props.conf
Validate the sourcetype mentioned in props.conf and compare it with the sourcetype Splunk extracted.
Make sure both sourcetypes are the same.
Case #6 Data Collection → ‘Account Scoring’ or ‘Account Detection’ Input → Getting less events ingested into Splunk instances than the actual events returned from API.
Possible Root Cause:
There might be an error during data collection, logged in the log file for that particular input, such as ta_vectra_saas_*.log.
Troubleshooting:
Check the log files if there are any errors
Log file location:
$SPLUNK_HOME/var/log/splunk/ta_vectra_saas_account_scoring_input_<account_scoring_input_name>.log
or
$SPLUNK_HOME/var/log/splunk/ta_vectra_saas_account_detection_input_<account_detection_input_name>.log
Check the 'number of events ingested' log entry to see how many events are returned from the API.
Compare it with Splunk search UI.
Troubleshooting:
Try increasing the truncate size for larger events in $SPLUNK_HOME/etc/apps/TA-Vectra-SaaS/local/props.conf, where the current truncate value is 9999999.
If an event is not being extracted properly, add $SPLUNK_HOME/etc/apps/TA-Vectra-SaaS/local/limits.conf with the following content:
[kv]
limit = <integer>
maxchars = <integer>
maxchars = <integer>: truncate _raw to this size and then do auto KV. Default: 10240 characters.
General Checks
Add-on icons are not showing up:
The Add-on does not require restart after the installation in order for all functionalities to work. However, the icons will be visible after one Splunk restart post installation.
If you are still having problems, run the following command from the command line to generate a diag and send it to Vectra support.
$SPLUNK_HOME/bin/splunk diag --collect app:TA-Vectra-SaaS