SIEM (Vectra Brain ingesting logs)

SIEM Event Forwarding functionality is available in your Vectra UI at Settings > External Connectors > SIEM. The attached document speaks to the capabilities of the feature.

!! Please note:

  • Vectra plans to deprecate the Kerberos event ingestion functionality of this feature and rename it to "DHCP Log Ingestion" in a future release.

  • With the existing implementation, Windows Security Event Log data was limited to Kerberos event 4768, and this feature used that data only to provide naming artifacts for Vectra's automated Host ID capability. It did not feed the Kerberos learnings used by Vectra's Privileged Access Analytics (PAA) AI models.

  • Windows Event Log Ingestion (WELI) is also available in Settings > External Connectors.

    • WELI accepts both 4768 and 4769 Kerberos events.

    • WELI feeds both Host ID and Kerberos learning needed for PAA detections.

  • Use SIEM Event Forwarding only to feed DHCP log data into Vectra, and use WELI for Windows Security Event Log Kerberos messages.

    • Enabling both of these integrations is considered a best practice.
