Splunk integration

This article is meant to be used by customers who will be integrating Vectra Stream metadata into their Splunk installation.

Introduction

This article is meant to be used in conjunction with the Splunk Integration Guide for Vectra AI (for the Quadrant UX) or the Splunk Integration Guide for Vectra XDR (For the Respond UX). If you are unsure of which UX you are using, please see Vectra Analyst User Experiences (Respond vs Quadrant). Either article will provide the following:

  • An overview of Vectra's data sources that can feed Splunk.

  • A listing of Vectra's Splunk Add-ons and Apps.

    • Links are provided to the Add-ons and Apps in Splunkbase.

  • An installation matrix showing what needs to be installed where in your Splunk environment.

  • Common prerequisites for any Vectra / Splunk integration.

As of Vectra software versions 8.1 and above, Vectra supports the use of Splunk's HTTP Event Collector (HEC) as the recommended publisher option for Stream metadata transport to Splunk.

Overview of Steps

1

Read the integration guide for RUX or QUX

Links are in the introduction. Keep it handy for links to the Splunk apps and for guidance that goes along with this article.

2

Create a Splunk index

To be used for Vectra Stream metadata, using the instructions below.

3

Install the Stream Add-on

On Search Heads, and on Heavy Forwarders or indexers depending on your deployment (see section 3).

4

Create a Splunk Data input

Choose option 4A or 4B:

4A - Configure a Splunk HEC Data Input / Token (recommended in Vectra v8.1 and higher)

4B - Install Syslog Server / Universal Forwarder / Network Data input.

5

Install the Stream App

On Search Heads, then point its index macros at the Stream and NDR/Detect indexes (see section 5).

6

Configure Stream to send metadata to Splunk using either

  • Publisher of "Splunk HEC" with Splunk HEC URI Format matching "Splunk Enterprise" or "Splunk or Splunk Cloud Platform", pointed at the server IP/Hostname and port number where Splunk's HEC is listening. You will also need to input the HEC token from your Splunk deployment. This is the recommended method in Vectra software versions 8.1 and above.

  • Publisher of "Raw JSON" using Protocol of "TCP", pointed at the server IP/Hostname and port number of your choice where Splunk will be listening.

2. Create a Splunk Index for Vectra Stream Metadata

  • Create a new index in Splunk; you can select "Search & Reporting" as the App.

  • Configure other options as desired.

3. Stream Add-on Installation

  • The Add-on must be installed on Search Heads.

  • For standalone deployments

    • Install the Add-on

  • For distributed deployments:

    • If data is collected through Intermediate Heavy Forwarders, the Add-on must be installed on Heavy Forwarders and should not be installed on indexers.

    • If you do not have Heavy Forwarders, the Add-on must be installed on the indexers.

  • The Add-on expects an initial source type named vectra:stream:json; that source type is then transformed into more specific ones (see the source type list below).

  • Please Note!! The Add-on is installed by default with Global permissions.

Source types list

The initial source type must be set to vectra:stream:json. A set of transform rules included in the Add-on then modifies the source type based on the type of event received:

  • vectra_isession

  • vectra_ssl

  • vectra_x509

  • vectra_dns

  • vectra_beacon

  • vectra_http

  • vectra_dhcp

  • vectra_radius

  • vectra_smbfiles

  • vectra_smbmapping

  • vectra_kerberos

  • vectra_ntlm

  • vectra_dcerpc

  • vectra_ldap

  • vectra_ssh

  • vectra_smtp

Tip:

To validate that the Add-on is working as expected, filter on the index you created for Vectra Stream metadata and look at the source types list. It must contain a subset of the above list. If only vectra:stream:json is shown, the Add-on is not working as expected; check that it is installed where the data is parsed (Heavy Forwarders, or the indexers if you have none, as described above).

Supported CIM Data models

The following data models are supported:

  • Network Traffic (isession metadata)

  • Network Resolution (dns metadata)

  • Email (smtp metadata)

  • Network Sessions (dhcp metadata)

  • Web (httpsessioninfo metadata)

More information on CIM Data models.

4A - Configure a Splunk HEC Data Input / Token

This is the recommended option in Vectra software versions 8.1 and higher.

Details below are for Splunk Enterprise. If using Splunk Cloud, the procedure is similar; see https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/UsetheHTTPEventCollector for details from Splunk.

  • Navigate in Splunk to Settings > Data Inputs > HTTP Event Collector.

  • Click on "Global Settings" in the top right.

    • Ensure that the "Enable SSL" checkbox is checked to allow Vectra to communicate with your Splunk instance, and save your settings. HEC then listens over HTTPS on the port set in Global Settings (8088 by default); this is the port you will enter in Vectra in step 6.

  • Click on "New Token" in the top right and step through the process of creating a new HEC token.

    • On the 1st screen:

      • Give your token a name.

      • DO NOT enable "Enable Indexer Acknowledgement" as it is not supported and if selected, data will not flow from Vectra to Splunk.

    • On the 2nd screen:

      • "Select" a source type of "vectra:stream:json".

      • "Select" the "Allowed Index" you previously created for Stream metadata.

    • On the 3rd screen:

      • Review your configuration, then click "Submit".

    • On the 4th screen:

      • Copy your token for later input to Vectra.

After completing the above steps, you should have a new token with a configuration that looks similar to this (click on the token name to compare your token to this sample):
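Before entering the token in Vectra, it is worth confirming from a host on the same network path that the token, the allowed index and the SSL setting actually accept an event. The following Python script is an added example, not code from Vectra or Splunk: it posts one marker event through the HEC endpoint using the settings above and explains Splunk's reply code, and it also implements the Tip from section 3 (checking whether transformed source types appear in the Stream index). The host name, port, token value and index name are placeholders you must replace.

```python
"""Check a Splunk HEC token before pointing Vectra Stream at it, and
evaluate the Add-on sourcetype check from the Tip in section 3.
Added example, not Vectra's or Splunk's code. Host, token and index
name below are placeholders to replace with your own values."""
import json
import ssl
import urllib.error
import urllib.request

SPLUNK_HOST = "splunk.example.com"                   # placeholder
HEC_PORT = 8088                                      # Splunk's default HEC port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"   # placeholder: token copied in 4A
STREAM_INDEX = "vectra_stream"                       # placeholder: index created in step 2
INITIAL_SOURCETYPE = "vectra:stream:json"

# Sourcetypes the Add-on's transforms derive from vectra:stream:json (list from section 3).
ADDON_SOURCETYPES = {
    "vectra_isession", "vectra_ssl", "vectra_x509", "vectra_dns", "vectra_beacon",
    "vectra_http", "vectra_dhcp", "vectra_radius", "vectra_smbfiles",
    "vectra_smbmapping", "vectra_kerberos", "vectra_ntlm", "vectra_dcerpc",
    "vectra_ldap", "vectra_ssh", "vectra_smtp",
}

# HEC reply codes (from Splunk's HEC documentation) that map to the settings made in 4A.
HEC_CODES = {
    0: "Success",
    3: "Invalid authorization: check the 'Authorization: Splunk <token>' header",
    4: "Invalid token: token mistyped or disabled",
    7: "Incorrect index: the index is not in the token's Allowed Indexes",
    10: "Data channel is missing: indexer acknowledgement is enabled on the token; disable it",
}


def hec_envelope(event: dict, index: str = STREAM_INDEX,
                 sourcetype: str = INITIAL_SOURCETYPE) -> dict:
    """HEC JSON envelope: the event body plus the Stream index and the initial
    sourcetype the Add-on expects; the sourcetype transforms run on the Splunk side."""
    return {"event": event, "index": index, "sourcetype": sourcetype}


def hec_request(envelope: dict, host: str = SPLUNK_HOST, port: int = HEC_PORT,
                token: str = HEC_TOKEN) -> urllib.request.Request:
    """POST to /services/collector/event. The token is a bearer credential:
    keep it scoped to the Stream index and sourcetype as in 4A."""
    return urllib.request.Request(
        f"https://{host}:{port}/services/collector/event",
        data=json.dumps(envelope).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def interpret_reply(reply_body: str) -> tuple:
    """Turn Splunk's {"text": ..., "code": ...} reply into (ok, explanation)."""
    reply = json.loads(reply_body)
    code = reply.get("code")
    return code == 0, HEC_CODES.get(code, f"code {code}: {reply.get('text')}")


def send_test_event(verify_tls: bool = True) -> tuple:
    """Send one marker event; HEC answers 4xx with a JSON body on auth/index errors."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: Splunk's default HEC certificate is self-signed
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = hec_request(hec_envelope({"message": "vectra-hec-check"}))
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return interpret_reply(resp.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_reply(err.read().decode())


def addon_transforms_active(sourcetypes_seen) -> bool:
    """Tip check: run `index=<stream index> | stats count by sourcetype` in Splunk
    and pass the sourcetype column here; True only if transformed types appear."""
    return bool(set(sourcetypes_seen) & ADDON_SOURCETYPES)


if __name__ == "__main__":
    ok, why = send_test_event()
    print("HEC test event:", "OK" if ok else "FAILED", "-", why)
```

Run it once with the real values filled in; a reply of code 0 means the token, index and SSL listener are ready for Vectra. If you see code 10, the token was created with "Enable Indexer Acknowledgement" turned on, which this page says Vectra does not support. The marker event itself will stay as vectra:stream:json, since it is not Vectra metadata; use the sourcetype check only after real Stream data has arrived.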

4B - Install Syslog Server / Universal Forwarder / Network Data Input

Creating a Splunk Network Input

  1. On the Splunk dashboard, click Settings > Data Inputs.

  2. Click "Add new" under TCP or UDP:

    a. Select TCP or UDP (Vectra's Raw JSON publisher sends over TCP; see step 6).

    b. Add a port number.

    c. As Source type, select vectra:stream:json from the list.

    d. As Index, select the index created in step 2, or create a new one.

    e. If creating a new one, fill in the Index Name, e.g. vectra_stream.

A plain TCP or UDP input receives the metadata unencrypted on the network; this is one reason the HEC option with "Enable SSL" checked is the recommended path.

  3. Save

5. Stream App Installation

The App must be installed on Search Heads:

  • On the main Splunk dashboard, click the "+ Find More Apps" sign to open the app browser (or Manage > Find more Apps).

  • Search the app store for Vectra Cognito Stream.

    • Click Install.

  • Return to the main dashboard.

Once the installation is completed, the macros' configuration needs to be updated:

  • Navigate to Settings > Advanced search.

  • Click on Search macros.

  • In the App dropdown list, select Vectra Cognito Stream.

  • A macro named: cognito_stream_index must be listed.

    • Click on the name to edit it.

  • Update the definition to match the name of the index where Vectra Stream events are located.

  • A macro named: vectra_cognito_index must be listed.

    • Click on the name to edit it.

  • Update the definition to match the name of the index where Vectra NDR/Detect events are located.

  • Save.

Please Note!! 99% of visualizations in the App are using the Vectra Stream data source. Only 3 visualizations are using the data from Vectra NDR/Detect (Host View dashboard).

6. Configuring Vectra Stream to Send Metadata to Splunk

Option 4A Example - Configure a Splunk HEC Data Input / Token

In your Vectra UI, navigate to Settings > Stream and set your Splunk HEC Publisher options similarly to this example, using the Splunk HEC URI Format that matches your deployment, the server IP/Hostname and HEC port from 4A, and the token you copied at the end of 4A:

Option 4B Example - Install Syslog Server / Universal Forwarder / Network Data Input

In your Vectra UI, navigate to Settings > Stream and set your destination as shown below, using whatever port you have configured your Splunk deployment to listen on:
