icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Vectra Cognito Detect
SHA256 checksum (vectra-cognito-detect_102.tgz) ffc70de83e9647900366773f3f4e18f30f27f21ebb080874176646e478de20a0 SHA256 checksum (vectra-cognito-detect_100.tgz) 9f75648614f912854a847fe9f488a9a48c424518907d03452cf2582fe5b742e4
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Vectra Cognito Detect

Splunk AppInspect Passed
This app is a successor to the "Vectra App for Splunk".
The Technology Add-on for Vectra Cognito is a pre-requisite for this app.

Compatible Versions:
Vectra Cognito Detect – 4.9 or newer
Splunk Enterprise version – 7.0 or newer

Set up Vectra Cognito TA
1) Login to Cognito UI
2) Browse to Settings > Notifications
3) Under Syslog, click “Edit”.
4) Add the Splunk URI / IP and select a listening UDP port number. Select UDP as the protocol and CEF as the format. Select all available log types. Click Save.

Set up Data Inputs (Single Splunk Instance)
Using a Splunk Network Input:
1) On the Splunk dashboard, click Settings > Data Inputs
2) Click “Add new” under UDP
a. Select UDP, add port number
b. Click Source type > Select “vectra:cognito:cef”
c. Click Index > Create a new index
d. Fill Index Name e.g. vectra_cognito
3) Save

Using a syslog server (Splunk best practice)
1. Set up Syslog-Server to log to a file
2. On the Splunk dashboard, click Settings > Data Inputs
3. Click “Add new” under Files & Directories Monitor
a. Browse File or Directory: Enter the file location here
b. Select Continuously Monitor
c. Click Source type > Select “vectra:cognito:cef”
d. Set the Host Name
e. Click Index > Create a new index
f. Fill Index Name e.g. vectra_cognito
4. Save

Download and Install Vectra Cognito app from the Splunkbase.
1) On the main Splunk dashboard, click the + sign to open the app browser.
2) Search the app store for Vectra Cognito. Click Install.
3) Now search for the app store for the Technology Add-on for Vectra Cognito. Click Install.
4) Return to the main dashboard.

Setup Vectra App
1) Within the Vectra App, click Settings
2) Select Advanced Search -> Search Macros
3) Edit the vectra_cognito_index macro and adjust the index definition to match the index that contains cognito events.

1) On the Splunk dashboard, go to the Search & Reporting app.
2) Search for index=”vectra_cognito_index”. Confirm that the events are flowing in.
3) After a period of time, go to the Vectra Cognito app. The app dashboard will populate as as detections fire and the host quadrant populates.

Release Notes

Version 1.0.2
April 24, 2019

Minor bug fixes

Version 1.0.0
April 17, 2019

Vectra Cognito Detect 1.0.0


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.