The Vectra Cognito Stream App for Splunk provides visualizations for the network metadata collected by Vectra Cognito Platforms.
The Vectra Cognito Stream technical Add-on needs to be properly installed, configured and functional on the appropriate Search Heads, indexers and Universal Forwarders.
Note: Do NOT configure inputs in Search Heads.
If using custom indexes, ensure that all Search Macros have been updated accordingly on the Search Heads.
This application needs to be installed only on Search Heads. Install the App by:
The application uses 2 different sources:
For that reason, there are 2 different search macros. To modify this setting, perform the following:
Vectra Cognito Stream App for Splunk leverages search macros to populate dashboard information. Failure to properly configure these macros can result in no or incorrect information being displayed.
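As an added illustration of what "updating the search macros" means in practice (this is not the app's own configuration; the macro name, sourcetype and index names below are hypothetical placeholders), a macro that still points at the default index returns no events once the Add-on writes to a custom index, so the override goes into the app's local macros.conf on each Search Head:

```ini
# Hypothetical $SPLUNK_HOME/etc/apps/<app>/local/macros.conf on a Search Head.
# The stanza name, sourcetype and index values are placeholders, not the app's real ones.
#
# Before (as shipped in default/macros.conf, for comparison):
#   [vectra_stream_metadata_example]
#   definition = index=main sourcetype=vectra_stream_example
# Every dashboard panel built on this macro is empty when the data lives elsewhere.

# After: the local/ copy overrides default/ and survives app upgrades.
[vectra_stream_metadata_example]
definition = index=vectra_custom_example sourcetype=vectra_stream_example
```

A quick check after the change is to run the macro by itself in the search bar, for example `` `vectra_stream_metadata_example` | head 10 `` over a recent time range; if that returns events but a dashboard panel stays empty, the panel is using the other macro, which needs the same edit.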
This is version 1.1.1
In addition to this app, to fully use its capabilities, you must install:
Add an IP to Hostname lookup page
Search optimizations using base searches
Time range is carried over between dashboards
Revamp Security Dashboards
Remove dashboard autorun. It is recommended to narrow down your search first and not run it across all your data.
Add SSH dashboard
Add total number of beacons in Beacons dashboard
Fix the link from Host view to Beacons dashboard
Remove Treemap in DNS dashboard to use table instead (perf)
Fix drilldown searches into Beacons dashboard
Host and Session views show SSH metadata
Use the metadata_type attribute for searches instead of vectra_metadata_xyz, as it is discarded by the syslog forwarder.
Minor fixes on a few searches
Enhanced JA3 lookup file to contain only the most popular UA for a JA3 hash.
Add Host Privilege score in the Host View.
Add Threat and Certainty scores + Severity into Host View.
Minor typo fixes
Add local lookup CSV files for JA3, JA3S, Alexa 1M and Open public DNS.
How to contact us:
General support: https://www.vectra.ai/support
Vectra website: https://www.vectra.ai