SHA256 checksum (vectra-cognito-stream_111.tgz) 34f23dd3fb3d11a3c285e1cbc1f3468523bf67cf23906130a1c0e02e43d319b9
Vectra Cognito Stream

Cognito Stream: network metadata with an opinion

Deliver scalable, security-enriched network metadata to feed custom detection and response tools
- Actionable network data in Zeek format
- Embedded with data science-derived security insights
- Associates network metadata with unique host attributes

Security-enriched metadata
- Hundreds of metadata attributes collected from cloud to enterprise
- Embedded machine learning-derived security insights
- Conduct investigations based on hosts, not IP addresses

Low-touch Zeek deployments
- Presented in a compact, easy-to-understand Zeek format
- Requires no performance tuning or ongoing maintenance
- More than five times the performance of self-managed deployments


Splunk integration with Vectra Solutions Sheet:

Cognito Stream Solutions Sheet:

Vectra Cognito Stream App for Splunk


The Vectra Cognito Stream App for Splunk provides visualizations for the network metadata collected by Vectra Cognito Platforms.


The Vectra Cognito Stream Technical Add-on needs to be properly installed, configured and functional on the appropriate Search Heads, Indexers and Universal Forwarders.

Note: Do NOT configure inputs on Search Heads.

If using custom indexes, ensure that all Search Macros have been updated accordingly on the Search Heads.


This application needs to be installed only on Search Heads. Install the app by:

  • Downloading the app (from Splunkbase).
  • In the UI, navigate to ‘Manage Apps’.
  • In the top right corner, select ‘Install app from file’.
  • Select ‘Choose File’ and select the app package.
  • Check the ‘upgrade’ box if an older version is already installed.
  • Select ‘Upload’ and follow the prompts, restarting Splunk as necessary.


The application uses 2 different sources:

  • Network Metadata from the Vectra Cognito Stream product (99% of searches are built from that source).
  • Host Score from Vectra Cognito Detect (for 3 visualizations only). The app pulls the Host Score from Cognito Detect syslog messages and displays the results directly on the Single Host View page.

For that reason, there are 2 different search macros. To modify these settings, perform the following:

  1. Select ‘Settings’
  2. Select ‘Advanced Search’
  3. Select ‘Search Macros’
  4. Select the App: Vectra Cognito Stream
  5. The macro named ‘cognito_stream_index’ is for the Vectra Cognito Stream index (default is named: stream). Change the name to match the index name used in your input configuration.
  6. The macro named ‘vectra_cognito_index’ is for the Vectra Cognito Detect index (default is named: index_vetcra_cognito). Change the name to match the index name used in your input configuration.

The Vectra Cognito Stream App for Splunk relies on search macros to populate dashboard information. Failure to properly configure these macros can result in no information or incorrect information being displayed.

Release Notes

Version 1.1.1
Oct. 16, 2019

This is version 1.1.1

In addition to this app, to fully use its capabilities, you must install:
URL Toolbox

What's new
Add an IP to Hostname lookup page
Search optimizations using base searches
Time range is carried over between dashboards
Revamp Security Dashboards
Remove dashboards autorun. It is recommended to narrow down your search first and not run it across all your data.
Bug fixes

Add SSH dashboard
Add total number of beacons in Beacons dashboard
Fix the link from Host view to Beacons dashboard
Remove Treemap in DNS dashboard to use table instead (perf)
Fix drilldown searches into Beacons dashboard
Host and Session views show SSH metadata

Use the metadata_type attribute for searches instead of vectra_metadata_xyz, as the latter is discarded by the syslog forwarder.
Minor fixes on a few searches

Enhanced JA3 lookup file to contain only the most popular UA for a JA3 hash.
Add Host Privilege score in the Host View.
Add Threat and Certainty scores + Severity into Host View.
Minor typo fixes

Add local lookup CSV files for JA3, JA3S, Alexa 1M and Open public DNS.

Initial release

How to contact us:
General support: https://www.vectra.ai/support
Vectra website: https://www.vectra.ai

