
Splunk Technology Add-on for Cognito Detect (JSON)

Overview

A new Splunk Technology Add-on (TA) is available which uses the JSON format instead of the CEF format used by the original TA from Vectra.

                                            "TA for Vectra Detect (JSON)"   "TA for Vectra Cognito" (CEF)
Syslog Format                               JSON                            CEF
Input Sourcetype                            vectra:cognito:json             vectra:cognito:cef
Published in Splunkbase                     Yes (link)                      Yes (link)
Compatible with "Vectra Cognito Detect" App Yes                             Yes

More information regarding the Vectra TAs and Apps for Splunk and additional download links can be found here: https://support.vectranetworks.com/hc/en-us/articles/360006424834-Vectra-Technology-Add-ons-and-Apps-for-Splunk

Why a new TA?

In releases 5.9 and 6.0, we introduced a new feature which allowed users to include additional information in a syslog event. It came first for Account and Host Scoring events (in 5.9), and then for Account and Host Detections (in 6.0). The goal of this feature is to provide additional detailed information in the syslog events to the SIEM and limit the need for a SOC Analyst to pivot to Detect. This is configurable in the Detect UI per destination. When using the CEF format, all this additional information included in the syslog events is stored in a single attribute in JSON format. Parsing syslog events that mix formats (CEF and JSON) presents some challenges and the solution can be cumbersome. For this reason, we decided to create a new TA which parses syslog events sent by Detect in full JSON format. This is something already supported by Detect (CEF, JSON and Standard are the 3 formats supported today).

Installation

Remove the legacy TA that used CEF format - If applicable

To allow the Vectra Cognito Detect App to be compatible with both TAs (CEF and JSON), we used the same Sourcetypes inside the index (after transformation during input) in both Add-ons. For that reason, you need to remove the previous TA before installing the new one.

Follow these instructions to remove the add-on: https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Managingappobjects

You need to remove this Add-on everywhere it has been installed: Heavy Forwarders, Indexers and Search Heads (it should not have been installed on Universal Forwarders).

If you want to keep Detect data (in CEF), do not delete the index or the data inside it. You can decide to send the Detect syslog events in JSON format into the same index or create a new one. It does not really matter; you just need to be aware that the apps (Vectra Detect or any other app like Search & Reporting) would only be able to parse the data properly in JSON format. The data in CEF format would only be accessible as raw events.

 

Where to install the new TA

Role                TA Required
Search Head         Yes
Indexer             Yes
Heavy Forwarder     Yes
Universal Forwarder No

 

Install the "Technology Add-on for Vectra Detect (JSON)"

Download the app from Splunkbase and then navigate in Splunk to Apps > Manage Apps:

Splunk_1.png

Click on "Install app from file":

Splunk_2.png

Upload the Add-on previously downloaded and click Upload. The new Add-on should be visible:

Splunk_3.png

Once it is installed, edit the Permissions:

Splunk_4.png

Select "All apps" then Save

Splunk_5.png


This allows any app to read the objects defined in this Add-on.

Configuration

Create a new index - If applicable

If you are moving from CEF to JSON, you can keep using the same index if you wish. If you are performing a new install, you will need to create a new index. To create a new dedicated index, follow the steps described below:

Go to Settings >Indexes

Index_1.png

Then click on New Index on the top right corner:

Index_2.png

Give it a name which is easy to remember and recognize. Set the App to Vectra Cognito.

Index_3.png

Click Save

 

Create a new Data Input

Most production deployments have a separate syslog server such as syslog-ng or rsyslog that receives the syslog events. This guide does not cover the configuration for that case. Here, we are creating a new TCP input directly in Splunk.

Go to Settings > Data Inputs

Input_1.png

Click on Add new for TCP type input:

Input_2.png

Configure a Port number (in this example, it is 5141/TCP) and click Next:

Input_3.png

In Source type, search for vectra keyword in the dropdown list:

Input_4.png

If the Add-on has been properly installed, you should see the sourcetype vectra:cognito:json in the list. Select it. If you don't see it, the Add-on has not been installed successfully. Select Vectra Cognito for the App Context and the newly created index (detect_json in this case).

Input_5.png

Click Next, then Submit if everything looks good:

Input_6.png

 

Configure Detect Syslog

In the Detect UI, go to Settings > Notification. At the bottom of the page, you have the Syslog configuration, click the Edit button:

Syslog_1.png

Configure the IP address of your syslog server, the Port and the Protocol. Select JSON for the format. Then you can choose which log types you want to receive. For most cases, just select all of them! Click Save when you are done.

Syslog_2.png

There is additional configuration you can do in a second step to fine-tune some other aspects. Edit the syslog configuration again. On the right side, you can see three switch buttons (all off by default):

  • Include triaged Detections: When turned off, syslog messages will not be sent when triaged detections are created or updated.
  • Include detections in Info category: When turned off, syslog messages will not be sent when detections in the Info category are created or updated.
  • Include host/account score decreases: When turned off, syslog messages will not be sent when threat and certainty scores are both decreasing and/or remain the same. This applies to both hosts and accounts.

Change the configuration of those 3 switch buttons based on your preferences.

The last piece of configuration is the checkbox for Enhanced Details. When it is on, event logs will include additional host, account, and detection attributes. This will benefit users looking for more detail in syslog, such as those that utilize a SIEM as their primary dashboard.

Syslog_3.png

Click Save

Syslog_4.png

 

Validation

The first step is to validate that data is received by Splunk and is indexed. The easiest way to do that is to open the Search & Reporting App and filter on the index name:

index="detect_json"

Below you can see the data is received and is in JSON format:

Validation_1.png

The second step is to validate that the data is parsed successfully by the Vectra Detect Add-on. To validate that it is working as expected at the indexer level, look at the different Source Types:

Validation_2.png

If you see multiple Sourcetypes, it means that the Add-on on the indexer is doing the transformation as expected. Then, to validate that it is working as expected at the Search Head level, expand one syslog event and look at the list of fields:

Validation_3.png

Certain fields are added by the Add-on, like:

  • vectra_url
  • vectra_timestamp
  • src
  • tags
  • etc.

Fields are not the same for all source types, but look at a couple of different types of events (a scoring event and a detection event are good candidates) and validate that you can see those fields. If that is the case, the Add-on is working as expected.

After a couple of hours (or the next day), open the Vectra Cognito App and check that the dashboards are populated.

Validation_4.png

*** Make sure the macro used by the Vectra Detect App, named vectra_cognito_index, is pointing to the right index! ***

 

FAQ

Do I need a new version of Detect App to use the TA in JSON?

No. The Detect App is compatible with both Add-ons. It does not matter if you ingest syslog in CEF or JSON format as long as you have the right Add-on installed.

Why are syslog headers not visible when I look at the RAW syslog event?

Splunk can parse all the attributes of a JSON document automatically, but the event needs to be exclusively JSON. Syslog headers are not JSON; only the message is. Regardless of the format used for the message (CEF, JSON or Standard), the syslog header structure is exactly the same and includes:

  • Priority
  • Timestamp
  • Hostname
  • application

Example below where the syslog header is: <13>Oct 1 22:23:07 A21000000000354 vectra_json_v2 -: 

<13>Oct  1 22:23:07 A21000000000354 vectra_json_v2 -: {"account_access_history": [], "tags": [], "service_access_history": [], "dvchost": "x29-1-37.sc.tvec", "host_ip": "172.16.199.72", "last_detection_type": "New Host", "href": "https://x29-1-37.sc.tvec/hosts/6302", "src_key_asset": false, "host_id": 6302, "headend_addr": "192.168.52.37", "category": "HOST SCORING", "dst_key_asset": false, "detection_profile": {"scoringDetections": ["Brute-Force (Botnet)"], "name": "botnet", "vname": "Botnet"}, "score_decreases": false, "host_groups": [], "mac_vendor": null, "certainty": 14, "vectra_timestamp": "1601590987", "threat": 6, "host_name": "rc-laptop", "version": "6.0", "mac_address": null, "privilege": null, "sensor": "Vectra X"}

In our case, the syslog header information is redundant with the information stored in the syslog message. To allow Splunk to receive only JSON data, the Add-on strips the syslog header, and what you see in Splunk is only:

{"account_access_history": [], "tags": [], "service_access_history": [], "dvchost": "x29-1-37.sc.tvec", "host_ip": "172.16.199.72", "last_detection_type": "New Host", "href": "https://x29-1-37.sc.tvec/hosts/6302", "src_key_asset": false, "host_id": 6302, "headend_addr": "192.168.52.37", "category": "HOST SCORING", "dst_key_asset": false, "detection_profile": {"scoringDetections": ["Brute-Force (Botnet)"], "name": "botnet", "vname": "Botnet"}, "score_decreases": false, "host_groups": [], "mac_vendor": null, "certainty": 14, "vectra_timestamp": "1601590987", "threat": 6, "host_name": "rc-laptop", "version": "6.0", "mac_address": null, "privilege": null, "sensor": "Vectra X"}
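As an added example (not code from the article or from the Add-on), the Python function below does the same split on a raw Detect event: it separates the four header fields from the JSON message and parses only the message, which lets you verify what Detect is sending before it reaches Splunk. The header layout and the "-: " token are assumed from the sample line on this page; the sample event is constructed from a subset of that line's fields.

```python
import json
import re

# Header layout assumed from the sample event on this page:
#   <PRI>Mmm dd HH:MM:SS hostname application -: message
# Lines that do not match are treated as header-less, not mangled.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<application>\S+) -: "
    r"(?P<message>.*)$",
    re.DOTALL,
)


def split_syslog_event(line: str):
    """Return (header_or_None, parsed_message).

    As the Add-on does, only the message is handed to the JSON parser;
    the header fields are kept aside. Raises ValueError when the message
    is not valid JSON (the case where Splunk's automatic extraction fails).
    """
    m = HEADER_RE.match(line)
    if m is None:
        header, body = None, line
    else:
        pri = int(m.group("pri"))
        header = {
            "priority": pri,
            "facility": pri // 8,  # RFC 3164: PRI = facility * 8 + severity
            "severity": pri % 8,
            "timestamp": m.group("timestamp"),
            "hostname": m.group("hostname"),
            "application": m.group("application"),
        }
        body = m.group("message")
    try:
        return header, json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"syslog message is not JSON: {exc}") from None


# Constructed sample: the header plus a subset of the fields from this page's example event.
SAMPLE = (
    '<13>Oct  1 22:23:07 A21000000000354 vectra_json_v2 -: '
    '{"category": "HOST SCORING", "host_name": "rc-laptop", "host_ip": "172.16.199.72", '
    '"threat": 6, "certainty": 14, "score_decreases": false, "vectra_timestamp": "1601590987", '
    '"detection_profile": {"scoringDetections": ["Brute-Force (Botnet)"], "name": "botnet"}, '
    '"href": "https://x29-1-37.sc.tvec/hosts/6302", "sensor": "Vectra X", "version": "6.0"}'
)
```

Feed it lines captured from the TCP input (for example with tcpdump or a small socket listener) to confirm the message part is valid JSON before troubleshooting the Add-on.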