

The Vectra App for Splunk

© 2017 Vectra Networks 1

Table of Contents

Overview
Getting started
  Installation
  Setup
Using the Vectra App for Splunk
  The Vectra Dashboard
  Hosts
  Detections
  Correlations
Technical support


Overview

The Vectra App for Splunk allows users to seamlessly integrate real-time automated threat management from Vectra® Networks with the operational intelligence of their Splunk deployment.

Vectra uses a patent-pending combination of data science, machine learning and behavioral analysis to reveal the fundamental characteristics of malicious threat behavior without the need for countless signatures and reputation-based rules.

Vectra automatically correlates all detections related to the same host and creates a confidence score to prioritize the hosts that pose the greatest risk.

This app for Splunk incorporates Vectra high-value detections into existing workflows and automates their correlation with logs from devices in the Splunk database, providing greater context of a threat.

The Vectra App for Splunk provides an extraordinary range of threat intelligence to the Splunk machine-data repository, including detections of unknown malware and attack tools, threats that hide in common apps and encrypted traffic, and in-progress threats in every phase of the attack kill chain. Vectra also pre-correlates threat events to specific physical hosts to enable faster investigations and responses.

Splunk captures, indexes and correlates Vectra threat detection data in real-time, making it available in a searchable repository from which you can generate graphs, reports, alerts, dashboards and visualizations.


Version compatibility

Splunk version 6.3, 6.4: Vectra App for Splunk version 1.x
Splunk version 6.5, 6.6: Vectra App for Splunk version 2.x

Features at a glance

The Vectra App for Splunk provides the following unique capabilities:

- Gather information on the state of the environment.
- Quickly determine which users have triggered the highest-risk detections.
- Rapidly identify the categories and types of detections that are present.
- Review activity over time for detection categories, types, hosts, and campaigns.
- Review audit logs.
- Correlate Vectra detections with other SIEM events.

Getting started

Installation

The Vectra App for Splunk is currently available on Splunkbase. To install the application:

1. Log into the Splunk Web interface.
2. From the main dashboard, click on the star in the upper left hand corner next to Apps, as shown below.
3. From the Apps page, select Browse for more apps and you will be redirected to Splunkbase. From there, search for the Vectra App for Splunk.

If you have already downloaded the Vectra App for Splunk, you can click Install app from file, as shown below. From there, you can point to the downloaded app and select upload.


4. You can then return to the main dashboard and select the Vectra App for Splunk.

Setup

Once the app is installed, apply the data type/parser to your input. If your Vectra appliance is already sending logs to Splunk, go to the Add Data screen, select Input Settings and change the source type to Vectra-CEF, as shown below.

If you are configuring Splunk to receive logs from your appliance, define the source type as part of defining the data input. After you assign the source type to the input, the received logs will be parsed appropriately. To verify that your logs are being handled properly, search for any new logs that have been sent since you defined the input or updated it with the appropriate parser. You should then see events with the source type Vectra-CEF.

Using the Vectra App for Splunk

The workflow of the Vectra App for Splunk moves from left to right, starting with the Dashboard. The Dashboard gives you a fixed, at-a-glance view of detections that occurred in the last 24 hours.

Next, the Hosts page provides more details around the devices in the environment that aren't exposed in the Dashboard and lets you modify your search criteria, such as filtering specific severities (critical, high, medium, low), searching a specific time window or searching for a specific host.

Detections, the third page, provides the greatest detail. It shows individual events, or detections, and their scores. The aggregation of these individual events is what drives the scores on the Hosts page.

The Campaigns page shows the individual campaigns that have been identified and the number of events associated with each campaign.

The Audit Logs page provides a way to review system-related activity. Activity such as system changes, log in/out events, and events related to the creation and deletion of triage rules can easily be filtered and associated with specific users.

The last page, Correlations, shows events from other devices within the environment that provide an additional level of detail to the activity that is occurring within the environment.

The Vectra Dashboard

Like the intuitive Vectra product UI, the Dashboard in the Vectra App for Splunk provides a quick view into activity. The default view is a 24-hour window, but can easily be changed to suit your needs. It includes a view of the host severity quadrants, worst offenders, key assets, and detections by type and category.


The Dashboard in the Vectra App for Splunk.

All statistics and graphs in the Dashboard are hyperlinked to more detailed information. Below is a summary of the hyperlinked content and the page views it leads to.

- Severity quadrants: Clicking on any one of the severity quadrants will direct you to the Hosts page and filter for that specific severity quadrant.
- Worst offenders: Clicking any item in the row will take you to the Hosts page with a search applied for the specific host.
- Detection by type: Clicking on a bar in this chart will direct you to the Detections page and apply a filter for that specific type.
- Detection by category: Clicking on a bar in this chart will take you to the Detections page and apply a filter for that specific category.


Hosts

The Hosts page in the Vectra App for Splunk shows a scatter plot of host detections based on certainty and threat and provides a list of hosts sorted by threat. The default time window for this view is 24 hours and it can be changed using the time selector.

The Hosts page in the Vectra App for Splunk.

The Hosts page can also be filtered based on severity, and search criteria (a hostname or IP address) can be entered to further refine the search. The Hosts page does not show host details.

Selecting the Hostname, Source or Destination column takes you to the Detections page and the value of the cell you click will be applied as search criteria. The Threat, Certainty and Last Detection columns are not hyperlinked to additional information.

To maintain efficient log parsing, some details of original logs that are not necessary for correct parsing are not incorporated into the Vectra App for Splunk.


Comprehensive details are available through a pivot directly back into the Vectra user interface via a click on the link in the Host Details column.

Detections

The default view of the Detections page shows activity over the last 24 hours.

The Detections page defaults to a 24-hour view, but has a configurable time window, can be filtered based on category and/or type, and is searchable based on hostname or IP address.

Due to color-coding and order of appearance, visibility of activities in the Activity over Time chart may be hampered. To view activity that is hidden, hover your cursor over the activity name in the legend and it will be highlighted in the graph.

The drilldown capabilities on the Detections page include:

Category: Select Category to apply it as a filter in the current view (all other fields are reset to their default values).

Type: Select Type to apply it as filter in the current view (all other fields are reset to their default values).

Hostname: Select Hostname to apply it to the search string (all other fields are reset to their default values).

Source or Destination: Selecting the Source or Destination field will direct you to the Correlations page and apply the value to the search criteria.

The same additional detail for logs (available for the Host Details) is available through a pivot into the Vectra UI via the links in the Detection Details column.

It is important to note the Detections page categories and types are dynamically generated based on events that have occurred over the previous 30 days. If you find that not all categories and types are listed, it is likely because these types of events have not occurred within this window of time.


The Detections page in the Vectra App for Splunk.

Correlations

The Correlations page is the most important page for long-term success because it provides the most valuable feedback about active cyber threats. This page is critical for conducting searches for all host detections (source and destination IP address) over a given period.

Once a list of IP addresses is generated, it can be used to query against the data set as a whole to find events from other systems that match the host detections. A list can be additionally filtered using tags that follow the Splunk Common Information Model.

Please note that the size of the data set has a significant impact on the response time of a query. To avoid a slow, overly long query response time, the default time window is set at 24 hours.


It is also important to keep in mind that filters and tags can provide a significant amount of value. Keeping query response times to a minimum will still provide you with a tremendous volume of intelligent, actionable detail.

Events that match your search criteria are shown in a table with the following fields:

- Timestamp
- Source IP
- Destination IP
- Source: Input source of the event (e.g. filename, <protocol>:<port>)
- Product: Product that is defined in the Splunk Technology Add-on (TA)
- Source type: Type that is defined in the Splunk TA (i.e. Vectra-CEF)
- Tags: Tags that were applied to the event
- Raw: Raw event that was generated
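The correlation search described above, as an added SPL example that is not part of this guide or the Vectra app: the subsearch collects every source and destination IP from Vectra-CEF detections in the last 24 hours, the outer search looks for those values in every other source type, and the result is laid out with the same columns as the Correlations table. Assumed: the TA extracts the CEF addresses into CIM-style src and dest fields and the product name into vendor_product, and the events from the other devices carry the CIM tag network.

```spl
sourcetype!=Vectra-CEF tag=network earliest=-24h latest=now
    [ search sourcetype=Vectra-CEF earliest=-24h latest=now
      | eval ip=mvappend(src, dest)
      | mvexpand ip
      | where isnotnull(ip) AND ip!=""
      | dedup ip
      | rename ip AS query
      | fields query ]
| eval tags=mvjoin(tag, ",")
| table _time, src, dest, source, vendor_product, sourcetype, tags, _raw
| sort - _time
```

Renaming the subsearch field to query makes Splunk insert the bare IP values into the outer search, so any event that mentions a detected address matches regardless of which field it sits in; subsearches are capped at 10,000 results by default, so narrow the time window or add a severity filter when the detection list is large.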

Technical support

We're available around the clock to promptly answer questions and provide expert technical guidance about the Vectra App for Splunk.

Email or call Vectra support 24x7 to open a case with the support team.

Vectra Networks [email protected] +1 (408) 326-2022

Vectra Networks, GmbH [email protected] +41 (44) 508-3049