The Vectra App for Splunk


Table of Contents

Overview ... 2
Getting started ... 3
    Installation ... 3
    Setup ... 4
Using the Vectra App for Splunk ... 4
    The Vectra Dashboard ... 5
    Hosts ... 7
    Detections ... 8
    Correlations ... 9
Technical support ... 10

2017 Vectra Networks 1

Overview

The Vectra App for Splunk allows users to seamlessly integrate real-time automated threat management from Vectra Networks with the operational intelligence of their Splunk deployment. Vectra uses a patent-pending combination of data science, machine learning and behavioral analysis to reveal the fundamental characteristics of malicious threat behavior without the need for countless signatures and reputation-based rules. Vectra automatically correlates all detections related to the same host and creates a confidence score to prioritize the hosts that pose the greatest risk.

This app for Splunk incorporates Vectra high-value detections into existing workflows and automates their correlation with logs from devices in the Splunk database, providing greater context for a threat.

The Vectra App for Splunk brings an extraordinary range of threat intelligence to the Splunk machine-data repository, including detections of unknown malware and attack tools, threats that hide in common apps and encrypted traffic, and in-progress threats in every phase of the attack kill chain. Vectra also pre-correlates threat events to specific physical hosts to enable faster investigations and responses.

Splunk captures, indexes and correlates Vectra threat detection data in real time, making it available in a searchable repository from which you can generate graphs, reports, alerts, dashboards and visualizations.

Version compatibility

Splunk version 6.3, 6.4: Vectra App for Splunk version 1.x
Splunk version 6.5, 6.6: Vectra App for Splunk version 2.x

Features at a glance

The Vectra App for Splunk provides the following unique capabilities:

- Gather information on the state of the environment.
- Quickly determine which users have triggered the highest-risk detections.
- Rapidly identify the categories and types of detections that are present.
- Review activity over time for detection categories, types, hosts, and campaigns.
- Review audit logs.
- Correlate Vectra detections with other SIEM events.

Getting started

Installation

The Vectra App for Splunk is currently available on Splunkbase. To install the application:

1. Log into the Splunk Web interface.
2. From the main dashboard, click on the star in the upper-left corner next to Apps, as shown below.
3. From the Apps page, select Browse for more apps and you will be redirected to Splunkbase. From there, search for the Vectra App for Splunk. If you have already downloaded the Vectra App for Splunk, you can instead click Install app from file, as shown below, point to the downloaded app and select Upload.

4. Return to the main dashboard and select the Vectra App for Splunk.

Setup

Once the app is installed, apply the data type/parser to your input. If your Vectra appliance is already sending logs to Splunk, go to the Add Data screen, select Input Settings and change the source type to Vectra-CEF, as shown below. If you are configuring the data input now, define the source type as part of defining the data input. After you assign the source type to the input, the received logs will be parsed appropriately.

To verify that your logs are being handled properly, search for any new logs that have been sent since you defined the input or updated the input with the appropriate parser. You should then see events with the source type Vectra-CEF.

Using the Vectra App for Splunk

The workflow of the Vectra App for Splunk moves from left to right, starting with the Dashboard. The Dashboard gives you a fixed, at-a-glance view of detections that occurred in the last 24 hours. Next, the Hosts page provides more details around the devices in the environment that aren't exposed in the Dashboard and lets you modify your search criteria, such as filtering on specific severities (critical, high, medium, low), searching a specific time window or searching for a specific host. Detections, the third page, provides the greatest detail. It shows individual events, or detections, and their scores; the aggregation of these individual events is what drives the scores on the Hosts page. Campaigns shows the individual campaigns that have been identified and the number of events associated with each campaign. Audit Logs provides a way to review system-related activity. Activity such as system changes, log in/out events, and the creation and deletion of triage rules can easily be filtered and associated with specific users. The last page, Correlations, shows events from other devices within the environment that provide an additional level of detail to the activity that is occurring within the environment.

The Vectra Dashboard

Like the intuitive Vectra product UI, the Dashboard in the Vectra App for Splunk provides a quick view into activity. The default view is a 24-hour window, but it can easily be changed to suit your needs. It includes a view of the host severity quadrants, worst offenders, key assets, and detections by type and category.

The Dashboard in the Vectra App for Splunk.

All statistics and graphs in the Dashboard are hyperlinked to more detailed information. Below is a summary of the hyperlinked content and the page views it leads to.

Severity quadrants: Clicking on any one of the severity quadrants directs you to the Hosts page and filters for that specific severity quadrant.
Worst offenders: Clicking any item in the row takes you to the Hosts page with a search applied for the specific host.
Detection by type: Clicking on a bar in this chart directs you to the Detections page and applies a filter for that specific type.
Detection by category: Clicking on a bar in this chart takes you to the Detections page and applies a filter for that specific category.

Hosts

The Hosts page in the Vectra App for Splunk shows a scatter plot of host detections based on certainty and threat and provides a list of hosts sorted by threat. The default time window for this view is 24 hours and it can be changed using the time selector.

The Hosts page in the Vectra App for Splunk.

The Hosts page can also be filtered by severity, or a search criterion (hostname or IP address) can be supplied to further refine the search. The Hosts page does not show host details. Selecting the Hostname, Source or Destination column takes you to the Detections page, and the value of the cell you click is applied as the search criteria. The Threat, Certainty and Last Detection columns are not hyperlinked to additional information.

To maintain efficient log parsing, some details of the original logs that are not necessary for correct parsing are not incorporated into the Vectra App for Splunk.

Comprehensive details are available through a pivot directly back into the Vectra user interface via a click on the link in the Host Details column.

Detections

The default view of the Detections page shows activity over the last 24 hours. The time window is configurable, and the page can be filtered by category and/or type and searched by hostname or IP address.

Due to color-coding and order of appearance, some activities in the Activity over Time chart may be hard to see. To view activity that is hidden, hover your cursor over the activity name in the legend and it will be highlighted in the graph.

The drilldown capabilities on the Detections page include:

Category: Select Category to apply it as a filter in the current view (all other fields are reset to their default values).
Type: Select Type to apply it as a filter in the current view (all other fields are reset to their default values).
Hostname: Select Hostname to apply it to the search string (all other fields are reset to their default values).
Source or Destination: Selecting the Source or Destination field directs you to the Correlations page and applies the value to the search criteria.

The same additional detail for logs (available for the Host Details) is available through a pivot into the Vectra UI via the links in the Detection Details column.

It is important to note that the Detections page categories and types are dynamically generated based on events that have occurred over the previous 30 days. If not all categories and types are listed, it is likely because these types of events have not occurred within this window of time.

The Detections page in the Vectra App for Splunk.

Correlations

The Correlations page is the most important page for long-term success because it provides the most valuable feedback about active cyber threats. This page is critical for conducting searches for all host detections (source and destination IP address) over a given period. Once a list of IP addresses is generated, it can be used to query against the data set as a whole to find events from other systems that match the host detections. The list can additionally be filtered using tags that follow the Splunk Common Information Model.

Please note that the size of the data set has a significant impact on the response time of a query. To avoid an overly long query response time, the default time window is set to 24 hours.
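The IP-list-then-query step the Correlations page performs, as an added example that is not the app's own code: it parses constructed Vectra-style CEF detections (the extension keys src, dst and cs1 are assumed, since the page does not list Vectra's CEF fields), collects the detection hosts, and looks those hosts up in constructed events from other sources, optionally restricted to one CIM tag.

```python
import re
from collections import defaultdict
# Constructed sample data, not real Vectra output. The CEF extension keys
# (src, dst, cs1) are standard CEF, but which keys Vectra emits is an assumption.
VECTRA_CEF = [
    "CEF:0|Vectra Networks|X Series|2.0|cnc|Hidden HTTPS Tunnel|8|"
    "src=10.1.2.3 dst=203.0.113.9 dpt=443 cs1=Command & Control cs1Label=category",
    "CEF:0|Vectra Networks|X Series|2.0|lateral|Brute-Force|6|"
    "src=10.1.2.3 dst=10.1.5.20 dpt=445 cs1=Lateral Movement cs1Label=category",
]
# Constructed events from other devices, already CIM-tagged by their Splunk TAs.
OTHER_EVENTS = [
    {"_time": "2017-06-01T10:00:01", "src": "10.1.2.3", "dest": "203.0.113.9", "sourcetype": "pan:traffic", "tag": "network communicate"},
    {"_time": "2017-06-01T10:00:07", "src": "10.9.9.9", "dest": "10.1.5.20", "sourcetype": "WinEventLog", "tag": "authentication"},
    {"_time": "2017-06-01T10:00:09", "src": "10.1.5.20", "dest": "10.1.2.3", "sourcetype": "WinEventLog", "tag": "authentication"},
]
HEADER = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]

def parse_cef(line):
    """Split a CEF record into its seven header fields plus an 'ext' dict."""
    # Header pipes may be escaped as '\|', so split only on unescaped ones.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    event = dict(zip(HEADER, parts[:7]))
    event["version"] = event["version"][len("CEF:"):]
    # Extension values may contain spaces, so a value runs until the next
    # token that looks like a key (or the end of the line).
    event["ext"] = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return event

def detection_hosts(cef_lines, min_severity=0):
    """The IP list the Correlations page builds: every src/dst seen in a detection."""
    ips = set()
    for ev in (parse_cef(l) for l in cef_lines):
        if int(ev["severity"]) >= min_severity:
            ips.update(ev["ext"][k] for k in ("src", "dst") if k in ev["ext"])
    return ips

def correlate(ips, events, tag=None):
    """Events from other sources whose src or dest is a detection host, keyed by host."""
    hits = defaultdict(list)
    for ev in events:
        if tag and tag not in ev.get("tag", "").split():  # optional CIM tag filter
            continue
        for ip in (ev["src"], ev["dest"]):
            if ip in ips:
                hits[ip].append(ev)
    return dict(hits)
```

Narrowing the run to a tag (here "authentication") mirrors the page's advice that filters and tags keep query times down while still returning the events that matter.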

It is also important to keep in mind that filters and tags can provide a significant amount of value. Keeping query response times to a minimum will still provide you with a tremendous volume of intelligent, actionable detail.

Events that match your search criteria are shown in a table with the following fields:

Timestamp
Source IP
Destination IP
Source: Input source of the event (e.g. filename, <protocol>:<port>)
Product: Product that is defined in the Splunk Technology Add-on (TA)
Source type: Type that is defined in the Splunk TA (i.e. Vectra-CEF)
Tags: Tags that were applied to the event
Raw: Raw event that was generated

Technical support

We're available around the clock to promptly answer questions and provide expert technical guidance about the Vectra App for Splunk. Email or call Vectra support 24x7 to open a case with the support team.

Vectra Networks: support@vectranetworks.com, +1 (408) 326-2022
Vectra Networks, GmbH: support@vectranetworks.com, +41 (44) 508-3049