Skip to content

Vendor - Vectra

Product - Cognito

Ref Link
Technology Add-On for Vectra Cognito https://splunkbase.splunk.com/app/4408/

Sourcetypes

sourcetype notes
vectra:cognito:detect
vectra:cognito:accountdetect
vectra:cognito:accountscoring
vectra:cognito:audit
vectra:cognito:campaigns
vectra:cognito:health
vectra:cognito:hostscoring
vectra:cognito:accountlockdown

Index Configuration

key sourcetype index notes
Vectra Networks_X Series vectra:cognito:detect main
Vectra Networks_X Series_accountdetect vectra:cognito:accountdetect main
Vectra Networks_X Series_asc vectra:cognito:accountscoring main
Vectra Networks_X Series_audit vectra:cognito:audit main
Vectra Networks_X Series_campaigns vectra:cognito:campaigns main
Vectra Networks_X Series_health vectra:cognito:health main
Vectra Networks_X Series_hsc vectra:cognito:hostscoring main
Vectra Networks_X Series_lockdown vectra:cognito:accountlockdown main

Filter type

MSG Parse: This filter parses message content

Options

Note: listed for reference; processing utilizes the Microsoft ArcSight log path as this format is a subtype of CEF

Variable default description
SC4S_LISTEN_CEF_TCP_PORT empty string Enable a TCP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_CEF_UDP_PORT empty string Enable a UDP port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_CEF no Enable archive to disk for this specific source
SC4S_DEST_CEF_HEC no When Splunk HEC is disabled globally set to yes to enable this specific source
  • NOTE: Set only one set of CEF variables for the entire SC4S deployment, regardless of how many ports are in use by this CEF source (or any others). See the “Common Event Format” source documentation for more information.

Verification

An active site will generate frequent events use the following search to check for new events

Verify timestamp, and host values match as expected

index=<asconfigured> (sourcetype="deepsecurity*")