feat: Added support for vectra json logs (#2694)

cwadhwani-splunk · web-flow · commit 124804b17a69 · 2025-04-02T18:15:21.000+05:30
* feat: Added support for vectra json logs

* Empty commit for triggering workflow
diff --git a/docs/sources/vendor/Vectra/cognito_json.md b/docs/sources/vendor/Vectra/cognito_json.md
@@ -0,0 +1,42 @@
+# Cognito JSON
+
+## Key facts
+
+* MSG Format based filter
+* Legacy BSD Format default port 514
+
+## Links
+
+| Ref            | Link                                                                                                    |
+|----------------|---------------------------------------------------------------------------------------------------------|
+| Technology Add-On for Vectra Detect (JSON) | <https://splunkbase.splunk.com/app/5271>                                                           |
+
+## Sourcetypes
+
+| sourcetype     | notes                                                                                                   |
+|----------------|---------------------------------------------------------------------------------------------------------|
+|vectra:cognito:detect:json||
+|vectra:cognito:hostscoring:json||
+|vectra:cognito:hostdetect:json||
+|vectra:cognito:hostlockdown:json||
+|vectra:cognito:accountscoring:json||
+|vectra:cognito:accountdetect:json||
+|vectra:cognito:accountlockdown:json||
+|vectra:cognito:campaigns:json||
+|vectra:cognito:audit:json||
+|vectra:cognito:health:json||
+
+### Index Configuration
+
+| key            | sourcetype     | index          | notes          |
+|----------------|----------------|----------------|----------------|
+|vectra_cognito detect_detect |vectra:cognito:detect:json |main|
+|vectra_cognito detect_hostscoring |vectra:cognito:hostscoring:json |main|
+|vectra_cognito detect_hostdetect |vectra:cognito:hostdetect:json |main|
+|vectra_cognito detect_hostlockdown |vectra:cognito:hostlockdown:json |main|
+|vectra_cognito detect_accountscoring |vectra:cognito:accountscoring:json |main|
+|vectra_cognito detect_accountdetect |vectra:cognito:accountdetect:json |main|
+|vectra_cognito detect_accountlockdown |vectra:cognito:accountlockdown:json |main|
+|vectra_cognito detect_campaigns |vectra:cognito:campaigns:json |main|
+|vectra_cognito detect_audit |vectra:cognito:audit:json |main|
+|vectra_cognito detect_health |vectra:cognito:health:json |main|
diff --git a/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf b/package/etc/conf.d/conflib/syslog/app-syslog-vectra_json.conf
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+    channel {
+        parser {
+            regexp-parser(
+                prefix(".tmp.")
+                patterns('\"vectra_timestamp\"\:\s\"(?<timestamp>[^\"]+)\"')
+                template("$MESSAGE")
+            );
+            date-parser-nofilter(
+                format('%s')
+                template("${.tmp.timestamp}")
+            );
+        };
+
+        rewrite {
+            subst('\-\:\s',"",value("MESSAGE"));
+        };
+
+        rewrite {
+            r_set_splunk_dest_default(
+                index("main")
+                sourcetype('vectra:cognito:detect:json')
+                vendor("vectra")
+                product("cognito detect")
+                class('detect')
+                template("t_msg_only")
+            );
+        };
+
+        if (message('\"host_\w+\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostscoring:json')
+                    class('hostscoring')
+                    condition(message('\"HOST\sSCORING\"'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostdetect:json')
+                    class('hostdetect')
+                    condition(message('\"detection_id\"\:'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostlockdown:json')
+                    class('hostlockdown')
+                    condition(message('\"success\"\:'))
+                );
+            };
+        } elif (message('\"account_uid\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountscoring:json')
+                    class('accountscoring')
+                    condition(message('\"ACCOUNT\sSCORING\"'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountdetect:json')
+                    class('accountdetect')
+                    condition(message('\"detection_id\"\:'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountlockdown:json')
+                    class('accountlockdown')
+                    condition(message('\"success\"\:'))
+                );
+            };
+        } elif (message('\"campaign_id\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:campaigns:json')
+                    class('campaigns')
+                );
+            };
+        } elif (message('\"role\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:audit:json')
+                    class('audit')
+                );
+            };
+        } elif (message('\"type\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:health:json')
+                    class('health')
+                );
+            };
+        } else {};
+    };
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+    filter {
+        program('vectra_json' type(string) flags(prefix));
+    };
+    parser { app-syslog-vectra-json(); };
+};
diff --git a/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf b/package/lite/etc/addons/vectra/app-syslog-vectra_json.conf
@@ -0,0 +1,104 @@
+block parser app-syslog-vectra-json() {
+    channel {
+        parser {
+            regexp-parser(
+                prefix(".tmp.")
+                patterns('\"vectra_timestamp\"\:\s\"(?<timestamp>[^\"]+)\"')
+                template("$MESSAGE")
+            );
+            date-parser-nofilter(
+                format('%s')
+                template("${.tmp.timestamp}")
+            );
+        };
+
+        rewrite {
+            subst('\-\:\s',"",value("MESSAGE"));
+        };
+
+        rewrite {
+            r_set_splunk_dest_default(
+                index("main")
+                sourcetype('vectra:cognito:detect:json')
+                vendor("vectra")
+                product("cognito detect")
+                class('detect')
+                template("t_msg_only")
+            );
+        };
+
+        if (message('\"host_\w+\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostscoring:json')
+                    class('hostscoring')
+                    condition(message('\"HOST\sSCORING\"'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostdetect:json')
+                    class('hostdetect')
+                    condition(message('\"detection_id\"\:'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:hostlockdown:json')
+                    class('hostlockdown')
+                    condition(message('\"success\"\:'))
+                );
+            };
+        } elif (message('\"account_uid\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountscoring:json')
+                    class('accountscoring')
+                    condition(message('\"ACCOUNT\sSCORING\"'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountdetect:json')
+                    class('accountdetect')
+                    condition(message('\"detection_id\"\:'))
+                );
+            };
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:accountlockdown:json')
+                    class('accountlockdown')
+                    condition(message('\"success\"\:'))
+                );
+            };
+        } elif (message('\"campaign_id\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:campaigns:json')
+                    class('campaigns')
+                );
+            };
+        } elif (message('\"role\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:audit:json')
+                    class('audit')
+                );
+            };
+        } elif (message('\"type\"\:')) {
+            rewrite {
+                r_set_splunk_dest_update_v2(
+                    sourcetype('vectra:cognito:health:json')
+                    class('health')
+                );
+            };
+        } else {};
+    };
+};
+
+application app-syslog-vectra-json[sc4s-syslog-pgm] {
+    filter {
+        program('vectra_json' type(string) flags(prefix));
+    };
+    parser { app-syslog-vectra-json(); };
+};
diff --git a/tests/test_vectra_json.py b/tests/test_vectra_json.py
