Splunk Cloud Integration

The Splunk Cloud platform lets you investigate, monitor, analyze and act on your data with unprecedented insight, all from the cloud. Splunk experts manage your IT backend so you can focus on acting on your data, while the platform scales to your analytics needs. Make the most of all your data while maintaining privacy and compliance standards with our industry-certified platform.

The Splunk Cloud integration enables querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables, such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes to take advantage of these capabilities.

Enabling this integration also provides a target in Cisco XDR Automation for automated workflows. If you configure an HTTP Event Collector Token, you can use Cisco XDR Automation to export incident data to Splunk Cloud (optional).

Note: This integration requires specific Splunk Cloud configuration details. Ensure that you follow the instructions carefully in the Integration Guide area when you add the Splunk Cloud integration.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Splunk Cloud integration.

  3. Click Get Started. The Splunk Cloud integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Splunk Cloud integration in Cisco XDR.

You can perform the following tasks after you integrate Splunk Cloud with Cisco XDR:

  • Investigate - Start a new investigation into any combination of IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes and see if any records of them exist in your Splunk Cloud. For details, see Investigate.

  • Automation Workflows - The Splunk Cloud target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

  • Playbooks - An Automation system workflow included in the Cisco Managed Incident Playbook can be used to close and export an incident. See Recovery Tasks and Workflows on the Response page.

  • Exchange - A workflow from Exchange can be used to send an incident to Splunk Cloud. See Exchange.

  • Atomic Actions - The atomic actions that search and retrieve in Splunk Cloud can be used as building blocks in workflows for threat hunting. See Atomic Actions.