Splunk Cloud Integration

The Splunk Cloud platform lets you investigate, monitor, analyze and act on your data with unprecedented insight, all from the cloud. Splunk experts manage your IT backend so you can focus on acting on your data, while the platform scales to your analytics needs. Make the most of all your data while maintaining privacy and compliance standards with our industry-certified platform.

The Splunk Cloud integration enables three outcomes:

  • A Splunk Cloud target in Cisco XDR Automation for automated workflows.

  • (Optional) In XDR Investigate, querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes. Requires adding and configuring Splunk's Common Information Model addon.

  • (Optional) Cisco XDR Automation support to export incident and other data to Splunk Cloud. This requires configuration of an HTTP Event Collector Token.

Note: A Splunk addon is available for the Cisco Security Cloud (CSC). Installing this addon provides enhanced integration with Cisco XDR. See Splunkbase for more information. Enabling the Splunk addon will allow for easy synchronization of Cisco XDR incident data with Splunk, and an XDR dashboard in the Splunk UI. All other integration capabilities mentioned above require the integration described below, not the Splunk CSC addon.

Note: This integration requires specific Splunk Cloud configuration details. Ensure that you follow the instructions carefully in the Integration Guide area when you add the Splunk Cloud integration.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Splunk Cloud integration.

  3. Click Get Started. The Splunk Cloud integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Splunk Cloud integration in Cisco XDR.

You can perform the following tasks after you integrate Splunk Cloud with Cisco XDR:

  • Investigate - Start a new investigation into any combination of IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes and see if any records of them exist in your Splunk Cloud. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Splunk Cloud has recent information. For details, see Investigate.

  • Automation:

    • Atomic Actions - The atomic actions for Splunk Cloud can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Splunk Cloud can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The Splunk Cloud target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.

    • Playbooks - An Automation system workflow that uses Splunk Cloud and is included in the Cisco Managed Incident Playbook can be used to close and export an incident. See Recovery Tasks and Workflows on the Response page.