Splunk Enterprise Integration

Splunk Enterprise is a powerful data analytics platform that allows you to collect, index, and analyze data from any source across your IT environment. It is typically deployed on-premises or in private cloud infrastructure, giving full control over data, security, and system management.

The Splunk Enterprise integration enables three outcomes:

  • A Splunk Enterprise target in Cisco XDR Automation for automated workflows.

  • (Optional) In XDR Investigate, querying of security detections across Network Traffic, Malware, Data Loss Prevention, and Intrusion Detection CIM-compliant data for observables such as IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes. Requires adding and configuring Splunk's Common Information Model addon.

  • (Optional) Cisco XDR Automation support to export incident and other data to Splunk Enterprise. This requires configuration of an HTTP Event Collector Token.

Note: A Splunk addon is available for the Cisco Security Cloud (CSC). Installing this addon provides enhanced integration with Cisco XDR. See Splunkbase for more information. Enabling the Splunk addon will allow for easy synchronization of Cisco XDR incident data with Splunk, and an XDR dashboard in the Splunk UI. All other integration capabilities mentioned above require the integration described below, not the Splunk CSC addon.

Note: This integration requires specific Splunk Enterprise configuration details. Ensure that you follow the instructions carefully in the Integration Guide area when you add the Splunk Enterprise integration.

  1. In the Cisco XDR navigation menu, choose Administration > Integrations.

  2. On the Integrations page, click the Cisco tab and navigate to the Splunk Enterprise integration.

  3. Click Get Started. The Splunk Enterprise integration page is displayed.

  4. Expand the Integration Guide area and follow the instructions on how to add the Splunk Enterprise integration in Cisco XDR.

You can perform the following tasks after you integrate Splunk Enterprise with Cisco XDR:

  • Investigate - Start a new investigation into any combination of IP addresses, hostnames, file names, file paths, MD5 hashes, and SHA-256 hashes and see if any records of them exist in your Splunk Enterprise. To verify that this integration is working, and to see what kind of data is returned, investigate one of more observables about which you know Splunk Enterprise has recent information. For details, see Investigate.

  • Automation:

    • Atomic Actions - The atomic actions for Splunk and Splunk Enterprise can be used as building blocks in custom workflows. These can be found as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.

    • Workflows - The workflows for Splunk Enterprise can be installed from the Automation Exchange. See Workflows and Exchange.

    • Target - The Splunk Enterprise target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.