Description

This incident response workflow exports a summary of a Cisco XDR incident to a Splunk Cloud index. It can be run from a playbook, where an analyst triggers the export manually, or from an incident automation rule, where the export runs automatically as soon as an incident is created. Sending incidents to Splunk lets them be indexed and correlated with your other logs, and gives you longer retention than Cisco XDR may offer on its own.

Target: Automation APIs, Conure APIs, Platform APIs, Splunk Cloud

Steps:

  • Fetch the incident summary from Cisco XDR (if this fails, end the workflow)
  • Process the incident summary into the event to be sent
  • Check whether the workflow was given explicit inputs:
    • If not, read the required configuration data from the Splunk Cloud integration target
  • Send the incident summary to the Splunk HTTP Event Collector (HEC)

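The four steps above, as an added stand-alone Python example that is not Cisco's workflow code. The incident-summary field names, the `sample_fetcher` stand-in for the XDR incident API, and the `hec_url`/`hec_token`/`index` keys used for workflow inputs and the integration target are all assumptions; the `/services/collector/event` path, the `Authorization: Splunk <token>` header and the `event`/`index`/`sourcetype`/`time` envelope are Splunk's documented HEC format. With `send=None` the request is built but not transmitted, so the script runs offline.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed sample incident summary. Field names are an assumption
# (loosely modelled on CTIM incidents), not the page's schema.
SAMPLE_INCIDENT = {
    "id": "transient:incident-0001",
    "title": "Suspicious PowerShell on HOST-7",
    "description": "Encoded command line spawned by winword.exe",
    "severity": "High",
    "status": "New",
    "confidence": "High",
    "incident_time": {"opened": "2024-05-01T10:15:00.000Z"},
    "assignees": ["analyst@example.com"],
}


def sample_fetcher(incident_id: str) -> dict:
    """Stand-in for the XDR incident API call (assumed interface)."""
    if incident_id != SAMPLE_INCIDENT["id"]:
        raise LookupError("unknown incident " + incident_id)
    return SAMPLE_INCIDENT


def fetch_incident_summary(incident_id: str, fetcher: Callable[[str], dict]) -> Optional[dict]:
    """Step 1: fetch the summary. Any failure ends the workflow (returns None)."""
    try:
        return fetcher(incident_id)
    except Exception:
        return None


def _epoch(iso_z: Optional[str]) -> Optional[float]:
    """ISO-8601 'Z' timestamp to epoch seconds, or None if absent/unparseable."""
    try:
        return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc).timestamp()
    except (TypeError, ValueError):
        return None


def process_incident_summary(summary: dict) -> dict:
    """Step 2: flatten the summary into one HEC event body."""
    return {
        "incident_id": summary["id"],
        "title": summary.get("title", ""),
        "description": summary.get("description", ""),
        "severity": summary.get("severity", "Unknown"),
        "status": summary.get("status", "Unknown"),
        "confidence": summary.get("confidence", "Unknown"),
        "opened": summary.get("incident_time", {}).get("opened"),
        "assignees": summary.get("assignees", []),
        "source_platform": "Cisco XDR",
    }


def resolve_hec_config(inputs: dict, integration_config: dict) -> tuple:
    """Step 3: explicit workflow inputs win; otherwise fall back to the
    Splunk Cloud integration target. Key names are assumptions."""
    url = inputs.get("hec_url") or integration_config.get("hec_url")
    token = inputs.get("hec_token") or integration_config.get("hec_token")
    index = inputs.get("index") or integration_config.get("index") or "main"
    if not url or not token:
        raise ValueError("no HEC URL/token in workflow inputs or Splunk Cloud integration")
    return url, token, index


def build_hec_request(event: dict, hec_url: str, token: str, index: str) -> urllib.request.Request:
    """Step 4: wrap the event in the HEC envelope and build the POST. Nothing is sent here."""
    envelope = {"sourcetype": "cisco:xdr:incident", "index": index, "event": event}
    opened = _epoch(event.get("opened"))
    if opened is not None:
        envelope["time"] = opened  # otherwise Splunk stamps receipt time
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(envelope).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
    )


def describe_request(req: urllib.request.Request) -> dict:
    """Decode a built request so it can be inspected without sending it."""
    return {
        "url": req.full_url,
        "method": req.get_method(),
        "authorization": req.get_header("Authorization"),
        "payload": json.loads(req.data.decode("utf-8")),
    }


def export_incident(incident_id, fetcher, inputs, integration_config, send=None) -> dict:
    """Run the four steps in order. send=None is a dry run; pass
    urllib.request.urlopen to deliver the request over TLS."""
    summary = fetch_incident_summary(incident_id, fetcher)
    if summary is None:
        return {"sent": False, "reason": "fetch failed"}
    event = process_incident_summary(summary)
    url, token, index = resolve_hec_config(inputs, integration_config)
    req = build_hec_request(event, url, token, index)
    if send is None:
        return {"sent": False, "reason": "dry run", "request": req}
    with send(req) as resp:
        return {"sent": True, "status": resp.status, "body": json.loads(resp.read().decode("utf-8"))}


if __name__ == "__main__":
    result = export_incident(
        SAMPLE_INCIDENT["id"], sample_fetcher, inputs={},
        integration_config={"hec_url": "https://hec.example.com:8088", "hec_token": "REDACTED", "index": "xdr"},
    )
    print(json.dumps(describe_request(result["request"]), indent=2))
```

Two practical points when wiring this up for real: keep the HEC token in the integration target rather than as a free-text playbook input, so it is not echoed into run logs, and treat anything other than HEC's `{"text":"Success","code":0}` response as a failed export rather than silently ending the workflow.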
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Splunk Cloud
  • Cisco XDR

About

Author: Cisco
Version: v1.0
Intent: Incident Response, Integration
Authorship: Cisco Managed

Related workflows

  • Community: This workflow enhances security management by automating the process of identifying and managing network security events using Splunk and Cisco XDR.
  • Community: This workflow will run a Search Query for an Observable in Splunk Cloud via the Pivot Menu.