## Installation and Configuration Instructions

### Step 1: Install the Workflow

- Ensure you have the **Splunk Cloud** integration enabled in XDR.
- Install the workflow from the XDR automation Exchange.

### Step 2: Configure Search Parameters

- **Splunk Search Parameter: Index**
  - Enter the Splunk Index to retrieve the network events.
  - To search all events, use "*". Note: This is not recommended for scalability.

- **Splunk Search Parameter: Source Type**
  - Enter the source type for the Splunk events (e.g., `cisco:asa`).

### Step 3: Map Event Field Names

For each field, enter the corresponding field name from the Splunk events:

- **Destination Port**: (e.g., `dest_port`)
- **Indicator**: (e.g., `Threat_Name`)
- **Severity**: (e.g., `event_severity`)
- **MITRE Tactic**: (e.g., `mitre_tactic_id`)
- **MITRE Technique**: (e.g., `mitre_technique_id`)
- **Source IP**: (e.g., `src_ip`)
- **Time**: (e.g., `splunk_time`)
- **Destination IP**: (e.g., `dest_ip`)
- **Event Type Name**: (e.g., `alert_category`)
- **Source Name**: (e.g., `vendor_product`)

Ensure all field names are correctly mapped to match your specific Splunk event data structure.

### Step 4: Automate the Workflow

- When prompted to "Automate it," you can add a scheduled automation rule.
- For example, set the automation to run at a 10-minute interval.

Splunk - Search Network Events (generic) - Cisco XDR Incident

Enter the Splunk Source Type that the Splunk Network Events that you are after are formatted in (e.g. cisco:asa). 

This is a default Splunk Event Field that identifies the data structure of an event. A source type determines how the Splunk platform formats the data during the indexing process.


Splunk Search Parameter: Source Type

Enter the Splunk Index that will retrieve the Splunk Network Events that you are after. If you want to search all Events then leave the "*". This is not recommended!

Splunk Search Parameter: Index

Enter the Field of the Splunk event that has the value of the Destination Port (e.g. dest_port).

Splunk Event Field: Destination Port

Enter the Field of the Splunk event that has the value of the MITRE Technique (e.g. mitre_technique_id).

Splunk Event Field: MITRE Technique

Enter the Field of the Splunk event that has the value of the source name (e.g. vendor_product).

Splunk Event Field: Source Name

Enter the Field of the Splunk event that has the value of the Destination IP (e.g. dest_ip).

Splunk Event Field: Destination IP

Enter the Field of the Splunk event that has the value of the Destination IP (e.g. src_ip).

Splunk Event Field: Source IP

Enter the Field of the Splunk event that has the value of the Time (e.g. splunk_time).

Splunk Event Field: Time

Enter the Field of the Splunk event that has the value of the Indicator (e.g. Threat_Name).

Splunk Event Field: Indicator

Enter the Field of the Splunk event that has the value of the Event Type Name (e.g. alert_category). 

Splunk Event Field: Event Type Name

Enter the Field of the Splunk event that has the value of the MITRE Tactic (e.g. mitre_tactic_id).

Splunk Event Field: Mitre Tactic

Enter the Field of the Splunk event that has the value of the Severity (e.g. event_severity).

Splunk - Search Network Events (generic) - Cisco XDR Incident

Description

Installation and Configuration Instructions

Step 1: Install the Workflow

Step 2: Configure Search Parameters

Step 3: Map Event Field Names

Step 4: Automate the Workflow

Integration targets