
Splunk Enterprise - Export Incident Summary to Index
This incident response workflow allows you to export a summary of an XDR incident to a Splunk Enterprise index from a playbook or using an automation rule. When using this workflow in a playbook, the user initiates the export. When using this workflow with an incident automation rule, the export can be done automatically when an incident is created. Sending incidents to Splunk allows them to be indexed for correlation with your other logs and allows for longer data retention than what may be available in Cisco XDR.
Description
Target: Automation APIs system target, Conure APIs system target, Platform APIs system target, Splunk Enterprise integration target
Note: The Splunk Enterprise integration typically requires that you deploy an on-premises automation remote so that the XDR cloud can reach your Splunk appliance. Please see the integration details for more information.
Steps:
- Fetch the incident summary (if this fails, end the workflow)
- Process the incident summary
- Check if the workflow was configured with inputs:
  - If not, attempt to get the required configuration data from the Splunk Enterprise integration
- Send the incident summary to the Splunk HTTP event collector
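The following Python is an added illustration of the last three steps (it is not the workflow's own code, which this page does not show): it resolves the index and sourcetype from workflow inputs with a fallback to the integration's configuration, and wraps the summary in the Splunk HTTP Event Collector envelope. The summary fields, the defaults, the HEC URL and the token are constructed assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample incident summary; the field names are assumptions, not the XDR schema.
SAMPLE_SUMMARY = {
    "id": "incident-0001-example",
    "title": "Suspicious login followed by lateral movement",
    "severity": "High",
    "status": "New",
    "created": "2024-01-15T10:30:00Z",
    "observables": ["198.51.100.23", "workstation-42"],
}

# Assumed integration-level defaults, used only when the workflow ran without inputs.
INTEGRATION_DEFAULTS = {"index": "xdr_incidents", "sourcetype": "cisco:xdr:incident"}


def resolve_config(inputs, defaults=INTEGRATION_DEFAULTS):
    """Prefer values supplied as workflow inputs; fall back to the integration's configuration."""
    resolved = {}
    for key in ("index", "sourcetype"):
        value = (inputs or {}).get(key)
        resolved[key] = value if value else defaults[key]
    return resolved


def build_hec_event(summary, config, host="cisco-xdr"):
    """Wrap the summary in the HEC envelope so _time, index and sourcetype are set on ingest."""
    created = datetime.strptime(summary["created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "time": created.timestamp(),  # epoch seconds; HEC uses this for _time instead of arrival time
        "host": host,
        "source": "xdr_incident_export",
        "sourcetype": config["sourcetype"],
        "index": config["index"],
        "event": summary,  # the summary itself becomes the indexed JSON event
    }


def hec_request(hec_url, token, event):
    """Build (but do not send) the POST to the collector endpoint with the HEC token header."""
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body,
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":  # placeholder URL and token; replace with your own collector details
    cfg = resolve_config({"index": "soc_incidents"})
    req = hec_request("https://splunk.example.internal:8088", "HEC-TOKEN-PLACEHOLDER", build_hec_event(SAMPLE_SUMMARY, cfg))
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read().decode())
```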
This workflow requires the following targets to be available before it can be run.
Integration targets
- Splunk Enterprise
- Cisco XDR