
Splunk Cloud - Create XDR Incident v2 - from Template
This workflow searches for events in a Splunk Cloud instance and creates a new Cisco XDR incident (via private intelligence) or updates an existing one created by a workflow. It includes templates for multiple log sources, or it can use a custom search query.
Templates exist for : Corelight (Notice and Suricata), Endace, Cisco Secure Firewall (Intrusion and SI), Palo Alto Firewall (Intrusion), Zscaler ZIA, Meraki MX, Cisco SNA, Sophos EPP, Symantec EPP, ThousandEyes Alerts.
Sightings are based on :
- Assets : Source IP and/or Hostname
- Observables : sha256, IP, Domain, User and/or URL
Correlation with an existing incident is based on : same Observable SHA256 + indicator, OR same Observable Destination IP/Domain, OR same Asset/User.
Incidents stop being updated 5 days after creation (or 5 days after their last update, if the workflow "Splunk - Create XDR incident - Update History Table" is also deployed and configured).
Description
Step 1: Install the Workflow
- Ensure you have the Splunk Enterprise integration enabled in XDR.
- Install the workflow from the XDR automation Exchange.
Step 2: Configure the input variables
- Input - Splunk - Index : Enter the Splunk Index to retrieve events.
To search all events, use "*". Note: This is not recommended for scalability.
- Input - Splunk - Template X : Set to true if you want to use the template for the search query. Only one template can be enabled at a time. To use the workflow with multiple templates, link this workflow to a different trigger/schedule for each template.
Templates exist for : Corelight (Notice and Suricata), Endace, Cisco Secure Firewall (Intrusion and SI), Palo Alto Firewall (Intrusion), Zscaler ZIA, Meraki MX, Cisco SNA, Sophos EPP, Symantec EPP, ThousandEyes Alerts.
- Input - Splunk - Custom Search Query : Set to true if you want to use a custom search query instead of an existing template and fill the input variable "Input - Splunk - Custom Search Query Content"
- Input - Splunk - Custom Search Query Content : Only if "Input - Splunk - Custom Search Query" is true and you don't want to use a predefined template. Replace each X in the Search Query template with the correct value or field name, or with the value "null" if the field doesn't exist.
Template :
index=X
| rename X as event_severity | eval event_severity=if(event_severity="X","High","Unknown")
| rename X as sighting_name
| rename X as indicator
| rename X as src_ip | eval src_ip=if(src_ip!="",'src_ip',"null")
| rename X as src_port | eval src_port=if(src_port!="",'src_port',"null")
| rename X as dest_ip | eval dest_ip=if(dest_ip!="",'dest_ip',"null")
| rename X as dest_port | eval dest_port=if(dest_port!="",'dest_port',"null")
| rename X as mitre_tactic | eval mitre_tactic=if(mitre_tactic!="",'mitre_tactic',"null")
| rename X as mitre_technique | eval mitre_technique=if(mitre_technique!="",'mitre_technique',"null")
| rename _time as splunk_time
| rename X as URL | eval URL=if(URL!="",'URL',"null")
| rename X as domain | eval domain=if(domain!="",'domain',"null")
| rename X as IngressInterface | eval IngressInterface=if(IngressInterface!="",'IngressInterface',"null")
| rename X as EgressInterface | eval EgressInterface=if(EgressInterface!="",'EgressInterface',"null")
| rename X as action | eval action=if(action!="",'action',"null")
| rename X as proto | eval proto=if(match(URL,":443"),"https",if(domain!="","http","null"))
| rename X as Various1 | eval Various1=if(Various1!="",'Various1',"null")
| rename X as Various2 | eval Various2=if(Various2!="",'Various2',"null")
| rename X as sha256 | eval sha256=if(sha256!="",'sha256',"null")
| rename X as user | eval user=if(user!="",'user',"null")
| rename X as filename | eval filename=if(filename!="",'filename',"null")
| rename X as hostname | eval hostname=if(hostname!="",'hostname',"null")
| table sourcetype event_severity sighting_name indicator src_ip dest_ip src_port dest_port mitre_tactic mitre_technique splunk_time URL domain IngressInterface action proto Various1 Various2 filename EgressInterface sha256 user hostname
| sort +sighting_time*
- Input - Splunk - Custom SourceType : Use this field if the Splunk SourceType is different than the one predefined in the template
- Input - XDR - Default Mitre Tactic : Set the default Mitre Tactic ID to use in the incident if it is not present in the log or if the workflow can't deduce it from the indicator name
- Input - Firewall Logs - Outside Interface Name : Only for Secure Firewall and Palo Alto, set the name of the Outside interface (case sensitive)
- Input - Firewall Logs - Span Interface Name : Only for Secure Firewall and Palo Alto, set the name of the Span interface (case sensitive)
- Input - Workflow Run Interval : Set this value to reflect the schedule interval (in minutes). Ex : if you schedule the workflow to run every 5 minutes, set this value to 5; if you schedule the workflow to run every 1 hour, set this value to 60
- Input - XDR - Update Closed Incident : On new detections similar to an existing incident, defines the behaviour if the existing incident has a closed status*. If set to true : the incident will be updated with the new detection. If set to false : a new incident will be created (except for Closed FP and Closed Near Miss).
* Requires the deployment and configuration of the workflow : "Splunk - Create XDR incident - Update History Table".
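The correlation rules from the description (same SHA256 + indicator, same destination IP/domain, same asset/user), the 5-day update window and the "Input - XDR - Update Closed Incident" behaviour can be pictured with a small Python model. This is an added illustration, not the workflow's own code: the class and function names, the status labels "Closed: False Positive" and "Closed: Near Miss", the history_table switch (standing in for the "Update History Table" companion workflow) and the reading that a match against a Closed FP / Near Miss incident suppresses the detection when updating closed incidents is off are all assumptions, and the sample sightings are constructed. Field names follow the custom search query template, including the literal "null" it emits for absent fields.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the page's correlation rules. Names, status labels and
# the handling of Closed FP / Near Miss are assumptions, not the workflow's code.
UPDATE_WINDOW = timedelta(days=5)
CLOSED_NO_REOPEN = {"Closed: False Positive", "Closed: Near Miss"}  # assumed labels


@dataclass
class Sighting:
    # "null" is what the SPL template writes for fields that do not exist.
    sha256: str = "null"
    indicator: str = "null"
    dest_ip: str = "null"
    domain: str = "null"
    src_ip: str = "null"
    hostname: str = "null"
    user: str = "null"


@dataclass
class Incident:
    incident_id: str
    status: str
    created: datetime
    last_updated: datetime
    sightings: list = field(default_factory=list)


def _present(value: Optional[str]) -> bool:
    return value not in (None, "", "null")


def _same(a: str, b: str) -> bool:
    # Two "null" values must never correlate, so require a real value first.
    return _present(a) and a == b


def matches(new: Sighting, old: Sighting) -> bool:
    """The three correlation rules from the description."""
    # 1. same observable SHA256 *and* same indicator (detection name)
    if _same(new.sha256, old.sha256) and _same(new.indicator, old.indicator):
        return True
    # 2. same destination IP or same domain observable
    if _same(new.dest_ip, old.dest_ip) or _same(new.domain, old.domain):
        return True
    # 3. same asset (source IP or hostname) or same user
    return (_same(new.src_ip, old.src_ip) or _same(new.hostname, old.hostname)
            or _same(new.user, old.user))


def decide(new: Sighting, incidents: list, now: datetime,
           update_closed: bool, history_table: bool = False) -> tuple:
    """Return ("update", incident), ("create", None) or ("skip", incident).

    history_table=True models the "Update History Table" companion workflow:
    the 5-day window is then measured from the last update instead of creation.
    """
    for inc in sorted(incidents, key=lambda i: i.last_updated, reverse=True):
        anchor = inc.last_updated if history_table else inc.created
        if now - anchor > UPDATE_WINDOW:
            continue                      # outside the 5-day update window
        if not any(matches(new, s) for s in inc.sightings):
            continue                      # no correlation with this incident
        if inc.status.startswith("Closed") and not update_closed:
            # Assumption: a closed FP / Near Miss match suppresses the detection
            # instead of opening a duplicate incident; other closed states
            # fall through to a new incident.
            if inc.status in CLOSED_NO_REOPEN:
                return ("skip", inc)
            continue
        return ("update", inc)
    return ("create", None)


def demo() -> dict:
    """Constructed incidents and sightings exercising each rule and edge case."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    base = Sighting(sha256="a" * 64, indicator="Malware.Generic", src_ip="10.0.0.5")
    fresh = Incident("INC-1", "Open", now - timedelta(days=1),
                     now - timedelta(hours=2), [base])
    stale = Incident("INC-2", "Open", now - timedelta(days=6),
                     now - timedelta(days=1), [Sighting(dest_ip="203.0.113.7")])
    fp = Incident("INC-3", "Closed: False Positive", now - timedelta(days=2),
                  now - timedelta(days=2), [Sighting(user="jdoe")])
    incidents = [fresh, stale, fp]
    same_hash = Sighting(sha256="a" * 64, indicator="Malware.Generic")
    other_name = Sighting(sha256="a" * 64, indicator="Other.Name")
    dest = Sighting(dest_ip="203.0.113.7")
    user = Sighting(user="jdoe")
    return {
        "same_hash": decide(same_hash, incidents, now, False)[0],
        "same_hash_other_name": decide(other_name, incidents, now, False)[0],
        "stale_dest": decide(dest, incidents, now, False)[0],
        "stale_dest_history": decide(dest, incidents, now, False, history_table=True)[0],
        "fp_user": decide(user, incidents, now, False)[0],
        "fp_user_reopen": decide(user, incidents, now, True)[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The stale_dest cases show why the "Update History Table" workflow matters: an incident created six days ago but updated yesterday is ignored by the plain 5-day-from-creation rule and only keeps receiving detections when the window is measured from its last update.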
Step 3: Automate the Workflow
When prompted to "Automate it," you can add a scheduled automation rule.
For example, set the automation to run at a 5-minute interval.
This workflow requires the following targets to be available before it can be run.
Integration targets
- Cisco XDR
- Splunk Cloud