Contact sales
Details

This workflow searches for network detections events in a Splunk Cloud tenant based on a custom search query (see template) and ingest them in the XDR Data Analytics Platform (detection findings) for incident generation. It is designed to run every X minutes (default 5) via a schedule rule

Description

Installation and Configuration Instructions

  1. Install the Workflow

    • Ensure you have the Splunk Cloud integration enabled in XDR.
    • Install the workflow from XDR automate Exchange.
    • Set the Input variables

  2. Automate the Workflow

    • When prompted to "Automate it," add a scheduled automation rule or add it later.
    • The interval has to match the one configured in the input variable "Workflow Run Interval"

  3. Validate your custom search

    • Edit the workflow and disable the automation rule until you have completed this step
    • In your Splunk tenant, go to the “Search and Reports” section and test your custom search query (input variable: Splunk Custom Search Query)
    • Make sure all mapped fields are filled in correctly; if not, correct the Splunk query
    • If the Splunk query is correct, enable the automation rule

  4. Expected behavior

    • Workflow transforms each collected logs into a Custom Security Event
    • Events are stored as Detection Findings
    • Findings automatically participate in:
      • Correlation
      • Incident generation

  5. Verification

    • Navigate to Detection Findings Viewer in Cisco XDR
    • Confirm that:
      • Events are being ingested as Detection Findings
      • Detection Findings may be correlated into Incidents
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco XDR
  • Splunk Cloud
About
Author
Ivan Berlinson
Version
v1.1
Intent
Custom Security Event
Integration
Average rating
No ratings yet
Authorship
Community
Contact and support information
ivberlin@cisco.com
External links

Content Licensing

Developer Community

Splunk Search Reference

Splunk Search Command : Rename

Splunk Search Command : Eval

Related workflows
Logo for Splunk Cloud
Splunk Cloud - Export Incident Summary to Index
Cisco Managed
This incident response workflow allows you to export a summary of an XDR incident to a Splunk Cloud index from a playbook or using an automation rule.
Incident Response
Learn more
Logo for Splunk Cloud
Splunk Cloud - Run Search for Observable via Prompt
Community
This workflows will run a Search Query for an Observable in Splunk Cloud via the Pivot Menu.
Pivot Menu
Learn more
Logo for Splunk Cloud
Splunk - Search Network Events (generic) - Cisco XDR Incident
Community
This workflow enhances security management by automating the process of identifying and managing network security events using Splunk and Cisco XDR.
Learn more
Logo for Splunk Cloud
Splunk Cloud - Create XDR Incident v2 - from Template
Community
This workflow searches for events in a Splunk Cloud instance and creates a new Cisco XDR incident (via private intelligence) or updates an existing one created by a workflow.
Learn more
Logo for Splunk Cloud
Splunk Cloud Risk Events (ip_address) - Custom Event Ingestion
Community
This workflow searches for events in the Splunk Cloud risk index (alerts) and ingest them in the XDR Data Analytics Platform (detection findings) for incident generation.
Custom Security Event
Learn more
Logo for Splunk Cloud
Splunk Cloud - Export XDR Detection Findings
Cisco Managed
This workflows exports XDR detection findings to Splunk Cloud every 5 minutes using a schedule automation rule.
Learn more