#### Installation and Configuration Instructions

1. **Install the Workflow**
    - Ensure you have the Splunk Enterprise integration enabled in XDR.
    - Install the workflow from XDR automate Exchange.
    - Set the Input variables

2. **Automate the Workflow** 
    - When prompted to "Automate it," add a scheduled automation rule or add it later.
    - The interval has to match the one configured in the input variable "Workflow Run Interval"

3. **Validate your custom search**
    - Edit the workflow and disable the automation rule until you have completed this step
    - In your Splunk tenant, go to the “Search and Reports” section and test your custom search query (input variable: Splunk Custom Search Query)
    - Make sure all mapped fields are filled in correctly; if not, correct the Splunk query
    - If the Splunk query is correct, enable the automation rule

 4. **Expected behavior**
    - Workflow transforms each collected logs into a Custom Security Event
    - Events are stored as Detection Findings
    - Findings automatically participate in:
      - Correlation
      - Incident generation

5. **Verification**
    - Navigate to Detection Findings Viewer in Cisco XDR
    - Confirm that:
      - Events are being ingested as Detection Findings
      - Detection Findings may be correlated into Incidents

Custom Event Ingestion via Splunk Enterprise - Custom Query

Set the default mitre tactic ID to use if not found in log and unable to deduce from indicator and Global Variable "Custom Event - Mitre Tactics Mapping" (ex : TA0040)

Input - XDR - Default Mitre Tactic

Set this value to reflect the schedule interval (in minutes)
Ex : if you schedule the workglow to run every 5 minutes, set this value to 5, if you schedule the workglow to run every 1 hour , set this value to 60

This settings is also used to calculate the query earliest time and max number of results

Input - Workflow Run Interval

Name of the Custom Event Module.  (default : Custom Event via Splunk)

It will be the name use as source of detections findings.
If the module doesn't exist, it will be created by the workflow.

Input - Module Instance Name

Your custom search query

Edit the template and replace "YOUR_VALUE*", 'YOUR_FIELD", "YOUR_SEARCH_FILTER" with the correct field name / Value

If a field doesn't exist in the log then replace "YOUR_FIELD" by NONE (example : rename NONE as src_mac if there is no source mac address field in the log

Input - Splunk Custom Search Query

Set the default Mitre Technique ID to use if not found in log and unable to deduce from indicator and global variable "Custom Event - Mitre Techniques Mapping" (ex : T1071) - Optional

Custom Event Ingestion via Splunk Enterprise - Custom Query

Description

Installation and Configuration Instructions

Integration targets