Details

This workflow searches for events in the Splunk Cloud risk index (alerts) and ingests them into the XDR Data Analytics Platform as detection findings for incident generation. The default query excludes:
  • XDR incident events that Splunk collected and promoted as notables (so data that originated in XDR is not re-ingested as a new finding)
  • events whose threat_object_type is not ip_address
It is designed to run every X minutes (default 5) via a scheduled automation rule.

Description

Installation and Configuration Instructions

  1. Install the Workflow

    • Ensure the Splunk Cloud integration is enabled in XDR.
    • Install the workflow from the XDR Automate Exchange.
    • Set the input variables.
  2. Automate the Workflow

    • When prompted to "Automate it," add a scheduled automation rule, or add it later.
    • The schedule interval must match the value configured in the input variable "Workflow Run Interval"; the search window is sized from that variable, so a mismatch either skips events (schedule longer than the window) or re-collects them (schedule shorter than the window).
  3. Expected behavior

    • The workflow transforms each collected event into a Custom Security Event.
    • Events are stored as Detection Findings.
    • Findings automatically participate in:
      • Correlation
      • Incident generation
  4. Verification

    • Navigate to the Detection Findings Viewer in Cisco XDR.
    • Confirm that:
      • Events are being ingested as Detection Findings
      • Detection Findings are correlated into Incidents where the correlation rules apply
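The following is an added example, not the workflow's own code, that models the behaviour described in steps 2 and 3 above: the two default exclusions, the minute-aligned search window that the "Workflow Run Interval" input implies, and the transform of each surviving row into a simplified custom security event. It also goes beyond the listing by simulating several scheduled runs to show what happens when the schedule interval and the search window disagree. Assumptions: the sample rows are constructed; field names follow the Splunk Enterprise Security risk index (risk_object, threat_object_type, search_name); the search_name marker used to spot XDR incidents promoted to notables is invented for illustration, as is the event shape produced by to_custom_security_event, which is not XDR's finding schema.

```python
"""Model of the Splunk risk-index collection loop (added example, not the workflow's code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of Splunk ES risk-index search results.
SAMPLE_RISK_EVENTS = [
    {"_time": "2024-05-01T09:57:30Z", "risk_object": "10.0.0.3", "risk_object_type": "system",
     "threat_object": "192.0.2.10", "threat_object_type": "ip_address", "risk_score": 60,
     "search_name": "Threat - Risk - Port Scan - Rule"},
    {"_time": "2024-05-01T10:02:13Z", "risk_object": "10.0.0.5", "risk_object_type": "system",
     "threat_object": "203.0.113.7", "threat_object_type": "ip_address", "risk_score": 80,
     "search_name": "Threat - Risk - Suspicious Outbound - Rule"},
    {"_time": "2024-05-01T10:03:40Z", "risk_object": "alice", "risk_object_type": "user",
     "threat_object": "evil.example", "threat_object_type": "domain", "risk_score": 50,
     "search_name": "Threat - Risk - DNS Beacon - Rule"},
    {"_time": "2024-05-01T10:04:05Z", "risk_object": "10.0.0.9", "risk_object_type": "system",
     "threat_object": "198.51.100.4", "threat_object_type": "ip_address", "risk_score": 90,
     "search_name": "Cisco XDR Incident - Promoted Notable"},
    {"_time": "2024-05-01T10:07:50Z", "risk_object": "10.0.0.12", "risk_object_type": "system",
     "threat_object": "198.51.100.9", "threat_object_type": "ip_address", "risk_score": 70,
     "search_name": "Threat - Risk - C2 Traffic - Rule"},
]

# Assumed marker for XDR incidents that Splunk collected and promoted to notables;
# the listing does not show how the real workflow identifies them.
XDR_PROMOTED_MARKER = "Cisco XDR Incident"


def parse_time(ts):
    """ISO-8601 UTC timestamp (as in the sample rows) to an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_excluded(event):
    """Default exclusions: non-IP threat objects and XDR incidents promoted as notables."""
    if event.get("threat_object_type") != "ip_address":
        return True
    return XDR_PROMOTED_MARKER in event.get("search_name", "")


def search_window(run_at, interval_minutes):
    """Half-open [earliest, latest) window snapped to the minute, like earliest=-5m@m latest=@m."""
    latest = run_at.replace(second=0, microsecond=0)
    return latest - timedelta(minutes=interval_minutes), latest


def collect(events, run_at, interval_minutes):
    """One workflow run: rows inside the window that survive the default exclusions."""
    earliest, latest = search_window(run_at, interval_minutes)
    return [e for e in events
            if earliest <= parse_time(e["_time"]) < latest and not is_excluded(e)]


def to_custom_security_event(event):
    """Simplified illustration of the transform step; not XDR's finding schema."""
    return {
        "title": event["search_name"],
        "severity": "High" if event["risk_score"] >= 80 else "Medium",
        "observables": [
            {"type": event["risk_object_type"], "value": event["risk_object"]},
            {"type": event["threat_object_type"], "value": event["threat_object"]},
        ],
        "observed_time": event["_time"],
    }


def simulate_schedule(events, first_run, schedule_minutes, interval_minutes, runs):
    """Run the collection `runs` times on a fixed schedule and list the threat objects each run
    picked up. Gaps appear when schedule > interval, duplicates when schedule < interval."""
    collected = []
    for i in range(runs):
        run_at = first_run + timedelta(minutes=schedule_minutes * i)
        collected.append([e["threat_object"] for e in collect(events, run_at, interval_minutes)])
    return collected


if __name__ == "__main__":
    now = parse_time("2024-05-01T10:05:00Z")
    for row in collect(SAMPLE_RISK_EVENTS, now, 5):
        print(to_custom_security_event(row))
    print("matched  :", simulate_schedule(SAMPLE_RISK_EVENTS, now, 5, 5, 2))
    print("gap      :", simulate_schedule(SAMPLE_RISK_EVENTS, now, 10, 5, 2))
    print("duplicate:", simulate_schedule(SAMPLE_RISK_EVENTS, now, 5, 10, 2))
```

With the schedule and the interval both at 5 minutes each event is collected exactly once; a 10-minute schedule against a 5-minute window never sees the 10:07:50 row, and a 5-minute schedule against a 10-minute window collects the 10:02:13 row twice, which is the duplicate-finding case the interval note in step 2 warns about.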
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Splunk Cloud
  • Cisco XDR
About
Author
Ivan Berlinson
Version
v1.1
Intent
Custom Security Event
Integration
Authorship
Community
Related workflows
Cisco Managed
This incident response workflow allows you to export a summary of an XDR incident to a Splunk Cloud index from a playbook or using an automation rule.
Community
This workflow runs a search query for an observable in Splunk Cloud via the Pivot Menu.
Community
This workflow enhances security management by automating the process of identifying and managing network security events using Splunk and Cisco XDR.
Community
This workflow searches for events in a Splunk Cloud instance and creates a new Cisco XDR incident (via private intelligence) or updates an existing one created by a workflow.
Community
This workflow searches for network detection events in a Splunk Cloud tenant based on a custom search query (see template) and ingests them into the XDR Data Analytics Platform as detection findings for incident generation.
Cisco Managed
This workflow exports XDR detection findings to Splunk Cloud every 5 minutes using a scheduled automation rule.