Details

This workflow exports XDR detection findings to Splunk Cloud every 5 minutes using a scheduled automation rule.

Description

This workflow exports XDR detection findings to Splunk Cloud every 5 minutes using a scheduled automation rule. More information about the XDR Query API and its schemas can be found here: https://developer.cisco.com/docs/cisco-xdr/exporting-xdr-detection-findings-exporting-xdr-detection-findings/

Targets: Automation APIs, Platform APIs, Query APIs, Splunk Cloud

Steps:

  • Check if a configuration was provided in the workflow
    • If not, fetch it from the Splunk Cloud integration
  • Calculate and format the necessary timestamps
  • For each page of findings:
    • Fetch this page of findings
    • For each finding returned, fetch its events and export them to Splunk
    • Check if there's a next page
      • If there isn't, end the loop
      • If there is, update the paging variables
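
The paging loop and time-window calculation from the steps above, as an added Python example that is not the workflow's own code: the XDR Query API and the Splunk Cloud target are replaced by injected callables over constructed in-memory data, and the `findings`, `next_page` and `id` keys, the `offset`/`limit` paging parameters and the timestamp format are assumptions rather than the documented schema.

```python
from datetime import datetime, timedelta, timezone

def window(now, minutes=5):
    """Return (start, end) of the export window as ISO 8601 UTC strings.
    The timestamp format is an assumption, not the XDR Query API's documented one."""
    end = now.astimezone(timezone.utc).replace(microsecond=0)
    start = end - timedelta(minutes=minutes)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return start.strftime(fmt), end.strftime(fmt)

def export_findings(fetch_page, fetch_events, export, start, end, page_size=2):
    """Paging loop from the workflow steps. The callables stand in for the
    XDR Query API and the Splunk target; the 'findings'/'next_page'/'id'
    keys and offset/limit paging are assumed names for illustration only."""
    offset = findings_seen = events_sent = 0
    while True:
        page = fetch_page(start, end, offset, page_size)
        for finding in page["findings"]:
            events = fetch_events(finding["id"])   # one events query per finding
            export(finding, events)                # one Splunk export per finding
            findings_seen += 1
            events_sent += len(events)
        # End the loop on the last page, or when a page claims more data but
        # returned nothing (guards against an endless loop on a misbehaving API).
        if not page.get("next_page") or not page["findings"]:
            break
        offset += page_size                        # advance the paging variables
    return findings_seen, events_sent

# Constructed sample data standing in for the XDR tenant: 5 findings, i+1 events each.
SAMPLE_FINDINGS = [{"id": f"f-{i}", "title": f"finding {i}"} for i in range(5)]
SAMPLE_EVENTS = {f["id"]: [{"finding": f["id"], "n": n} for n in range(i + 1)]
                 for i, f in enumerate(SAMPLE_FINDINGS)}

def fake_page(start, end, offset, limit):
    """Fake findings API: slices the sample list and reports whether more pages remain."""
    chunk = SAMPLE_FINDINGS[offset:offset + limit]
    return {"findings": chunk, "next_page": offset + limit < len(SAMPLE_FINDINGS)}

def run_demo():
    """Run the loop over the sample data; returns counts, export batches and the window."""
    batches = []
    start, end = window(datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc))
    seen, sent = export_findings(fake_page, SAMPLE_EVENTS.__getitem__,
                                 lambda f, ev: batches.append((f["id"], len(ev))),
                                 start, end)
    return seen, sent, batches, start, end
```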

Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Splunk Cloud
  • Cisco XDR

About

Author: Cisco
Version: v1.5
Authorship: Cisco Managed

Related workflows

  • Cisco Managed: This incident response workflow allows you to export a summary of an XDR incident to a Splunk Cloud index from a playbook or using an automation rule.
  • Community: This workflow runs a search query for an observable in Splunk Cloud via the Pivot Menu.
  • Community: This workflow enhances security management by automating the identification and management of network security events using Splunk and Cisco XDR.
  • Community: This workflow searches for events in a Splunk Cloud instance and creates a new Cisco XDR incident (via private intelligence) or updates an existing one created by a workflow.
  • Community: This workflow searches for network detection events in a Splunk Cloud tenant based on a custom search query (see template) and ingests them into the XDR Data Analytics Platform (detection findings) for incident generation.
  • Community: This workflow searches for events in the Splunk Cloud risk index (alerts) and ingests them into the XDR Data Analytics Platform (detection findings) for incident generation.