Details

This workflow exports XDR detection findings to Splunk Enterprise every 5 minutes using a schedule automation rule.

Description

This workflow exports XDR detection findings to Splunk Enterprise every 5 minutes using a schedule automation rule. More information about the XDR Query API and its schemas can be found here: https://developer.cisco.com/docs/cisco-xdr/exporting-xdr-detection-findings-exporting-xdr-detection-findings/

Targets: Automation APIs, Platform APIs, Query APIs, Splunk Enterprise

Steps:

  • Check if a configuration was provided in the workflow
    • If not, fetch it from the Splunk Enterprise integration
  • Calculate and format the necessary timestamps
  • For each page of findings:
    • Fetch this page of findings
    • For each finding returned, fetch its events and export them to Splunk
    • Check if there's a next page
      • If there isn't, end the loop
      • If there is, update the paging variables
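The steps above are the usual scheduled-export loop: compute a time window, page through findings, fan out to each finding's events, and stop when the API reports no further page. The block below is an added example written for this page, not Cisco's workflow code and not the Query API client. The response shape it pages over (`findings` plus `next_cursor`), the timestamp format it sends, and the injected `fetch_page`/`fetch_events`/`send` callables are assumptions standing in for the XDR and Splunk targets; the Splunk payload uses real HTTP Event Collector field names (`time`, `index`, `sourcetype`, `source`, `event`). It adds two checks a practitioner wants in a 5-minute scheduled job: a small window overlap with dedup on finding id so boundary findings are never missed, and a guard against a paging cursor that never advances.

```python
"""Paged export of XDR detection findings to Splunk (added example).

Assumptions (not from the page): the Query API returns {"findings": [...],
"next_cursor": str|None}, accepts "%Y-%m-%dT%H:%M:%SZ" timestamps, and every
finding carries a unique "id". fetch_page / fetch_events / send are hypothetical
callables that the workflow's XDR and Splunk Enterprise targets would back.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple

MAX_PAGES = 1000  # hard stop so a stuck cursor cannot spin the schedule forever


def compute_window(now: datetime, minutes: int = 5,
                   overlap_seconds: int = 30) -> Tuple[str, str]:
    """Return (start, end) UTC timestamps for the last `minutes` minutes.

    The window deliberately overlaps the previous run by `overlap_seconds`:
    a finding written at the boundary is seen twice rather than never, and
    iter_findings() dedupes on the finding id.
    """
    end = now.astimezone(timezone.utc)
    start = end - timedelta(minutes=minutes, seconds=overlap_seconds)
    fmt = "%Y-%m-%dT%H:%M:%SZ"  # assumed Query API timestamp format
    return start.strftime(fmt), end.strftime(fmt)


def iter_findings(fetch_page: Callable[[str, str, Optional[str]], Dict],
                  start: str, end: str) -> Iterator[Dict]:
    """Yield each unique finding across all pages for the window."""
    cursor: Optional[str] = None
    seen = set()
    for _ in range(MAX_PAGES):
        page = fetch_page(start, end, cursor)
        for finding in page.get("findings", []):
            if finding["id"] in seen:
                continue  # duplicate from the overlap or a repeated page
            seen.add(finding["id"])
            yield finding
        nxt = page.get("next_cursor")
        if not nxt or nxt == cursor:
            return  # no next page, or the API handed back the same cursor
        cursor = nxt  # update the paging variable and loop
    raise RuntimeError("exceeded MAX_PAGES while paging findings")


def to_hec_event(finding: Dict, event: Dict, index: str,
                 sourcetype: str = "cisco:xdr:finding") -> Dict:
    """Build one Splunk HEC payload; `time` is epoch seconds per HEC."""
    return {
        "time": event.get("time", finding["time"]),
        "index": index,
        "sourcetype": sourcetype,
        "source": "xdr-detection-findings",
        "event": {"finding_id": finding["id"],
                  "title": finding["title"], **event},
    }


def export_window(fetch_page, fetch_events: Callable[[str], List[Dict]],
                  send: Callable[[Dict], None],
                  start: str, end: str, index: str) -> int:
    """Run the full loop for one window; return the number of events sent."""
    sent = 0
    for finding in iter_findings(fetch_page, start, end):
        for ev in fetch_events(finding["id"]):  # events for this finding
            send(to_hec_event(finding, ev, index))
            sent += 1
    return sent


# ---- constructed offline stand-ins for the two targets -------------------
_PAGES = {  # page 2 repeats f2 to simulate the overlap / boundary case
    None: {"findings": [{"id": "f1", "title": "Beaconing", "time": 1700000000},
                        {"id": "f2", "title": "Port scan", "time": 1700000060}],
           "next_cursor": "p2"},
    "p2": {"findings": [{"id": "f2", "title": "Port scan", "time": 1700000060},
                        {"id": "f3", "title": "Brute force", "time": 1700000120}],
           "next_cursor": None},
}
_EVENTS = {"f1": [{"time": 1700000001, "src": "10.0.0.5"},
                  {"time": 1700000002, "src": "10.0.0.5"}],
           "f2": [{"time": 1700000061, "src": "10.0.0.9"}],
           "f3": []}


def demo() -> Tuple[int, List[Dict]]:
    """Drive export_window() with the constructed data; return (count, sent)."""
    sent: List[Dict] = []
    start, end = compute_window(datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc))
    n = export_window(lambda s, e, c: _PAGES[c], lambda fid: _EVENTS[fid],
                      sent.append, start, end, "xdr")
    return n, sent


if __name__ == "__main__":
    count, payloads = demo()
    print(count, [p["event"]["finding_id"] for p in payloads])
```

Each page is consumed before the next is requested, so memory stays bounded by one page plus the id set, and `export_window` returns the event count so the automation rule can record how much a run shipped.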
Required targets

This workflow requires the following targets to be available before it can be run.

Integration targets

  • Cisco XDR
  • Splunk Enterprise
About
Author
Cisco
Version
v1.3
Authorship
Cisco Managed
Related workflows

  • (Cisco Managed) This incident response workflow allows you to export a summary of an XDR incident to a Splunk Enterprise index from a playbook or using an automation rule.
  • (Community) This workflow searches for events in a Splunk Enterprise instance and creates a new Cisco XDR incident (via private intelligence) or updates an existing one created by a workflow.
  • (Community) This workflow searches for network detection events in a Splunk Enterprise tenant based on a custom search query (see template) and ingests them into the XDR Data Analytics Platform as detection findings for incident generation.