Configure a Splunk external application in Cortex XDR to forward cases and issues to a Splunk instance.
Add the IP addresses for your tenant region to your firewall allow list so that Cortex XDR can reach the Splunk instance. For the list of ingress IPs, refer to Enable access to required PANW resources.
Before you can forward cases or issues to Splunk, you must configure egress in the Cortex Gateway. Only a user with Account Admin or Instance Admin permissions can configure egress.
The egress entry is the FQDN (fully qualified domain name) of the Splunk instance alone, without the scheme, port, or path. For example, if the full HEC URL is https://splunk.mycompany.com:8088/services/collector, enter splunk.mycompany.com.
In the Cortex Gateway, go to → → .
Select the account name and tenant.
In the Flow field, select Splunk.
Enter the FQDN (fully qualified domain name) of the Splunk instance, for example splunk.mycompany.com. Do not include the http:// or https:// scheme, a port, or a path. Add the configuration.
Go to → → → → and select Splunk.
Enter the Splunk HTTP Event Collector (HEC) URL. The URL can include a port, but the connection must use HTTPS.
Click Verify. If egress has not been configured in the Cortex Gateway, verification will fail.
After verification is successful, enter the instance name and optional description.
Enter the HEC authentication token that grants Cortex XDR access to your Splunk instance.
Click Test to verify the connection, then click Connect.
Follow the instructions for Configure notification forwarding.
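The two settings the procedure above depends on are the egress FQDN (host only, entered in the Cortex Gateway) and the HEC URL plus token (entered in the external application). The following POSIX shell helpers are an added example, not code from the Cortex XDR documentation or from Palo Alto Networks: `hec_fqdn` derives the egress FQDN from a full HEC URL exactly as the Gateway expects it, and `hec_probe` checks the HEC endpoint over HTTPS with the token before you click Test. It assumes the HEC URL you enter is the collector base (`.../services/collector`, as in the example above) so that Splunk's `/health` and `/event` sub-paths can be appended, that `curl` is installed, and that the host you run it from can reach Splunk on the HEC port just as the Cortex tenant must. The environment variable names `HEC_URL` and `HEC_TOKEN` are this example's own.

```shell
#!/bin/sh
# Added example, not from the Cortex XDR docs: derive the Cortex Gateway egress
# FQDN from a Splunk HEC URL and probe the HEC endpoint over HTTPS with the token.
# Assumes the HEC URL is the collector base (https://host:port/services/collector).

# hec_fqdn URL: print the host name alone (no scheme, userinfo, port or path).
# This is the value to enter in the Cortex Gateway egress flow for Splunk.
hec_fqdn() {
    h="${1#*://}"      # drop the scheme, e.g. https://
    h="${h%%/*}"       # drop the path, e.g. /services/collector
    h="${h##*@}"       # drop userinfo (user:pw@), if present
    h="${h%%:*}"       # drop the port, e.g. :8088
    printf '%s\n' "$h"
}

# hec_is_https URL: succeed only for https:// URLs; Cortex XDR requires HTTPS.
hec_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# hec_probe URL TOKEN: GET the unauthenticated HEC health endpoint, then POST one
# test event with "Authorization: Splunk <token>". HTTP 200 on the POST means the
# URL, certificate and token will also pass the Test button in Cortex XDR.
hec_probe() {
    url="${1%/}"
    token="$2"
    hec_is_https "$url" || { echo "refusing non-HTTPS HEC URL: $url" >&2; return 1; }

    # Do not add -k/--insecure: if curl rejects the certificate, fix the Splunk
    # certificate chain rather than bypassing verification.
    health=$(curl -sS -o /dev/null -w '%{http_code}' "$url/health") || return 1
    echo "HEC health ($url/health): HTTP $health"

    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Splunk $token" \
        -H 'Content-Type: application/json' \
        --data '{"event":"cortex-xdr connectivity test","sourcetype":"_json"}' \
        "$url/event") || return 1
    echo "HEC event post ($url/event): HTTP $status"

    case "$status" in
        200)     echo "OK: HEC reachable over HTTPS and token accepted" ;;
        401|403) echo "token rejected: check the HEC token and that it is enabled" >&2; return 1 ;;
        *)       echo "unexpected response: check that HEC is enabled and the port is open" >&2; return 1 ;;
    esac
}

# Run the probe only when explicitly requested, so the helpers can be sourced
# offline. Example (hypothetical values):
#   HEC_URL=https://splunk.mycompany.com:8088/services/collector HEC_TOKEN=... sh hec_check.sh
if [ -n "${HEC_URL:-}" ]; then
    echo "egress FQDN for Cortex Gateway: $(hec_fqdn "$HEC_URL")"
    hec_probe "$HEC_URL" "${HEC_TOKEN:-}"
fi
```

The test event lands in the HEC token's default index, so run the probe against the index you intend to receive Cortex XDR cases. A 200 from `/health` but 401/403 from `/event` isolates the fault to the token; a TLS error from either call points at the certificate chain, which Cortex XDR will not be able to verify either.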