Splunk TA Add-On Installation - User Guide - 1.0 - Cortex XPANSE - Cortex - Security Operations

In the Splunk homepage, navigate to the app directory by clicking the Apps icon.

Click Browse more apps, and search for Expanse to find the Cortex Xpanse Expander add-on.

To install the Cortex Xpanse Expander add-on, click Install.

If the app is not viewable in the App store, you can download the Add-On by browsing to https://splunkbase.splunk.com/app/4622/ .

Once installed, click Go Home. The Cortex Xpanse Expander add-on is now ready to configure.

Once you’ve installed your add-on, find the navigation bar at the top of the screen, and select “Settings” → “Data” → “Data inputs” to access the Splunk Data Input Management page.

In the Data Input Management page, under Local inputs, select Expanse Expander → New to begin to configure your Cortex Xpanse Expander data as a Splunk data input.

The Cortex Xpanse Expander URL field automatically populates with the Cortex Xpanse Expander’s API endpoint URL. Specify your API token in the appropriate field.

(OPTIONAL) You can make the Cortex Xpanse Expander Add-on proxy aware by inputting an optional proxy server URL (proxy_url) and the path to a custom CA you trust, in PEM format (custom_ca_pem_path).

(OPTIONAL) You can configure your Cortex Xpanse Expander data input to refresh using a time window filter strategy (refresh_time_window_filter_days), refresh by limiting the number of results per API call (refresh_page_size), and use a custom data update interval (update_interval_hours ).

Click Next . Your Qadium Expander data is now set up as a Splunk data input.

In the homepage, click Search and Reporting to navigate to the Search page and begin querying.

Using Splunk data query practices, you can now access and query your Cortex Xpanse Expander data through Splunk.