Set up your Splunk Integration Instance

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Cortex XSOAR can ingest Splunk notable events, search results, and alerts in one of two ways:

  • Demisto Add-on for Splunk, from Splunkbase.

    The Demisto Add-on for Splunk runs inside the Splunk platform. It is installed on Splunk and establishes the connection from Splunk to Cortex XSOAR. You send an alert or event by selecting the Create Demisto Event alert action. Because alerts are pushed one at a time, every alert you send this way has to be configured individually, and each one needs matching configuration in Cortex XSOAR.

  • SplunkPy

    This tutorial uses the SplunkPy integration. It connects to Splunk's API port, so you control from Cortex XSOAR which events are ingested and do not need to touch Splunk for each new source; everything is configured when you map the fields in Cortex XSOAR.

    The SplunkPy integration enables you to run queries on Splunk, edit notable events, fetch results from Splunk, and parse raw events, as well as do the following:

    • Splunk Notable Event Queries

      In Cortex XSOAR, the query fetches notable events from Splunk Enterprise Security (ES). The integration uses the Splunk ES Notable macro, which leverages built-in Splunk ES capabilities that provide additional data with every notable fetched event.

    • Native enrichment

      You can enable enrichment for notable events when setting the integration instance parameters. Fetched notable events can then include the results of drilldown searches. Drilldown searches are defined by the Splunk user within the Splunk alerts; when they are configured, their results are returned as part of the Cortex XSOAR incident.

      Fetched incidents may also include data from the Splunk ES lookup tables for the assets and identities detected in the notable event. Because all of this arrives with the initial fetch, you do not need to run additional playbooks or commands to obtain it.

    • Mirroring

      With mirroring enabled (inbound, outbound, or both), selected fields are kept in sync between Splunk ES and Cortex XSOAR. Some fields, such as owner, are mirrored from Splunk to Cortex XSOAR; urgency and status can be mirrored in both directions. For example, if a Splunk user closes a notable event, the corresponding Cortex XSOAR incident is closed as well; conversely, closing an incident in Cortex XSOAR closes the notable event in Splunk.

      Mirroring from Cortex XSOAR to Splunk is available for version 6.2 and above.

      You can also update the status of a notable event in Splunk from Cortex XSOAR with the !splunk-notable-event-edit command, passing the notable ID in the eventIDs argument and the new value in the status argument.

      Possible status values are: 0 - Unassigned, 1 - Assigned, 2 - In Progress, 3 - Pending, 4 - Resolved, 5 - Closed.

    • Onboarding

      The Splunk content pack includes mappers that expose all relevant fields of the notable events, assets, identities, and drilldown events, so that this data is easily mapped into incident fields in Cortex XSOAR.

      In addition, the content pack contains the Splunk Generic playbook, which enables you to manage cases and alerts.

    • Searching

      You can search Splunk from Cortex XSOAR with the !splunk-search command, passing a query written in Splunk Search Processing Language (SPL) in the query argument.
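As an added example (not code from the tutorial or from the SplunkPy integration), the Python below composes the SPL that goes into the query argument of !splunk-search, or into a narrowed Fetch events query, from analyst-supplied filter values. It quotes every value as an SPL string literal so that a crafted value cannot close the literal and append pipeline commands, and it allow-lists field names because those cannot be quoted. The allow-list itself and the XSOAR CLI quoting convention in xsoar_search_command are assumptions of this example.

```python
"""Compose SPL for SplunkPy without letting filter values break the query.

Added example for this tutorial; not code from the page or from the SplunkPy
integration.  The allow-list of fields and the XSOAR CLI quoting rule below are
assumptions of the example.
"""
from typing import Dict, List

# Notable fields a fetch or search is commonly narrowed by (assumed allow-list).
# Field names cannot be quoted the way values can, so they are never taken
# verbatim from a caller.
ALLOWED_FIELDS = {"security_domain", "event_id", "urgency", "rule_name", "owner", "status"}


def spl_string(value: str) -> str:
    """Quote value as an SPL double-quoted string literal.

    Inside "..." SPL escapes a backslash and a double quote with a backslash,
    so those two characters are escaped before wrapping.  Line breaks are
    refused outright: no notable field value should contain one.
    """
    if "\n" in value or "\r" in value:
        raise ValueError("line breaks are not allowed in an SPL string literal")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_notable_query(filters: Dict[str, str]) -> str:
    """Return a `notable` macro search narrowed by exact-match field filters.

    The query starts from the same macro the integration's default Fetch events
    query relies on and appends one `where` clause per filter.  In `where` a
    double-quoted token is a string literal and a bare token is a field name,
    which is exactly the comparison wanted here.
    """
    clauses: List[str] = []
    for field, value in filters.items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"field {field!r} is not in the allow-list")
        clauses.append(f"{field}={spl_string(value)}")
    query = "search `notable`"
    if clauses:
        query += " | where " + " AND ".join(clauses)
    return query


def xsoar_search_command(query: str) -> str:
    """Wrap the SPL as a `!splunk-search` line for the Cortex XSOAR CLI.

    Assumption (not stated on the page): the CLI takes a double-quoted argument
    value in which inner double quotes and backslashes are backslash-escaped.
    """
    return '!splunk-search query="' + query.replace("\\", "\\\\").replace('"', '\\"') + '"'


if __name__ == "__main__":
    # Constructed inputs: an ordinary filter, then a value that tries to close
    # the literal and append a pipeline command.  The second stays a literal.
    print(build_notable_query({"security_domain": "network", "urgency": "high"}))
    print(build_notable_query({"security_domain": 'network" OR 1=1 | delete'}))
    print(xsoar_search_command(build_notable_query({"event_id": "ABC-1234"})))
```

The `where` clause is used rather than bare `search field=value` terms because its quoting semantics are unambiguous: a double-quoted token is always a string literal. If you narrow the Fetch events query in the instance settings instead, paste the output of build_notable_query there without the !splunk-search wrapper.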

To set up your SplunkPy integration you need to install the Splunk content pack from Marketplace.

Before you begin, ensure that you have your Splunk credentials.

  1. Install the Splunk content pack.

    1. Go to Marketplace.

    2. Search for Splunk.

    3. Click the content pack and click Install.

    4. Click Install again to confirm the installation.

  2. Configure the SplunkPy integration instance.

    Note

    For the purposes of this tutorial, use the default values for the parameters that are not mentioned in these steps. For information about all the parameters, see the SplunkPy integration documentation.

    Before you configure the instance:

    • Ensure you have your Splunk authentication details.

    • Define your email sender integration and the SIEM admin email address.

    1. Select Settings > Integrations > Instances and search for SplunkPy.

    2. Click Add Instance.

    3. Select Fetches incidents.

    4. Under Classifier, select N/A.

      You do not need to specify the classifier since all Splunk incidents are ingested as Splunk Notable Generic. As you become more familiar with Cortex XSOAR, you can create custom incident types as needed instead of using the Splunk Notable Generic incident type.

    5. Under Incident Type, select Splunk Notable Generic.

    6. Under Mapper (incoming), select Splunk - Notable Generic Incoming Mapper.

    7. Under Mapper (outgoing), select Splunk - Notable Generic Outgoing Mapper.

    8. Enter the Host - IP, Username, Password, and Port. Use a dedicated Splunk service account for the integration rather than an analyst's personal login, so that its permissions can be limited to what fetching and editing notable events requires.

      Tip

      Use the default Fetch events query, since Cortex XSOAR uses the Notable macro when ingesting events. If you need a narrower fetch, add conditions to that query, such as a specific security domain or event ID.

    9. (Optional) Set up mirroring between Splunk and Cortex XSOAR. Mirroring from Cortex XSOAR to Splunk is available for version 6.2 and above.

      For this tutorial, set the following mirroring parameters. For more information on incident mirroring with Splunk, see the SplunkPy integration documentation.

      1. In the Incident Mirroring Direction field, select Incoming and Outgoing.

      2. Set the Timezone of the Splunk server, in minutes parameter. For example, if the Splunk server runs on GMT+3, set the value to +180; for UTC, set it to 0. Set this only if the Splunk server's time zone differs from the Cortex XSOAR server's. It is relevant only for fetching and mirroring notable events.

      3. Select Close Mirrored XSOAR Incident and Close Mirrored Splunk Notable Event, so when closing in one environment, it closes in the other.

    10. In the Enrichment Types field, select any of Asset, Drilldown, and Identity.

      This enrichment provides additional information about assets, drilldown, and identities that are related to the notable events you ingest.

    11. Click Test and then Save & exit.

  3. Go to the Incidents page and verify that incidents are being ingested.

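To close the procedure, here is an added Python pre-flight check (not code from the page or from the SplunkPy integration) that models the instance parameters from steps 3 to 10 as a dictionary keyed by the form labels and flags the combinations that cause a failed Test or silently broken mirroring: outgoing mirroring on a Cortex XSOAR release older than 6.2, a timezone entered in hours instead of minutes, a close-mirroring flag set without the mirroring direction it depends on, and an unknown enrichment type. The utc_offset_minutes helper turns the GMT+3 of step 9 into the +180 the form expects. The management port 8089, the 15-minute granularity check, the closing-flag dependencies and the host name are the example's own assumptions.

```python
"""Pre-flight check for the SplunkPy instance parameters used in this tutorial.

Added example; not code from the page or from the SplunkPy integration.  Keys are
the labels of the instance form as the tutorial gives them.  The rules encode what
the tutorial states (6.2 for outgoing mirroring, timezone in minutes, the three
enrichment types); the port default, the 15-minute offset granularity and the
closing-flag dependencies are this example's own assumptions.
"""
from typing import Dict, List, Tuple

ENRICHMENT_TYPES = {"Asset", "Drilldown", "Identity"}
MIRROR_DIRECTIONS = {"None", "Incoming", "Outgoing", "Incoming and Outgoing"}
SPLUNK_MGMT_PORT = 8089  # splunkd's default management (REST API) port


def utc_offset_minutes(offset: str) -> int:
    """Convert a UTC offset written as '+03:00', '-0530', '+3' or 'UTC' into the value
    the 'Timezone of the Splunk server, in minutes' parameter expects (180, -330, 180, 0)."""
    s = offset.strip().upper()
    if s in ("UTC", "GMT", "Z", "0"):
        return 0
    if s[0] not in "+-":
        raise ValueError(f"offset must start with + or -: {offset!r}")
    sign = 1 if s[0] == "+" else -1
    digits = s[1:].replace(":", "")
    if len(digits) == 1:
        digits = "0" + digits
    if not digits.isdigit() or len(digits) not in (2, 4):
        raise ValueError(f"offset must look like +HH, +HH:MM or +HHMM: {offset!r}")
    hours, minutes = int(digits[:2]), int(digits[2:] or 0)
    if hours > 14 or minutes > 59:
        raise ValueError(f"offset out of range: {offset!r}")
    return sign * (hours * 60 + minutes)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'6.2.0' -> (6, 2, 0) so Cortex XSOAR versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def validate_instance(params: Dict[str, object], xsoar_version: str) -> List[str]:
    """Return the problems found in params; an empty list means they are consistent."""
    problems: List[str] = []
    if not params.get("Host - IP"):
        problems.append("Host - IP is required")
    port = params.get("Port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"Port must be a TCP port; Splunk's management API listens on {SPLUNK_MGMT_PORT} by default")

    direction = params.get("Incident Mirroring Direction", "None")
    if direction not in MIRROR_DIRECTIONS:
        problems.append(f"unknown mirroring direction {direction!r}")
    incoming = direction in ("Incoming", "Incoming and Outgoing")
    outgoing = direction in ("Outgoing", "Incoming and Outgoing")
    if outgoing and version_tuple(xsoar_version) < (6, 2):
        problems.append("mirroring from Cortex XSOAR to Splunk requires Cortex XSOAR 6.2 or later")
    if (incoming or outgoing) and not params.get("Fetches incidents"):
        problems.append("mirroring works on fetched incidents; select Fetches incidents")
    if params.get("Close Mirrored XSOAR Incident") and not incoming:
        problems.append("Close Mirrored XSOAR Incident needs Incoming mirroring to receive the Splunk close")
    if params.get("Close Mirrored Splunk Notable Event") and not outgoing:
        problems.append("Close Mirrored Splunk Notable Event needs Outgoing mirroring to send the close")

    tz = params.get("Timezone of the Splunk server, in minutes", 0)
    if not isinstance(tz, int) or abs(tz) > 14 * 60:
        problems.append("Timezone must be an integer number of minutes between -840 and +840")
    elif tz % 15 != 0:
        problems.append(f"Timezone {tz} is not a multiple of 15 minutes; hours entered instead of minutes?")

    unknown = set(params.get("Enrichment Types", ())) - ENRICHMENT_TYPES
    if unknown:
        problems.append(f"unknown Enrichment Types: {sorted(unknown)}")
    return problems


# Constructed parameters following the tutorial's steps (the host name is made up).
TUTORIAL_PARAMS: Dict[str, object] = {
    "Fetches incidents": True,
    "Classifier": "N/A",
    "Incident Type": "Splunk Notable Generic",
    "Mapper (incoming)": "Splunk - Notable Generic Incoming Mapper",
    "Mapper (outgoing)": "Splunk - Notable Generic Outgoing Mapper",
    "Host - IP": "splunk-es.example.internal",
    "Port": SPLUNK_MGMT_PORT,
    "Incident Mirroring Direction": "Incoming and Outgoing",
    "Timezone of the Splunk server, in minutes": utc_offset_minutes("+03:00"),
    "Close Mirrored XSOAR Incident": True,
    "Close Mirrored Splunk Notable Event": True,
    "Enrichment Types": ["Asset", "Drilldown", "Identity"],
}

if __name__ == "__main__":
    print(validate_instance(TUTORIAL_PARAMS, "6.5"))
    broken = dict(TUTORIAL_PARAMS, **{"Timezone of the Splunk server, in minutes": 3})
    for problem in validate_instance(broken, "6.1"):
        print("-", problem)
```

Run it before filling in the form; the second call shows the two findings a GMT+3 server mis-entered as 3 on a 6.1 instance would produce. The 15-minute rule works because every current UTC offset is a whole multiple of 15 minutes, so a small non-multiple value almost always means hours were typed where minutes were expected.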