Cisco Security and Splunk SIEM

How Splunk SIEM and Cisco Security work together

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company with over 7,500 employees; its employees (Splunkers) have received over 1,020 patents to date, and the platform is available in 21 regions around the world. Splunk offers an open, extensible data platform that supports shared data across any environment, so that every team in an organization gets end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Product Integrations

  • Cyber Vision: Pull information on your industrial assets, their vulnerabilities, activities and security events from Cisco Cyber Vision and send it to Splunk using the OT Add-On available on Splunkbase.
  • ISE: Combining Splunk software with Cisco Identity Services Engine (ISE) provides analysts with the context they need to quickly assess and respond to network and security events in Cisco network environments.
  • Secure Endpoint: The Cisco Security Endpoint Events Input provides a mechanism to create, update, and delete event streams in Cisco Security Endpoint. Events are indexed for searching in Splunk. Splunk SOAR (Phantom) supported actions for Cisco Security Endpoint:
    • Test connectivity: validate the asset configuration by connecting and retrieving the API version.
    • List endpoints: list all of the endpoints connected to Cisco.
    • Hunt file: search for a file matching a SHA256 hash across all endpoints.
    • Hunt IP: search for a given IP address.
    • Hunt URL: search for a given URL.
    • Get device info: get information about a device given its connector GUID.
  • Secure Malware Analytics: The Malware Analytics App for Splunk lets the user visualize the TG intelligence for their organization within Splunk's dashboard:
    • Samples submitted
    • Top domains being looked up
    • Top IP addresses
    • Top behaviors
    • Submissions with a Threat Score of 95 or higher
    Splunk SOAR (Phantom) supported actions for Malware Analytics:
    • Detonate file: run the file in the Malware Analytics sandbox and retrieve the analysis results.
    • Get report: query for the results of completed tasks in Malware Analytics.
    • Detonate URL: load the URL in Malware Analytics and retrieve the results.
  • Secure Firewall: Firepower can send all security event logs in their entirety to Splunk, either through an eStreamer client available on Splunkbase or via syslog directly from the FTD devices. Splunk users can also install a powerful Firepower app to view key information about threats, high-priority events, and indications of compromise (IoCs).
  • Secure Firewall ASA: Splunk supports ASA’s syslog event data.
  • Secure Network Analytics: SNA has two integrations: a custom dashboard app with alerts, delivered as a professional service, and generic delivery of SNA alerts to Splunk via syslog or webhook.
  • SecureX Threat Response: The Cisco SecureX Threat Response add-on for Splunk provides a custom search command that lets users query Threat Response for targets and verdicts of observables from within a Splunk instance. The Phantom Threat Response plug-in lets a user, or an automated playbook/action, initiate a query to Threat Response for verdicts or sightings of an observable and render the results in a table. Cisco Endpoint Security Analytics (CESA) delivers Cisco AnyConnect endpoint data to prebuilt Splunk analytics and dashboards; this add-on enables SecureX Threat Response investigations to access telemetry generated by the AnyConnect Network Visibility Module. Supported observable types include IPv4 addresses, IPv6 addresses, domains, file names and SHA256 file hashes. The Splunk module for SecureX enables an investigator to collect sightings from many data sources by using the Splunk CIM as a translation layer between data models. The user starts an investigation in the SecureX Threat Response UI, or queries the API via the SecureX ribbon; Splunk acts as a module for Threat Response, allowing it to serve as a data source for log files.