Splunk
2025.07.28
Overview
As organizations face growing complexity in identity management, Cisco Identity Intelligence provides a centralized platform to detect, monitor, and gain actionable insights into identity-based threats. By correlating identity data and leveraging AI-powered Identity Threat Detection and Response (ITDR) and Security Posture Management, it offers deep visibility into user behaviors and risks, enabling security teams to mitigate threats proactively. To channel these critical insights directly into your security operations workflow, the Cisco Security Cloud application for Splunk offers a seamless integration engineered for reliability and actionability. It provides comprehensive event logging with assigned severity levels to help teams prioritize efforts, and crucially, it pinpoints the specific user information for each failed security check, delivering the granular, context-rich data needed to maintain operational integrity and accelerate response.
Why Is This Integration Useful for You?
Integrating Cisco Identity Intelligence with Splunk empowers your security operations by centralizing critical identity context within your primary analysis platform. This provides two key benefits:
Deeper User Insights: By sending identity intelligence detections and events to Splunk, your security teams can correlate this data with other sources (e.g., firewall logs, endpoint data). This enables deeper analysis and helps you detect, investigate, and respond to sophisticated threats more effectively.
Faster Incident Response: Centralizing identity data in Splunk allows you to leverage its powerful search capabilities and automate workflows. This accelerates investigations, reduces manual effort, and shortens the time from detection to remediation.
Prerequisites
Before you begin, please ensure you have the following:
Administrative access to your Cisco Identity Intelligence
Administrative access to your Splunk Enterprise or Splunk Cloud (Cisco Security Cloud app version 3.0.0 or later; Splunk Enterprise and Splunk Cloud versions 9.4, 9.3, 9.2, or 9.1)
The Cisco Security Cloud application installed from Splunkbase
Appropriate permissions to configure a Splunk HTTP Event Collector (HEC) or manage AWS S3 buckets and Splunk data inputs
Configuration Methods
There are two primary methods to forward data from Cisco Identity Intelligence to Splunk: a webhook that posts events to a Splunk HTTP Event Collector (HEC), or an AWS S3 bucket that Splunk reads through a data input. Choose the method that best fits your operational needs and infrastructure.
Test Connectivity Between Splunk and Cisco Identity Intelligence
In Splunk:
Verify Test Application in Splunk:
Navigate to Splunk and ensure the test application (test_splunk_demo) is listed in the My Apps table.
Go to App Analytics and select the Cisco Identity Intelligence Dashboard from the list of available dashboards.
Check the Dashboard Data:
If this is your first time using the dashboard, it is expected that no data will be displayed.
If there is existing data, you can filter it by index, provided you used a dedicated index during the setup process.
In Cisco Identity Intelligence (CII):
Go to Cisco Identity Intelligence and navigate to the Integrations section.
Under the Notifications Targets table, locate the integration entry:
If you are using Webhook, search for the input named test_splunk_demo.
If you are using AWS S3, search for the input named s3-splunk-cii-demo-set-up (or s3-<name of your AWS bucket>).
Click on the three dots (menu icon) next to the integration entry.
Select Test Connectivity from the menu options.
A popup will appear in the lower left of the screen indicating the status Success.

View the Test Event in Splunk
Go back to the Cisco Identity Intelligence Dashboard in Splunk.
Look for the test event that was generated during the connectivity test.
Upon successful integration, the test event should be visible within the dashboard.
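When the Test Connectivity button reports Success but nothing appears in the dashboard, it helps to check the Splunk side of a webhook (HEC) integration by hand. The following is an added Python example, not part of the Cisco documentation or the Cisco Security Cloud app: it wraps a constructed sample event in the HEC envelope, posts it to the collector endpoint, and classifies the JSON acknowledgement HEC returns (code 0 is the only success; codes such as invalid token or incorrect index explain why an event never reaches the index the dashboard filters on). The HEC URL, token, index name and sourcetype are placeholders you must replace.

```python
"""Manual HEC connectivity check for a Cisco Identity Intelligence -> Splunk webhook.

Added example; not part of the Cisco documentation or the Cisco Security Cloud app.
The HEC URL, token, index name, sourcetype and the sample event are placeholders
or constructed values and must be replaced with your own.
"""
import json
import urllib.error
import urllib.request
from typing import Optional

# HEC acknowledgement codes as published by Splunk; 0 is the only success code.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    8: "Internal server error",
    9: "Server is busy",
}


def make_hec_event(index: str, sourcetype: str, event: dict,
                   host: Optional[str] = None,
                   source: str = "cisco:identity-intelligence") -> dict:
    """Wrap an event in the envelope expected by HEC's /services/collector/event.

    Setting the index in the envelope is what lets you filter the dashboard by
    the dedicated index chosen during setup.
    """
    envelope = {"index": index, "sourcetype": sourcetype,
                "source": source, "event": event}
    if host:
        envelope["host"] = host
    return envelope


def parse_hec_ack(body: str) -> tuple:
    """Parse the JSON acknowledgement HEC returns.

    Returns (ok, code, message); ok is True only for code 0. Non-JSON or
    malformed bodies (e.g. a proxy error page) are reported as failures.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return (False, None, "non-JSON response: " + body[:80])
    if not isinstance(data, dict):
        return (False, None, "unexpected response shape")
    code = data.get("code")
    message = data.get("text") or HEC_CODES.get(code, "unknown code")
    return (code == 0, code, message)


def send_hec_event(hec_url: str, token: str, envelope: dict,
                   timeout: float = 10.0) -> tuple:
    """POST one event to HEC and return the parsed acknowledgement.

    Network call; only invoked from the __main__ block below.
    """
    req = urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(envelope).encode(),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_hec_ack(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # HEC answers 4xx with a JSON body (e.g. code 4 for a bad token); surface it.
        return parse_hec_ack(exc.read().decode())


if __name__ == "__main__":
    # Constructed sample shaped like a connectivity-test event; replace the placeholders.
    sample = make_hec_event(
        index="cii_test",  # assumed: the dedicated index chosen during setup
        sourcetype="cisco:identity:intelligence:test",  # assumed sourcetype
        event={"type": "connectivity_test", "integration": "test_splunk_demo"},
    )
    ok, code, msg = send_hec_event("https://SPLUNK_HOST:8088",
                                   "REPLACE_WITH_HEC_TOKEN", sample)
    print("HEC ack:", "OK" if ok else "FAILED", code, msg)
```

If the acknowledgement is code 0 but the dashboard still shows nothing, connectivity is fine and the index or sourcetype the dashboard filters on is the next thing to compare against what the envelope carried.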
