ForwardAuditLogsToSplunkHEC v1.0.0

This pack allows you to setup a job to forward audit logs from XSOAR to Splunk HEC. This requires a Core REST API instance and Splunk Py instance.

Author:
Prasoon Agnihotri
Support:
community
URL:
https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/bd-p/Cortex_XSOAR_Discussions
agentixcloudcloud_runtime_securitycloud_posturexsiamEDR
Utilities

README

Forward Audit Logs To Splunk Pack

Note: This is a beta pack, which lets you implement and test pre-release software. Since the pack is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve

This content pack facilitates the seamless forwarding of Cortex XSOAR audit logs to Splunk. By leveraging a specialized playbook and automation, it ensures your security telemetry is centralized for long-term retention and analysis.

How it Works

The solution utilizes an automation to extract audit logs and transmit them to the Splunk HTTP Event Collector (HEC). To maintain data integrity and prevent redundancy, the automation references an XSOAR List to track the log offset, ensuring each entry is forwarded only once.

Required Configurations

To deploy this workflow, the playbook requires the following three inputs:

  • AuditLogCountList: The name of the XSOAR List created to store the log offset.
  • CoreRestInstanceName: The name of the Core REST API instance configured within your tenant.
  • SplunkInstanceName: The name of the Splunk integration instance configured for log ingestion.

Configure the playbook as a recurring job.

Playbook

Setup Account