Can someone help me with the below queries?
We are in process of integrating splunk with XSOAR.
It’s a cloud service and can be accessed via SplunkCloud and SplunkEnterpriseSecuritySuite.
It should be integrated via SplunkCloud or SplunkEnterpriseSecuritySuite?
What changes/configuration is needed at Splunk end to enable the integration.
Thanks in advance
My understanding is that Splunk Cloud is the base installation (SaaS version) and Enterprise Security is an app that sits on top of the base installation.
The Splunk integration is by default configured to fetch "notable" events which are a kind of event that is defined by the ES app, but the actual API that does the query used for fetching is a feature of the base Splunk and not ES.
The Splunk integration has a lot of additional features (KV lookups, Mirroring, enrichment) that you can find described here: https://xsoar.pan.dev/docs/reference/integrations/splunk-py#splunk-enterprise-security-users but for basic incident fetching all you need is the ability to execute queries against your Splunk cloud.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!