Getting Started with Cisco Apps

The Splunk Add-on for Cisco ASA allows a Splunk software administrator to map Cisco ASA devices events to the Splunk CIM. You can then use the data with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance. The Splunk Add-on for Cisco ASA 5.2.0 introduces the following field changes. 1. Improved performance of the search-time mapping of "src" field 2. Support the latest version of Cisco ASA v9.20(2) 3. Support the newest version of CIM v5.3.2 4. Introduced a built-in dashboard to give insights of the Add-On: -Add-on version installed -Total number of Cisco ASA events ingested in Splunk -Time-series graph of the Cisco ASA events ingested in Splunk -Number of events ingested in respective of index and source -Top 10 message IDs -Trends of events by index -CIM supported events

The Splunk Add-on for Cisco WSA allows a Splunk software administrator to collect access and L4TM log data from Cisco Web Security Appliances (WSA) (formerly known as IronPort AsyncOS for Web). You can analyze these logs directly or use them as a contextual data source to correlate with other communication and authentication data in the Splunk platform. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

The Splunk Add-on for Cisco ESA allows the Splunk software administrator to leverage Textmail, HTTP, Consolidated Event Logs, AMP, Delivery, Bounce, and Authentication logs of Cisco ESA. You can use the Splunk platform to analyze these logs directly or use them as a contextual data source to correlate with other communication and authentication data in the Splunk platform. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk platform apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

DEPRECATION NOTICE: This Duo Splunk Connector will be deprecated 1-May-2025. Please update to the "Cisco Security Cloud" application on Splunkbase before this date (https://splunkbase.splunk.com/app/7404). Duo Splunk Connector allows administrators to easily import their Duo logs into their Splunk environment. Once configured, the connector automatically pulls in the following Duo logs for the last 7 days: Activity Logs Administrator Logs Authentication Logs (v1 and v2) Telephony Logs (v1 and v2) Endpoint Logs Trust Monitor Logs The connector comes populated with default dashboards for the above logs. Administrators can create new dashboards or manipulate the existing dashboards.

The Cisco Secure Endpoint Events App (formerly AMP for endpoints) provides a mechanism to create, update, and delete event streams in Cisco Advanced Malware Protection (AMP) for Endpoints via the API and index them in your Splunk® instance to make them searchable. All you need to do is provide your API host and credentials from your AMP for Endpoints account and specify the stream parameters. This app has been tested on Splunk v8.x, v9.0 and is cloud ready.

****Updates July 15th, 2024*** The current Cisco Secure Firewall app is EOL, and has been replaced by the Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404 The Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404 -- provides eStreamer SDK integration which will provide fully qualified event support for IDS, Malware, Connection and IDS Packet. The app is a hybrid TA/App combination that will enable support for connection and management to API and Host endpoints while also provided rich analytics to compliment SOC and monitoring use cases. ************************************ Cisco Secure Firewall App for Splunk presents critical security information from Threat Defense Manager (f.k.a. Firepower Management Center (FMC)) helping analysts focus on high priority security events. The app provides a number of dashboards and tables geared towards making Firepower event analysis productive in the familiar Spunk environment. It is an alternative user interface for some, and a complementary interface for others. Cisco is committed to continuously improving this app based on your direct feedback. Major Features Include - Threat Summary Dashboard - Advanced Impact Event analysis with directionality - Network Event data dashboard with IoCs and Firewall Rule usage (Allow/Block) - Context Explorer with Geo-location Map - Link back from Malware hash to FMC for File Trajectory - Link Back to FMC for Host Profile - Filters for CIDR Blocks and Allow/Block Rule actions TELL US WHAT WILL MAKE THIS APP BETTER FOR YOU! We want your feedback and any feature requests. Please email fp-4-splunk@cisco.com with any requests.

The Splunk Add-on for Cisco Meraki provides comprehensive network observability and security monitoring across your Meraki organizations. This add-on collects rich data via Cisco Meraki REST APIs and webhooks to deliver insights into network performance, security, and device health. Sample visualizations are also provided to help explore the data and create custom dashboards. The add-on provides Common Information Model (CIM) compatible knowledge to integrate with other Splunk solutions, including Splunk Enterprise Security and Splunk App for PCI Compliance. Data collection can be customized through scheduled API polling and real-time webhooks to match your monitoring requirements. Security & Event Monitoring: • Organization-wide security event tracking • Air Marshal wireless threat detection • Network device logging and audit trails • Rapid network alerts via webhooks Infrastructure & Performance Insights: • Device availability and uptime monitoring • Wireless and switching performance metrics • Ethernet status and packet loss analytics • Environmental sensor data tracking • Top device rankings by usage and utilization • Energy consumption monitoring for switches Network Operations: • Configuration change tracking • SD-WAN and VPN performance monitoring • Cellular gateway uplink status • API usage analytics and optimization • License and firmware auditing Supported Cisco Meraki Devices: • Access Points • Security Appliances • Switches • Cameras • Environmental Sensors • Cellular Gateways

This app allows management of a domain list on the Cisco Umbrella Security platform

This is the OFFICIAL Cisco Secure Network Analytics (SNA) Splunk Application. It provides a rich set of Splunk dashboards designed to interact with SNA and facilitate a workflow for incident response and investigation. Most of the queries in the dashboards leverage the SNA API and present the data on-demand. Because of this approach to fetching data, this app will not impact your Splunk license usage limits.

****Updates July 15th, 2024*** The current Cisco Secure Malware Analytics app is going EOL, limited support will be provided for the current implementation, please use the latest app, the Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404. ************************************ The Secure Malware Analytics App combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. With a robust, context-rich malware knowledge base, you will understand what malware is doing, or attempting to do, how large a threat it poses, and how to defend against it.

The Cisco Networks Add-on for Splunk Enterprise (TA-cisco_ios) sets the correct sourcetype and fields used for identifying data from Cisco Switches & Routers (Cisco IOS, IOS XE, IOS XR and NX-OS devices), WLAN Controllers and Access Points, using Splunk® Enterprise & Splunk® Cloud. Install this Add-On on your search head and indexers/heavy forwarders. Install the Cisco Networks (cisco_ios) App on your search head. Supported Cisco Devices: * Any Cisco Catalyst switch or router. Specific examples below: * Cisco Catalyst series switches (1000, 1200, 1300, 2960, 3650, 3750, 4500, 6500, 6800, 7600, 9000 etc.) * Cisco ASR - Aggregation Services Routers (900, 1000, 5000, 9000 etc.) * Cisco ISR - Integrated Services Routers (800, 1900, 2900, 3900, 4451 etc.) * Cisco Nexus Data Center switches (1000V, 2000, 3000, 4000, 5000, 6000, 7000, 9000 etc.) * Cisco Carrier Routing System * Other Cisco IOS based devices (Metro Ethernet, Industrial Ethernet, Blade Switches, Connected Grid etc.) * Cisco Access Points * Cisco WLC - WLAN Controller

The Splunk Add-on for Cisco ASA allows a Splunk software administrator to map Cisco ASA devices events to the Splunk CIM. You can then use the data with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance. The Splunk Add-on for Cisco ASA 5.2.0 introduces the following field changes. 1. Improved performance of the search-time mapping of "src" field 2. Support the latest version of Cisco ASA v9.20(2) 3. Support the newest version of CIM v5.3.2 4. Introduced a built-in dashboard to give insights of the Add-On: -Add-on version installed -Total number of Cisco ASA events ingested in Splunk -Time-series graph of the Cisco ASA events ingested in Splunk -Number of events ingested in respective of index and source -Top 10 message IDs -Trends of events by index -CIM supported events

The Splunk Add-on for Cisco WSA allows a Splunk software administrator to collect access and L4TM log data from Cisco Web Security Appliances (WSA) (formerly known as IronPort AsyncOS for Web). You can analyze these logs directly or use them as a contextual data source to correlate with other communication and authentication data in the Splunk platform. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

The Splunk Add-on for Cisco ESA allows the Splunk software administrator to leverage Textmail, HTTP, Consolidated Event Logs, AMP, Delivery, Bounce, and Authentication logs of Cisco ESA. You can use the Splunk platform to analyze these logs directly or use them as a contextual data source to correlate with other communication and authentication data in the Splunk platform. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk platform apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

The Splunk Add-on for Cisco ISE allows a Splunk software administrator to collect Cisco Identity Service Engine (ISE) syslog data. You can use the Splunk platform to analyze these logs directly or use them as a contextual data source to correlate with other communication and authentication data in the Splunk platform. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

This integration is deprecated. Please migrate to the Cisco DC Networking Application available at https://splunkbase.splunk.com/app/7777 This technology add-on collects data from Nexus 9k (standalone mode) to be used by the "Cisco Nexus 9k App for Splunk Enterprise ". Please ask questions by creating a TAC case on https://globalcontacts.cloudapps.cisco.com/contacts/contactDetails/en_US/c1o1-c2o2-c3o8 OR contact us at 1 800 553 2447 or 1 408 526 7209

The Splunk Add-on for Cisco UCS allows a Splunk software administrator to collect UCS fault, inventory, and performance data from Cisco UCS servers using the UCS API. This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk Enterprise apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

The Splunk Add-on for AppDynamics enables you to configure data inputs to collect and correlate data from Splunk AppDynamics REST APIs. Splunk AppDynamics is an application performance monitoring platform for hybrid and on-premises applications. The add-on provides modular inputs to collect data on application performance, business transaction performance, infrastructure performance, and health rule violations from Splunk AppDynamics. Use the add-on to correlate Splunk AppDynamics data with your other machine data (such as logs, wire data, server data, and infrastructure data) in the Splunk platform. The add-on also provides dashboards to monitor and troubleshoot add-on performance. The Splunk Add-on for AppDynamics contains seven input types: High Level Status Database Metrics Hardware Metrics Analytics Search Secure Application Data Events Data Custom Metrics Application BT Snapshots Controller Audit Records Controller License Usage

Cisco WebEx Meetings Add-on for Splunk uses Cisco's WebEx Meetings XML API to fetch data and ingest it into Splunk. The Add-on supports retrieving data from multiple API endpoints for Cisco WebEx meetings. This TA is deprecated and new version is available here, https://github.com/splunk/ta_cisco_webex_add_on_for_splunk You can download the packaged version under the releases https://github.com/splunk/ta_cisco_webex_add_on_for_splunk/releases

The Splunk Add-on for Cisco Meraki provides comprehensive network observability and security monitoring across your Meraki organizations. This add-on collects rich data via Cisco Meraki REST APIs and webhooks to deliver insights into network performance, security, and device health. Sample visualizations are also provided to help explore the data and create custom dashboards. The add-on provides Common Information Model (CIM) compatible knowledge to integrate with other Splunk solutions, including Splunk Enterprise Security and Splunk App for PCI Compliance. Data collection can be customized through scheduled API polling and real-time webhooks to match your monitoring requirements. Security & Event Monitoring: • Organization-wide security event tracking • Air Marshal wireless threat detection • Network device logging and audit trails • Rapid network alerts via webhooks Infrastructure & Performance Insights: • Device availability and uptime monitoring • Wireless and switching performance metrics • Ethernet status and packet loss analytics • Environmental sensor data tracking • Top device rankings by usage and utilization • Energy consumption monitoring for switches Network Operations: • Configuration change tracking • SD-WAN and VPN performance monitoring • Cellular gateway uplink status • API usage analytics and optimization • License and firmware auditing Supported Cisco Meraki Devices: • Access Points • Security Appliances • Switches • Cameras • Environmental Sensors • Cellular Gateways

This app integrates with Cisco Webex to implement investigative and genric actions

Cisco SD-WAN Add-on for Splunk Collects different types of Cisco Security logs and Netflow Data and stores them into Splunk indexes. The Add-on expects to receive Syslog Records, Netflow Records and Unified Logging

The Cisco DNA Center Add-on for Splunk allows a Splunk® Enterprise administrator to collect data from Cisco DNA Center APIs.

The ThousandEyes App For Splunk enables organizations to collect and analyze CEA (Cloud and Enterprise Agent) and Endpoint test results data, Event and Activity logs. Integrated with Splunk, it provides visibility into the health and performance of IT systems, applications, and network endpoints. The App also offers pre-built dashboards for easy analysis. This helps operational teams monitor performance, troubleshoot issues, and optimize both infrastructure and end-user experiences.