Hi everyone! Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel - request access here) :

Q1:What is the best pattern for syslog data from Cisco devices?

• Splunk Technical Add-Ons
• Creating new sourcetypes/field extractions
• Documentation:
  • Custom: Create Sourcetypes in Splunk
  • Create Field Extractions in Splunk
  • Pre-Configured: Configure Inputs - Splunk Add-On For Cisco ASA

Q2: What is the best way to send data from Cisco switches/firewalls to Splunk?

• Rsyslog or Syslog NG combined with a Splunk forwarder
• Splunk Connect for Syslog (SC4S)
• Edge Processor with syslog
• Documentation: Splunk Validated Architecture for syslog data collection

Q3: How can I view and analyze incidents within Splunk ES using Cisco XDR as a data source? 

• Cisco Security Cloud Splunkbase App
• Cisco Cloud Security Add-on for Splunk
• Splunk Enterprise Security
• Additional resources:
  • Cisco Cloud Security Add-on for Splunk
  • Cisco Security Cloud Splunkbase App

Other Questions (check the #office-hours Slack channel for responses):

• Best practice for integration with Cisco products like FMC, FTD, AMP and Umbrella.
• How to manage log ingestion made by fluent like we do with splunk universal forwarder and props
• How will Splunk improve other Cisco security investments?
• I have on-prem Enterprise 9.2. What are some ways to surface issues that should be checked by a network engineer?  Is there a way to surface data based on a delta from a baseline?  For example, if our network globally has some baseline amount of logs of type A, is there a way to alert when the amount of logs of that type change by +10% in a given time period?
• How can I correlate what’s happening with my servers with what’s happening on my network?
• Example of typical XDR alerts and how they show up in ES.  What other sources of data would correlate with these alerts?
• OSINT / Threat intelligence ingestion
• Dashboards for Cisco