Cisco IOS
IOS is Cisco's network operating system, running mainly on its switches and routers. IOS log data describes the operational state of the device and the network functions it serves.
This data is used for troubleshooting Cisco devices running IOS. It can confirm the configuration settings that influence the functionality the device is expected to deliver, such as mismatched duplex settings, port up/down state, routing, and operating conditions such as temperature and power.
In the Common Information Model, Cisco IOS data can be mapped to the Network Traffic and Change data models, depending on the field.
Splunk products: Splunk platform. Resources: Splunk Lantern Articles.
Adaptive Security Appliance
Cisco Adaptive Security Appliance (ASA) logs combine firewall, antivirus, intrusion prevention, and virtual private network (VPN) data. The logs provide data for the following devices and solutions: firewall, antivirus, antispam, intrusion detection, intrusion prevention, VPN devices, SSL devices, and content inspection. They provide information about proactive threat defense efforts that stop attacks before they spread through networks, both large and small. Cisco ASA software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs, including multi-site and multi-node clustering, high availability, context awareness, dynamic routing and site-to-site VPN, and unified communications.
Splunk products: Splunk platform. Resources: Configuration, Splunk Lantern Articles.
Email Security Appliance (ESA)
Cisco Email Security Appliance (ESA) is a comprehensive email security solution designed to protect organizations from email-borne threats like malware, spam, and phishing. It offers advanced features such as antivirus, antimalware, antiphishing, antispam, data loss prevention (DLP), and email encryption, often integrating with Cisco's Advanced Malware Protection (AMP) for deeper threat analysis.
Splunk products: Splunk platform, Splunk SOAR. Resources: Configuration.
FireAMP
Cisco FireAMP (now known as Cisco Secure Endpoint or Advanced Malware Protection) is a cloud-based advanced malware analysis and protection solution that provides visibility and control over endpoint file activity. It detects and blocks malware, analyzes file behavior, and offers retrospective security to identify and remediate threats that may have initially bypassed defenses.
Splunk products: Splunk SOAR.
Firepower
Cisco Firepower is a next-generation firewall (NGFW) that provides advanced threat protection capabilities, including application control, intrusion prevention, anti-malware, and URL filtering. It delivers comprehensive visibility into client-side applications, operating systems, mobile devices, and networked devices, enabling proactive security monitoring and rapid incident response.
Splunk products: Splunk platform, Splunk SOAR. Resources: Splunk Lantern Articles.
Identity Services Engine
Cisco Identity Services Engine (ISE) is a security policy management and control platform. It automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. You can use the Splunk platform to analyze Cisco ISE syslog data directly or use it as a contextual data source to correlate with other communication and authentication data.
In the Common Information Model, Cisco Identity Services data can be mapped to the Alerts, Authentication, Change, Endpoint, and Network Traffic data models, depending on the field.
Splunk products: Splunk platform, Splunk SOAR. Resources: Configuration, Splunk Lantern Articles.
Meraki
Cisco Meraki provides cloud-managed networking solutions, including switches, access points, and security appliances, offering centralized control and visibility across distributed environments. Data from Meraki devices includes network and security events, configuration changes, and device health, which can be collected via REST APIs and webhooks for monitoring and analysis.
Splunk products: Splunk platform. Resources: Configuration, Splunk Lantern Articles.
Networking hardware
Cisco networking hardware encompasses a wide range of devices such as switches, routers, WLAN controllers, and access points. These devices generate log data about their operational state, network traffic, configuration changes, and performance indicators, which are crucial for network monitoring, troubleshooting, and identifying security threats or performance issues.
Splunk products: Splunk platform. Resources: Splunk Lantern Articles.
Umbrella Investigate
Cisco Umbrella Investigate provides internet-wide visibility into attacker infrastructure, predictive intelligence to identify malicious domains, IPs, and ASNs, and all the real-time and historical domain information you need in a single source. With the Splunk Add-on for Cisco Umbrella Investigate, you can automatically enrich security events inside Splunk with Cisco's intelligence on domains, IPs, and networks across the internet.
By leveraging Investigate’s threat intelligence from within Splunk Enterprise Security, you can gain more context about a domain, IP, or ASN related to the event, allowing you to make faster, more informed decisions when responding to critical incidents and researching potential threats.
Splunk products: Splunk platform, Splunk SOAR. Resources: Configuration.
Unified Computing System
Cisco Unified Computing System (UCS) is a data center architecture that integrates computing, networking, and storage resources into a single, unified system. It generates fault, inventory, and performance data from servers and infrastructure components, which is essential for monitoring system health, capacity planning, and ensuring the efficient operation of virtualized and cloud environments.
Splunk products: Splunk platform. Resources: Configuration.
Webex
Cisco Webex is a comprehensive suite of collaboration tools, including video conferencing, team messaging, and online meetings. It generates data related to meeting details, participant activity, call quality, admin audit events, and security events, which can be leveraged for monitoring usage, troubleshooting performance issues, and analyzing collaboration patterns.
Splunk products: Splunk SOAR. Resources: Splunk Lantern Articles.
Web Security Appliance
Cisco Web Security Appliance (WSA), formerly known as IronPort AsyncOS for Web, is a secure web gateway solution that protects organizations from web-based threats and enforces internet usage policies. It collects access logs, L4TM (Layer 4 Traffic Monitor) logs, and system logs, providing insights into web traffic, blocked threats, and user activity for security analysis and compliance.
Splunk products: Splunk platform. Resources: Configuration.