AI Defense Splunk Integration

Add Splunk integration to AI Defense

Prerequisites: In order to forward AI Defense events to Splunk, you must have the following in place:

Procedure: Follow these steps to connect AI Defense to Splunk:

  1. From your Splunk instance, gather the following values:

    • Splunk Collector URL, including the HTTP Port Number: The URL used to access the Splunk HTTP Event Collector (HEC).

      This URL has the format https://<splunk-server>:<hec_port>/services/collector, for example https://mysplunkserver.example.com:8088/services/collector.

    • HTTP Event Collector Token: The Splunk HEC token that authorizes AI Defense to send events to Splunk.

    • Index Name: The name of the Splunk index that you will use for storing AI Defense events.

  2. In AI Defense, open the Administration: Integrations tab and find the card for Splunk.

  3. Click the Connect button and enter the Splunk HEC details (Splunk Collector URL, HTTP Event Collector Token, and Index Name).

  4. Once you have filled in the details, click the Connect button; the Splunk card status changes to connected.
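Before entering the HEC details in AI Defense, it helps to confirm that the collector URL, token and index from step 1 are accepted by Splunk. The following pre-flight check is an added example, not code from the AI Defense or Splunk documentation; it validates the URL format described above and builds the HEC POST that a sender issues. The server name, token and index values in it are constructed placeholders.

```python
"""Pre-flight check for Splunk HEC values (added example, not vendor code)."""
import json
import time
from urllib.parse import urlparse
from urllib.request import Request, urlopen

HEC_PATH = "/services/collector"


def validate_hec_url(url: str) -> list[str]:
    """Return the problems found with a Splunk Collector URL (empty list = OK)."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme must be https; the HEC token travels in a header")
    if not parts.hostname:
        problems.append("missing host name")
    try:
        if parts.port is None:
            problems.append("missing HEC port (for example 8088)")
    except ValueError:
        problems.append("port is not numeric")
    if parts.path.rstrip("/") != HEC_PATH:
        problems.append(f"path must be {HEC_PATH}")
    return problems


def build_hec_payload(index: str, event: dict) -> dict:
    """HEC JSON body: the target index is carried per event, not in the URL."""
    return {"time": time.time(), "index": index,
            "sourcetype": "ai_defense_connectivity_check", "event": event}


def build_hec_request(url: str, token: str, index: str, event: dict) -> Request:
    """Build the POST to HEC; the token is sent as 'Authorization: Splunk <token>'."""
    body = json.dumps(build_hec_payload(index, event)).encode()
    return Request(url, data=body, method="POST",
                   headers={"Authorization": f"Splunk {token}",
                            "Content-Type": "application/json"})


def send_test_event(url: str, token: str, index: str):
    """Send one test event and return (HTTP status, decoded HEC reply)."""
    req = build_hec_request(url, token, index, {"message": "HEC connectivity check"})
    with urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Placeholder values; replace with the ones gathered from your Splunk instance.
    URL = "https://mysplunkserver.example.com:8088/services/collector"
    print(validate_hec_url(URL) or "URL format OK")
    print(send_test_event(URL, "HEC-TOKEN-PLACEHOLDER", "ai_defense"))
```

A successful HEC reply is {"text": "Success", "code": 0}; an authorization error here means the token or index is wrong and the AI Defense connection will fail the same way.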

Set up the Splunk Technical Add-on (Splunk TA)

  1. Download and install Splunk Cisco Security Cloud.

  2. Open the Application Setup tab and find the card for AI Defense.

  3. Click Configure Application.

  4. In the Cisco AI Defense panel, set up the AI Defense Connection. Most fields here are preconfigured and can be left as-is.

    • In the Input Name field, specify the name that this connection uses for the AI Defense data input.

    • Optionally, you can edit the Index name where the events will be stored in Splunk.

  5. Click Save.

The connection appears in the My Apps list of the Application Setup panel.

Using the AI Defense Dashboard in Splunk

Once you've added the AI Defense connection:

  • The Data Integrity tab shows the health of the connection

  • The Resource Utilization tab shows the system resources being consumed by AI Defense

  • The Cisco AI Defense Dashboard is available in Splunk

Dashboard Contents

To see detailed reporting on AI Defense events, click App Analytics: Cisco AI Defense Dashboard. The dashboard displays:

  • Top Rule Match: The most frequently matched AI policy rules in AI runtime protection

  • Policy Action Overview: Percentage of prompts and responses that were allowed and blocked by AI runtime protection

  • Guardrail Distribution: A graph of the types of issues that trigger an AI runtime protection event

  • Top Models by Events: Ranked list of the LLMs whose interactions triggered the most events

  • Top Entities by Events: Ranked list of data types whose detections triggered the most events

  • Top Applications by Events: Ranked list of AI applications that triggered the most events