Third-party alert monitoring tool integration

Third-party monitoring tools, such as Splunk, can be integrated with Security Incident Response so that security events imported from those tools automatically generate security incidents. You can also import data from third-party tools into security alerts.

To integrate alert monitoring tools with Security Incident Response, you must use the REST API to write to the Security Incident Import [sn_si_incident.import] table. Then, using the Security Incident Transform transform map, the import set source table is mapped to fields in the target Security Incident [sn_si.incident] table.

If you attempt to import CI records that are not recognized by the transform map, the transform map script checks the record for the following (in this order) in an attempt to make a match:
  • sys_id
  • CI name
  • fully-qualified domain name
  • IP address
Note: If you find that the Security Incident Transform transform map is not adequate for the third-party alert monitoring tool you are using, duplicate the transform map, create a new one, and edit the fields as needed.
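The two steps above, as an added example that is not part of this documentation or of the ServiceNow product code: one helper builds the Import Set API request (the endpoint `POST /api/now/import/{stagingTableName}` is the standard ServiceNow Import Set API; the `u_*` column names and the Splunk-style alert fields are assumptions), and a second helper reproduces the CI lookup order the transform map script uses, run against a constructed CMDB sample.

```python
import json
from typing import Optional

# Constructed sample CMDB rows, not real data; the column names are
# assumptions standing in for the cmdb_ci fields the transform map queries.
SAMPLE_CMDB = [
    {"sys_id": "0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d", "name": "web01",
     "fqdn": "web01.example.test", "ip_address": "192.0.2.10"},
    {"sys_id": "4e5f60714e5f60714e5f60714e5f6071", "name": "db01",
     "fqdn": "db01.example.test", "ip_address": "192.0.2.20"},
]

# Lookup order from the page: sys_id, then CI name, then FQDN, then IP.
MATCH_ORDER = ("sys_id", "name", "fqdn", "ip_address")


def match_ci(reference: str, cmdb: list[dict]) -> Optional[dict]:
    """Return the first CMDB row whose field equals `reference`, trying the
    columns in MATCH_ORDER so an unrecognised CI value still resolves."""
    for column in MATCH_ORDER:
        for row in cmdb:
            if row.get(column) == reference:
                return row
    return None  # no match: the transform map would leave the CI unset


def build_import_request(instance: str, alert: dict) -> tuple[str, dict, str]:
    """Build the URL, headers and JSON body for one alert written to the
    Security Incident Import staging table via the Import Set API.
    Body keys are assumed import-set column names; adjust to your table."""
    url = f"https://{instance}/api/now/import/sn_si_incident.import"
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    body = {
        "u_short_description": alert["title"],
        "u_description": alert["details"],
        "u_severity": str(alert["severity"]),
        "u_source": alert.get("source", "splunk"),
        "u_cmdb_ci": alert.get("host", ""),
    }
    return url, headers, json.dumps(body)


# Constructed Splunk-style alert (field names assumed), used for the demo.
SAMPLE_ALERT = {"title": "Multiple failed logins", "details": "50 failures in 5 min",
                "severity": 2, "host": "web01.example.test"}

if __name__ == "__main__":
    url, _, body = build_import_request("dev12345.service-now.com", SAMPLE_ALERT)
    print(url, body)
    print(match_ci(SAMPLE_ALERT["host"], SAMPLE_CMDB))
```

Send the request with basic auth or an OAuth token for an integration user that holds only the import-set write role needed for the staging table; a failed CI match should be visible in the transform log rather than silently creating an incident with no CI.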