The security event command, snsecevent, creates an event in
ServiceNow with the Security classification.
These events can be reviewed on their own, or alert rules within ServiceNow or manual actions
can turn an event, or a collection of events, into a security incident.
The following example defines the required parameters, as well as some additional data, and
shows the result (no error message) after a successful run.
If the event becomes a security incident, each parameter sent into the event
is used to populate the security incident as follows:
| Parameter | Description | Use in Security Incident |
|---|---|---|
| | The node represents the server or configuration item for the event. Ideally, this maps to an existing CI within ServiceNow. | |
| | The category of event. | |
| | The affected resource. | |
| | The origination of this data. By default, the Splunk server generates the data. | |
| | The drilldown URL to use in ServiceNow to get back to the Splunk data regarding this event. By default, this contains the result link for any alert, or a link to the default Splunk search page. | External URL accessed via the Drilldown button on the Security Incident form. |
| All other values (category, subcategory in the example above) | Any field that is not part of the information field in the event and is used if a security incident is created. | If a field with this name exists on the security incident and is not populated, the security incident uses that value. For example, the category passed through the event becomes the category of the new security incident. If a field with this name does not exist, the value is placed in the activity log. |