Security incident automatic creation

Third-party monitoring tools, such as Splunk, can be integrated with Security Incident Response so that security events imported from those tools automatically generate security incidents. You can also import data from third-party tools into security alerts.

To integrate alert monitoring tools to Security Incident Response, you must use the REST API to write to the Security Incident Import [sn_si_incident.import] table. Then, using the Security Incident Transform transform maps, the import set source table is mapped to fields in the target Security Incident [sn_si.incident] table.

If you attempt to import CI records that are not recognized by the transform map, the transform map script checks the record for the following (in this order) in an attempt to make a match:
  • sys_id
  • CI name
  • fully qualified domain name
  • IP address
Note: If you find that the Security Incident Transform transform map is not adequate for the third-party alert monitoring tool you are using, the best practice is to duplicate the transform map, create a new one, and edit the fields, as needed.