Overview

This integration provides a security operations center (SOC) analyst with visibility to notable events and related contributing event data. This data can be integrated into Now Platform Security Incident Response (SIR) security incidents for further investigation and remediation. Profiles are created in your Now Platform instance to handle different notable event types that are created via correlation searches in Splunk Enterprise Security. These profiles customize how different Splunk event fields are displayed on SIR security incidents.

Key features

This integration includes the following key features:

• Create multiple notable event ingestion profiles to create SIR security incidents for specific types of threats such as phishing and malware and unauthorized access attempts.
• Create multiple event profiles for on-demand event forwarding from your Splunk ES incident review console to create SIR security incidents.
• Drag-and-drop mapping of Splunk notable event field values to associated SIR security incident fields.
• A preview of the SIR security incident layout based on sample notable events to validate event mapping details.
• Ingest historical notable events as well as ongoing, new, and updated notable events on configurable intervals.
• Filter out notable events that do not meet SIR incident generation criteria, for example, low priority events, events that have yet to achieve a specific status, and so on.
• Aggregate events or alerts to existing SIR security incidents based on matching field values to avoid duplicate security incidents.
• Update notable events based on SIR incident creation and/or closure conditionals via a bi-directional interface to keep Splunk ESnotable event updates in sync with the ServiceNow SIR incident status.

Supported Now Platform versions

This integration supports the Madrid and New York Now Platform releases.

The com.snc.si_dep plugin is required for this integration. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications.

For more information about installing the Security Operations core applications, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.

ServiceNow Addons

The ServiceNow Security Operations Event Ingestion Addon for Splunk ES is required only if you prefer to forward events manually from your Splunk Enterprise Security Incident Review console into your Now Platform instance. This ServiceNow addon is available in splunkbase.

This ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise application in splunkbase is not required for the automated alert ingestion that is supported by the integration.

Splunk Supported versions

This integration supports version 5.3.1 of Splunk Enterprise Security and 7.2.6 of Splunk Enterprise. The integration also supports the Splunk Enterprise Security Cloud service.

MID Server

This integration requires an installed and configured MID Server in your Now Platform® instance to connect to the Splunk service when the Splunk server is deployed within your corporate network. If you are using the Splunk Cloud service, a MID Server is not required. See the ServiceNow Product Documentation website for more information about MID Servers.

References

Checklist

For a printable checklist of these topics, see Checklist for the Splunk Enterprise Security Notable Event Ingestion integration. You can use this list to monitor your progress as you work through the tasks of the integration.