Third-party monitoring tools, such as Splunk, can be integrated with Security Incident Response so that security
events imported from those tools automatically generate security incidents. You can also import
data from third-party tools into security alerts rather than incidents.
To integrate an alert monitoring tool with Security Incident Response, use the REST API to write records to the Security
Incident Import [sn_si_incident.import] table. The Security Incident Transform transform map then maps the columns of
that import set source table to fields on the target Security Incident [sn_si.incident] table.
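The write described above, as an added example that is not part of this documentation or of any ServiceNow-supplied integration. It posts one alert to the staging table through the Import Set REST API (POST /api/now/import/&lt;staging table&gt;, which inserts the row and runs the transform map in one call) and reads back the per-row transform status. The instance name, the integration user, the sample alert and the u_* column names are all assumptions; check the column names against the sn_si_incident.import table in your instance.

```python
"""Push a third-party alert into the sn_si_incident.import staging table.

Added example, not ServiceNow documentation. The staging-table column names
(u_source, u_short_description, ...) are ASSUMED and must be matched to the
columns that exist in your instance.
"""
import base64
import json
import os
import urllib.request
from urllib.error import HTTPError

STAGING_TABLE = "sn_si_incident.import"

# Constructed sample alert, shaped like what a monitoring tool might emit.
SAMPLE_ALERT = {
    "id": "evt-20240101-000123",      # hypothetical external event id
    "source": "Splunk",
    "title": "Multiple failed logins followed by success",
    "details": "14 failures then success for svc_backup from 10.0.5.12",
    "severity": 2,
    "host": "srv-app-07",             # should match a CI name in the CMDB
}


def build_import_request(instance: str, user: str, password: str, alert: dict) -> dict:
    """Return the URL, headers and JSON body for one staging-table insert.

    Kept free of side effects so it can be checked without network access.
    """
    url = f"https://{instance}.service-now.com/api/now/import/{STAGING_TABLE}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Basic {token}",  # HTTPS only; use a dedicated integration user
    }
    # Column names below are assumptions; map them to your staging table.
    body = {
        "u_source": alert["source"],
        "u_short_description": alert["title"],
        "u_description": alert["details"],
        "u_severity": str(alert["severity"]),
        "u_affected_ci": alert.get("host", ""),
        "u_external_id": alert["id"],  # lets the transform map coalesce on re-sends
    }
    return {"url": url, "headers": headers, "body": body}


def send_alert(req: dict, opener=urllib.request.urlopen) -> dict:
    """POST the staged row; the Import Set API runs the transform map and returns its result."""
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(req["url"], data=data, headers=req["headers"], method="POST")
    try:
        with opener(http_req, timeout=30) as resp:
            return json.loads(resp.read())
    except HTTPError as exc:
        # Do not echo the request headers here: they carry the credential.
        raise RuntimeError(f"import failed: HTTP {exc.code}") from None


def transform_status(response: dict) -> str:
    """Extract the per-row transform status ('inserted', 'updated', 'ignored', 'error')."""
    rows = response.get("result", [])
    if not rows:
        return "error"
    return rows[0].get("status", "error")


if __name__ == "__main__":
    # Credentials come from the environment, never from the script or its logs.
    req = build_import_request(
        os.environ["SN_INSTANCE"], os.environ["SN_USER"], os.environ["SN_PASSWORD"], SAMPLE_ALERT
    )
    result = send_alert(req)
    print("transform status:", transform_status(result))
    if transform_status(result) == "inserted":
        print("created:", result["result"][0].get("display_value"))
```

The integration user needs only insert rights on the staging table plus whatever the transform map requires; it does not need direct write access to sn_si.incident. Sending an external event id with every row gives the transform map a coalesce field, so a monitoring tool that re-sends an alert updates the existing incident instead of opening a duplicate.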
If an imported record references a configuration item (CI) that the transform map does not recognize, the
transform map script checks the record for the following, in this order, to find a
match:
Note: If the Security Incident Transform transform map does not suit the third-party alert
monitoring tool you are using, duplicate the transform map and edit the field mappings in the
copy as needed, rather than modifying the shipped map.