Create and name an event profile for the Splunk Enterprise Security event ingestion integration
- Updated Jan 30, 2025
- Yokohama
You create an event profile in your ServiceNow AI Platform instance and determine which Splunk notable events create security incidents.
Before you begin
Role required: sn_si.ingestion_profile_admin
About this task
Before ServiceNow AI Platform Security Incident Response (SIR) security incidents are created from ingested notable events, the field values from the notable events are displayed on a preview layout of a ServiceNow AI Platform security incident so that you can see how the actual security incident will be created.
From an integration perspective using the available APIs, Splunk ES notable events are forwarded individually and manually as discrete notable events, or they’re automatically ingested into the Security Operations environment of your ServiceNow AI Platform instance depending on the profile type defined.
The integration workflows ingest different types of notable events such as unauthorized access attempts and malware, for example. These notable events are ingested based on the profiles that you configure in the Security Operations environment of your instance.
All notables are initially ingested for a configured correlation search type in a profile. Ingested notables can then be further filtered to specify which notables create security incidents. For example, you may prefer filters that create security incidents only for notable events that are identified as high-risk. Before a profile is activated and begins creating security incidents from ingested notable events, individual field values on the notable events are mapped to the corresponding fields on a preview layout of the security incident.
Procedure
Set up a profile for scheduled notable event ingestion
Depending on the profile defined, Splunk ES notable events are automatically ingested into the Security Operations environment of your ServiceNow AI Platform instance.
The following table shows the list of tasks you need to follow to set up a profile for scheduled ingestion of notable events:
Create profiles for scheduled notable event ingestion
You can set up a profile so that notable events are automatically ingested.
Before you begin
Role required: sn_si.admin
Procedure
What to do next
The next step is to select notable events for automatic ingestion.
Select notable events based on correlation rule name for the profile for Splunk ES Event Ingestion integration
After you have created a profile for a scheduled notable event type ingestion, select a Splunk Enterprise Security correlation rule name for this profile for which you want to map corresponding notable events to a ServiceNow AI Platform Security Incident Response security incident.
Before you begin
Role required: sn_si.admin
About this task
View the available correlation rules in your ServiceNow AI Platform instance so that you know the notable event types for which you want to ingest events and create security incidents. Select a correlation rule. You can select one or more notable events from the list in this form.
Procedure
What to do next
You have successfully selected a correlation rule for a scheduled Splunk Enterprise Security profile. The next step is to map notable event values to fields on a security incident.
Mapping notable event fields for the Splunk Enterprise Security integration
After you identify the specific correlation rule and notable event type for the profile, the next step is to map individual notable event fields to the fields on a ServiceNow AI Platform Security Incident Response (SIR) security incident.
Overview
For the mapping step, you can ingest sample notable events for the selected correlation rule or export notable event data for manually forwarded notable events. The event mapping process is identical regardless of the profile type you are creating.
The following figures are examples of the default mapping configurations that are provided for each type of event profile. You can customize the fields that populate the security incident. During this mapping phase, you can ensure all relevant notable event field data is mapped to the appropriate place on the SIR incident form and then visualize the SIR incident in the preview section.
If multiple correlation rules are used, notable events can be fetched by selecting the required event. Use Alert Name to choose your alert if you have configured multiple alerts for ingestion.
After you click to fetch data, the Splunk notable event field names and corresponding values are populated on the left side of the form. These are the Splunk notable event fields that are available to map to the SIR security incident fields. Some fields can be mapped multiple times to the SIR security incident fields.

You may prefer to review a few sample notable events on your Splunk console to ingest for the field mapping configuration step. This step is labeled Mapping on the progress bar. If this page is not displayed, click Mapping on the progress bar. You can ingest up to five sample notable events from Splunk Enterprise Security to assist with the notable event field mapping process. There are options to either ingest the five most recent notable events for the correlation rule selected or ingest up to five specific notable events based on the notable event IDs.
- Scheduled Notable Event Sample Data Ingestion: For sample data that is used for automatically ingested notable event profiles, available notable event fields and their corresponding values are displayed in a default mapping layout on the left side of the mapping form once the sample data is retrieved. Tabs are displayed for you to view the values for a specific notable event ID that you pulled. Verify that all the critical fields from the notable event sample ingestion section on the left of the form are mapped to ServiceNow security incident fields on the right of the form.
- Field Mapping: Edit the mapping configuration by dragging notable event fields from the left side and dropping them on the ServiceNow SIR incident mapping section on the right. The mapping on the right associates the incoming notable event field with an outgoing security incident field.
- Mapping Experience: Customize the mapping grid by adding or removing fields using the + icon at the bottom of the SIR incident field mapping section. Track overlooked or duplicated fields with the color coding that is provided (mapped fields are greyed out, blue fields are unmapped).
- Incident Generation Conditions: Once the mapping section is complete, you can set filter conditions so that you can specify which notable events should create security incidents versus which notable events should be filtered out, for example, low priority notable events. This is done in the Incident Generation Conditions section located below the Notable Event Mapping section.
- Event Aggregation Criteria: Define additional event aggregation criteria that aggregate an incoming notable event onto an existing SIR security incident instead of creating similar, potentially duplicate incidents. Using field value matching criteria for each profile, this additional aggregation capability can reduce the number of active, overlapping security incidents by placing all related notable event data on a single security incident.
- Format Field Translation: In certain cases, event field values in the Splunk Enterprise notable events may not translate directly to the fields on the SIR security incident. For these values, you can use a script editor to format field values on the security incident during the mapping step. Use the script editor if you want to format values that are similar, but not identical. For example, with the script editor, a category value of Malware Alert and Virus Infection may have different field values for the source category but both values can be translated to a common Malicious Code Activity in the Category field on the SIR security incident using the Format Field Translation functionality.
The next step is to ingest notable events and map values to the SIR security incident fields.
Create mappings for Splunk ES notable event incident review and contributing event details (scheduled ingestion)
During the notable event field-mapping step, you map individual event fields from notable events to fields on a ServiceNow AI Platform Security Incident Response (SIR) security incident.
Before you begin
Role required: sn_si.admin
About this task
The mapping grid can be customized for the notable event type selected in the correlation rule selection. Color-coding of the event fields helps you keep track of the event values that you have already mapped as they become grayed out while all remaining unmapped fields appear in blue. This helps you better visualize which field values have been added to the security incident and if any remaining important event information remains unmapped.
Map up to five notable events from the Notable Event Sample Ingestion column on the left of the form to the security incident fields in the SIR Incident Field Mapping column on the right.
Create custom mappings by adding or removing the fields on the mapping grid on the right side of the form. Default fields that are typically important to populate on the security incident response form are displayed. However, these fields can be removed and any additional fields can be displayed using the + and - buttons. Customizing the fields permits you to map Splunk fields that are not displayed on the default mapping grid to the SIR security incident.
Procedure
What to do next
The next step is to preview the values that you mapped on the security incident.
Preview the security incident for the Splunk Enterprise Security Event Ingestion integration
After you complete the mapping step, preview the values that you mapped in a ServiceNow AI Platform® Security Incident Response (SIR) security incident. This preview step permits you to verify that you have mapped all the notable fields that you want displayed on the security incident.
Before you begin
Role required: sn_si.admin
About this task
Preview a security incident and edit the mapping again as required to fix fields with errors or to populate any missing data. If the preview is not successfully completed, you cannot proceed to the scheduling step. Previews of SIR security incidents are not saved as actual incidents in the SIR product.
Procedure
What to do next
If no error messages are displayed, and you are satisfied with the field mapping on the security incident, the next step is to Schedule and retrieve alerts for the Splunk Enterprise Event Ingestion integration.
Schedule and retrieve new and updated notable events for the Splunk Enterprise Security Event Ingestion integration
For automated notable event ingestion profiles, this step is required in the event profile configuration. During this step, you can verify the default settings for notable event retrieval or modify the scheduling as needed. This step also permits you to retrieve historical notable events using a date range.
Before you begin
Role required: sn_si.admin
About this task
For profiles for automated notable event ingestion, you choose whether you want to ingest any historical notable events during the Scheduling step. You also choose how often you will poll for future new notable events and updated notable events that match the alert profile configuration.
For automated notable event ingestion profiles, before the profile is activated, you verify and modify the scheduling and alert retrieval. This step is required in the event profile configuration process for all scheduled alert profiles.
You configure these polling intervals on a per-profile basis. The performance of the Splunk event ingestion integration may be impacted by the different polling intervals. When scheduling, you may prefer to balance reducing polling overhead on the Splunk Enterprise Security server against a desire to be notified as soon as possible when a notable event is created or updated. A five-minute default value is set for any profile, but you may prefer to modify this setting to as low as one minute if required.
Pulling new and updated notable events
When the polling schedule is set, the scheduled job pulls both new notable events and updated notable events that were pulled previously but did not meet the incident filtering criteria. This provides you with the flexibility to create incidents based on criteria that may not be present when a notable event is first created but become available after an update occurs, for example, during the investigation phase. Once an incident is created for a specific notable event, its subsequent updates are ignored, since the notable is now expected to be treated as an active ServiceNow® security incident. However, all other notables that have been previously ingested but failed to meet the incident generation criteria continue to be pulled and checked against the incident generation criteria until they become part of an active incident.
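As an added illustration (not ServiceNow or Splunk code, and not the integration's own scripts), the following JavaScript models the behaviour described in the Mapping section and in the polling description above: Format Field Translation collapses similar category values, an Incident Generation Condition filters notables, an Event Aggregation criterion attaches similar notables to an existing incident, and across polling cycles a notable already on an incident has its updates ignored while a filtered-out notable stays eligible for re-evaluation. The field names (`event_id`, `category`, `dest`, `risk_score`), the risk threshold of 80 and the sample notables are assumptions made for the demo.

```javascript
// Added illustration, not ServiceNow or Splunk code; every value is constructed.
// Format Field Translation: similar source categories collapse to one SIR
// Category value (the page's Malware Alert / Virus Infection example).
const CATEGORY_TRANSLATION = {
  "malware alert": "Malicious Code Activity",
  "virus infection": "Malicious Code Activity",
};
function translateCategory(value) {
  return CATEGORY_TRANSLATION[String(value || "").trim().toLowerCase()] || "Other";
}
// Incident Generation Condition (constructed): only high-risk notables qualify.
function meetsIncidentCondition(n) {
  return Number(n.risk_score) >= 80;
}
// Event Aggregation Criteria (constructed): same translated category on the
// same destination host joins the existing incident instead of a duplicate.
function aggregationKey(n) {
  return `${translateCategory(n.category)}|${n.dest}`;
}
// One polling cycle over what Splunk returned (new plus updated notables).
function pollCycle(state, notables) {
  const out = { created: [], aggregated: [], ignored: [], deferred: [] };
  for (const n of notables) {
    // Already on an active incident: subsequent updates are ignored.
    if (state.byNotable.has(n.event_id)) { out.ignored.push(n.event_id); continue; }
    // Filtered out for now, but re-checked each time Splunk reports an update.
    if (!meetsIncidentCondition(n)) { out.deferred.push(n.event_id); continue; }
    const key = aggregationKey(n);
    let id = state.byKey.get(key);
    if (id) {
      state.incidents.get(id).notables.push(n.event_id);
      out.aggregated.push(n.event_id);
    } else {
      id = `SIR${String(state.incidents.size + 1).padStart(7, "0")}`;
      state.incidents.set(id, { key, notables: [n.event_id] });
      state.byKey.set(key, id);
      out.created.push(id);
    }
    state.byNotable.set(n.event_id, id);
  }
  return out;
}
// Constructed scenario: cycle 1 pulls n1 (qualifies) and n2 (too low);
// cycle 2 returns an update to n1, the escalated n2, and a similar n3.
function runScenario() {
  const state = { incidents: new Map(), byKey: new Map(), byNotable: new Map() };
  const cycle1 = pollCycle(state, [
    { event_id: "n1", category: "Malware Alert", dest: "host-a", risk_score: 90 },
    { event_id: "n2", category: "Virus Infection", dest: "host-b", risk_score: 40 },
  ]);
  const cycle2 = pollCycle(state, [
    { event_id: "n1", category: "Malware Alert", dest: "host-a", risk_score: 95 },
    { event_id: "n2", category: "Virus Infection", dest: "host-b", risk_score: 85 },
    { event_id: "n3", category: "Virus Infection", dest: "host-a", risk_score: 88 },
  ]);
  return { cycle1, cycle2, state };
}
```

In the scenario, n2 is deferred in cycle 1 and only creates an incident once its update raises the risk score, n1's update is ignored because it already belongs to an incident, and n3 aggregates onto n1's incident.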
Procedure
Automate notable event updates and closure based on SIR incident status
Through the bi-directional interface of the Splunk Enterprise Security integration, notable events create security incidents, and the notable events are updated after the security incidents are created.
Before you begin
The Splunk Enterprise Security integration has a bi-directional interface that allows notable events to create security incidents as well as update the notable events after the security incident is created and/or closed.
Relevant incident details include the SIR incident number, assignment group, and SIR incident URL. This section is the final portion of the profile configuration setup and provides optional capabilities to update the Splunk Enterprise Security notable events.
Role required: sn_si.admin
Procedure
Set up a profile for manual event forwarding
Depending on the profile defined, Splunk ES notable events are forwarded manually as discrete notable events into the Security Operations environment of your ServiceNow AI Platform instance.
To set up a profile for manual forwarding of notable events:
Create profiles for manually forwarded events
You can set up a profile for manually forwarded events.
Before you begin
Role required: sn_si.admin
Procedure
For events that you forward on-demand from your Splunk Enterprise Security console, you can base the individual field mapping on any existing profile. Alternatively, you can create a new mapping grid for exported attachment data. Events that you forward manually are not scheduled in the event profile.
Create mappings for Splunk ES notable event incident review and contributing event details (manual forwarding)
During the notable event field mapping step, you map individual event fields from notable events to fields on a ServiceNow AI Platform Security Incident Response (SIR) security incident.
Before you begin
Role required: sn_si.admin
About this task
Map up to five notable events from the Notable Event Sample Ingestion column on the left of the form to the security incident fields in the SIR Incident Field Mapping column on the right.
Create custom mappings by adding or removing the fields on the mapping grid on the right side of the form. Default fields that are typically important to populate on the SIR incident form are displayed. However, these fields can be removed and any additional fields can be displayed using the + and - buttons. Customizing the fields permits you to map Splunk fields that are not displayed on the default mapping grid to the SIR security incident.
Procedure
- If the mapping form is not displayed, click Mapping on the progress bar.
- Follow these steps to upload attachment data in your ServiceNow AI Platform® instance.
- Follow steps 5 to 10 in the Create mappings for Splunk ES notable event incident review and contributing event details (scheduled ingestion) section.
Set up your Splunk environment for manual event ingestion for the Splunk Enterprise Security Notable Event Ingestion integration
Install and set up the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise Security application in your Splunk Enterprise console or Splunk Cloud instance if you want to export events manually and on-demand from your Splunk Enterprise Security console for this integration.
Before you begin
Installing and setting up the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise Security application in your Splunk Enterprise console or Splunk Cloud instance is optional.
Verify that you have installed the application for this integration from the ServiceNow Store before installing the addon plugin from Splunkbase that is required for manual event ingestion. If you have not installed the application for the integration from the ServiceNow Store, see Install and configure the ServiceNow application for the Splunk Enterprise Security Notable Event Ingestion integration and follow the instructions to install it.
Role required: Splunk Enterprise Security administrator
About this task
If you want to export events manually and on-demand from your Splunk Enterprise console for the integration, download, install, and set up the ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise Security, available on Splunkbase, in your Splunk Enterprise Security console. This ServiceNow extension addon is required so that security incidents can be created in your ServiceNow AI Platform instance from manually exported events.
For manual event forwarding, you can identify up to two different ServiceNow AI Platform endpoints (instances) in your Splunk Enterprise Security console. You forward the events to the endpoint or endpoints manually to create security incidents. For example, you can specify both a staging (development) instance and a production instance. By specifying separate instances and naming primary and secondary workflows for each instance, you can choose where you want to forward different events.
Procedure
What to do next
If you have not already saved searches in your Splunk Enterprise Security console, the next step is to save searches as alerts in your Splunk Enterprise Security console.