Before you run the integration, complete these installation and configuration steps so the application integrates properly with the Security Incident Response and Security Operations products on your ServiceNow AI Platform® instance.

Before you begin

Role required: ess_analyst

Assign the Security Analyst (ess_analyst) user role in Splunk ES to the user who performs the integration-related activities on the Splunk server.

Procedure

  1. If you have not installed the Splunk Enterprise Security Event Ingestion application from the ServiceNow Store for the integration, see Install a Security Operations integration and follow the steps to install it.
  2. After you have successfully installed the application, navigate to Integrations > Integrations Configurations and locate the Splunk Event Ingestions tile.
  3. To configure the application, click New.

    [Figure: Splunk Event Ingestions tile]
  4. Alternatively, if a Configure button is displayed on a tile, click it to edit an existing configuration.
  5. In the Event Ingestions Configuration dialog that is displayed, fill in the fields.
    The following figure is an example of a completed form for a configuration of an on-premises version of Splunk Enterprise Security with a MID Server.
    [Figure: Splunk Event Ingestion configuration form]

    Each Splunk Enterprise Security notable event type that you ingest from your Splunk Enterprise Security incident review console requires a unique event profile in your ServiceNow AI Platform® instance. However, the source that you configure on the Event Ingestions Configuration form can be reused for multiple ServiceNow AI Platform® profiles as long as each profile ingests unique notable event types.

  6. Click Submit.
    After validation is successfully completed, the Security Integrations page is displayed with each of your configurations. On each valid configuration tile, Update and Delete buttons are displayed as shown in the following figure.
    Note: Use either Basic Authentication or Token Based Authentication, not both. If both are enabled, the following error is displayed.
    [Figure: Splunk Event Ingestion Configuration error]
    Note: To switch existing configuration tiles to token-based authentication, enable the Activate this setting to update existing Splunk source configurations for token based authentication support setting in the Splunk Enterprise Settings module.

    [Figure: Update and Delete buttons on a configuration tile]

    After it is successfully validated and submitted, each Event Ingestions Splunk server configuration is saved on the Security Integrations page as a tile. If your saved configuration tiles aren’t displayed on the Security Integrations page, on the top-right corner of the page, from the Show Configurations list, select Yes.

What to do next

You have successfully installed and configured the application. The next step is to create an event profile.