The Splunk Enterprise Event Ingestion Integration for Security Operations allows security operations center (SOC) analysts to automatically generate Now Platform® Security Incident Response (SIR) incidents when certain configured Splunk Enterprise alerts are triggered. Analysts can also manually forward selected events on demand from the Splunk console. Analysts respond to the resulting security incidents using Now Platform workflows that automate incident response activities and remediation.
This integration includes the following key features:
- Create multiple alert ingestion profiles to create SIR security incidents for specific threats such as phishing and malware.
- Create multiple event profiles for on-demand event forwarding from your Splunk console to create SIR security incidents.
- Map Splunk alert and event field values to the associated SIR security incident fields using drag-and-drop.
- Preview the SIR security incident layout based on sample alerts or events to validate the profile configuration.
- Ingest historical alerts as well as ongoing and future alerts on configurable intervals.
- Aggregate events or alerts into existing SIR security incidents based on matching field values to avoid duplicate security incidents.
New:
- Incorporated strategies to present data without relying on CMDB or identity tables in the integration.
The Security Incident Response Dependency plugin (com.snc.si_dep) is required. This plugin automatically installs all the dependencies required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications that are required for the integration.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the order listed below to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
This integration requires Splunk Enterprise version 7.2.6 or later and supports the Splunk Enterprise Cloud functionality.
If the Splunk server is deployed within the corporate network, the integration requires an installed and configured MID Server in your Now Platform instance to connect to the Splunk service. If you are using Splunk Cloud, a MID Server is not required.
The ServiceNow Security Operations Event Ingestion add-on application is required for forwarding events manually from your Splunk console to Security Operations in your Now Platform instance. The add-on is available in Splunkbase. Install and set up this ServiceNow add-on in your Splunk Enterprise console or Splunk Cloud instance. This add-on is not required for automated alert ingestion from your Splunk Enterprise console or Splunk Cloud instance.
For more information about the installation and configuration for this integration, see the Splunk Enterprise Event Ingestion installation and configuration guide available on the ServiceNow Store documentation website.