The Splunk ES Event Ingestion integration for Security Operations allows security operations center (SOC) analysts to generate Now Platform® Security Incident Response (SIR) incidents automatically when certain configured Splunk ES Notable Events are triggered. Analysts can also manually forward selected events on-demand from the Splunk ES console. Analysts respond to the security incidents that are created with workflows in the Now Platform that automate incident response activities and remediation.
This integration includes the following key features:
- Create multiple alert ingestion profiles that open SIR security incidents for specific types of threats, such as phishing and malware.
- Create multiple event profiles for on-demand event forwarding from your Splunk ES console that open SIR security incidents.
- Drag-and-drop mapping of Splunk ES notable events and event field values to associated SIR security incident fields.
- A SIR security incident layout preview based on sample alerts or events to validate profile configuration.
- Ingest historical alerts and ongoing or future alerts at configurable intervals.
- Aggregate events or alerts to existing SIR security incidents based on matching field values to avoid duplicate security incidents.
Fixed:
The following defects are fixed in this release:
- Added support for adding multiple affected users during Splunk Enterprise event ingestion for Security Operations.
- A sys_scope issue on Xanadu instances that prevented a user with the sn_si.admin role from linking a created source to the profile.
- An issue where Splunk ES Event Profiles ingested only new notables and did not update existing notables that had changed.
- An issue where updated notables were not ingested if the correlation rule name contained a trailing space.
- An issue where a data problem in one record of the Splunk raw data table caused the event import to fail for the remaining entries; the remaining entries are now processed as expected.
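The field mapping and aggregation behaviour listed under key features, together with the trailing-space and bad-record cases from the fix list, as an added Python illustration. This is not ServiceNow's or Splunk's code: the profile layout, field names, incident numbering and sample notables are all constructed for the example, and the aggregation key, whitespace normalization and per-record error isolation are the assumptions being demonstrated.

```python
"""Illustration of notable-to-incident mapping with aggregation.

Constructed example, not ServiceNow or Splunk code. The profile layout,
field names, incident numbering and sample notables are hypothetical.
"""
from dataclasses import dataclass, field

# Hypothetical event profile: Splunk notable field -> SIR incident field,
# plus the fields whose values must match for a notable to aggregate
# into an existing incident instead of opening a new one.
PROFILE = {
    "field_map": {
        "rule_name": "short_description",
        "src": "affected_ip",
        "user": "affected_user",
        "urgency": "priority",
    },
    "aggregate_on": ("rule_name", "src"),
}

# Constructed sample notables, as a raw-data table might hold them.
SAMPLE_NOTABLES = [
    {"event_id": "n1", "rule_name": "Brute Force Access", "src": "10.0.0.5", "user": "alice", "urgency": "high"},
    # Same rule and source, but the rule name carries a trailing space.
    {"event_id": "n2", "rule_name": "Brute Force Access ", "src": "10.0.0.5", "user": "bob", "urgency": "high"},
    # Bad record: the rule name is missing, so no aggregation key can be built.
    {"event_id": "n3", "rule_name": None, "src": "10.0.0.7", "user": "carol", "urgency": "critical"},
    {"event_id": "n4", "rule_name": "Brute Force Access", "src": "10.0.0.9", "user": "alice", "urgency": "medium"},
]


@dataclass
class Incident:
    number: str
    fields: dict
    source_events: list = field(default_factory=list)
    affected_users: set = field(default_factory=set)


def normalize(value):
    """Strip surrounding whitespace so 'Rule ' and 'Rule' compare equal."""
    if value is None:
        raise ValueError("required field is empty")
    return str(value).strip()


def aggregation_key(notable, profile):
    """Tuple of normalized values for the fields the profile aggregates on."""
    return tuple(normalize(notable.get(f)) for f in profile["aggregate_on"])


def map_fields(notable, profile):
    """Apply the profile's field map, skipping fields the notable lacks."""
    return {
        dst: normalize(notable.get(src))
        for src, dst in profile["field_map"].items()
        if notable.get(src) is not None
    }


def ingest(notables, profile, incidents=None):
    """Return (incidents keyed by aggregation key, list of (event_id, error)).

    A record that cannot be mapped is recorded as an error and skipped; it
    does not abort processing of the remaining notables in the batch.
    """
    incidents = incidents if incidents is not None else {}
    errors = []
    for n in notables:
        try:
            key = aggregation_key(n, profile)
            mapped = map_fields(n, profile)
        except ValueError as exc:
            errors.append((n.get("event_id"), str(exc)))
            continue
        inc = incidents.get(key)
        if inc is None:
            inc = Incident(number=f"SIR{len(incidents) + 1:07d}", fields=mapped)
            incidents[key] = inc
        else:
            # An existing incident is updated, so a changed notable that is
            # ingested again refreshes the incident instead of being ignored.
            inc.fields.update(mapped)
        if n["event_id"] not in inc.source_events:
            inc.source_events.append(n["event_id"])
        if "affected_user" in mapped:
            inc.affected_users.add(mapped["affected_user"])
    return incidents, errors


if __name__ == "__main__":
    incidents, errors = ingest(SAMPLE_NOTABLES, PROFILE)
    for key, inc in incidents.items():
        print(inc.number, key, inc.source_events, sorted(inc.affected_users))
    print("skipped:", errors)
```

Two points a practitioner should carry over: match on normalized values rather than raw strings, or a single trailing space in a correlation rule name silently splits what should be one incident into two, and isolate failures per record so one malformed row in the raw-data table never blocks the rest of the batch.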
The Security Incident Response Dependency plugin (com.snc.si_dep) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications required by the integration.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the order listed below to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
- Security Support Orchestration