The Splunk ES Event Ingestion integration for Security Operations lets security operations center (SOC) analysts generate Now Platform® Security Incident Response (SIR) security incidents automatically when Splunk ES notable events that match a configured ingestion profile are triggered. Analysts can also forward selected events on demand from the Splunk ES console. Analysts then respond to the resulting security incidents with Now Platform workflows that automate incident response activities and remediation.
This integration includes the following key features:
- Create multiple alert ingestion profiles that create SIR security incidents for specific types of threats, such as phishing and malware.
- Create multiple event profiles for on-demand event forwarding from your Splunk ES console to create SIR security incidents.
- Drag-and-drop mapping of Splunk ES notable event and event field values to the associated SIR security incident fields.
- A SIR security incident layout preview, rendered from sample alerts or events, to validate the profile configuration before it goes live.
- Ingest historical alerts as well as ongoing and future alerts at configurable polling intervals.
- Aggregate events or alerts onto existing SIR security incidents when the configured field values match, so repeated notables do not create duplicate security incidents.
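To make the mapping and aggregation behaviour concrete, here is an added illustration that is not the integration's own code: a small Python model of an alert ingestion profile that maps notable-event fields onto incident fields and aggregates a new notable onto an existing incident when the profile's match fields agree. The profile structure, the field names (`rule_name`, `src_user`, `short_description`, `affected_user`, and so on) and the sample notables are all assumptions constructed for the example, not the product's actual schema or API.

```python
"""Added example (not the Splunk ES Event Ingestion integration's code).

Models one alert ingestion profile: a selector for the threat type, a
field map from notable-event fields to incident fields, and a list of
incident fields whose equality means "same incident, aggregate it".
All field names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample notables, shaped like rows of a Splunk ES notable search.
SAMPLE_NOTABLES = [
    {"event_id": "n-1001", "rule_name": "Phishing email detected",
     "src_user": "alice@example.com", "src_ip": "203.0.113.10", "urgency": "high"},
    # Same rule, same user: should aggregate onto the first incident.
    {"event_id": "n-1002", "rule_name": "Phishing email detected",
     "src_user": "alice@example.com", "src_ip": "203.0.113.11", "urgency": "high"},
    # Same rule but the user field is missing: match key absent, new incident.
    {"event_id": "n-1003", "rule_name": "Phishing email detected",
     "src_ip": "198.51.100.7", "urgency": "medium"},
    # Different threat type: not selected by a phishing profile at all.
    {"event_id": "n-1004", "rule_name": "Malware detected",
     "dest": "host-42", "urgency": "critical"},
]


@dataclass
class Profile:
    name: str
    rule_contains: str          # selector: which notables this profile handles
    field_map: dict             # notable field -> incident field
    aggregate_on: list          # incident fields that must all match to aggregate
    defaults: dict = field(default_factory=dict)


@dataclass
class Incident:
    number: str
    fields: dict
    source_event_ids: list


class Ingestor:
    def __init__(self, profile: Profile):
        self.profile = profile
        self.incidents: list[Incident] = []
        self._seq = 0

    def selects(self, notable: dict) -> bool:
        return self.profile.rule_contains.lower() in notable.get("rule_name", "").lower()

    def map_fields(self, notable: dict) -> dict:
        """Apply the profile's field map; unmapped notable fields are dropped."""
        incident_fields = dict(self.profile.defaults)
        for src, dst in self.profile.field_map.items():
            if src in notable:
                incident_fields[dst] = notable[src]
        return incident_fields

    def find_match(self, incident_fields: dict):
        """Return an open incident whose aggregate_on fields all equal ours."""
        keys = self.profile.aggregate_on
        if any(k not in incident_fields for k in keys):
            return None  # a missing match key must never aggregate onto anything
        for inc in self.incidents:
            if all(inc.fields.get(k) == incident_fields[k] for k in keys):
                return inc
        return None

    def ingest(self, notable: dict):
        """Create or aggregate; returns the incident, or None if not selected."""
        if not self.selects(notable):
            return None
        mapped = self.map_fields(notable)
        existing = self.find_match(mapped)
        if existing is not None:
            if notable["event_id"] not in existing.source_event_ids:
                existing.source_event_ids.append(notable["event_id"])
            return existing
        self._seq += 1
        inc = Incident(f"SIR{self._seq:07d}", mapped, [notable["event_id"]])
        self.incidents.append(inc)
        return inc


def run_sample() -> Ingestor:
    profile = Profile(
        name="Phishing",
        rule_contains="phishing",
        field_map={"rule_name": "short_description", "src_user": "affected_user",
                   "src_ip": "source_ip", "urgency": "priority"},
        aggregate_on=["short_description", "affected_user"],
        defaults={"category": "Phishing"},
    )
    ing = Ingestor(profile)
    for notable in SAMPLE_NOTABLES:
        ing.ingest(notable)
    return ing


if __name__ == "__main__":
    for inc in run_sample().incidents:
        print(inc.number, inc.fields, inc.source_event_ids)
```

The point worth checking in any real profile is the third notable: when one of the aggregation fields is absent from the mapped incident, the example deliberately opens a new incident rather than matching on an empty value, because matching on a missing key would silently merge unrelated alerts.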
Fixed:
- Issue where the CMDB_CI mapping failed for the Configuration item field.
- Issue where updated notables were not ingested.
- Issue where the Security Incident Response admin (sn_si.admin) could not select the source in the Splunk ES profile because of application scope restrictions.
The Security Incident Response Dependency plugin (com.snc.si_dep) is required. This plugin automatically installs all the dependencies needed to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that the integration requires.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If they are not, install and activate them one at a time, in the order listed below, to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
- Security Support Orchestration