The Splunk Enterprise Event Ingestion Integration for Security Operations allows security operations center (SOC) analysts to automatically generate Now Platform® Security Incident Response (SIR) incidents when certain configured Splunk Enterprise alerts are triggered. Analysts can also manually forward selected events on-demand from the Splunk console. Analysts respond to the security incidents created with workflows in the Now Platform that automate incident response activities and remediation.
This integration includes the following key features:
- Create multiple alert ingestion profiles that generate SIR security incidents for specific threats such as phishing and malware.
- Create multiple event profiles for on-demand event forwarding from your Splunk console to create SIR security incidents.
- Map Splunk alert and event field values to the associated SIR security incident fields with drag-and-drop.
- Preview the SIR security incident layout from sample alerts or events to validate the profile configuration.
- Ingest historical alerts, as well as ongoing and future alerts, at configurable intervals.
- Aggregate events or alerts into existing SIR security incidents based on matching field values to avoid duplicate security incidents.
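The two features a SOC engineer most needs to reason about are the field mapping and the aggregation rule, because a mapping that drops the fields used for matching silently turns aggregation off and floods the queue with duplicates. The following is an added illustrative model of those two behaviours; it is not the integration's own code or API. The profile structure, the Splunk field names, the SIR field names and the sample alerts are all constructed for the example.

```python
"""Illustrative model of alert-to-incident mapping and aggregation.

Hypothetical example: not the ServiceNow integration's own code or API.
Profile layout, field names and sample alerts are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Incident:
    """Minimal stand-in for a SIR security incident record (hypothetical)."""
    number: str
    fields: dict
    events: list = field(default_factory=list)


# Constructed sample Splunk alert results (hypothetical field names).
SAMPLE_ALERTS = [
    {"_time": "2024-01-10T09:00:00Z", "src_user": "alice@example.com",
     "subject": "Invoice overdue", "sender": "billing@bad.example", "severity": "high"},
    {"_time": "2024-01-10T09:05:00Z", "src_user": "alice@example.com",
     "subject": "Invoice overdue", "sender": "billing@bad.example", "severity": "high"},
    {"_time": "2024-01-10T09:07:00Z", "src_user": "bob@example.com",
     "subject": "Password reset", "sender": "it@bad.example", "severity": "medium"},
]

# Hypothetical ingestion profile: maps Splunk result fields to incident fields and
# declares which incident fields must match for an alert to aggregate into an
# existing incident instead of opening a new one.
PHISHING_PROFILE = {
    "name": "phishing",
    "category": "Phishing",
    "field_map": {
        "src_user": "affected_user",
        "subject": "short_description",
        "sender": "sender_address",
        "severity": "severity",
    },
    "aggregation_keys": ["affected_user", "sender_address"],
}


def map_alert(alert, profile):
    """Translate one Splunk result into incident field values via the profile's field_map."""
    mapped = {dst: alert[src] for src, dst in profile["field_map"].items() if src in alert}
    mapped["category"] = profile["category"]
    return mapped


def aggregation_key(fields, profile):
    """Tuple of the incident field values that must all match for aggregation."""
    return tuple(fields.get(k) for k in profile["aggregation_keys"])


def ingest(alerts, profile, incidents=None):
    """Create or aggregate incidents; returns the incident list in creation order.

    An alert whose mapped fields are missing any aggregation key (None in the key)
    always opens a new incident: matching on an absent value would merge unrelated
    alerts, so the safe failure mode is a duplicate, not a wrongly merged incident.
    """
    incidents = list(incidents) if incidents else []
    index = {aggregation_key(inc.fields, profile): inc for inc in incidents}
    for alert in alerts:
        fields = map_alert(alert, profile)
        key = aggregation_key(fields, profile)
        existing = index.get(key)
        if existing is not None and None not in key:
            existing.events.append(alert)  # same threat: attach, do not open a new incident
            continue
        inc = Incident(number=f"SIR{len(incidents) + 1:07d}", fields=fields, events=[alert])
        incidents.append(inc)
        if None not in key:
            index[key] = inc
    return incidents


if __name__ == "__main__":
    for inc in ingest(SAMPLE_ALERTS, PHISHING_PROFILE):
        print(inc.number, inc.fields["affected_user"], f"{len(inc.events)} event(s)")
```

Run against the constructed alerts, the two matching phishing results for the same user and sender collapse into one incident with two attached events, while the third opens a second incident. The practical check this models: when you change a profile's field map, confirm every field named in the aggregation keys is still populated by the preview, otherwise alerts will stop aggregating.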
Fixed:
- Issue related to the configuration item mapping.
The Security Incident Response Dependency plugin (com.snc.si_dep) is required. This plugin automatically installs all the dependencies required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications that are required for the integration.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the order listed below to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
- Security Support Orchestration