Splunk Enterprise Event Ingestion integration for Security Operations by ServiceNow
The Splunk Enterprise event and alert data integration with the Security Incident Response (SIR) product allows security incident analysts to collect and process security logs and related event data.
Overview
Data is collected in real time and used by analysts to identify and report potential cyber threats. Collected security events can be processed into triggered alerts, which this integration ingests automatically. Individual security events can also be forwarded manually, on demand, from the Splunk Enterprise search and reporting interface into the Security Incident Response product of the ServiceNow AI Platform to create security incidents. You can retrieve notable events from a Splunk Enterprise search head cluster by using the URL and API port of any search head that is part of the cluster.
This integration provides a security operations center (SOC) analyst with visibility to events and related alert data. This data can be integrated into ServiceNow AI Platform Security Incident Response (SIR) security incidents for further investigation and remediation. Profiles for Splunk ongoing ingested alerts and forwarded events are created in your ServiceNow AI Platform instance. These profiles customize how different Splunk alert and event fields are displayed on SIR security incidents. A default mapping of alert fields is provided that can be edited and augmented to meet customer-specific needs.
Key features
This integration includes the following key features:
- Create multiple alert ingestion profiles to create SIR security incidents for specific types of threats such as phishing and malware.
- Create multiple event profiles for on-demand event forwarding from your Splunk console to create SIR security incidents.
- Drag-and-drop mapping of Splunk alert and event field values to associated SIR security incident fields.
- A preview of the SIR security incident layout based on sample alerts or events to validate profile configuration.
- Ingest historical alerts as well as ongoing, future alerts on configurable intervals.
- Aggregate events or alerts to existing SIR security incidents based on matching field values to avoid duplicate security incidents.
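The following added example is not ServiceNow or Splunk code; it models two of the features above in plain Python: an alert ingestion profile that maps Splunk alert fields onto SIR security incident fields, and aggregation of alerts into an existing incident when the configured fields match, including the case where an alert lacks an aggregation field. The field names, profile and sample alerts are constructed assumptions, not the integration's real schema.

```python
# Added illustrative model (not ServiceNow/Splunk code). Profile, field names
# and sample alerts below are constructed assumptions for demonstration only.
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    field_map: dict      # Splunk alert field -> SIR security incident field
    aggregate_on: tuple  # SIR fields that must all match for aggregation


@dataclass
class Incident:
    number: int
    fields: dict
    source_alerts: list = field(default_factory=list)


def map_alert(profile, alert):
    """Build SIR incident fields from a raw Splunk alert via the profile mapping.
    Unmapped Splunk fields are dropped; mapped fields absent from the alert are
    left out so the caller can see that the mapping was incomplete."""
    return {sir: alert[spl] for spl, sir in profile.field_map.items() if spl in alert}


def ingest(profile, alerts):
    """Ingest alerts in order and return the resulting incidents. An alert whose
    aggregation fields all equal an existing incident's is attached to it instead
    of opening a duplicate; an alert missing any aggregation field always opens a
    new incident, because a partial match is not safe evidence of duplication."""
    incidents = []
    for alert in alerts:
        mapped = map_alert(profile, alert)
        key = tuple(mapped.get(f) for f in profile.aggregate_on)
        match = None
        if all(k is not None for k in key):
            for inc in incidents:
                if tuple(inc.fields.get(f) for f in profile.aggregate_on) == key:
                    match = inc
                    break
        if match is None:
            incidents.append(Incident(len(incidents) + 1, mapped, [alert]))
        else:
            match.source_alerts.append(alert)
    return incidents


# Constructed profile and sample Splunk alerts (assumed field names).
PHISHING = Profile(
    "Phishing alerts",
    {"search_name": "short_description", "user": "affected_user",
     "src_ip": "source_ip", "severity": "priority"},
    ("short_description", "affected_user"),
)
SAMPLE_ALERTS = [
    {"search_name": "Phishing - suspicious sender", "user": "alice", "src_ip": "203.0.113.5", "severity": "high"},
    {"search_name": "Phishing - suspicious sender", "user": "alice", "src_ip": "203.0.113.9", "severity": "high"},
    {"search_name": "Phishing - suspicious sender", "user": "bob", "src_ip": "203.0.113.5", "severity": "medium"},
    {"search_name": "Phishing - suspicious sender", "src_ip": "198.51.100.7", "severity": "low"},
]
```

Running `ingest(PHISHING, SAMPLE_ALERTS)` yields three incidents: the two alice alerts aggregate into one, bob gets his own, and the alert with no user field opens a third rather than being merged on a partial key.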
Supported ServiceNow AI Platform versions
The com.snc.si_dep plugin is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications:
- Security Integration Framework
- Security Support Common
- Security Support Orchestration
- Security Incident Response
For more information about installing the Security Operations core applications, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.
ServiceNow Addons
The ServiceNow Security Operations Event Ingestion Addon for Splunk Enterprise is required only if you want to forward events manually from your Splunk Enterprise console into your ServiceNow AI Platform instance. This ServiceNow addon is available on Splunkbase.
The addon is not required for the automated alert ingestion that the integration supports.
Splunk Supported versions
This integration supports version 6.0 or later of Splunk Enterprise. The integration also supports the Splunk Enterprise Cloud service.
MID Server
This integration requires an installed and configured MID Server in your ServiceNow AI Platform® instance to connect to the Splunk service when the Splunk server is deployed within your corporate network. If you are using the Splunk Cloud service, a MID Server is not required. For more information about MID Servers, see MID Server.
Integration architecture and systems connection
For more information about the architecture of the integration including key terms and external systems connection details, see Integration architecture and external systems connection for the Splunk Enterprise Event Ingestion integration.
Checklist
For a printable checklist of these topics, see Checklist for the Splunk Enterprise Security Notable Event Ingestion integration. You can use this list to monitor your progress as you work through the tasks of the integration.
The images used in the following topics were generated for the Kingston release of the ServiceNow AI Platform. For information about the San Diego user interface, see Manage security threats using the Security Analyst Workspace.
The following topics are numbered. Follow the topics listed below in the order that they are presented for a smooth installation and configuration of the application.