Set Correlation rules

Freigeben Version: Australia

Aktualisiert 12. März 2026

1 Minute Lesedauer

After you have created a profile for a scheduled notable event type ingestion, select a Splunk Enterprise Security correlation rule name for this profile for which you want to map corresponding notable events to a ServiceNow AI Platform Security Incident Response security incident.

Vorbereitungen

Role required: sn_si.ingestion_profile_admin

Hinweis:

Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

Warum und wann dieser Vorgang ausgeführt wird

View the available correlation rules in your ServiceNow AI Platform instance so you know the notable event types for which you want to ingest and create security incidents. Select a correlation rule. You can select one or more notable event from the list in this form.

Prozedur

If you are not continuing from the previous section of the incident profile definition process, access the profile you are defining.
1. Navigate to All>Splunk ES Event Profile.
2. Select the profile you are continuing to define.
3. Select Notable Event Selection in the progress bar.
Clear All Correlation Rules Selected check box to select specific Correlation Rules.
Selecting this check box will retrieve all active Correlation Rules from Splunk ES.
In the Correlation Rules List search field, enter the Correlation Rule name created in the Splunk ES portal.
Select the Correlation Rule(s).
Use the right arrow ( >) to move the rule(s) from Available to Selected column.
Hinweis:
Correlation rules must be unique across active profiles. A correlation rule associated with an active profile cannot be selected for another active profile. To reuse the rule, deactivate the profile it is currently associated with.
Select Continue.

Nächste Maßnahme

Map notable events