Splunk Enterprise Security event ingestion integration
The Splunk Enterprise Security notable event ingestion integration with the Security Incident Response (SIR) product allows security incident analysts to collect and process notable event data (referred to as notables).
Overview of Splunk Enterprise Security event ingestion integration
Data is ingested continually based on a configured polling schedule and it is used by analysts to identify and respond to potential cyber threats. Security events that are collected can be correlated into notable events in Splunk Enterprise Security and then ingested automatically with this integration. Also, individual notable events can be manually forwarded on-demand from the Splunk Enterprise Security Incident Review console and reporting interface into the Security Incident Response product of the ServiceNow AI Platform to create security incidents.
This integration provides a security operations center (SOC) analyst with visibility to notable events and related contributing event data. This data can be integrated into ServiceNow AI Platform Security Incident Response (SIR) security incidents for further investigation and remediation. Profiles are created in your ServiceNow AI Platform instance to handle different notable event types that are created via correlation searches in Splunk Enterprise Security. These profiles customize how different Splunk event fields are displayed on SIR security incidents.
Key features
This integration includes the following key features:
- Create multiple notable event ingestion profiles to create SIR security incidents for specific types of threats such as phishing, malware, and unauthorized access attempts.
- Create multiple event profiles for on-demand event forwarding from your Splunk ES incident review console to create SIR security incidents.
- Drag-and-drop mapping of Splunk notable event field values to associated SIR security incident fields.
- A preview of the SIR security incident layout based on sample notable events to validate event mapping details.
- Ingest historical notable events as well as ongoing, new, and updated notable events on configurable intervals.
- Filter out notable events that do not meet SIR incident generation criteria, for example, low priority events, events that have yet to achieve a specific status, and so on.
- Aggregate events or alerts to existing SIR security incidents based on matching field values to avoid duplicate security incidents.
- Update notable events when SIR incident creation and/or closure conditions are met, via a bi-directional interface, to keep Splunk ES notable event status in sync with the ServiceNow SIR incident status.
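To make the filter, map, and aggregate steps in the feature list concrete, here is an added illustration of what an ingestion profile does with a batch of notables; it is not ServiceNow's or Splunk's code, and the profile layout, the SIR field names, and the sample notables are constructed assumptions.

```python
# Added illustration of an ingestion profile's filter, map and aggregate steps.
# Not ServiceNow or Splunk code; profile layout, SIR field names and sample
# notables are constructed assumptions for this example.

# Constructed notables, shaped like Splunk ES notable search results.
SAMPLE_NOTABLES = [
    {"event_id": "n1", "rule_name": "Phishing Email Detected", "urgency": "high",
     "status_label": "New", "src": "10.0.0.5", "dest": "mail01"},
    {"event_id": "n2", "rule_name": "Phishing Email Detected", "urgency": "high",
     "status_label": "New", "src": "10.0.0.5", "dest": "mail01"},
    {"event_id": "n3", "rule_name": "Malware Beacon", "urgency": "low",
     "status_label": "New", "src": "10.0.0.9", "dest": "198.51.100.7"},
    {"event_id": "n4", "rule_name": "Malware Beacon", "urgency": "critical",
     "status_label": "Pending", "src": "10.0.0.9", "dest": "198.51.100.7"},
]

# Assumed profile: filter criteria, notable-to-SIR field mapping, and the
# mapped fields whose values identify an existing incident to aggregate into.
SAMPLE_PROFILE = {
    "min_urgency": "medium",
    "allowed_status": {"New", "In Progress"},
    "field_map": {"rule_name": "short_description", "src": "source_ip",
                  "dest": "affected_host", "urgency": "priority"},
    "aggregate_on": ("short_description", "source_ip"),
}

URGENCY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def qualifies(notable, profile):
    """Filter: drop low-urgency notables and those not yet in an allowed status."""
    rank_ok = URGENCY_RANK.get(notable["urgency"], 0) >= URGENCY_RANK[profile["min_urgency"]]
    return rank_ok and notable["status_label"] in profile["allowed_status"]


def map_fields(notable, profile):
    """Map: rename Splunk notable fields to SIR security incident fields."""
    return {sir: notable[spl] for spl, sir in profile["field_map"].items() if spl in notable}


def ingest(notables, profile, incidents=None):
    """Create one incident per aggregation key; later matches are appended, not duplicated."""
    incidents = [] if incidents is None else incidents
    for n in (x for x in notables if qualifies(x, profile)):
        mapped = map_fields(n, profile)
        key = tuple(mapped[f] for f in profile["aggregate_on"])
        existing = next((i for i in incidents if i["key"] == key), None)
        if existing:
            existing["event_ids"].append(n["event_id"])
        else:
            incidents.append({"key": key, "event_ids": [n["event_id"]], **mapped})
    return incidents
```

Running `ingest(SAMPLE_NOTABLES, SAMPLE_PROFILE)` yields a single incident carrying both phishing notables, while the low-urgency and not-yet-eligible malware notables are held back by the filter step.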
Supported ServiceNow AI Platform versions
The com.snc.si_dep plugin is required for this integration. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before installing and activating the other Security Operations applications.
- Security Integration Framework
- Security Support Common
- Security Incident Response
For more information about installing the Security Operations core applications, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.
ServiceNow Addons
The ServiceNow Security Operations Event Ingestion Addon for Splunk ES is required only if you prefer to forward events manually from your Splunk Enterprise Security Incident Review console into your ServiceNow AI Platform instance. This ServiceNow addon is available on Splunkbase.
This addon is not required for the automated alert ingestion that the integration supports.
Supported Splunk versions
- Splunk Enterprise version 10.0.0 and earlier.
- Splunk Enterprise Security application version 8.3.0 and earlier.
MID Server
This integration requires an installed and configured MID Server in your ServiceNow AI Platform® instance to connect to the Splunk service when the Splunk server is deployed within your corporate network. If you are using the Splunk Cloud service, a MID Server is not required. See MID Server for more information about MID Servers.
References
| Reference | Document Identifier | Document Title |
|---|---|---|
| 1 | Splunk product website | Splunk Enterprise Security product website |
Checklist
For a printable checklist of these topics, see Checklist for Splunk Enterprise Security Notable Event Ingestion integration. You can use this list to monitor your progress as you work through the tasks of the integration.