Key terms used in this integration

  • Release version: Xanadu
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Key Terms Used in this Integration

    This document outlines essential terms relevant to the integration between ServiceNow and Splunk, focusing on components necessary for installation and configuration. Understanding these terms will facilitate a smoother integration process and enhance operational efficiency.

    Show full answer Show less

    Key Features

    • ServiceNow AI Platform: This is the foundational enterprise product for ServiceNow, enabling various applications like Security Incident Response (SIR) and IT Service Management (ITSM).
    • ServiceNow Splunkbase Addon: An application installed on Splunk Enterprise Security that supports optional manual event forwarding; it is not required for automated event ingestion.
    • Security Incident Response (SIR): An application within the ServiceNow AI Platform designed to manage security incidents from discovery to closure.
    • Splunk Enterprise Security: A premium solution providing visibility and intelligence for security operations, requiring a paid license.
    • Splunk Enterprise Security Notable Event: Generated when a correlation search identifies specific events, crucial for incident identification.
    • Splunk Event: Data elements that lead to notable events, allowing tracking of incidents linked to specific data triggers.
    • MID Server: Facilitates data communication between ServiceNow and external applications, necessary for on-premises integrations, but not for Splunk Cloud instances.
    • Security Incident Admin (snsi.admin): A role responsible for overseeing the integration configuration with the SIR product.
    • Security Incident Analyst (snsi.analyst): A role focused on analyzing and managing security incidents within ServiceNow.

    Key Outcomes

    By understanding these key terms, ServiceNow customers can effectively navigate the integration process with Splunk, enabling enhanced security incident management and streamlined data communication across platforms.

    This section describes some of the key terms used in this integration.

    The following key terms are used during the installation and configuration. For more information about these terms, see the ServiceNow Product Documentation website and the Splunk website and resources on Splunk Resources page.

    ServiceNow AI Platform
    An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components such as Security Incident Response (SIR), IT Service Management (ITSM), and other products are built.
    ServiceNow Splunkbase Addon
    A ServiceNow application that is installed on your Splunk Enterprise Security console that supports the manual event forwarding option of the integration. Manual event forwarding is an optional feature of the integration. This ServiceNow Splunkbase add-on is not required for the automated notable event ingestion that is provided by the integration which pulls events from Splunk.
    Security Incident Response (SIR)
    A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review and closure.
    Splunk Enterprise Security
    Splunk Enterprise Security helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, SOC operations, and providing executives a window into business risk. Splunk Enterprise Security is a premium security solution requiring a paid license. This service is on a host or a Splunk cloud offering that is referred to as a Splunk console in this guide.
    Splunk Enterprise Security notable event
    When a correlation search identifies an event or a pattern of events, it creates a notable event. Correlation searches filter the security data and correlate across events to identify a particular type of incident (or pattern of events) and then create notable events.
    Splunk event
    One or more data elements that result in the notable events of the Splunk service. From your ServiceNow AI Platform instance, you can look up which Splunk events triggered ServiceNow AI Platform security incidents.
    MID Server
    This application facilitates communication and movement of data between the ServiceNow AI Platform and external applications, data sources, and services. This application is typically required for integration with on-premises technologies, and, for this Splunk Enterprise Security event ingestion integration, the MID Server facilitates communication between the ServiceNow AI Platform and the on-premises instance of Splunk Enterprise Security. A MID Server is not required if you are integrating your ServiceNow AI Platform instance with a Splunk Cloud instance.
    Security incident admin (sn_si.admin)
    The user with this role oversees the configuration of the integration with the SIR product in your ServiceNow AI Platform instance.
    Security incident analyst (sn_si.analyst)
    The user with this role interacts with and analyzes security incidents in the ServiceNow Security Incident Response product.