Key terms used in this integration

  • Release version: Yokohama
  • Updated July 31, 2025
    This section describes some of the key terms used in this integration.

    The following key terms are used during the installation and configuration. For more information about these terms, see the ServiceNow Product Documentation website, the Splunk website, and the resources on the Splunk Resources page.

    ServiceNow AI Platform
    An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components such as Security Incident Response (SIR), IT Service Management (ITSM), and other products are built.
    ServiceNow Splunkbase Addon
    A ServiceNow application that is installed on your Splunk Enterprise Security console and supports the manual event forwarding option of the integration. Manual event forwarding is an optional feature of the integration. The ServiceNow Splunkbase add-on is not required for the automated notable event ingestion provided by the integration, which pulls events from Splunk.
    Security Incident Response (SIR)
    A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review and closure.
    Splunk Enterprise Security
    Splunk Enterprise Security helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, and SOC operations, and gives executives a window into business risk. Splunk Enterprise Security is a premium security solution requiring a paid license. The service runs on a host or as a Splunk Cloud offering, and is referred to as a Splunk console in this guide.
    Splunk Enterprise Security notable event
    When a correlation search identifies an event or a pattern of events, it creates a notable event. Correlation searches filter the security data and correlate across events to identify a particular type of incident (or pattern of events) and then create notable events.
    Splunk event
    One or more data elements that result in the notable events of the Splunk service. From your ServiceNow AI Platform instance, you can look up which Splunk events triggered ServiceNow AI Platform security incidents.
    MID Server
    This application facilitates communication and movement of data between the ServiceNow AI Platform and external applications, data sources, and services. It is typically required for integration with on-premises technologies. For this Splunk Enterprise Security event ingestion integration, the MID Server facilitates communication between the ServiceNow AI Platform and the on-premises instance of Splunk Enterprise Security. A MID Server is not required if you are integrating your ServiceNow AI Platform instance with a Splunk Cloud instance.
    Security incident admin (sn_si.admin)
    The user with this role oversees the configuration of the integration with the SIR product in your ServiceNow AI Platform instance.
    Security incident analyst (sn_si.analyst)
    The user with this role interacts with and analyzes security incidents in the ServiceNow Security Incident Response product.