Best practice for integrating Splunk ES with Security Incident Respons
4 hours ago
Hi everyone,
I’m working on an integration between Splunk Enterprise Security and ServiceNow Security Incident Response (SIR).
Splunk ES currently generates around 250 to 300 notable events per day, and the objective is to bring all notable events into ServiceNow and manage them in SIR.
We want to automatically create and manage Security Incidents in SIR.
The SOC may operate primarily in ServiceNow.
I would like to understand from those who have implemented this integration in production: what is the recommended architectural approach?
- Pull model (ServiceNow polling Splunk for notable events)
- Push model (Splunk calling ServiceNow REST API)
- Is the official plugin “Splunk ES Integration for Security Operations” the best-practice method?
If not using the official plugin:
What is the most robust alternative pattern?
A custom REST API integration?
Any real-world lessons learned would be greatly appreciated.
Thanks in advance!
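For the push-model option raised in the question (Splunk calling the ServiceNow REST API), the following is an added example, not code from this thread or from either vendor. It assumes SIR incidents live in the `sn_si_incident` table and that its inherited `task.correlation_id` field can hold the Splunk notable `event_id`; with that key, a retried or replayed push looks the incident up first instead of creating a duplicate. The transport is an in-memory stand-in for the Table API so it runs offline.

```python
import json

# Assumptions (not from the thread): SIR incidents are rows of sn_si_incident, which
# inherits task.correlation_id. We store the Splunk notable event_id there so that
# retries of the same notable do not create duplicate Security Incidents.
SIR_TABLE = "sn_si_incident"

# Splunk ES urgency -> ServiceNow severity (1 = High ... 3 = Low). Constructed mapping.
URGENCY_TO_SEVERITY = {"critical": 1, "high": 1, "medium": 2, "low": 3, "informational": 3}


def build_sir_payload(notable: dict) -> dict:
    """Map one Splunk ES notable event onto a SIR incident record body."""
    return {
        "short_description": f"[Splunk ES] {notable['rule_name']}",
        "description": json.dumps(notable, sort_keys=True, indent=2),  # keep raw fields
        "severity": URGENCY_TO_SEVERITY.get(notable.get("urgency", "low").lower(), 3),
        "correlation_id": notable["event_id"],  # idempotency key
    }


def push_notable(transport, notable: dict) -> dict:
    """Push model: look the notable up by correlation_id first, create only if absent.

    transport.get(table, query) -> list of records; transport.post(table, body) -> record.
    """
    existing = transport.get(SIR_TABLE, f"correlation_id={notable['event_id']}")
    if existing:
        return {"sys_id": existing[0]["sys_id"], "created": False}
    created = transport.post(SIR_TABLE, build_sir_payload(notable))
    return {"sys_id": created["sys_id"], "created": True}


class FakeTableApi:
    """In-memory stand-in for the ServiceNow Table API so the example runs offline."""

    def __init__(self):
        self.rows = {}

    def get(self, table, query):
        field, _, value = query.partition("=")
        return [r for r in self.rows.values() if r.get(field) == value]

    def post(self, table, body):
        row = dict(body, sys_id=f"sid{len(self.rows) + 1:04d}")
        self.rows[row["sys_id"]] = row
        return row


# Constructed notable event using the field names Splunk ES emits (event_id, rule_name, urgency).
SAMPLE_NOTABLE = {"event_id": "A1B2C3D4@@notable@@deadbeef", "rule_name": "Brute Force Access Behavior Detected",
                  "urgency": "high", "security_domain": "access"}

if __name__ == "__main__":
    api = FakeTableApi()
    print(push_notable(api, SAMPLE_NOTABLE))  # first push creates the incident
    print(push_notable(api, SAMPLE_NOTABLE))  # replayed push returns the same sys_id
```

Swap `FakeTableApi` for a client that issues `GET /api/now/table/sn_si_incident?sysparm_query=correlation_id=<id>` and `POST /api/now/table/sn_si_incident`; the lookup-before-create step is what makes Splunk-side retries safe.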
an hour ago - last edited an hour ago
For me, the "Splunk ES Integration for Security Operations" application should be the recommended approach because it is built and supported by ServiceNow and Splunk to work seamlessly with Security Incident Response (SIR).
The "Splunk ES Integration for Security Operations" application supports the pull model. (Ref: https://www.servicenow.com/community/secops-forum/difference-between-splunk-es-integration-for-secur....)
I have not worked with Splunk ES Integration for Security Operations for SIR, but we have a Splunk integration for events -> incidents using the Splunk Integration app.
The concept is a bit similar, that's why I'm sharing it with you. (The pic has been taken from the store.)

