
Best practice for integrating Splunk ES with Security Incident Response

Erica Spirito
Tera Contributor

 Hi everyone, 

I’m working on an integration between Splunk Enterprise Security and ServiceNow Security Incident Response (SIR).

Splunk ES currently generates around 250 to 300 notable events per day, and the objective is to bring all notable events into ServiceNow and manage them in SIR.

  • We want to automatically create and manage Security Incidents in SIR

  • SOC may operate primarily in ServiceNow

I would like to understand from those who have implemented this integration in production: what is the recommended architectural approach?

  • Pull model (ServiceNow polling Splunk for notable events)
  • Push model (Splunk calling ServiceNow REST API)
  • Is the official plugin “Splunk ES Integration for Security Operations” the best-practice method?

If not using the official plugin:

  • What is the most robust alternative pattern?

  • Custom REST API integration?

 

Any real-world lessons learned would be greatly appreciated.

Thanks in advance!

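The question above is about push versus pull delivery of notable events into SIR. Whichever side initiates, the failure mode that bites in production is duplication: a Splunk alert action or a poller will re-deliver the same notable after a timeout or restart, so the ServiceNow side must be idempotent. The following is an added example, not code from the original post, from ServiceNow, or from the Splunk ES integration app. It sketches a push-model client that upserts into the SIR table `sn_si_incident` through the standard Table API, keyed on the Splunk notable `event_id` stored in the record's `correlation_id` field. The severity-to-urgency mapping, the field names chosen on the notable side, and the `FakeServiceNow` in-memory stand-in are all assumptions made for the example so it runs offline; the `ServiceNowHttp` transport is the same call shape against a real instance and is not exercised here.

```python
"""Push-model sketch (added example): deliver Splunk ES notables into ServiceNow
SIR idempotently, so re-deliveries update the existing record instead of
creating a duplicate. Keyed on the notable's event_id via correlation_id."""
import base64
import json
import urllib.request
from urllib.parse import urlencode

SIR_TABLE = "sn_si_incident"               # SIR security incident table
TABLE_API = "/api/now/table/" + SIR_TABLE  # ServiceNow Table API path

# Assumed mapping from Splunk ES notable severity to SIR urgency (1=high .. 3=low).
SEVERITY_TO_URGENCY = {
    "critical": "1", "high": "1", "medium": "2", "low": "3", "informational": "3",
}


def notable_to_sir(notable):
    """Map a Splunk ES notable (dict of result fields; names assumed) to a SIR
    record body. correlation_id carries the notable event_id so a re-delivery
    of the same notable can be matched to the record it already produced."""
    return {
        "correlation_id": notable["event_id"],
        "short_description": notable["rule_name"],
        "description": notable.get("rule_description", ""),
        "urgency": SEVERITY_TO_URGENCY.get(notable.get("severity", "").lower(), "3"),
    }


class FakeServiceNow:
    """Constructed in-memory test double for the Table API (offline only)."""

    def __init__(self):
        self.rows = {}    # sys_id -> record
        self.calls = []   # HTTP methods seen, to show what each upsert did

    def request(self, method, path, params=None, body=None):
        self.calls.append(method)
        if method == "GET":
            key = params["sysparm_query"].split("=", 1)[1]   # "correlation_id=<id>"
            hits = [r for r in self.rows.values() if r["correlation_id"] == key]
            return 200, {"result": hits}
        if method == "POST":
            sys_id = "sid%03d" % (len(self.rows) + 1)
            self.rows[sys_id] = dict(body, sys_id=sys_id)
            return 201, {"result": self.rows[sys_id]}
        if method == "PATCH":
            sys_id = path.rsplit("/", 1)[1]
            self.rows[sys_id].update(body)
            return 200, {"result": self.rows[sys_id]}
        raise ValueError("unsupported method " + method)


class ServiceNowHttp:
    """Real transport with the same request() shape: basic auth against an
    instance URL. Assumed for illustration; not called in this offline example."""

    def __init__(self, instance_url, user, password):
        self.base = instance_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "Content-Type": "application/json",
                        "Accept": "application/json"}

    def request(self, method, path, params=None, body=None):
        url = self.base + path + ("?" + urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())


def upsert_notable(transport, notable):
    """Create the SIR record for a notable, or update the existing one if the
    same event_id was delivered before. Returns (action, sys_id)."""
    body = notable_to_sir(notable)
    status, data = transport.request(
        "GET", TABLE_API,
        params={"sysparm_query": "correlation_id=" + body["correlation_id"],
                "sysparm_fields": "sys_id", "sysparm_limit": "1"})
    if status != 200:
        raise RuntimeError("lookup failed with HTTP %d" % status)
    existing = data["result"]
    if existing:
        sys_id = existing[0]["sys_id"]
        status, _ = transport.request("PATCH", TABLE_API + "/" + sys_id, body=body)
        if status != 200:
            raise RuntimeError("update failed with HTTP %d" % status)
        return "updated", sys_id
    status, data = transport.request("POST", TABLE_API, body=body)
    if status != 201:
        raise RuntimeError("create failed with HTTP %d" % status)
    return "created", data["result"]["sys_id"]


def deliver(transport, notables):
    """Deliver a batch (e.g. one alert-action invocation) and count outcomes."""
    counts = {"created": 0, "updated": 0}
    for n in notables:
        action, _ = upsert_notable(transport, n)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    fake = FakeServiceNow()
    # Constructed sample notables; the third is a re-delivery of the first.
    batch = [{"event_id": "A@@notable@@1", "rule_name": "Brute Force", "severity": "high"},
             {"event_id": "B@@notable@@2", "rule_name": "Malware Seen", "severity": "low"},
             {"event_id": "A@@notable@@1", "rule_name": "Brute Force", "severity": "critical"}]
    print(deliver(fake, batch), "records:", len(fake.rows))
```

The lookup-then-write pair is not atomic, so two workers delivering the same notable at the same instant can still race; if that matters, serialize delivery per `event_id` on the Splunk side or enforce uniqueness on `correlation_id` in ServiceNow. Whatever credential the push uses should be a dedicated integration user scoped to the SIR tables it needs, not an admin account.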