Inbound API for security incident

jason_lau
Tera Contributor

Short of using event management to generate security incidents, what would be the best way to remotely generate security incidents via API call? I know I can create an import set and push to that, or create scripted rest API, but I wanted to first check to see if there's an existing method for remote systems to create security incidents. I really wouldn't want to expose API directly to security incident tables.

Before I go off and build something, I wanted to check to see if there's something already in place for inbound API requests to generate security incidents that I could leverage.

An example use case would be if I create a Splunk alert and have that run a script to push relevant data to a security incident import table. While I'm aware that I could direct the Splunk data to event management and have that correlate and create a security incident, in that context event management is redundant to Splunk.

Another example would be to create security incidents directly from DLP solutions via REST API call.

Thanks!

Jason

Accepted solution

jarodm
Mega Guru

No default way to do it. We have imported items from Nessus Security Center to create Security Incidents based on priorities, by importing via REST (via MID server) into an import table and having the transform map decide what items are created into an SI. The same goes for inbound emails and event data.

If you need help walking through some options, feel free to contact me directly.

jason_lau
Tera Contributor

Thanks Jarod.

That makes perfect sense. If there's no existing generic import table to use, I'll just create import tables as needed and transform to SI.

-J


As a follow-up, I didn't see this before, but there's an import table already for security incident (sn_si_incident_import). If you use the ServiceNow Security Operations add-on for Splunk, that does a REST post to the import table... that's exactly what I wanted to do. The Splunk add-on made it that much easier.

ServiceNow Security Operations add-on for Splunk

So for incident creation, in order of complexity:

1. Email to security incident (easy but not preferred)

2. ServiceNow Security Operations add-on for Splunk (since we log security events to Splunk, this is easy and preferred)

3. Direct REST post to sn_si_incident_import. We'll use this in cases where we want to directly create the incident, such as from a 3rd-party SOC.
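Both approaches in this thread (jarodm's REST-into-an-import-table with the transform map deciding what becomes an SI, and option 3 above, a direct REST post to sn_si_incident_import) look the same from the remote system's side. The following is an added example, not code from the thread, from ServiceNow or from the Splunk add-on: a small Python client that posts one row to the staging table through the standard ServiceNow Import Set API (POST /api/now/import/<staging_table>) and reads back what the transform map did with it. The instance name, credentials, the u_* column names, the sample alert and the sample reply are constructed assumptions; the column names in particular must match the source fields of the transform map in your own instance.

```python
"""Push a security event into the ServiceNow Security Incident import table.

Added example, not code from the thread or from ServiceNow/Splunk. It uses the
Import Set REST API (POST /api/now/import/<staging_table>), a standard
ServiceNow endpoint. Everything else (instance name, credentials, u_* column
names, sample alert, sample reply) is a constructed placeholder and has to be
aligned with the transform map on sn_si_incident_import in your instance.
"""
import base64
import json
import urllib.request

STAGING_TABLE = "sn_si_incident_import"  # import table named in the thread

# Allowlist: only these alert keys are forwarded, under the staging column they
# map to. Column names are assumptions (typical u_ prefix); check the transform
# map's source fields before use. Anything not listed is dropped, so the remote
# system never writes arbitrary columns and never touches sn_si_incident itself.
FIELD_MAP = {
    "title": "u_short_description",
    "description": "u_description",
    "severity": "u_severity",
    "source_ip": "u_source_ip",
    "alert_id": "u_correlation_id",
}


def build_import_request(instance, user, password, alert):
    """Return (url, headers, body_bytes) for one import-set row."""
    row = {col: str(alert[key]) for key, col in FIELD_MAP.items() if key in alert}
    if "u_short_description" not in row:
        raise ValueError("alert must carry a title")
    url = f"https://{instance}.service-now.com/api/now/import/{STAGING_TABLE}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    }
    return url, headers, json.dumps(row).encode()


def parse_import_response(body):
    """Summarise the Import Set API reply: one entry per transform map that ran.

    Assumed reply shape: {"import_set": ..., "staging_table": ...,
    "result": [{"status": ..., "table": ..., "display_value": ..., ...}]}.
    Returns (import set number, list of {status, table, record, error}).
    """
    data = json.loads(body)
    rows = []
    for r in data.get("result", []):
        rows.append({
            "status": r.get("status"),        # inserted / updated / ignored / error
            "table": r.get("table"),          # target table, e.g. sn_si_incident
            "record": r.get("display_value"), # e.g. the SIR number
            "error": r.get("error_message"),
        })
    return data.get("import_set"), rows


def send_alert(instance, user, password, alert, opener=urllib.request.urlopen):
    """POST one row and return the parsed reply (opener is injectable for tests)."""
    url, headers, body = build_import_request(instance, user, password, alert)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req, timeout=30) as resp:
        return parse_import_response(resp.read())


# Constructed sample alert, as a Splunk alert script might hand it over.
SAMPLE_ALERT = {
    "title": "DLP: card data sent to external mailbox",
    "description": "3 matches in outbound mail from host WKS-0042",
    "severity": "2",
    "source_ip": "10.1.2.3",
    "alert_id": "splunk-alert-7f3a",
    "search_name": "dlp_outbound",  # not in FIELD_MAP, so it is dropped
}

# Constructed reply in the shape the Import Set API returns (values made up).
SAMPLE_RESPONSE = json.dumps({
    "import_set": "ISET0010042",
    "staging_table": STAGING_TABLE,
    "result": [{
        "transform_map": "Security Incident Import",
        "table": "sn_si_incident",
        "display_name": "number",
        "display_value": "SIR0010007",
        "status": "inserted",
        "sys_id": "0123456789abcdef0123456789abcdef",
    }],
})

if __name__ == "__main__":
    url, headers, body = build_import_request("dev00000", "splunk_int", "***", SAMPLE_ALERT)
    print(url)
    print(json.loads(body))
    print(parse_import_response(SAMPLE_RESPONSE))
```

The point of the allowlist is the concern raised in the question: the remote system only ever sees the staging table, and the transform map remains the single place that decides whether a row becomes an SI, so a compromised or misconfigured sender cannot set fields the map does not carry over. For a production run, use a dedicated integration user with rights on the import table only, and check the returned status per transform map rather than the HTTP code alone, since an "ignored" or "error" row still comes back with a successful POST.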