‎06-12-2016 07:29 AM
Short of using event management to generate security incidents, what would be the best way to remotely generate security incidents via API call? I know I can create an import set and push to that, or create scripted rest API, but I wanted to first check to see if there's an existing method for remote systems to create security incidents. I really wouldn't want to expose API directly to security incident tables.
Before I go off and build something, I wanted to check to see if there's something already in place for inbound API requests to generate security incidents that I could leverage.
An example use case would be if I create a Splunk alert and have that run a script to push relevant data to a security incident import table. While I'm aware that I could direct the Splunk data to event management and have that correlate and create a security incident, in that context event management is redundant to Splunk.
Another example would be to create security incident directly from DLP solutions via REST API call.
Thanks!
Jason

‎06-22-2016 08:16 AM
No default way to do it. We have imported items from Nessus Security Center to create Security Incidents based on priorities, by importing via REST (via MID server) into an import table and having the transform map decide what items are created into an SI. The same goes for inbound emails and event data.
If you need help walking through some options, feel free to contact me directly.
‎06-22-2016 02:03 PM
Thanks Jarod.
That makes perfect sense. If there's no existing generic import table to use, I'll just create import tables as needed and transform to SI.
-J
‎07-22-2016 04:59 PM
As a follow-up, I didn't see this before, but there's an import table already for security incident (sn_si_incident_import). If you use the ServiceNow Security Operations add-on for Splunk, that does a REST post to the import table... that's exactly what I wanted to do. The Splunk add-in made it that much easier.
ServiceNow Security Operations add-on for Splunk
So for incident creation, in order of complexity:
1. email to security incident (easy but not preferred)
2. ServiceNow Security Operations add-on for Splunk (since we log security events to Splunk, this is easy and preferred)
3. Direct REST post to sn_si_incident_import. We'll use this in cases where we want to directly create the incident such as from 3rd party SOC.
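Option 3 above (a direct REST post to the sn_si_incident_import staging table, which also covers the Splunk-alert-script use case from the original question) as an added Python example. This is not code from the thread, from ServiceNow or from the Splunk add-on. It assumes the Import Set REST endpoint `POST /api/now/import/{stagingTable}` and the `status` values in its response; the staging-table column names, the Splunk-to-ServiceNow priority mapping, the instance URL and the alert fields are all constructed for illustration and should be checked against the real staging table. The point it demonstrates is the one Jarod made: the caller only writes to the staging table with an allowlisted set of columns, and the transform map on the ServiceNow side decides what becomes a security incident, so the integration account never needs rights on sn_si_incident itself.

```python
"""Added example: push one alert into the ServiceNow Security Incident staging
table through the Import Set REST API. Not from the thread, ServiceNow or the
Splunk add-on; column names and status values are assumptions, see comments."""
import base64
import json
import os
from typing import Callable, Dict, Optional
from urllib import request

# Staging table named in the thread.
STAGING_TABLE = "sn_si_incident_import"

# ASSUMED column names on the staging table (check your instance). Anything
# not in this allowlist is dropped before the row leaves the caller, so a
# remote system cannot write arbitrary columns into the staging table.
ALLOWED_COLUMNS = {"short_description", "description", "priority", "category", "source"}

# Constructed severity-to-priority mapping; adjust to the transform map's rules.
SPLUNK_TO_SN_PRIORITY = {"critical": "1", "high": "2", "medium": "3", "low": "4"}


def build_import_row(alert: Dict[str, str], overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map a (constructed) Splunk alert result to a staging-table row.

    The full alert is kept in `description` as JSON so the transform map and the
    analyst can see every field without the caller having to map each one.
    """
    severity = str(alert.get("severity", "low")).lower()
    row = {
        "short_description": str(alert.get("search_name", "Splunk alert"))[:160],
        "description": json.dumps(alert, sort_keys=True),
        "priority": SPLUNK_TO_SN_PRIORITY.get(severity, "4"),
        "category": "Splunk",
        "source": "splunk",
    }
    # Caller-supplied overrides are filtered by the allowlist; unknown keys are dropped.
    for key, value in (overrides or {}).items():
        if key in ALLOWED_COLUMNS:
            row[key] = str(value)
    return row


def import_set_url(instance: str, table: str = STAGING_TABLE) -> str:
    """Import Set API endpoint: POST /api/now/import/{stagingTable} (assumed)."""
    if not instance.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return f"{instance.rstrip('/')}/api/now/import/{table}"


Sender = Callable[[request.Request], Dict]


def _default_send(req: request.Request) -> Dict:
    """Real transport; replaced by a fake in tests so the example runs offline."""
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def post_to_import_set(instance: str, row: Dict[str, str], user: str, password: str,
                       send: Sender = _default_send, table: str = STAGING_TABLE) -> Dict:
    """POST one row to the staging table and summarise what the transform did.

    `user` should be a dedicated integration account with import-set rights
    only, not an account with rights on sn_si_incident (the concern raised in
    the original question).
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = request.Request(
        import_set_url(instance, table),
        data=json.dumps(row).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
    body = send(req)
    # ASSUMED response shape: "result" holds one entry per transform map, each
    # with a "status" such as "inserted" or "ignored" and the target sys_id.
    results = body.get("result", [])
    return {
        "import_set": body.get("import_set"),
        "created": [r.get("sys_id") for r in results if r.get("status") == "inserted"],
        "ignored": [r.get("status_message", "") for r in results if r.get("status") == "ignored"],
    }


if __name__ == "__main__":
    # Constructed alert; credentials come from the environment, never from the script.
    sample_alert = {"search_name": "DLP - bulk file transfer", "severity": "high",
                    "src_ip": "10.0.0.5", "user": "jdoe"}
    print(post_to_import_set(os.environ["SN_INSTANCE"], build_import_row(sample_alert),
                             os.environ["SN_USER"], os.environ["SN_PASSWORD"]))
```

Because the transport is injectable, the same function can be exercised against a recorded response without touching an instance; in production the returned `created` list is what a Splunk alert action would log to confirm the incident was opened, and a non-empty `ignored` list means the transform map declined the row rather than the call failing.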