What is the minimum set of roles that a user needs to create events and incidents from the Security Operations add-on for Splunk integration?

charlesleggett
Kilo Contributor

Hello everyone,

 

I am setting up the Security Operations add-on for Splunk integration by following your documentation here:

https://docs.servicenow.com/bundle/jakarta-security-management/page/product/secops-integration-splun...

 

On that page it says: "Before performing Splunk integration setup procedures, ensure there is an integration user in ServiceNow with the sn_si.integration and sn_si_analyst roles."

 

I've found two issues with this:

1) There is no sn_si.integration role. Should this read sn_si.integration_user?

2) With only those roles, the user receives an authorization error when attempting to create an incident from Splunk. I know that the integration is configured properly otherwise b/c I can create incidents if I give the integration user the admin role.

 

What is the minimum set of roles that an integration user needs to create events and incidents?

1 ACCEPTED SOLUTION

peter_smith
ServiceNow Employee

Hi Charles,



The documentation in the link above has been corrected and will be visible when the next Jakarta patch is released. There is also a PRB associated with this issue (PRB1113095) and the fix for the authorization error will be in the next patch as well. In the short term, the admin role will work for creating events and security incidents.



Per issue #1: yes, the roles needed are:


  • sn_si.integration_user
  • sn_si.analyst


Additionally, in order to perform imports, the import_transformer role is needed, and the sn_si.integration_user role should have the import_transformer portion of the role.
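An added example, not part of the original thread and not ServiceNow code: a least-privilege audit for the integration account that expands granted roles through role containment and reports missing required roles and a lingering admin grant. The function names are hypothetical, and the grant and containment data are constructed in-memory stand-ins for what the sys_user_has_role and sys_user_role_contains tables would hold.

```python
# Added example: audit an integration user's effective roles (constructed data).
REQUIRED = {"sn_si.integration_user", "sn_si.analyst", "import_transformer"}
FORBIDDEN = {"admin"}  # the thread's short-term workaround; flag it for removal


def effective_roles(direct, contains):
    """Expand directly granted roles through containment, transitively."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role in seen:  # also protects against containment cycles
            continue
        seen.add(role)
        stack.extend(contains.get(role, ()))
    return seen


def audit(direct, contains):
    """Return missing required roles, forbidden roles present, and a verdict."""
    eff = effective_roles(direct, contains)
    excess = eff & FORBIDDEN
    return {
        "missing": sorted(REQUIRED - eff),
        "excess": sorted(excess),
        "least_privilege": REQUIRED <= eff and not excess,
    }


# Constructed containment maps (assumption: parent role -> contained roles).
# Here sn_si.integration_user does not yet contain import_transformer.
CONTAINS_WITHOUT_IMPORT = {}
# Here it does, as the accepted answer says it should.
CONTAINS_WITH_IMPORT = {"sn_si.integration_user": ["import_transformer"]}

if __name__ == "__main__":
    documented = {"sn_si.integration_user", "sn_si.analyst"}
    print(audit(documented, CONTAINS_WITHOUT_IMPORT))
    print(audit(documented, CONTAINS_WITH_IMPORT))
    print(audit(documented | {"admin"}, CONTAINS_WITH_IMPORT))
```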



3 REPLIES 3


1. I got the Splunk Integration application from the ServiceNow app store, it was installed in the ServiceNow instance, and I added the Splunk role x_splu2_splunk_ser.Splunk to admin. Now I am able to see the Splunk Integration application in my dev instance.

2. From Splunkbase I have downloaded the 'ServiceNow Security Operations add-on' onto my laptop.

Now what are the steps I have to follow, what is the next step, and what do I have to do with the downloaded add-on file?

 

I just downloaded the ServiceNow Security Operations add-on

as per the steps below:

The first step in setting up the ServiceNow-to-Splunk integration is to download the ServiceNow Security Operations application from Splunkbase.

  1. Open Splunkbase.
  2. Search for ServiceNow Security Operations Integration and download the application.

 

I downloaded the files; after that, what do I have to do?

What are the steps I have to follow after downloading...

....

shivanipatel
ServiceNow Employee

Charles,



We are glad you took advantage of the ServiceNow Community to learn more and to get your questions answered. The Customer Experience Team is working hard to ensure that the Community experience is most optimal for our customers.



If you feel that your question was answered, we would greatly appreciate if you could mark the appropriate thread as "Correct Answer". This allows other customers to learn from your thread and improves the ServiceNow Community experience.



If you are viewing this from the Community inbox you will not see the correct answer button. If so, please review How to Mark Answers Correct From Inbox View.



Thanks,


Shivani Patel

