Difference between 'Splunk ES Integration for Security Operations' plugin & 'Splunk Enterprise Event Ingestion for Security Operations' plugin?

haridevan1
Tera Contributor

Can anyone please help me with the difference between the two plugins and what their functionality is?

What does a notable event mean in this perspective? 


Chris McDevitt
ServiceNow Employee

@haridevan 


You need to select the "ES" version if your organization is using Splunk "Enterprise Security" (ES) version of Splunk. You will pick Splunk Enterprise otherwise. 


A "notable event" is nothing more than a Splunk Search that creates a Splunk Alert. SN will poll (every 5 minutes by default) for those Alerts and ingest them. (You can also filter them on SN)


Go ahead and mark this as Helpful or Correct.

Swapnil Soni1
Giga Guru

Hi,

With the ServiceNow Security Operations Event Ingestion Addon for Splunk ES, you can forward notable events from Splunk ES Incident Review to ServiceNow to create security incidents in ServiceNow Security Incident Response application. This Splunkbase app works in conjunction with the ServiceNow app store integration located here - https://store.servicenow.com/sn_appstore_store.do#!/store/home (search for Splunk ES to find specific integration)

Splunk Enterprise Security integration provides a security operations center (SOC) analyst with visibility to notable events and related contributing event data. This data can be integrated into Now Platform Security Incident Response (SIR) security incidents for further investigation and remediation. Profiles are created in your Now Platform instance to handle different notable event types that are created via correlation searches in Splunk Enterprise Security. These profiles customize how different Splunk event fields are displayed on SIR security incidents.


Please mark correct or helpful if this helps you.

Thanks

Swapnil

Kevin149
Tera Contributor

For what it's worth, I was recently part of integrating Splunk ES with ServiceNow, and we found that trying to push data from Splunk TO ServiceNow using a ServiceNow API and then mapping fields to Security Incident tickets was a pain in the butt, and half of them didn't work for some reason. This was using the Splunk Enterprise Event Ingestion for Security Operations integration.

Then we switched to using the "Splunk ES Integration for Security Operations", which is an integration that you set up in ServiceNow, and ServiceNow will poll Splunk using the Splunk API instead of the other way around. It pulls in fully created notable events from the notable index, and you can map the fields to ServiceNow ticket fields. It was a much easier process and seems to work every time, where the other integration was finicky. If the goal is to stop using Splunk ES for ticketing and move the ticketing/triage to SNow, then I suggest using the Splunk ES Integration for Security Operations.
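The pull model that Chris and Kevin describe above (ServiceNow querying Splunk on a schedule for notable events, filtering them, and mapping fields onto a security incident) can be sketched end to end. The following is an added example written for this page, not code from ServiceNow, Splunk, or any of the posters. It assumes Splunk's `/services/search/jobs` REST endpoint with `exec_mode=oneshot` and a bearer token, the ServiceNow Table API on the `sn_si_incident` table with basic auth, and the notable-index field names `event_id`, `rule_name`, `urgency` and `security_domain`; the urgency-to-severity mapping and the use of `correlation_id` for de-duplication are design choices, not the integration's own behaviour. The sample rows are constructed, so the filtering and mapping run offline; the HTTP calls only run from `__main__` when real credentials are supplied.

```python
"""Added example: poll Splunk ES notables (pull model) and map them to SIR records.
Assumptions: Splunk search-jobs REST API, ServiceNow Table API on sn_si_incident,
and the notable field names used below. Sample rows are constructed for this page."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed sample rows, shaped like `| table ...` output from `index=notable`.
SAMPLE_NOTABLES = [
    {"_time": "2024-05-01T10:00:00", "event_id": "AAA@@notable@@111",
     "rule_name": "Brute Force Access Behavior Detected", "urgency": "high",
     "security_domain": "access", "src": "10.0.0.5", "dest": "10.0.0.20"},
    {"_time": "2024-05-01T10:02:00", "event_id": "BBB@@notable@@222",
     "rule_name": "Host With Multiple Infections", "urgency": "critical",
     "security_domain": "endpoint", "src": "10.0.0.9", "dest": "10.0.0.9"},
    # Same notable returned again by an overlapping poll window: must not open a second ticket.
    {"_time": "2024-05-01T10:00:00", "event_id": "AAA@@notable@@111",
     "rule_name": "Brute Force Access Behavior Detected", "urgency": "high",
     "security_domain": "access", "src": "10.0.0.5", "dest": "10.0.0.20"},
    {"_time": "2024-05-01T10:04:00", "event_id": "CCC@@notable@@333",
     "rule_name": "New Local Admin Account", "urgency": "informational",
     "security_domain": "identity", "src": "10.0.0.7", "dest": "10.0.0.7"},
]

# Assumed mapping: Splunk ES urgency -> SIR severity (1 = high, 2 = medium, 3 = low).
URGENCY_TO_SEVERITY = {"critical": 1, "high": 1, "medium": 2, "low": 3, "informational": 3}

NOTABLE_SPL = ("search index=notable "
               "| table _time event_id rule_name urgency security_domain src dest")


def splunk_oneshot_request(base_url, token, spl=NOTABLE_SPL, earliest="-5m", latest="now"):
    """Build POST /services/search/jobs with exec_mode=oneshot; the 5-minute window
    mirrors the default polling interval mentioned in the thread."""
    body = urllib.parse.urlencode({
        "search": spl, "exec_mode": "oneshot", "output_mode": "json",
        "earliest_time": earliest, "latest_time": latest}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs", data=body, method="POST",
        headers={"Authorization": "Bearer " + token})


def parse_oneshot(body):
    """A oneshot job with output_mode=json answers with {"results": [...]}."""
    return json.loads(body).get("results", [])


def select_new_notables(rows, seen_ids, max_severity=2):
    """Poller-side filter (the 'filter them on SN' step): drop notables already
    ticketed (by event_id) and anything less urgent than max_severity. Mutates seen_ids."""
    kept = []
    for row in rows:
        eid = row.get("event_id")
        sev = URGENCY_TO_SEVERITY.get(row.get("urgency", "").lower(), 3)
        if not eid or eid in seen_ids or sev > max_severity:
            continue
        seen_ids.add(eid)
        kept.append(row)
    return kept


def notable_to_sir(row):
    """Map notable fields onto sn_si_incident columns. correlation_id (a standard
    task field) carries the Splunk event_id so the ticket traces back to the notable."""
    sev = URGENCY_TO_SEVERITY.get(row.get("urgency", "").lower(), 3)
    return {
        "short_description": "[Splunk ES] " + row.get("rule_name", "Notable event"),
        "description": "\n".join(f"{k}: {v}" for k, v in sorted(row.items())),
        "severity": str(sev),
        "correlation_id": row.get("event_id", ""),
    }


def servicenow_create_request(instance, user, password, record):
    """Build POST /api/now/table/sn_si_incident with basic auth."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{instance}.service-now.com/api/now/table/sn_si_incident",
        data=json.dumps(record).encode(), method="POST",
        headers={"Authorization": "Basic " + cred, "Content-Type": "application/json",
                 "Accept": "application/json"})


def poll_once(rows, seen_ids, max_severity=2):
    """One polling cycle: filter the fetched rows, then map survivors to SIR records."""
    return [notable_to_sir(r) for r in select_new_notables(rows, seen_ids, max_severity)]


if __name__ == "__main__":
    seen = set()
    if os.environ.get("SPLUNK_URL") and os.environ.get("SPLUNK_TOKEN"):
        with urllib.request.urlopen(splunk_oneshot_request(
                os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"])) as resp:
            rows = parse_oneshot(resp.read())
    else:
        rows = SAMPLE_NOTABLES  # offline run on the constructed sample
    for record in poll_once(rows, seen):
        print(json.dumps(record, indent=2))
        if os.environ.get("SN_INSTANCE"):
            urllib.request.urlopen(servicenow_create_request(
                os.environ["SN_INSTANCE"], os.environ["SN_USER"],
                os.environ["SN_PASSWORD"], record)).read()
```

On the constructed sample this opens two security incidents (the brute-force and multiple-infection notables), silently drops the repeated `AAA@@notable@@111` row, and leaves the informational notable out because it falls below the severity threshold; a real poller would persist `seen_ids` (or query ServiceNow for an existing `correlation_id`) across runs rather than keeping it in memory.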

Ashutosh Munot1
Kilo Patron

Hi,

Agree with Kevin, these add-ons have their pros and cons. We have Splunk Core, Splunk ITSI and Splunk ES.


So we are using both the plugins, where ES is used for Security Incidents only, and ITSI and Core for the normal event management process, from which we create normal incidents and orchestration tasks.


We do the pulling of events for ES and not for the other modules, meaning we use both the pull and push concepts here. So you need to decide what you want to use and where. Both are available for SecOps.


Coming back to the notable event: it is an event which is important to us, has to be converted to an alert, and we must react to it.

Thanks,
Ashutosh