02-09-2021 04:03 PM
A few questions...
We are planning to use SNOW SIR (Security Incident Response) as our new Case Management / Ticketing System and we also have SOAR tool, Splunk Phantom.
1. What would be the best approach to integrate the two?
2. Do you have an available Splunk Phantom App for SNOW SIR (ServiceNow is available but not SNOW SIR)?
3. Where can I get the SNOW SIR api documentation?
Thanks in advance.

02-10-2021 05:44 AM
Hi,
I double-checked our Store there is no Phantom app. A little while back I did this integration with a customer. Phantom has an awesome built-in toolset for integration with third-party tools, like SN!
Use the built-in Phantom tools to do REST integration to SN. SIR has a specific table designed for this. It is called the Security Incident Import [sn_si_incident.import] table. Once you write to that table, it will trigger the Security Incident Transform map to create the security incident. Of course, you will need to tweak the transform map to meet your needs.
02-10-2021 06:29 AM
Thanks Chris,
I am actually doing some pre-work as our SNOW SIR is still in the process of being stood up.
In the past, we were able to integrate to SNOW since a Phantom App was available. But for SNOW SIR, as you mentioned, no app is available as of the moment (Any plans of creating one, as I understand that Phantom is a competitor for SNOW SIR in the SOAR space)
Btw, in case no SNOW SIR Phantom app is released, would you know where I can get the API documentation for SNOW SIR? We'll probably dissect an existing SNOW phantom app and then update the functionalities based on the SNOW SIR Api doco.
Thanks again, appreciate.
CV

02-10-2021 07:01 AM
Hi,
I do not know the plans around that. To be honest, it makes more sense to use the Phantom workbook to decide when to push to SN than have SN poll Phantom for work.
I'm not in sales... but both tools can happily co-exist. The one thing that gives you extra power using SN as a SOAR is that SN can have a deeper contextual understanding of the environment. What I mean is that SN has a CMDB that knows about the Asset as well as all of the organization's groups and users. SN knows about the Changes, Defects, Vulnerabilities etc.
You can draw on that rich set of metadata to make decisions when automating processes to address issues.
For what I was describing in my last post, you need to use the Table API. Check out the REST explorer to get an idea of how it works. I also use Postman to generate test data for development instances.
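The push Chris describes in his two replies (Phantom calling the ServiceNow Table API to write a row into sn_si_incident.import, which the transform map then turns into a security incident), as an added example that is not from this thread, from Splunk or from ServiceNow. The table name and the Table API path are real; the instance name, the u_* staging column names, the severity mapping and the sample records are assumptions made for illustration.

```python
import base64
import json
import os
import urllib.request

# Staging table named in the thread; rows written here fire the
# Security Incident Transform map on the ServiceNow side.
IMPORT_TABLE = "sn_si_incident.import"

# Assumed mapping from Phantom container severity to a SIR severity value.
SEVERITY_MAP = {"high": "1", "medium": "2", "low": "3"}

# Constructed sample Phantom container (not real data).
SAMPLE_CONTAINER = {"id": 42, "name": "Suspicious login from new ASN",
                    "description": "Impossible-travel alert from SIEM",
                    "severity": "high"}

# Constructed sample Table API response body (not real data).
SAMPLE_RESPONSE = json.dumps({"result": {"sys_id": "0123456789abcdef0123456789abcdef",
                                         "sys_import_state": "pending"}})


def build_import_request(instance, user, password, container):
    """Return (url, headers, body) for a Table API POST into the import table."""
    url = f"https://{instance}.service-now.com/api/now/table/{IMPORT_TABLE}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Basic {token}"}
    # Staging column names are hypothetical; match them to your transform map.
    # u_source_id is meant as the coalesce key so a re-push updates the same
    # security incident instead of creating a duplicate.
    body = {"u_short_description": container["name"],
            "u_description": container["description"],
            "u_severity": SEVERITY_MAP.get(container["severity"], "3"),
            "u_source_id": str(container["id"])}
    return url, headers, json.dumps(body)


def parse_import_response(raw):
    """Pull the staging row's sys_id (and import state, if present) out of the reply."""
    result = json.loads(raw)["result"]
    return {"sys_id": result["sys_id"], "state": result.get("sys_import_state", "")}


def push_container(instance, container):
    """Send one container; credentials come from the environment, never from code."""
    user, password = os.environ["SN_USER"], os.environ["SN_PASSWORD"]
    url, headers, body = build_import_request(instance, user, password, container)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_import_response(resp.read().decode())
```

Use a dedicated integration user that only has write access to the import table, so a leaked Phantom credential cannot read or edit the resulting security incidents.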
02-10-2021 07:18 AM
Yep, I agree with you on that...
We'll definitely utilize both tools for enrichment, I'll also tryout the internal automation piece of SIR once we have the environment ready.
Thanks again, the information you provided is very helpful.
Cheers,
CV