09-29-2020 03:17 AM
Hi all, I'm trying to integrate Splunk ES with Servicenow.
The objective is to let Splunk ES open SIR on SNow and, when the SIR is closed, let it know to Splunk ES.
I'm basically following this guide: https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/concept/splunk-event-ingest-overview-security.html
We have an on-prem Splunk ES instance and the configuration through the MID server went well (I successfully created a "Splunk Enterprise Security - Event Ingestion" security integration).
I configured an event profile to test the integration (https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/task/splunk-event-ingest-create-profile-security.html#splunk-create-profile-security), but at the step "Mapping notable event fields for the Splunk Enterprise Security integration" when I click on "Fetch Sample Data" an error is returned: "error while fetching sample events".
I can't find any log in "System logs" to understand the cause of this error. Where can I find more info about this event?
I'm also wondering if the privileges assigned to the Splunk account are correct. I can't find any requirement about that. Any suggestion?
Thank you.
Paolo
Labels: Security Incident Response
10-09-2020 05:03 AM
Hi all, I finally managed to resolve the problem.
First of all, I needed to configure the role "ess_analyst" on Splunk for the user used by ServiceNow.
This resolved the problems in the communication between ServiceNow and Splunk.
There was still an error when ServiceNow tried to fetch notable events from Splunk.
With the help of the support we found that the issue was caused by the 30 seconds timeout of the MID server, as the configured Splunk API in the instance is taking more than 30 seconds to fetch the results.
To overcome the 30 seconds timeout provided by the Platform, we have created a system property in the instance 'glide.http.outbound.max_timeout.enabled' and set this value to 'false'.
Hope this helps someone else.
Paolo
10-16-2020 01:10 AM
Hi Anshu,
Following are the details given to me by the Support. They used a script to debug the problem.
We executed similar code in a background script with the 'sn_sec_splunkes' scope. The 'getSampleEventsSid' function is responsible for fetching the events. Here replace <profile_sys_id> with the sys_id of the profile record.
// Query helper of the Splunk ES event-ingestion integration (sn_sec_splunkes scope)
var r = new sn_sec_splunkes.SplunkESEventIngestionQueryAbstract();
// Load the event profile whose "Fetch Sample Data" step is failing
var profile = new GlideRecord('sn_sec_splunkes_event_profile');
profile.get('<profile_sys_id>'); // replace with the profile record's sys_id
// Fetch the sample events for that profile; the error is raised from here
r.getSampleEventsSid(profile);
Hope can help you.
Paolo
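The two posts above locate the failure in a single synchronous fetch of notable events that runs longer than the MID server's 30 second budget. As an added example, not code from this thread, from ServiceNow or from Splunk, the following Python script times that same kind of search directly against the Splunk REST API, so you can see whether the search itself is the slow part before touching platform properties. It assumes the Splunk management port (8089), a basic-auth account (use the integration's own account, which per the answer above needs the ess_analyst role, so the timing reflects its permissions), and the ES `notable` macro as the query; the host and user names in the `__main__` block are placeholders. The wall-clock figure includes polling delay, so it is an upper bound on what a synchronous caller would wait.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# The thread reports the ServiceNow MID server giving up after 30 seconds; a
# single synchronous fetch longer than this is what failed for the original poster.
MID_SERVER_TIMEOUT_S = 30.0

# Assumed query: the ES `notable` macro is the same source the event profile
# samples from; narrow it to match the profile's own filter if needed.
DEFAULT_QUERY = "search `notable` | head 5"


def build_job_request(base_url, query=DEFAULT_QUERY, earliest="-24h", max_results=5):
    """Return (url, form_body) for POST /services/search/jobs.

    Splunk requires SPL to begin with a generating command, so a bare filter
    such as 'index=notable' is prefixed with 'search'.
    """
    spl = query.strip()
    if not spl.startswith(("search", "|")):
        spl = "search " + spl
    body = urllib.parse.urlencode({
        "search": spl,
        "earliest_time": earliest,
        "max_count": max_results,
        "output_mode": "json",
    }).encode()
    return base_url.rstrip("/") + "/services/search/jobs", body


def job_state(status_doc):
    """Parse GET /services/search/jobs/<sid>?output_mode=json into
    (is_done, dispatch_state, run_duration_seconds)."""
    content = status_doc["entry"][0]["content"]
    return (bool(content.get("isDone", False)),
            content.get("dispatchState", "UNKNOWN"),
            float(content.get("runDuration", 0.0)))


def within_budget(elapsed_s, budget_s=MID_SERVER_TIMEOUT_S):
    """True when a synchronous call of this length would survive the MID server timeout."""
    return elapsed_s < budget_s


def _request(url, auth_header, body=None):
    """Minimal JSON round trip; urllib sets the form content type for POST bodies."""
    req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
    req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


def time_notable_search(base_url, username, password, query=DEFAULT_QUERY,
                        poll_interval_s=2.0):
    """Dispatch the search, poll it to completion and summarise how long it took."""
    auth = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
    url, body = build_job_request(base_url, query)
    started = time.monotonic()
    sid = _request(url, auth, body)["sid"]
    status_url = f"{url}/{urllib.parse.quote(sid)}?output_mode=json"
    while True:
        done, state, run_duration = job_state(_request(status_url, auth))
        if done or state == "FAILED":
            break
        time.sleep(poll_interval_s)
    elapsed = time.monotonic() - started
    return {
        "sid": sid,
        "dispatch_state": state,
        "run_duration_s": run_duration,
        "wall_clock_s": round(elapsed, 1),
        "fits_mid_timeout": within_budget(elapsed),
    }


if __name__ == "__main__":
    import getpass
    import sys
    # Placeholder host and account; pass real values on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "https://splunk.example.invalid:8089"
    user = sys.argv[2] if len(sys.argv) > 2 else "servicenow_integration"
    summary = time_notable_search(host, user, getpass.getpass("Splunk password: "))
    print(json.dumps(summary, indent=2))
```

Run it from the host where the MID server lives so the network path matches what the integration sees. If `fits_mid_timeout` is false with the default `head 5`, the search is the bottleneck (index size, search head load) and shortening the profile's time window or filter is worth trying before relaxing the platform timeout as the answer above did; if the search finishes well inside 30 seconds and "Fetch Sample Data" still fails, look at the MID server and credential side instead.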
10-28-2020 11:10 PM
Hi Paolo,
Do you have any documentation prepared for this integration with steps?
10-28-2020 11:21 PM
Hi, I followed the official one from ServiceNow:
https://docs.servicenow.com/bundle/orlando-security-management/page/product/secops-integration-splunk-event-ingest/concept/splunk-event-ingest-overview-security.html
Paolo
04-14-2022 02:42 AM
Hi Paolo,
I am trying to integrate SPLUNK with SecOps. You mentioned Mid Server; can you please guide why we need Mid Server here? My understanding is SecOps directly connects to SPLUNK via API. Please correct me; if possible, can you show me a high level diagram of this integration?
cheers,
04-14-2022 05:18 AM
Hi camran,
I mentioned the Mid Server because our Splunk was on-premise, not exposed to the internet, so SN can't call the Splunk APIs.
I think that if you have Splunk Cloud you don't need a mid server.
Paolo