03-29-2019 02:27 AM
Hi Folks,
I want to know how I can send state values of SIR incidents back to Splunk. I have the OOB Splunk integration set up, but did not see any OOB REST message configured in Outbound REST Message.
Labels: Security Incident Response

03-29-2019 06:51 AM
Hey there,
The current Splunk integration (3921 on Splunkbase, i.e. the ServiceNow Security Operations Add-on) does not include the capability to send data back to Splunk for the purpose of changing the State on the originating event of the SIR within Splunk:
- https://splunkbase.splunk.com/app/3921/
Are you by chance investigating passing the SIR State back to an originating Splunk Enterprise Security `Notable Event`, such that the corresponding event would show as "Closed" in the Splunk ES Incident Review page?
It may be possible to create your own custom integration that leverages a REST message configured in ServiceNow to send to Splunk.
There will be some considerations here if you take on a custom integration, i.e. API differences between Splunk Cloud and Splunk Enterprise (on-premise), how to tie an SIR that was created from Splunk back to a unique Splunk event, authentication requirements, etc.
Splunk does have some good documentation on their Enterprise Security Notable Event API:
- https://docs.splunk.com/Documentation/ES/5.2.2/API/AbouttheSplunkEnterpriseSecurityAPI
- https://docs.splunk.com/Documentation/ES/5.2.2/API/NotableEventAPIreference#.2Fservices.2Fnotable_up...
- https://docs.splunk.com/Documentation/ES/5.2.2/API/NotableEventAPIreference
If you open up an SIR record that was generated by Splunk, look at the "External URL" field on that SIR record in ServiceNow. That can potentially be used as a quick way to navigate back to the originating Splunk event for your analysts for the interim time if you make this field visible on the form layout for certain conditions (e.g. SIR.Source = Splunk).
You can also submit a ServiceNow Product Enhancement Request to have this capability supported in future versions of the Splunk + SN SIR integration (be sure to specify whether you are using Splunk Core, Splunk Enterprise Security, Splunk Cloud, Splunk Enterprise (on-premise), etc.):
- https://hi.service-now.com/kb_view.do?sysparm_article=KB0547257
- https://community.servicenow.com/community?id=community_question&sys_id=4a9beedcdba43b88200f0b55ca96197f

07-26-2022 07:29 AM
Hello. Hope that by now you've managed to resolve this issue. I think your use case is easily achievable with a connector. We used such for similar purposes. It's called ZigiOps. Take a look at it, just for reference. It might be useful.