Where is the correlation_id value used?

11-30-2017 11:19 AM
Hello. I have been trying to understand where the correlation_id field is used in the security operations application when managing an incoming security event.
OOB, I think the SIEM (Splunk) sends a snsecevent message to SN. I get to see the correlation_id field in the additional field of the event table.
However, I am not able to find in the system where that is used for managing the creation of alerts for de-duplication purposes. Is there a place to check how it is used?
Labels: Security Incident Response

11-30-2017 11:23 AM
Please check below for details
https://www.servicenowguru.com/integration/correlation-id-display-fields/
Regards,
sachin

11-30-2017 11:33 AM
sachin.chinchkar. Thank you for your reply. I am actually looking for the specific place in the security operations application where that field is used in managing duplicate events coming in from Splunk, for example.

11-30-2017 11:46 AM
You can check related objects of the security application by finding scripts that contain correlation id.
Regards,
Sachin

11-30-2017 12:05 PM
sachin.chinchkar. Thank you. Where do I start in the platform for the related objects?