Where is the correlation_id value used?

randytangco
Mega Guru

‎11-30-2017 11:19 AM

Hello..   I have been trying to understand where is the correlation_id field is used in the security operations application when managing an incoming security event.

OOB, I think the SIEM (Splunk) sends a snsecevent message to SN.   I get to see the correlation_id field in the additional field of the event table.

However, I am not able to find in the system where is that used for managing the creation of alerts for de-duplication purposes.     Is there a place to check how it is used?

Labels:
0 Helpfuls
  • 7,760 Views
6 REPLIES 6

sachin_namjoshi
Kilo Patron
Kilo Patron

‎11-30-2017 11:23 AM

Please check below for details



https://www.servicenowguru.com/integration/correlation-id-display-fields/



Regards,


sachin


0 Helpfuls

randytangco
Mega Guru
In response to sachin_namjoshi

‎11-30-2017 11:33 AM

sachin.chinchkar..   Thank you for your reply.   I am actually looking for the specific place in the security operations application where that field is used in managing duplicate events coming in from Splunk for example.


0 Helpfuls

sachin_namjoshi
Kilo Patron
Kilo Patron
In response to randytangco

‎11-30-2017 11:46 AM

You can check related objects of security application by finding scripts contain corelation id.



Regards,


Sachin


0 Helpfuls

randytangco
Mega Guru
In response to sachin_namjoshi

‎11-30-2017 12:05 PM

sachin.chinchkar.   Thank you.   Where do I start in the platform for the related objects?


0 Helpfuls
Related Content