Set Correlation rules

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read
  • After you have created a profile for a scheduled notable event type ingestion, select the Splunk Enterprise Security correlation rule name for this profile whose corresponding notable events you want to map to a ServiceNow AI Platform Security Incident Response security incident.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    View the available correlation rules in your ServiceNow AI Platform instance so you know the notable event types for which you want to ingest and create security incidents. Select a correlation rule. You can select one or more notable events from the list in this form.

    Procedure

    1. If you are not continuing from the previous section of the incident profile definition process, access the profile you are defining.
      1. Navigate to All > Splunk ES Event Profile.
      2. Select the profile you are continuing to define.
      3. Select Notable Event Selection in the progress bar.
    2. Clear the All Correlation Rules Selected check box to select specific Correlation Rules.
      Selecting this check box will retrieve all active Correlation Rules from Splunk ES.
    3. In the Correlation Rules List search field, enter the Correlation Rule name created in the Splunk ES portal.
    4. Select the Correlation Rule(s).
    5. Use the right arrow (>) to move the rule(s) from the Available column to the Selected column.
      Note:
      Correlation rules must be unique across active profiles. A correlation rule associated with an active profile cannot be selected for another active profile. To reuse the rule, deactivate the profile it is currently associated with.
      [Figure: Splunk ES Event Profile: Select Notable Event]
    6. Select Continue.

    What to do next

    Map notable events