Using ServiceNow Security Operations Integration add-on

  • Release version: Xanadu
  • Updated October 7, 2025
  • Create security events and incidents directly from Splunk alerts after setting up the ServiceNow Security Operations Integration add-on.

    Before you begin

    Role required: sn_si.integration_user, sn_si.analyst

    Procedure

    1. Log in to Splunk Enterprise.
    2. Navigate to Apps > Search & Reporting.
    3. Enter a keyword in the New Search field.
      A list of events containing the keyword appears.
    4. Expand any of the events using the (>) icon.
    5. Select Event Actions.
      • Create ServiceNow Security Event: Events are stored in the em_event table.
        Note: Install the Event Management plugin to access the em_event table.

      • Create ServiceNow Security Incident: Incidents are stored in the sn_si_incident table.
        Note: The mapping is predefined because this add-on does not have a profile.

      Figure: Event actions in Splunk Enterprise