Set Correlation rules

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 3 minutes
  • After you create a profile for scheduled notable event ingestion, select the Splunk Enterprise Security correlation rule names for this profile whose notable events you want to map to ServiceNow AI Platform Security Incident Response security incidents.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    View the available correlation rules in your ServiceNow AI Platform instance so that you know which notable event types you want to ingest and create security incidents for. Select a correlation rule. You can select one or more notable events from the list in this form.

    Procedure

    1. If you are not continuing from the previous section of the incident profile definition process, access the profile you are defining.
      1. Navigate to All > Splunk ES Event Profile.
      2. Select the profile you are continuing to define.
      3. Select Notable Event Selection in the progress bar.
    2. Clear the All Correlation Rules Selected check box to select specific Correlation Rules.
      Selecting this check box will retrieve all active Correlation Rules from Splunk ES.
    3. In the Correlation Rules List search field, enter the Correlation Rule name created in the Splunk ES portal.
    4. Select the Correlation Rule(s).
    5. Use the right arrow (>) to move the rule(s) from the Available column to the Selected column.
      Note:
      Correlation rules must be unique across active profiles. A correlation rule associated with an active profile cannot be selected for another active profile. To reuse the rule, deactivate the profile it is currently associated with.
      Splunk ES Event Profile: Select Notable Event
    6. Select Continue.

    What to do next

    Map notable events