Set up or change the instance where incidents or events are created

  • Release version: Washingtondc
  • Updated February 1, 2024
  To set up or change the ServiceNow instance where new security incidents and security events are created, use the Setup action in the application list.

    Before you begin

    Role required: sn_si.admin

    Procedure

    1. Open Splunk.
    2. Click either the Apps gear icon, or the Manage Apps shortcut menu item.
    3. In the list of applications, search for ServiceNow apps using the filter.
    4. Look for the ServiceNow Security Operations Integration, and click the corresponding Set up action.
    5. On the form, fill in the fields.
      Field: Description
      Specify ServiceNow Server
      URL: URL for your Splunk Enterprise Security console or Splunk Cloud instance. The URL should include the API port, for example: https://mysplunkserver.com:8089
      Auth type: Option to select the authentication type. You can select Basic Authentication or OAuth 2.0 Authentication.
      • If you are using API Account User Name and API Password for configuration, enable the Basic Authentication check box.

        Default is disabled.

      • If you are using OAuth 2.0 authentication for the configuration, enable the OAuth 2.0 Authentication check box.

        Default is disabled.

      Basic Authentication
      Username: User name that you created for your API user account on the Splunk Enterprise Security console.
      Password: Password that you created for your API user account on the Splunk Enterprise Security console.
      Confirm Password: Re-enter the password to confirm it.
      OAuth 2.0 Authentication
      Client ID: Client ID of the app created on the ServiceNow Server.
      Client Secret: Client Secret of the app created on the ServiceNow Server.
      Redirect URL: The URL to be redirected to. You can copy and paste this URL into your ServiceNow registry redirect URL.
      Optional Proxy
      Proxy URL: Proxy URL for your Splunk Enterprise Security console or Splunk Cloud instance.
      Port: Port number for the proxy.
      Username: User name that you created for the Proxy account on the Splunk Enterprise Security console.
      Password: Password that you created for the Proxy account on the Splunk Enterprise Security console.
      Confirm Password: Re-enter the password to confirm it.
      Logging Level Setup
      Logging Level: The level of detail of the logs that the integration generates. You can set the value to one of the following options:
      • info
      • error
      • warn
      • debug

      By default, the value is info.

      API Selection
      API Selection: Select one of the following APIs:
      • Table API
      • Import Set API

      Figure: ServiceNow Security Operations Integration set up on Splunk

    6. Click Save.
    7. Alternatively, look for the ServiceNow Event Ingestion Integration, and click the corresponding Set up action.
      The ServiceNow Event Ingestion Integration is configured on three tabs:
      • Splunk Primary: The default or primary Splunk configuration.
      • Splunk Secondary: (Optional) The backup or second Splunk configuration.
      • Logging Level: The level of detail of the logs that the integration generates.
    8. Select the Splunk Primary tab.
    9. On the form, fill in the fields.
      Field: Description
      Workflow action label: Name of the Splunk Enterprise Security primary console or the Splunk Cloud primary instance used for the integration.

      Spaces are supported for names, but parentheses are not supported. For example, enter SplunkES2.

      URL: URL for your Splunk Enterprise Security primary console or the Splunk Cloud primary instance. The URL should include the API port, for example: https://mysplunkserver.com:8089
      Endpoint: Endpoint for your Splunk Enterprise Security primary console or the Splunk Cloud primary instance.
      Auth type: Option to select the authentication type. You can select Basic Authentication or OAuth 2.0 Authentication.
      • If you are using API Account User Name and API Password for configuration, enable the Basic Authentication check box.

        Default is disabled.

      • If you are using OAuth 2.0 authentication for the configuration, enable the OAuth 2.0 Authentication check box.

        Default is disabled.

      Basic Authentication
      Username: User name that you created for your API user account on the Splunk Enterprise Security console.
      Password: Password that you created for your API user account on the Splunk Enterprise Security console.
      Confirm Password: Re-enter the password to confirm it.
      OAuth 2.0 Authentication
      Client ID: Client ID of the app created on the ServiceNow Server. For information on how to get the Client ID, see Configure Application Registry on the ServiceNow instance.
      Client Secret: Client Secret of the app created on the Server. For information on how to get the Client Secret, see Configure Application Registry on the ServiceNow instance.
      Redirect URL: The URL to be redirected to. You can copy and paste this URL into your ServiceNow registry redirect URL. For information, see Configure Application Registry on the ServiceNow instance.
      Optional Proxy Setup
      Proxy URL: Proxy URL for your Splunk Enterprise Security secondary console or Splunk Cloud secondary instance.
      Port: Port number for the proxy.
      Username: User name that you created for the Proxy account on the Splunk Enterprise Security secondary console.
      Password: Password that you created for the Proxy account on the Splunk Enterprise Security secondary console.
      Confirm Password: Re-enter the password to confirm it.

      Figure: ServiceNow Event Ingestion Integration set up on Splunk

    10. Optional: Select the Splunk Secondary tab.
    11. Optional: On the form, fill in the fields.
      Field: Description
      Workflow action label: Name of the Splunk Enterprise Security secondary console or the Splunk Cloud secondary instance used for the integration.

      Spaces are supported for names, but parentheses are not supported. For example, enter SplunkES2.

      URL: URL for your Splunk Enterprise Security secondary console or the Splunk Cloud secondary instance. The URL should include the API port, for example: https://mysplunkserver.com:8089
      Endpoint: Endpoint for your Splunk Enterprise Security secondary console or the Splunk Cloud secondary instance.
      Auth type: Option to select the authentication type. You can select Basic Authentication or OAuth 2.0 Authentication.
      • If you are using API Account User Name and API Password for configuration, enable the Basic Authentication check box.

        Default is disabled.

      • If you are using OAuth 2.0 authentication for the configuration, enable the OAuth 2.0 Authentication check box.

        Default is disabled.

      Basic Authentication
      Username: User name that you created for your API user account on the Splunk Enterprise Security console.
      Password: Password that you created for your API user account on the Splunk Enterprise Security console.
      Confirm Password: Re-enter the password to confirm it.
      OAuth 2.0 Authentication
      Client ID: Client ID of the app created on the ServiceNow Server.
      Client Secret: Client Secret of the app created on the ServiceNow Server.
      Redirect URL: The URL to be redirected to. You can copy and paste this URL into your ServiceNow registry redirect URL.
      Optional Proxy Setup
      Proxy URL: Proxy URL for your Splunk Enterprise Security secondary console or Splunk Cloud secondary instance.
      Port: Port number for the proxy.
      Username: User name that you created for the Proxy account on the Splunk Enterprise Security secondary console.
      Password: Password that you created for the Proxy account on the Splunk Enterprise Security secondary console.
      Confirm Password: Re-enter the password to confirm it.
    12. Select the Logging Level tab.
    13. On the form, fill in the fields.
      Field: Description
      Log Level: The level of detail of the logs that the integration generates. You can set the value to one of the following options:
      • info
      • error
      • warn
      • debug

      By default, the value is info.

    14. Click Save.
      After validation is successfully completed, the Security Integrations page is displayed with each of your configurations. On each valid configuration tile, Update and Delete buttons are displayed as shown in the following figure.
      Note:
      Use either Basic Authentication or OAuth 2.0 Authentication, not both. Enable one of the authentication types and enter the corresponding authentication details. Enabling both displays an error.

      After it is successfully validated and submitted, each Event Ingestion Splunk server configuration is saved on the Security Integrations page as a tile. If your saved configuration tiles are not displayed on the Security Integrations page, in the top-right corner of the page, from the Show Configurations list, click Yes.
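
The constraints this procedure states (API port in the URL, no parentheses in the workflow action label, exactly one authentication type enabled, the four logging levels) can be checked before the values are entered on the Set up form. The following Python pre-check is an added example, not ServiceNow or Splunk code; the dictionary key names, the `check_config` function and the https requirement are assumptions made for the example.

```python
from urllib.parse import urlsplit

LOG_LEVELS = {"info", "error", "warn", "debug"}  # options listed on the form
REQUIRED = {"basic": ("username", "password"),
            "oauth": ("client_id", "client_secret")}

def check_config(cfg):
    """Return a list of problems for one configuration dict (empty = OK).
    Key names are hypothetical, not the integration's stored setting names."""
    problems = []
    # Workflow action label: spaces are fine, parentheses are not supported.
    label = cfg.get("label", "")
    if not label.strip():
        problems.append("label: empty")
    elif set("()") & set(label):
        problems.append("label: parentheses are not supported")
    # URL must name the API port. Requiring https is this example's
    # assumption: the saved credentials are sent to that endpoint.
    try:
        parts = urlsplit(cfg.get("url", ""))
        port = parts.port
    except ValueError:  # malformed host or non-numeric port
        parts, port = None, None
    if parts is None or not parts.hostname:
        problems.append("url: not a valid URL")
    else:
        if parts.scheme != "https":
            problems.append("url: scheme is not https")
        if port is None:
            problems.append("url: API port missing")
    # Exactly one authentication type may be enabled; both default to off.
    enabled = [k for k in REQUIRED if cfg.get(k, {}).get("enabled")]
    if len(enabled) != 1:
        problems.append("auth: enable exactly one type, %d enabled" % len(enabled))
    else:
        problems += ["%s: %s is empty" % (enabled[0], f)
                     for f in REQUIRED[enabled[0]] if not cfg[enabled[0]].get(f)]
    # Logging level falls back to the documented default, info.
    if cfg.get("log_level", "info") not in LOG_LEVELS:
        problems.append("log_level: not one of info, error, warn, debug")
    return problems

# Constructed sample: both authentication types enabled, URL without a port.
SAMPLE = {"label": "SplunkES2", "url": "https://mysplunkserver.com",
          "basic": {"enabled": True, "username": "svc_api", "password": "x"},
          "oauth": {"enabled": True, "client_id": "id", "client_secret": "s"}}

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)))
```

Run one check per tile (Splunk Primary and, if used, Splunk Secondary); an empty list means the values satisfy the constraints stated in the procedure, not that the credentials themselves are valid.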