Use the script editor to format alert values for the Splunk Enterprise Security Event Ingestion integration
In addition to the directly mapped fields from the ingested notable event values, and the values you enter manually, use the script editor to format field values on the security incident during the mapping step.
Before you begin
Role required: sn_si.admin
About this task
In certain cases, Splunk Enterprise Security notable event values are mapped to the Category, Configuration item (CI), and Observable fields on the SIR incident are not supported. You might prefer to edit the mapped values. If you want to translate the value of a Splunk Enterprise Security notable event to a value that is supported by these fields on the SIR security incident, use the script editor.
Procedure
-
With the mapping form displayed, click the link to open the script editor.
-
Alternatively, in the SIR Incident Field Mapping section, click the bracket icon
[{}] next to a field to open the script editor for that
field.
In certain instances, a script include may be appropriate for the Configuration item field. For an notable event, for example, a value for the Configuration item may not be matched.
As shown in the following figure, if a match for a host name cannot be found in the ServiceNow AI Platform® CMDB for the Configuration item field, you can edit the rule so that if an IP address is found, it populates the Configuration item field. If there is no value for the alarm, the field on the security incident is set to null.
The editor opens with the field displayed in Destination Field. The following image shows the editor with the Configuration item field as the Destination Field.