Create and name an event profile for the Splunk Enterprise Event Ingestion integration

  • Release version: Xanadu
  • Updated January 30, 2025
  • 8 minutes to read

    Create an event profile in your ServiceNow AI Platform instance and determine which Splunk alerts create security incidents.

    Before you begin

    Role required: sn_si.ingestion_profile_admin

    Note:
    Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

    About this task

    Before ServiceNow AI Platform Security Incident Response (SIR) security incidents are created from ingested alerts, the field values from those alerts are displayed on a security incident layout so that you can preview how the resulting security incident will look.

    From an integration perspective, using the available APIs, Splunk events are either forwarded individually and manually as discrete events, or combined into triggered alerts that are automatically ingested into the Security Operations environment of your ServiceNow AI Platform instance. The integration workflows ingest different types of alerts, such as unauthorized access attempts and malware detections.

    These alerts are ingested based on the profiles that you configure in the Security Operations environment of your instance. All alerts of the alert type configured in a profile are initially ingested. Ingested alerts can then be further filtered to specify which of them create security incidents. For example, you may prefer filters that create security incidents only for alerts that are identified as high-risk. Before a profile is activated and begins creating security incidents from ingested alerts, individual field values on the filtered alerts are mapped to the corresponding fields on a security incident layout for a preview.

    Alert names for event profiles in your ServiceNow AI Platform instance must be unique and can only be mapped to one active event profile at any given time. These are the triggered alert names that you configured in your Splunk service as part of the setup for the integration. For more information about configuring alerts in your Splunk Enterprise environment, see Save searches in your Splunk Enterprise console for the Splunk Enterprise Event Ingestion integration.

    The ServiceNow AI Platform ingests specific alerts using the workflows of the integration. All alerts that meet the selection criteria in your Splunk Enterprise console are initially ingested into your ServiceNow AI Platform instance.

    A profile in your ServiceNow AI Platform instance is an encapsulation of a Splunk alert in your Splunk Enterprise console. There is a one-to-one relationship between alerts that are ingested with a profile and connections to your Splunk Enterprise console: one alert for one connection. There is a single HTTPS connection to a search head in your Splunk Enterprise console. Multiple alerts can come from a single search head. If you connect to multiple search heads in your Splunk Enterprise console, you must create multiple profiles in your ServiceNow AI Platform instance to ingest these alerts.

    Steps to create profiles for scheduled alert ingestion

    Procedure

    1. To create an event profile for an alert, in your ServiceNow AI Platform instance, navigate to Splunk ES Integration > Splunk ES Event Profiles.
    2. If the Splunk Event Profile form is not displayed, click Name in the Progress bar.
    3. Click New.
    4. Fill in the fields.

      An example of a completed form follows the table.

      Field descriptions for the Splunk Event Profile form:

      Name

      Unique name for the profile. If names are not unique, duplicate profile names are not saved.

      Profile names in your ServiceNow AI Platform instance must be unique.

      Active

      Check box is cleared by default.

      The Active option is disabled and not available for selection until you complete all the profile configuration steps and click Finish.

      Type

      Select the profile type from the choice list.
      • Scheduled Alert Ingestion - This type of profile supports triggered alerts that are ingested on a schedule that you configure. Fill in the fields and click Continue to proceed to the Alert Selection step of the profile.
      • Manual Event Forwarding - This type of profile supports individual events that are forwarded manually from your Splunk Enterprise console on demand. See the following steps to fill out the form for these types of profiles.

      Source Type

      Splunk server or search head that you configured to ingest alerts. If you have multiple Splunk servers configured, select the appropriate server for the alert types that you are planning to ingest for the profile. You are required to enter a value.

      Order

      Default is 100. Leave this setting at the default.

      If you have created multiple profiles, this value provides a run time execution priority when two or more profiles share the same triggering conditions. The workflow in the profile with the lowest number has the highest priority.

      (Optional) Description

      Text to help you distinguish this profile from other profiles.

      The following figure is an example of a completed form for a scheduled alert.

      Completed profile name form for a scheduled alert.
    5. For a profile with a scheduled alert, choose one option to continue with the profile configuration.

      Continue: Save the profile and progress to the Alert Selection step.
      Update: Save updates to this profile and return to the Splunk Event Profiles list.
      Save: Save this profile and remain on the page.
      Delete: Delete this profile record and return to the Splunk Event Profiles list.

    Steps to create profiles for manual event forwarding

    6. To create a profile that supports manual event forwarding, follow these steps.

      For events that you forward on-demand from your Splunk enterprise console, you can base the individual field mapping on any existing profile. Alternatively, you can create a new mapping grid for exported attachment data. Events that you forward manually are not scheduled in the event profile.

      1. If not already selected, in the choice list for the Type field, select Manual Event Forwarding.
      2. In the Mapping Option field that is displayed, from the choice list, choose one mapping option to continue.

        Refer to the following figures and tables for more information about the available mapping options in the Mapping Options choice list.

        Figure 1. Create new field mapping option (Mapping Option field highlighted)

        Table 1. Create new field mapping option

        Create new field mapping option

        New field mapping for your event.

        If you do not have an existing field mapping that is similar to the profile that you are creating, select this option to create a new map.

        Default profile

        Default event forwarding profile for all Splunk events. Default is cleared (disabled).

        When this option is enabled, this profile becomes the default profile for manual event forwarding. This profile is the only profile that is active and used for every Splunk event field mapping to a SIR security incident. One profile fits all forwarded events.

        The Source field is unavailable if the default profile option is enabled.

        Source type

        Splunk server.

        This field is unavailable if the default profile option is enabled.

        If available, the Source Type option permits unique event field mapping to security incident fields based on the Splunk source type.

        If you want to manage firewall log events differently than endpoint detection events, and they have different Splunk source types, you can create different event profiles based on source types to accomplish this requirement.

        Order

        Default is 100. Leave this setting at the default.

        If you have created a large number of profiles, this value provides a run time execution priority when two or more profiles share triggering conditions. The workflow in the profile with the lowest number has the highest priority.

        (Optional) Description

        Text to help you distinguish this profile from other profiles.

        For a profile with a new field mapping, verify that you have entered a value in the Source type field and click Continue to proceed to the mapping step of the configuration.

        For a profile with an existing field mapping, refer to the following figure and table for more information.

        Figure 2. Select existing profile for field mapping option (search icon highlighted for the copy existing mapping option)

        Table 2. Select existing profile for field mapping option

        Select existing profile for field mapping

        An existing field mapping for your event.

        The Copy from profile field is displayed.

        Follow these steps to copy an existing field mapping for this profile.

        1. To the left of the Copy from profile field that is displayed, click the search icon.
        2. In the Splunk Event Profiles list that is displayed, click the profile name that has the map that you want to copy.

          The profile name is displayed in the Copy from profile field.

        Default profile

        Default event forwarding profile for all Splunk events. Default is cleared (disabled).

        When this option is enabled, this profile becomes the default profile for manual event forwarding. This profile is the only profile that is active. It is used for every Splunk event field mapping to a SIR security incident. One profile fits all forwarded events.

        The Source field is unavailable if the default profile option is enabled.

        Source type

        Splunk server.

        This field is unavailable if the default profile option is selected.

        If available, the Source Type option permits unique event field mapping to security incident fields based on the Splunk source type.

        If you want to manage firewall log events differently than endpoint detection events, and they have different Splunk source types, you can create different event profiles based on source types to accomplish this requirement.

        Order

        Default is 100. Leave this setting at the default.

        If you have created multiple profiles, this value provides a run time execution priority when two or more profiles share triggering conditions. The workflow in the profile with the lowest number has the highest priority.

        (Optional) Description

        Text to help you distinguish this profile from other profiles.

        At the bottom of the form for selecting an existing mapping for your profile, click Finish to complete the profile configuration.
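    The profile rules described on this page (a Splunk alert name may be mapped to only one active scheduled profile at a time, the profile with the lowest Order value has the highest priority, an active default profile handles every manually forwarded event, otherwise the mapping is chosen by Splunk source type, and Source type is unavailable when the default profile option is enabled) modelled as a small Python script. This is an added example, not ServiceNow or Splunk code; the Profile dataclass, the validate and resolve_* functions, and the sample profile names, alert names and source types are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Profile:
    """A Splunk event profile as modelled for this example (assumed structure, not a ServiceNow API)."""
    name: str
    profile_type: str                  # "scheduled" (alert ingestion) or "manual" (event forwarding)
    active: bool = False
    order: int = 100                   # run time execution priority; the lowest number wins
    alert_name: Optional[str] = None   # scheduled profiles: the Splunk triggered alert name
    source_type: Optional[str] = None  # manual profiles: the Splunk source type the mapping applies to
    default_profile: bool = False      # manual profiles: one profile fits all forwarded events


def validate(profiles: List[Profile]) -> List[str]:
    """Check the rules stated on the page; returns an empty list when the set is consistent."""
    problems: List[str] = []
    seen_names = set()
    alert_owner: Dict[str, str] = {}  # alert name -> active scheduled profile that owns it
    active_defaults: List[str] = []
    for p in profiles:
        # Profile names must be unique.
        if p.name in seen_names:
            problems.append(f"duplicate profile name {p.name!r}")
        seen_names.add(p.name)
        # An alert name may be mapped to only one active event profile at a time.
        if p.profile_type == "scheduled" and p.active and p.alert_name:
            owner = alert_owner.get(p.alert_name)
            if owner is not None:
                problems.append(f"alert {p.alert_name!r} is mapped to two active profiles: {owner!r} and {p.name!r}")
            else:
                alert_owner[p.alert_name] = p.name
        # Source type is unavailable when the default profile option is enabled.
        if p.profile_type == "manual" and p.default_profile:
            if p.source_type is not None:
                problems.append(f"{p.name!r}: Source type must be empty when default profile is enabled")
            if p.active:
                active_defaults.append(p.name)
    # The default profile is the only active profile used for manual forwarding.
    if len(active_defaults) > 1:
        problems.append(f"more than one active default profile: {active_defaults!r}")
    return problems


def _highest_priority(candidates: List[Profile]) -> Optional[Profile]:
    """Lowest Order value has the highest priority; None when nothing matches."""
    return min(candidates, key=lambda p: p.order) if candidates else None


def resolve_scheduled(profiles: List[Profile], alert_name: str) -> Optional[Profile]:
    """Pick the active scheduled profile that ingests a given Splunk triggered alert."""
    return _highest_priority([
        p for p in profiles
        if p.profile_type == "scheduled" and p.active and p.alert_name == alert_name
    ])


def resolve_manual(profiles: List[Profile], source_type: str) -> Optional[Profile]:
    """Pick the mapping used for a manually forwarded event of the given source type."""
    active = [p for p in profiles if p.profile_type == "manual" and p.active]
    defaults = [p for p in active if p.default_profile]
    if defaults:
        # An active default profile handles every forwarded event, regardless of source type.
        return _highest_priority(defaults)
    return _highest_priority([p for p in active if p.source_type == source_type])


# Constructed sample profiles; the names, alert names and source types are made up.
PROFILES = [
    Profile("Brute force logins", "scheduled", active=True, alert_name="SN - Brute Force Logins"),
    Profile("Malware detections", "scheduled", active=True, alert_name="SN - Malware Detected", order=50),
    Profile("Firewall events", "manual", active=True, source_type="example:firewall"),
    Profile("Endpoint events", "manual", active=True, source_type="example:edr", order=90),
    # Inactive, so it may legitimately share an alert name with an active profile.
    Profile("Retired brute force", "scheduled", active=False, alert_name="SN - Brute Force Logins"),
]

# Same set plus a catch-all default profile for manual forwarding.
CATCH_ALL = PROFILES + [Profile("All forwarded events", "manual", active=True, default_profile=True)]

# Same set plus a second active profile for an alert name that is already taken.
CONFLICTING = PROFILES + [
    Profile("Second brute force", "scheduled", active=True, alert_name="SN - Brute Force Logins", order=10),
]


if __name__ == "__main__":
    print("valid set:", validate(PROFILES))
    print("conflicting set:", validate(CONFLICTING))
    print("firewall event ->", resolve_manual(PROFILES, "example:firewall").name)
    print("firewall event with default ->", resolve_manual(CATCH_ALL, "example:firewall").name)
```

    Running validate over a proposed set of profiles before activating them catches the two configurations the page rules out (an alert name owned by two active profiles, and a default profile that also carries a Source type), while the resolve_* functions show why a stray low Order value on a duplicate profile would silently take over an alert.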

    What to do next

    You have successfully completed the steps to create profiles for both scheduled alerts and manual event forwarding. For profiles for manual event forwarding, you have completed the profile configuration. The next step is to load attachment data in the mapping step.

    For profiles for scheduled alerts, the next step is to select alerts for automatic ingestion.