Mapping alerts and events for the Splunk Enterprise Event Ingestion integration

  • Release version: Xanadu
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Mapping alerts and events for the Splunk Enterprise Event Ingestion integration

    This guide explains how ServiceNow customers using the Splunk Enterprise Event Ingestion integration can map incoming alerts and events from Splunk to the fields on a ServiceNow AI Platform Security Incident Response (SIR) security incident. Mapping is a critical step after identifying alert ingestion sources or manually forwarding events, enabling you to customize how event data populates security incidents in ServiceNow.

    Show full answer Show less

    Users with the snsi.ingestionprofileadmin role ingest sample alerts or export event data from Splunk Enterprise to visualize and configure field mappings. The default mapping grids provided for each event profile type can be edited to tailor which Splunk alert or event fields correspond to SIR incident fields.

    Key features

    • Fetch Sample Data: Automatically ingest sample alerts from Splunk to display available alert fields and their values. This data appears on the left side of the mapping form for review and configuration.
    • Manual Event Forwarding: Export event data as XML from Splunk and load it into ServiceNow for mapping when manual forwarding is used.
    • Customizable Mapping Grid: Drag and drop alert or event fields from Splunk into the mapping grid to associate them with SIR security incident fields. You can add or remove fields to customize the incident data.
    • Field Visualization and Validation: Color coding helps identify duplicated or overlooked fields, ensuring accurate mapping.
    • Filtering and Aggregation: Define filter conditions to control which alerts are ingested and set criteria to aggregate incoming alerts to existing incidents, reducing duplicate incidents and consolidating related event data.
    • Script Editor for Field Formatting: When Splunk event values don’t directly translate to SIR fields, use the script editor to format and normalize these values. For example, different alert types in Splunk can be mapped to a single category in the SIR incident.
    • Separate Process Flows for Scheduled Alerts and Manual Events: Different configuration workflows exist for scheduled alert profiles and manual event forwarding profiles, guiding you through ingestion and mapping steps.

    Practical outcomes for ServiceNow customers

    • Enables precise customization of how Splunk alerts and events populate security incidents in ServiceNow, improving incident accuracy and relevance.
    • Helps reduce incident noise by filtering unnecessary alerts and aggregating related events into single incidents, enhancing incident management efficiency.
    • Provides flexibility to handle complex or non-standard event data through scripting, ensuring consistent categorization and meaningful incident fields.
    • Supports both automated alert ingestion and manual event forwarding, accommodating varied operational needs.
    • Visual tools and default mappings accelerate configuration while allowing full control to adapt to your security environment.

    After you identify the sources for scheduled alert ingestion or manual event forwarding, the next step is to map individual event fields to the fields on a ServiceNow AI Platform Security Incident Response (SIR) security incident.

    Overview of Mapping alerts and events

    For the mapping step, as a user with the sn_si.ingestion_profile_admin role, you ingest sample alerts from your Splunk Enterprise console, or you export event data for a Splunk Enterprise event.

    The following figures are examples of the default mapping grids that are provided for each type of event profile. This default mapping can be edited. This modification allows you to customize the fields that populate the security incident. With the mapping step, you can visualize how adding or removing event fields impacts the SIR security incident field values.

    Select the Alert Name, and after you click to Fetch Sample Data, the Splunk alert field values are populated on the left side of the form when sample alerts are ingested by the profile. These are the Splunk alert fields that you map to the SIR security incident fields.

    Figure 1. Default mapping form for alerts
    Default mapping form for alerts.

    After you click to load attachment data for forwarded events, the Splunk event fields are populated on the left side of the form. These are the Splunk data fields that are mapped to the SIR security incident fields.

    Figure 2. Default mapping form for forwarded events
    Default mapping form for events.

    You may prefer to review a few sample alerts on your Splunk console to ingest for the field mapping configuration step. This step is labeled, Mapping on the progress bar. If this page is not displayed, click Mapping on the progress bar.

    Mapping alerts and exporting events on-demand from your Splunk enterprise console includes the following concepts and tasks:
    • Fetch Sample data for automatically ingested alert profiles. After data is fetched (pulled) from a fired alert on the Splunk Enterprise console, available alert fields and their corresponding values are displayed in a default mapping layout on the left side of the mapping form. Tabs are displayed for you to view the values for an alert ID that you pulled. Verify that all the critical fields from the Alert Sample Ingestion section on the left of the form are mapped to the grid on the right of the form.
    • If required, load event sample data for any manually forwarded event profiles. Sample data for these events is exported in a .xml file from the Splunk Enterprise console and loaded into your ServiceNow AI Platform® instance. The imported data is displayed in the Alert Sample Ingestion section on the left of the form.
    • Edit the mapping configuration by dragging alerts from the left side and dropping them on the mapping grid on the right. The mapping grid on the right associates the incoming alert field with an outgoing security incident field.
    • Customize the mapping grid by adding or removing fields. Track overlooked or duplicated fields with the color coding that is provided.
    • Set filter conditions so that you can specify which alerts are ingested into the SIR application, and which alerts are filtered out.
    • Define additional incident field criteria that aggregates an incoming alert to an existing SIR security incident to prevent duplicate incidents. This additional filtering can reduce the number of active, overlapping security incidents by placing all related security event data on a single security incident.
    • In certain cases, event field values in the Splunk Enterprise console may not translate directly to the fields on the SIR security incident. For these values, you can use a script editor to format field values on the security incident during the mapping step. Use the script editor if you want to format values that are similar, but not identical. For example, with the script editor, the Malware Alert and Virus Infection field values in the Splunk console both translate to Malicious Code Activity in the Category field on the SIR security incident.

    Scheduled alert profiles

    After creating a scheduled alert profile, the process flow for the configuration is shown in the following figure.

    Figure 3. Process flow for scheduled alert profiles
    Process flow for scheduled alert.

    Manual Event forwarding profiles

    After creating a profile for an event, the process flow for the configuration is shown in the following figure.

    Figure 4. Process flow for event profiles
    Process flow for event export.

    The next step is to ingest triggered alerts or export data and map values to the SIR security incident fields.