Set up your ServiceNow AI Platform instance for the Splunk Enterprise Security integration
This guide describes the essential setup tasks ServiceNow customers must complete in their ServiceNow AI Platform® instance before installing the Splunk Enterprise Security integration application from the ServiceNow Store. Proper setup ensures smooth installation, configuration, and operation of the integration, enabling automated or manual ingestion of notable events from Splunk Enterprise Security into ServiceNow AI Platform®.
Prerequisites and Role Assignments
- Required roles: Assign the sn_si.ingestion_profile_admin role for managing event profiles, mappings, and ingestion schedules. The sn_si.admin role inherits these permissions. The ServiceNow AI Platform® administrator (admin) installs the app and assigns roles.
- Manual event forwarding: If you plan to forward notable events manually, assign users the sn_sec_splunkes.api_account_access role to allow Splunk Enterprise Security administrators API access for manual ingestion. This role is not needed for automatic ingestion.
- Security Analyst roles: Assign sn_si.analyst in ServiceNow for incident handling and ess_analyst in Splunk Enterprise Security for managing integration-related activities on the Splunk server.
System and Environment Setup
- Splunk API version: Ensure use of Splunk API version 7.2.6 or later, as earlier versions are unsupported.
- MID Server: Install and configure a MID Server if connecting to an on-premises Splunk deployment within the corporate network. For Splunk Enterprise Security Cloud, a MID Server is not required.
- ServiceNow core plugins and apps: Activate the Security Incident Response Dependency plugin (com.snc.si_dep) to automatically install necessary dependencies for Security Incident Response. Then install and activate the Security Incident Response, Security Integration Framework, and Security Support Common applications from the ServiceNow Store in the specified order to ensure proper functionality.
Next Steps
After completing the setup tasks and verifying roles, API versions, MID Server configuration, and required plugins and applications, proceed to install the Splunk Enterprise Security Notable Event Ingestion application from the ServiceNow Store.
If manual, on-demand event export from Splunk Enterprise Security is needed, additional configuration on the Splunk side is required. Detailed instructions for this are available separately.
The following section lists the setup tasks that you are required to complete in your ServiceNow AI Platform® instance prior to installing the application from the ServiceNow Store.
Role required: sn_si.ingestion_profile_admin.
Refer to the following table and verify that you have completed all the listed tasks before you download and install the application to ensure a smooth installation and configuration.
- Verify that you have assigned the required ServiceNow AI Platform® and Security Incident Response (SIR) roles.
The following roles are required for the installation, setup, and use of the integration in your ServiceNow AI Platform® instance.
- A user with the ServiceNow AI Platform® administrator role (admin) installs the application from the ServiceNow Store and assigns the security incident administrator (sn_si.admin) role.
- If you want to forward notable events manually from Splunk Enterprise Security for this integration, a user with the ServiceNow AI Platform® admin role assigns the sn_sec_splunkes.api_account_access role to a user in the ServiceNow AI Platform®. This role permits a user with the Splunk Enterprise Security administrator role to access the API in the ServiceNow AI Platform® that is required for manual event forwarding for this integration.
The sn_sec_splunkes.api_account_access role is not required for the integration if you are ingesting notable events automatically from Splunk Enterprise Security into your ServiceNow AI Platform® instance.
- A user with the sn_si.ingestion_profile_admin role oversees the following tasks in the ServiceNow AI Platform®:
- Names, creates, and edits event profiles.
- Selects and maps values from Splunk Enterprise Security to ServiceNow AI Platform® security incidents.
- Previews security incident details for accuracy prior to finalizing the configuration.
  - Schedules ongoing notable event ingestion.
- Enables notable event updates when a SIR incident is created and closed.
- Assigns the security incident analyst (sn_si.analyst) role.
- Users with the sn_si.analyst role work with security incidents.
For more information, see Managing roles.
- Assign the Splunk user role.
Assign a Security Analyst (ess_analyst) user role in Splunk ES to perform all integration-related activities on the Splunk server.
- Verify that you are using version 7.2.6 or later of the Splunk API. Earlier versions are not supported.
If you have access to the Splunk Enterprise Security console, you have access to the API that is required for this integration. There is no other special setup required for the API.
- Verify that you have installed and configured a MID Server.
A MID Server in your ServiceNow AI Platform® instance is required to connect to the Splunk service if the Splunk server is deployed within your corporate network. For information, see MID Server.
If you are using the Splunk Enterprise Security Cloud service, a MID Server is not required.
- Verify that the ServiceNow core applications that are required to support the integration are installed and activated.
The Security Incident Response Dependency plugin (com.snc.si_dep) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications required by the integration.
Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the following order to ensure a smooth installation.
- Security Incident Response
- Security Integration Framework
- Security Support Common
For more information about installing the Security Operations core applications, see Get entitlement for a Security Operations product or application and Activate a ServiceNow Store application.
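The checklist above, encoded as a small pre-install readiness check. This is an added example, not ServiceNow or Splunk code: it assumes you have already exported the per-user role assignments, active plugin IDs, installed store app names, MID Server count and Splunk API version from your environment, and the input shape and sample data below are constructed for illustration.

```python
"""Readiness check for the Splunk ES Notable Event Ingestion prerequisites.

Added example; the input dict layout is an assumption, not a ServiceNow API.
"""
from typing import List

REQUIRED_APPS = ["Security Incident Response",
                 "Security Integration Framework",
                 "Security Support Common"]
MIN_SPLUNK_API = (7, 2, 6)


def parse_version(text: str) -> tuple:
    """'7.10.0' -> (7, 10, 0); tuple compare ranks 7.10 above 7.2.6 (a string compare would not)."""
    return tuple(int(p) for p in text.strip().split("."))


def readiness_issues(state: dict) -> List[str]:
    """Return unmet prerequisites in checklist order; an empty list means ready to install."""
    issues = []
    roles = state["roles"]  # user id -> list of role names held
    if not any("sn_si.admin" in r for r in roles.values()):
        issues.append("no user holds sn_si.admin")
    if not any("sn_si.ingestion_profile_admin" in r for r in roles.values()):
        issues.append("no user holds sn_si.ingestion_profile_admin")
    # The API access role matters only when notable events are forwarded manually.
    if state["manual_forwarding"] and not any(
            "sn_sec_splunkes.api_account_access" in r for r in roles.values()):
        issues.append("manual forwarding enabled but nobody holds sn_sec_splunkes.api_account_access")
    if parse_version(state["splunk_api_version"]) < MIN_SPLUNK_API:
        issues.append(f"Splunk API {state['splunk_api_version']} is older than 7.2.6")
    # A MID Server is needed only for an on-premises Splunk deployment, not for Splunk ES Cloud.
    if state["splunk_on_prem"] and state["mid_servers"] == 0:
        issues.append("on-premises Splunk requires a MID Server")
    if "com.snc.si_dep" not in state["active_plugins"]:
        issues.append("plugin com.snc.si_dep is not active")
    for app in REQUIRED_APPS:  # apps are installed one at a time, in this order
        if app not in state["installed_apps"]:
            issues.append(f"store app not installed: {app}")
            break  # report only the first gap, since later apps depend on it
    return issues


# Constructed sample: Splunk ES Cloud, manual forwarding wanted, API access role not yet assigned.
SAMPLE = {
    "roles": {"alice": ["admin", "sn_si.admin", "sn_si.ingestion_profile_admin"],
              "bob": ["sn_si.analyst"]},
    "manual_forwarding": True, "splunk_api_version": "7.10.0",
    "splunk_on_prem": False, "mid_servers": 0,
    "active_plugins": {"com.snc.si_dep"},
    "installed_apps": ["Security Incident Response", "Security Integration Framework"],
}

if __name__ == "__main__":
    for issue in readiness_issues(SAMPLE):
        print("MISSING:", issue)
```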
If you want to export notable events manually and on-demand from your Splunk Enterprise Security console for the integration, see Set up your Splunk environment for manual event ingestion for the Splunk Enterprise Security Notable Event Ingestion integration for more information.