Set Correlation rules

Release version: Zurich

Updated March 12, 2026

1 minute to read

After you have created a profile for a scheduled notable event type ingestion, select a Splunk Enterprise Security correlation rule name for this profile for which you want to map corresponding notable events to a ServiceNow AI Platform Security Incident Response security incident.

Before you begin

Role required: sn_si.ingestion_profile_admin

Note:

Users with the sn_si.admin role can perform all operations available to a profile admin, as the sn_si.admin role inherits the required permissions by default.

About this task

View the available correlation rules in your ServiceNow AI Platform instance so you know the notable event types for which you want to ingest and create security incidents. Select a correlation rule. You can select one or more notable event from the list in this form.

Procedure

If you're not continuing from the previous section of the incident profile definition process, access the profile you're defining.
1. Navigate to All>Splunk ES Event Profile.
2. Select the profile you're continuing to define.
3. Select Notable Event Selection in the progress bar.
Clear All Correlation Rules Selected check box to select specific Correlation Rules.
Selecting this check box will retrieve latest Correlation Rules from Splunk ES for active profile.
In the Correlation Rules List search field, enter the Correlation Rule name created in the Splunk ES portal.
Select the Correlation Rule(s).
Use the right arrow ( >) to move the rule(s) from Available to Selected column.
Note:
Correlation rules must be unique across active profiles. A correlation rule associated with an active profile cannot be selected for another active profile. To reuse the rule, deactivate the profile it is currently associated with.
Select Continue.

What to do next

Map notable events