Use the script editor to format alert values for the Splunk Enterprise Event Ingestion integration
Use the script editor to format field values on the security incident during the mapping step.
Before you begin
In addition to the directly mapped fields from the pulled alert values, and the alert values you enter manually, you can optionally use the script editor to format field values on the security incident during the mapping step. The script editor changes the values of a Splunk alert so that values that are supported by the ServiceNow AI Platform® Security Incident Response security incident are mapped to the Category, Configuration item (CI), and Observable fields.
Role required: sn_si.ingestion_profile_admin
About this task
In certain cases, Splunk Enterprise alert values are mapped to the Category, Configuration item (CI), and Observable fields on the SIR incident and are not supported. You might prefer to edit the mapped values. If you want to translate the value of a Splunk Enterprise alert to a value that is supported by these fields on the SIR security incident, use the script editor.
Procedure
-
With the mapping form displayed, select the link to open the script editor.
-
Alternatively, in the SIR incident Field Mapping section, select the bracket icon [{}] next to a field to open the script editor for that field.
In certain instances, a script include may be appropriate for the Configuration item field. For an alert, for example, a value for the Configuration item may not be matched.
As shown in the following figure, if a match for a host name cannot be found in the ServiceNow AI Platform® CMBD for the Configuration item field, you can edit the rule so that if an IP address is found, it populates the Configuration item field. If there is no value for the alarm, the field on the security incident is set to null.
The editor opens with the field displayed in Destination Field. The following image shows the editor with the Configuration item field as the Destination Field.