Key terms used in this integration
This section describes some of the key terms used in this integration.
The following key terms are used during installation and configuration. For more information about these terms, see the ServiceNow Product Documentation website, the Splunk website, and the resources listed on the Splunk Resources page.
- ServiceNow AI Platform
- An enterprise ServiceNow product. The ServiceNow AI Platform is the base upon which individual components such as Security Incident Response (SIR), IT Service Management (ITSM), and other products are built.
- ServiceNow Splunkbase Addon
- A ServiceNow add-on, installed on your Splunk Enterprise Security console, that supports the manual event forwarding option of the integration. Manual event forwarding is an optional feature. This add-on is not required for the automated notable event ingestion that the integration provides, which pulls events from Splunk rather than having Splunk push them.
- Security Incident Response (SIR)
- A ServiceNow AI Platform application that tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review and closure.
- Splunk Enterprise Security
- Splunk Enterprise Security helps teams gain organization-wide visibility and security intelligence for continuous monitoring, incident response, and SOC operations, and gives executives a window into business risk. It is a premium security solution that requires a paid license. The host, or Splunk Cloud instance, on which this service runs is referred to as the Splunk console in this guide.
- Splunk Enterprise Security notable event
- A notable event is created when a correlation search identifies an event, or a pattern of events, that matches a particular type of incident. Correlation searches filter the security data and correlate across events; each match produces a notable event, which is what the integration ingests into the ServiceNow AI Platform.
- Splunk event
- The raw data records (one or more) that a correlation search matched to produce a notable event. From your ServiceNow AI Platform instance, you can look up which Splunk events triggered a given ServiceNow AI Platform security incident.
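The two definitions above (notable event and Splunk event) are easiest to see side by side. The following is an added example, not ServiceNow or Splunk code: a small model of a correlation search run over constructed raw events. The rule name, field names, and the threshold of five failed logons are illustrative assumptions; the point is that a notable event is derived from several raw events and keeps a reference back to them, which is the lookup an analyst performs from the security incident.

```python
"""Added example: a minimal model of a Splunk ES correlation search.

Raw Splunk events are individual records; a correlation search groups and
filters them, and each match becomes one notable event that points back at
the raw events that triggered it. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed raw Splunk events: one record per authentication attempt.
# Field names (action, src, user) follow the Splunk Authentication data
# model, but the values are made up for this example.
RAW_EVENTS = [
    {"_time": 1700000000 + i, "sourcetype": "linux_secure",
     "action": "failure", "src": "10.0.0.5", "user": "root"}
    for i in range(6)
] + [
    {"_time": 1700000100, "sourcetype": "linux_secure",
     "action": "failure", "src": "10.0.0.9", "user": "alice"},
    {"_time": 1700000200, "sourcetype": "linux_secure",
     "action": "success", "src": "10.0.0.5", "user": "root"},
]


@dataclass
class NotableEvent:
    """The derived record a correlation search produces (assumed fields)."""
    rule_title: str
    security_domain: str
    severity: str
    src: str
    count: int
    triggering_events: list = field(default_factory=list)


def brute_force_rule(events, threshold=5):
    """Correlation search: `threshold` or more failed logons from one src.

    The rule name and threshold are illustrative assumptions, not a
    shipped Splunk ES rule.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev.get("action") == "failure":
            failures[ev["src"]].append(ev)
    notables = []
    for src, evs in failures.items():
        if len(evs) >= threshold:
            notables.append(NotableEvent(
                rule_title="Brute Force Access Behavior Detected",
                security_domain="access",
                severity="high",
                src=src,
                count=len(evs),
                triggering_events=evs,
            ))
    return notables


def events_for_notable(notable):
    """The lookup an analyst does from the security incident: which raw
    Splunk events sit behind this notable, identified by _time here."""
    return sorted(ev["_time"] for ev in notable.triggering_events)


if __name__ == "__main__":
    for n in brute_force_rule(RAW_EVENTS):
        print(n.rule_title, n.src, n.count, events_for_notable(n))
```

Only the six failures from 10.0.0.5 cross the threshold, so one notable event is produced; the single failure from 10.0.0.9 and the later successful logon remain plain Splunk events. A security incident created from that notable carries enough to recover those six raw events, which is why the glossary distinguishes the two terms.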
- MID Server
- This application facilitates communication and movement of data between the ServiceNow AI Platform and external applications, data sources, and services. It is typically required for integration with on-premises technologies, and for this Splunk Enterprise Security event ingestion integration the MID Server carries the traffic between the ServiceNow AI Platform and an on-premises instance of Splunk Enterprise Security. The MID Server runs on a host inside your network and connects outbound to your instance, so Splunk Enterprise Security itself does not need to be reachable from the Internet. A MID Server is not required if you are integrating your ServiceNow AI Platform instance with a Splunk Cloud instance.
- Security incident admin (sn_si.admin)
- The user with this role oversees the configuration of the integration with the SIR product in your ServiceNow AI Platform instance.
- Security incident analyst (sn_si.analyst)
- The user with this role interacts with and analyzes security incidents in the ServiceNow Security Incident Response product.