topic Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations? in Splunk Enterprise Security

What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

nychawk — Tue, 06 Dec 2016 20:04:48 GMT

Hello;

I am running Splunk Enterprise Security and would like to enable security events to trigger events in Service Now, and create a ServiceNow ticket.
I would like to also allow users and other non-ES applications to create ServiceNow tickets.

I was wondering what the differences between this app, and https://splunkbase.splunk.com/app/3192/ are?

Incidentally, I am running Helsinki; in case that matters.

Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

ppablo — Tue, 06 Dec 2016 20:27:03 GMT

Hi @nychawk

To clarify for other users, are you trying to compare ServiceNow Security Operations with the Splunk App for ServiceNow? or are you trying to compare ServiceNow Security Operations with Splunk Enterprise Security?

Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

goodsellt — Tue, 06 Dec 2016 20:44:30 GMT

I've been playing with both, it seems the security app is more focused as a "alert action" or ES action item for notable events. The Splunk app and addon for ServiceNow seem to be focused on monitoring your servicenow environment using Splunk similar to other apps (such as the infrastructure focused apps), and working as an alternative to SNOWs reporting and performance analytics items. It also has the added benefits of creating incidents and events, though I don't think it is as refined as the "Security" app (but it is only for incidents).

I'm definitely interested to hear about this from an expert though. In my experience so far, if you're very good with the SNOW app for Splunk then you don't need to use the Security app, however the Security app is much easier to setup and use. In my situation, I'm planning on using the SNOW app on our "regular" search head for all of those items, but using the "Security" SNOW app on the ES search head to save time and resources on the devices.

Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

ppablo — Tue, 06 Dec 2016 20:55:56 GMT

Thanks for the info. I added the official app tags for Splunk Enterprise Security and Splunk App for ServiceNow to get more visibility on you question. Hope you find an answer soon!

Patrick

Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

nychawk — Fri, 09 Dec 2016 01:28:57 GMT

I am looking for differences between ServiceNow Security Operations and the Splunk App for ServiceNow

Both of these allow creation of new tickets, the second one above seems to a lot of work to implement, the first I "believe" requires a Snow add on, not sure

Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

nychawk — Fri, 09 Dec 2016 01:33:08 GMT

My thoughts exactly, but my Service Now in house SME states that the Service Now Security Operations app requires a Service Now add on we do not have. Looking for feedback on what Service Now side apps the Splunk app requires.

Re: What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

jconger — Fri, 09 Dec 2016 16:06:52 GMT

The Splunk Add-on for ServiceNow and the Splunk App for ServiceNow are built and supported by Splunk. The ServiceNow Security Operations app was built by ServiceNow. The Helsinki release of ServiceNow introduced a different class of incidents and events that were more geared toward security rather than general. These integration endpoints for these classes of of incidents and events are different. So, ServiceNow created an app to integrate directly with these.

Check out the release notes for Helsinki here where the Splunk integration is mentioned -> https://docs.servicenow.com/bundle/helsinki-release-notes/page/release-notes/security-operations/r_SecurityIncidentResponseRN.html

Summary:
The Splunk Add-on for ServiceNow is the foundation that collects data from ServiceNow and integrates with their APIs. There is very little user interface involved here and no out-of-the-box intelligence about the data. This add-on is built and supported by Splunk.

The Splunk App for ServiceNow depends on the Splunk Add-on for ServiceNow to collect data. The Splunk App for ServiceNow has out-of-the-box intelligence about the ServiceNow data and several dashboards. This app is built and supported by Splunk.

The ServiceNow Security Operations app adds security-specific incident and event integration. This app is Splunk Certified, but it is built and supported by ServiceNow.