We are monitoring some PCI related systems for real-time system file changes.
If detected, we would like to fire off an email alert message, creating a ticket once that email is received.
Service Now is our help desk solution. Has anyone developed anything to address this type of situation?
Thanks!
Check out this Splunk for ServiceNow app, which does provide the capability to create tickets based on search results.
I have no experience with Service Now, but alerts that fire an email are pretty simple. Assuming that your ticketing system has the ability to open a new ticket based on an email, you're set.
Personally, I might look into a tighter integration using a script fired as part of an alert and use the ticketing system's API to create a new ticket. This could give you more flexibility in how the ticket is made and what is put into it.
I think you've been given your answer, but it will require some work on your part. Splunk can call a script when an alert is triggered. That script can do anything you want it to do, including call a program that uses the ticketing system's API to submit a ticket. Splunk doesn't natively know about your ticketing system's API, and your ticketing system's API knows nothing of Splunk. But, your script can provide the glue between them. If you don't have programming skills, then this will be more difficult, and you should consult with someone who has the programming skills to help do this.
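The glue script the two answers above describe, written out as an added example (it is not code from this thread or from the Splunk for ServiceNow app). It assumes Splunk's legacy "Run a script" interface, which invokes the script with eight positional arguments, the eighth being the path to a gzipped CSV of the search results, and it posts to the standard ServiceNow Table API endpoint for the incident table. The instance URL, the service account, and the event field names (host, action, path) are hypothetical; the sample results file is constructed inline so the script can be dry-run offline.

```python
#!/usr/bin/env python3
"""Splunk "Run a script" alert action that opens a ServiceNow incident.

Added example, not from the original thread. Assumes: Splunk's legacy
scripted-alert interface (8 positional args, the 8th is a gzipped CSV of
results), a ServiceNow instance at SNOW_URL with Basic-auth credentials in
the environment, and hypothetical FIM event fields host/action/path.
"""
import base64
import csv
import gzip
import json
import os
import sys
import tempfile
import urllib.request

SNOW_URL = os.environ.get("SNOW_URL", "https://example.service-now.com")  # assumed
SNOW_USER = os.environ.get("SNOW_USER", "splunk_api")                      # assumed
SNOW_PASS = os.environ.get("SNOW_PASS", "")
MAX_EVENTS_IN_TICKET = 20  # keep the ticket description bounded on noisy alerts


def parse_alert_args(argv):
    """Map Splunk's positional alert arguments to named fields.

    Splunk passes: $1 event count, $2 search terms, $3 full query string,
    $4 saved search name, $5 trigger reason, $6 saved search URL,
    $7 deprecated (empty), $8 path to the gzipped CSV of results.
    """
    if len(argv) < 9:
        raise ValueError("expected 8 alert arguments, got %d" % (len(argv) - 1))
    return {"event_count": int(argv[1]), "query": argv[3], "search_name": argv[4],
            "trigger_reason": argv[5], "search_url": argv[6], "results_file": argv[8]}


def read_results(path):
    """Read the gzipped CSV Splunk hands to the script into a list of dicts."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def build_incident(alert, results):
    """Build the Table API payload. urgency/impact use the stock 1-3 values;
    which fields are mandatory is instance-specific (ask the ServiceNow admins)."""
    hosts = sorted({r.get("host", "?") for r in results})
    lines = ["%s host=%s action=%s path=%s" % (r.get("_time", "?"), r.get("host", "?"),
                                               r.get("action", "?"), r.get("path", "?"))
             for r in results[:MAX_EVENTS_IN_TICKET]]
    if len(results) > MAX_EVENTS_IN_TICKET:
        lines.append("... %d more event(s) in Splunk" % (len(results) - MAX_EVENTS_IN_TICKET))
    return {
        "short_description": "[Splunk] %s: %d file change(s) on %s" % (
            alert["search_name"], len(results), ", ".join(hosts)),
        "description": "\n".join(["Trigger: " + alert["trigger_reason"],
                                  "Search: " + alert["query"],
                                  "Results: " + alert["search_url"], ""] + lines),
        "urgency": "2",
        "impact": "2",
    }


def create_incident(payload, opener=urllib.request.urlopen):
    """POST the payload to /api/now/table/incident; returns (status, parsed body)."""
    req = urllib.request.Request(SNOW_URL + "/api/now/table/incident",
                                 data=json.dumps(payload).encode("utf-8"), method="POST")
    token = base64.b64encode(("%s:%s" % (SNOW_USER, SNOW_PASS)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    with opener(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def write_sample_results():
    """Write a constructed results file shaped like Splunk's and return its path."""
    rows = [  # constructed sample events, not real data
        {"_time": "2013-01-01T10:00:00", "host": "pci-web01", "action": "modified", "path": "/etc/passwd"},
        {"_time": "2013-01-01T10:00:05", "host": "pci-web01", "action": "created", "path": "/etc/cron.d/x"},
        {"_time": "2013-01-01T10:01:00", "host": "pci-db01", "action": "modified", "path": "/etc/sudoers"},
    ]
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    os.close(fd)
    with gzip.open(path, "wt", newline="") as fh:
        w = csv.DictWriter(fh, fieldnames=["_time", "host", "action", "path"])
        w.writeheader()
        w.writerows(rows)
    return path


def demo():
    """Run args -> results -> payload on the constructed input, without HTTP."""
    argv = ["snow_ticket.py", "3", "sourcetype=fim", "search sourcetype=fim action=*",
            "PCI file change", "Saved Search [PCI file change] number of events(3)",
            "https://splunk.example/app/search/@go?sid=123", "", write_sample_results()]
    alert = parse_alert_args(argv)
    results = read_results(alert["results_file"])
    return alert, results, build_incident(alert, results)


if __name__ == "__main__":
    if len(sys.argv) >= 9:  # invoked by Splunk as an alert action
        a = parse_alert_args(sys.argv)
        status, body = create_incident(build_incident(a, read_results(a["results_file"])))
        print("HTTP %s %s" % (status, body.get("result", {}).get("number", body)))
        sys.exit(0 if status == 201 else 1)
    print(json.dumps(demo()[2], indent=2))  # no arguments: dry run on sample data
```

The script goes under $SPLUNK_HOME/bin/scripts and is selected by file name in the alert's "Run a script" action; Splunk supplies the eight arguments itself, so the results reach the script through the file named in the eighth one rather than through anything typed into the alert editor. Keep the ServiceNow credentials in the environment of the Splunk service account (or a config file readable only by it) rather than in the script, and have the service account limited to creating records in the incident table.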
What kind of programming skills would be required for this? Can you please guide me on what type of script can be written to create an incident in SNOW, and also how the data can be passed to the script via the alert? When I go to edit the alert action and add a new action of "Run a script", I can only enter the path of the script.
Any detailed steps in this would help me.
I checked with support and received:
"Splunk can trigger alerts, and while natively we can't just interface with an API out of the box, you're certainly welcome to write a script and call that script as an alert action to one of your saved searches. This would be a function of your operating system."
From our Helpdesk folks I received:
"My first question is: can the system alerting utilize API calls to create the incidents? This is the preferred method. However, if e-mail is the only method, then the generated e-mail would need to contain value pairs to properly populate the fields."