Hi guys,
I have configured my ServiceNow integration with Splunk and it works fine; we can create notables from any scheduled/correlation search. However, does anyone happen to know if we can use this integration to turn a notable into a ServiceNow incident using an ad hoc adaptive response? It works if it's configured as an alert action, but we don't want every notable to go into ServiceNow. Our idea was that notables are tier 1 and then, using this manual invocation of the adaptive response, they go into ServiceNow to become tier 2 events.
Does anyone know if this can be done? In this Splunk dev article: http://dev.splunk.com/view/enterprise-security/SP-CAAAFBE under "Determine whether your action supports ad hoc invocation", it says any action that uses the SENDALERT action should support ad hoc invocation, but I'm unsure how to properly check this.
Any advice would be greatly appreciated.
Thanks,
I don't have enough Karma points to attach files, so I can't show you a screenshot of what it looks like when it works, unfortunately.
I can't remember exactly how I came to this conclusion, but I added the following config to alert_actions.conf on my deployer and pushed it to our SHC.
[snow_incident]
param._cam = {\
"category" : ["others"],\
"task" : ["others"],\
"subject" : ["others"],\
"technology" : [{"vendor":"unknown", "product":"unknown"}],\
"supports_adhoc" : true\
}
param.state = 1
param.correlation_id = $job.sid$
param.configuration_item = splunk
param.contact_type =
param.assignment_group =
param.category =
param.subcategory =
param.account = splunk_integration
param.short_description =
All the param.* fields can be hard-coded in this conf file so that the ad hoc invocation is prepopulated, if that's the way you want it. If you need any further help, let me know.
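The original question asks how to actually check that an action supports ad hoc invocation. The script below is an added example for this thread, not code from the poster above and not Splunk's own tooling: it folds the backslash line continuations used in the stanza, parses `param._cam` as JSON and reports whether `supports_adhoc` is set to `true`. The stanza name `snow_incident` is from the thread; the conf text is constructed inline (including a hypothetical `other_action` stanza for the negative case), and the list of required `_cam` keys is assumed from what the thread's stanza sets.

```python
"""Check whether a Splunk alert action advertises ad hoc (Adaptive Response)
support by reading its param._cam JSON out of alert_actions.conf.

Added example for this thread, not code from the poster or from Splunk.
The stanza name snow_incident comes from the thread; the conf text below is
constructed inline so the script runs offline.
"""
import configparser
import json
import re
from typing import Dict, List, Optional

# Keys the thread's stanza sets inside param._cam; the check below assumes
# an action needs all of them to be a complete Adaptive Response descriptor.
REQUIRED_CAM_KEYS = ("category", "task", "subject", "technology")

# Constructed sample: the stanza from the thread plus a second, hypothetical
# stanza that never sets supports_adhoc, to show the negative case.
SAMPLE_CONF = r"""
[snow_incident]
param._cam = {\
"category" : ["others"],\
"task" : ["others"],\
"subject" : ["others"],\
"technology" : [{"vendor":"unknown", "product":"unknown"}],\
"supports_adhoc" : true\
}
param.state = 1
param.correlation_id = $job.sid$
param.account = splunk_integration

[other_action]
param._cam = {"category": ["others"], "task": ["others"]}
"""


def join_continuations(text: str) -> str:
    """Fold backslash-newline continuations into one logical line, so the
    multi-line JSON value of param._cam becomes a single string."""
    return re.sub(r"\\\n", "", text)


def load_cam(conf_text: str) -> Dict[str, Optional[dict]]:
    """Map each stanza to its parsed param._cam dict, or None if absent.
    Invalid JSON raises rather than being guessed at."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(join_continuations(conf_text))
    result: Dict[str, Optional[dict]] = {}
    for stanza in parser.sections():
        raw = parser.get(stanza, "param._cam", fallback=None)
        if raw is None:
            result[stanza] = None
            continue
        try:
            result[stanza] = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"[{stanza}] param._cam is not valid JSON: {exc}") from exc
    return result


def missing_cam_keys(cam: Optional[dict]) -> List[str]:
    """Required descriptor keys that the stanza's _cam does not set."""
    if not cam:
        return list(REQUIRED_CAM_KEYS)
    return [k for k in REQUIRED_CAM_KEYS if k not in cam]


def supports_adhoc(conf_text: str, stanza: str) -> bool:
    """True only if the stanza has a valid _cam, all required keys, and
    supports_adhoc set to JSON true; anything else counts as unsupported."""
    cam = load_cam(conf_text).get(stanza)
    if not cam or missing_cam_keys(cam):
        return False
    return cam.get("supports_adhoc") is True


if __name__ == "__main__":
    for name, cam in load_cam(SAMPLE_CONF).items():
        state = "ad hoc OK" if supports_adhoc(SAMPLE_CONF, name) else "NOT ad hoc"
        gaps = missing_cam_keys(cam)
        print(f"[{name}] {state}" + (f"; missing _cam keys: {gaps}" if gaps else ""))
```

On a real search head, feed this the merged stanza rather than one file: `splunk btool alert_actions list snow_incident` prints the effective settings after all layers are combined (add `--debug` to see which file each line comes from), which matters on a cluster where a member's local copy can override what the deployer pushed.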
To send specific notable events from the Enterprise Security Incident Review page for investigation, an add-on called the ServiceNow Security Operations Add-on is available. This add-on allows Splunk ES analysts to create security-related incidents and events in ServiceNow. It features on-demand creation of a single ServiceNow event or incident from Splunk scheduled alerts, and supports creating both single and multiple ServiceNow events and incidents.
For detailed integration steps, refer to: The reverse integration between ServiceNow and Splunk for incident management can be achieved using ...
If this reply is helpful, karma would be appreciated 🙂.
Hi,
Can we do the same for BMC remedy add-on?
Does the BMC integration work as an ad hoc adaptive response?
My problem is the same, but I use Service Manager.
I tried this, but when I click "Run Adaptive Response Action" on the Incident Review page, Service Manager does not show up.
Bump - I could use this integration as well.
Regex examples would be elite. If the strings or scripts required for the ServiceNow integration could be shared, I'd be grateful.
I've got a solution to this now guys. I'll try and dig it out now.
Hi,
Can we know the solution for this case?
Bump. I have the exact same problem.