We recently emailed Splunk with some questions regarding the integration of Splunk Enterprise Security App into a ticketing system. Since the notable event assignment and tracking within the ES app / SIEM itself still has somewhat basic functionality, we were curious about using a full-fledged ticketing system for incident response workflow and how it would tie into Splunk ES.
Some possible use cases would be:
- Having ES create tickets and auto-populate relevant fields as well as attach event-associated source logs or reports.
- Feeding metrics from the ticketing system back into Splunk for reporting.
- Utilizing Splunk to search for information in ticket history (to check if event ABC perhaps also occurred XYZ months/years ago).
The questions we asked the Splunk guys were:
- What ticketing systems do you see your customers using most frequently? Remedy? Salesforce? JIRA? Custom-built?
- Of those ticketing systems you see tied in frequently, how is the integration usually done? Splunk professional services deployment? Integrated by the customer/developers? Pre-built Splunk apps used to access ticketing system API? Combination of some or all those methods?
- Are there any major gotchas / lessons learned you have seen in deployments that we should watch out for?
James B. from Splunk responded with some helpful info:
Here's what I have personally seen.
- Various integrations done with Remedy, ServiceNow, and Archer.
- Integrations with Remedy have been done with the pyARS Python module talking to Remedy's SOAP-based API.
- Integrations with Archer were done via our PS group for several customers.
- Integrations with ServiceNow can be accomplished with our co-developed free app that's available on apps.splunk.com.
An integration with Salesforce should be possible – we have two apps that integrate with SFDC, but neither is creating cases automatically – this would require custom work. Same goes for JIRA. Both of those apps would work today, however, for querying ticket/issue/case history.
If any customers or Splunk employees want to share their knowledge or experiences on this topic, this may be a good thread for it.
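The first use case above (ES creating a ticket and auto-populating its fields from the notable event) sketched as an added example; this is not Splunk's, a vendor app's, or any poster's code. It assumes a custom alert action hands the notable to a script as the JSON payload Splunk writes to stdin (keys `result`, `search_name`, `results_link`), that the notable carries the ES fields `rule_name`, `urgency`, `security_domain`, `src`, `dest` and `event_id`, and that the target ticket API shape (`external_id`, `priority`, `custom_fields`, `attachments`) is hypothetical.

```python
"""Map a Splunk ES notable event to a ticketing-system payload (added example).

Assumptions: the alert-action JSON payload shape and ES notable field names
below are taken from common Splunk conventions; the ticket fields are a
hypothetical API, not any real ticketing product's schema.
"""
import hashlib
import json
import sys

# Constructed sample payload, shaped like what a Splunk custom alert action receives.
SAMPLE_PAYLOAD = {
    "search_name": "Threat - Brute Force Access Behavior Detected - Rule",
    "results_link": "https://splunk.example/app/SplunkEnterpriseSecurity/incident_review",
    "result": {
        "rule_name": "Brute Force Access Behavior Detected",
        "urgency": "high",
        "security_domain": "access",
        "src": "10.0.0.5",          # constructed value
        "dest": "10.0.0.7",         # constructed value
        "event_id": "EXAMPLE0001@@notable@@0123456789abcdef",  # constructed value
        "_time": "1478000000",
    },
}

# ES urgency levels mapped onto a hypothetical 1 (highest) .. 5 (lowest) ticket priority.
URGENCY_TO_PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4, "informational": 5}
REQUIRED = ("rule_name", "urgency", "event_id")


def dedup_key(result):
    """Stable key derived from the notable's event_id, so a re-fired correlation
    search updates the existing ticket instead of opening a duplicate."""
    return hashlib.sha256(result["event_id"].encode()).hexdigest()[:16]


def build_ticket(payload):
    """Build the ticket body; refuses notables missing the fields the ticket needs."""
    result = payload["result"]
    missing = [f for f in REQUIRED if not result.get(f)]
    if missing:
        raise ValueError(f"notable missing fields: {missing}")
    urgency = result["urgency"].lower()
    return {
        "external_id": dedup_key(result),
        "title": f"[Splunk ES] {result['rule_name']} ({urgency})",
        "priority": URGENCY_TO_PRIORITY.get(urgency, 3),  # unknown urgency -> medium
        "custom_fields": {k: result.get(k, "") for k in ("src", "dest", "security_domain")},
        "description": f"Notable {result['event_id']}\nReview: {payload.get('results_link', '')}",
        # Attach the raw notable so the analyst has the source fields inside the ticket.
        "attachments": [{"name": "notable.json", "content": json.dumps(result, sort_keys=True)}],
    }


if __name__ == "__main__":
    # Reads a real payload when piped in; falls back to the constructed sample.
    payload = SAMPLE_PAYLOAD if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(build_ticket(payload), indent=2))
```

Posting the resulting dictionary to the ticketing API, and checking `external_id` before creating rather than updating, is the piece that varies per product and is left to the integration.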
We are using HP Service Manager as our ticketing system. Initially I downloaded the HP app, and after successful integration we can send alerts to HP Service Manager.
Now we want the HP Service Manager ticketing option in our Splunk ES environment. Please share the procedure to accomplish this.
We never used the HP app as I don't believe there was one available in 2016. Our integration was totally custom and done largely by Splunk professional services.
We have since moved away from HP Asset Manager and are now integrating our ticketing system through Phantom.
Sorry I couldn't be more help.
We had some of the same questions when setting up our Splunk ES environment. We use HP Service Manager as our ticketing system and Netcool Omnibus to go between Splunk and Service Manager to accomplish this. We relied heavily on Splunk PS to help with the integration.
It definitely isn't a perfect system, but it works pretty well. We are able to import fields from notable events, and send those tickets to other support groups, or ourselves right from Splunk.
It's definitely possible to do.
Let me know if you have any questions.