Splunk Enterprise Security

Splunk Enterprise Security and Splunk App/Add-on for ServiceNow: How to dreate SNOW incidents from ES incidents?


Using the latest Splunk Entperirse Security and Splunk App/Add-on for ServiceNow.

I'm trying to get incidents in ES to push over to ServiceNow. Has anyone been successful with doing so? I've tried using the snow_incident.py script and have tried modifying the searches in correlations to use the custom search option passing the required fields.

I didn't see a way to integrate the snow custom alerts to anything in ES either. Just looking for some direction or tips on how to facilitate this.

Any help is greatly appreciated!

Path Finder

Hi,I assume you want to send an event to SNOW to create an incident.

The best thing is to save your query as an alert.

Once done that in the trigger action column in alerts,you'll find an action as "SNOW incident managment".

through this you can send your events from an alert to SNOW.

Assume,you have many rows of data like hostname,usage,which can be sent by mentioning it as $result.ur fieldname$

0 Karma

0 Karma

Splunk Employee
Splunk Employee

I have heard that if you can successfully do so using the custom search commands. Are you having any problem doing so? If so,, whats the error?

0 Karma

Splunk Employee
Splunk Employee

can you put the script name directly ?
example: snow_incident_m.py

and add the Splunk_TA_snow as an import on ES.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!