Notable creation as ServiceNow Incident:- The reverse integration between ServiceNow and Splunk for incident management can be achieved using an out-of-the-box method.
To send specific notable events from the Enterprise Security Incident Review page for investigation, an add-on called the ServiceNow Security Operations Add-on is available. This add-on allows Splunk ES analysts to create security-related incidents and events in ServiceNow. It features on-demand single ServiceNow event or incident creation from Splunk Event Scheduled Alerts, enabling the creation of both single and multiple ServiceNow events and incidents.
Another approach is to customize the Splunk Add-on for ServiceNow by modifying the /opt/splunk/etc/apps/Splunk_TA_snow/local/alert_actions.conf file with the following configuration, which should be applied to your deployer and pushed to your Search Head Cluster (SHC):
[snow_incident]
param._cam = {\
"category": ["others"],\
"task": ["others"],\
"subject": ["others"],\
"technology": [{"vendor": "unknown", "product": "unknown"}],\
"supports_adhoc": true\
}
param.state = 1
param.correlation_id = $job.sid$
param.configuration_item = splunk
param.contact_type =
param.assignment_group =
param.category =
param.subcategory =
param.account = splunk_integration
param.short_description =
Note: Using both add-ons will facilitate sending notables to the ServiceNow Incident Review.
2. Notable Closure:- Updating Splunk Notables When Incidents Are Opened or Closed in ServiceNow (Need to Configure at ServiceNow)
Step 1: Create an Outbound REST Message in ServiceNow
- Navigate to System Web Services > Outbound > REST Message in your ServiceNow instance.
- Click New to create a new REST message.
- Name the message and specify the endpoint, which should be the URL of your Splunk instance.
Step 2: Define HTTP Methods
- In the new REST message, go to the HTTP Methods related list.
- Create a new record and select the appropriate HTTP method (usually POST).
- In the Endpoint field, add the specific API endpoint for updating notables.
Step 3: Define Headers and Parameters
- If your Splunk instance requires specific headers or parameters, define them in this step.
- For example, you may need to set authentication headers or other required parameters.
Step 4: Create a Business Rule
- Navigate to System Definition > Business Rules in ServiceNow.
- Create a new business rule:
- Set the table to Incident.
- Define the conditions to trigger the rule, typically "After" an insert or update when the incident state changes to "Closed."
- In the Advanced tab, write a script to send the REST message when the specified conditions are met. Here’s a sample script:
// Sample script to send the REST message
var restMessage = new sn_ws.RESTMessageV2();
restMessage.setHttpMethod('POST'); // or 'PUT'
restMessage.setEndpoint('https://your-splunk-instance/api/update_notables'); // Update with your endpoint
restMessage.setRequestHeader('Content-Type', 'application/json');
restMessage.setRequestHeader('Authorization', 'Bearer your_api_token'); // If required
var requestBody = {
"incident_id": current.sys_id,
"state": current.state,
// Add other relevant fields here
};
restMessage.setRequestBody(JSON.stringify(requestBody));
var response = restMessage.execute();
var responseBody = response.getBody();
var httpStatus = response.getStatusCode();
// Handle the response as needed
Step 5: Test the Integration
- Close an incident in ServiceNow and verify whether the corresponding alert is also closed in Splunk.
- Ensure that you replace 'Your REST Message' and 'Your HTTP Method' with the actual names you provided when creating the REST message. Adjust parameters and headers as required by your Splunk instance's API.
Additional Configuration
- To properly configure the REST call for updating notables in Splunk, ensure you pass the necessary parameters and headers, particularly the ruleID as mentioned in below document.
NotableEventAPIreference /services/notable_update. - Splunk Notable Update Endpoint
https://<host>:<mPort>/services/notable_update
If this reply is helpful, karma would be appreciated 🙂.
