Splunk Enterprise Security

Update a notable once an incident is opened or closed in ServiceNow

niks987
Explorer

Hi All,

Hope you all are doing well.

I am very new to Splunk Enterprise security, and i need your help  to understand how i can create a reverse integration with ServiceNow.

So we are using ServiceNow Security Operation Integration to manually create incidents in ServiceNow for notables.

We have a new ask from SOC to update the notables when the incidents are being created and closed in ServiceNow.

We are using Splunk enterprise and wanted to know what endpoints we need to provide so that we can achieve reverse communication. I have created a user in splunk who has access to edit notables but i am not sure what endpoint i need to provide, is it just the url of my instance or do i need to add any services as well.

Please let me know if you have any other questions.

Thanks in advance.

Labels (1)
0 Karma

AbhishekD
Engager

Notable creation as ServiceNow Incident:- The reverse integration between ServiceNow and Splunk for incident management can be achieved using an out-of-the-box method.

  • To send specific notable events from the Enterprise Security Incident Review page for investigation, an add-on called the ServiceNow Security Operations Add-on is available. This add-on allows Splunk ES analysts to create security-related incidents and events in ServiceNow. It features on-demand single ServiceNow event or incident creation from Splunk Event Scheduled Alerts, enabling the creation of both single and multiple ServiceNow events and incidents.

  • Another approach is to customize the Splunk Add-on for ServiceNow by modifying the /opt/splunk/etc/apps/Splunk_TA_snow/local/alert_actions.conf file with the following configuration, which should be applied to your deployer and pushed to your Search Head Cluster (SHC):

 

 

[snow_incident]
param._cam = {\
"category": ["others"],\
"task": ["others"],\
"subject": ["others"],\
"technology": [{"vendor": "unknown", "product": "unknown"}],\
"supports_adhoc": true\
}
param.state = 1
param.correlation_id = $job.sid$
param.configuration_item = splunk
param.contact_type = 
param.assignment_group = 
param.category = 
param.subcategory = 
param.account = splunk_integration
param.short_description = 

 

  • All the param.* fields can be hardcoded in this configuration file to prepopulate the ad hoc invocation, if that is your preference. If you need any further assistance, please let me know.

Note: Using both add-ons will facilitate sending notables to the ServiceNow Incident Review.

2. Notable Closure:- Updating Splunk Notables When Incidents Are Opened or Closed in ServiceNow (Need to Configure at ServiceNow)

Step 1: Create an Outbound REST Message in ServiceNow

  • Navigate to System Web Services > Outbound > REST Message in your ServiceNow instance.
  • Click New to create a new REST message.
  • Name the message and specify the endpoint, which should be the URL of your Splunk instance.

Step 2: Define HTTP Methods

  • In the new REST message, go to the HTTP Methods related list.
  • Create a new record and select the appropriate HTTP method (usually POST).
  • In the Endpoint field, add the specific API endpoint for updating notables.

Step 3: Define Headers and Parameters

  • If your Splunk instance requires specific headers or parameters, define them in this step.
  • For example, you may need to set authentication headers or other required parameters.

Step 4: Create a Business Rule

  • Navigate to System Definition > Business Rules in ServiceNow.
  • Create a new business rule:
    • Set the table to Incident.
    • Define the conditions to trigger the rule, typically "After" an insert or update when the incident state changes to "Closed."
  • In the Advanced tab, write a script to send the REST message when the specified conditions are met. Here’s a sample script:

 

// Sample script to send the REST message
var restMessage = new sn_ws.RESTMessageV2();
restMessage.setHttpMethod('POST'); // or 'PUT'
restMessage.setEndpoint('https://your-splunk-instance/api/update_notables'); // Update with your endpoint
restMessage.setRequestHeader('Content-Type', 'application/json');
restMessage.setRequestHeader('Authorization', 'Bearer your_api_token'); // If required

var requestBody = {
    "incident_id": current.sys_id,
    "state": current.state,
    // Add other relevant fields here
};

restMessage.setRequestBody(JSON.stringify(requestBody));

var response = restMessage.execute();
var responseBody = response.getBody();
var httpStatus = response.getStatusCode();

// Handle the response as needed

 

Step 5: Test the Integration

  • Close an incident in ServiceNow and verify whether the corresponding alert is also closed in Splunk.
  • Ensure that you replace 'Your REST Message' and 'Your HTTP Method' with the actual names you provided when creating the REST message. Adjust parameters and headers as required by your Splunk instance's API.

Additional Configuration

  • To properly configure the REST call for updating notables in Splunk, ensure you pass the necessary parameters and headers, particularly the ruleID as  mentioned in below document.

    NotableEventAPIreference /services/notable_update. 
  • Splunk Notable Update Endpoint
    • Endpoint URL: 

 

https://<host>:<mPort>/services/notable_update​

 

  • HTTP Method: POST

If this reply is helpful, karma would be appreciated 🙂.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...