Hi,
The notable event framework used in Splunk Apps for Enterprise Security or PCI Compliance is intended to provide basic tracking capabilities for security incidents, but it is not intended to replace more full featured systems for ticket management. There are several potential integrations between the two which are of interest.
1) At the simplest level, one might determine that a given correlation search produces notable events that are valuable for operations but do not demand the attention of a security analyst. These operationalized correlation searches can be modified to set an automatic status and ownership, then send an alert into the service desk or ticket system. Alerts may be forwarded in several ways, but for this use case simple email tends to suffice.
2) A more complex solution is to offer a security analyst the ability to send a given notable event into the ticket system or service desk. In this case, a Splunk workflow action is a good solution for executing a command or search. This workflow action will then send a basic set of information which is easily used to link back to the notable event in Splunk App for Enterprise Security or PCI Compliance. Email or REST APIs work equally well for this.
3) The most complex solution available is to bidirectionally link a notable event to a ticket or incident. In this case, a workflow action is used to initiate the relationship from Splunk to the ticket system; however, the other system must respond with an identifier which allows the ticket or incident to be found again. The resulting link can then be added to the notable event, either as a comment or as a custom field for rendering in a custom interface. Splunk can do this sort of work, but the implementations can be very site and product specific.
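As an added illustration of option 3 (not code from the original post), the round trip looks like this in Python: push a small, stable set of fields about the notable event to the ticket system, take the identifier it returns, and write that identifier back into the notable's comments. The hostnames, token, the ticket API (`/incidents` returning `{"id": ...}`), the sample `event_id`, and the use of the ES `notable_update` endpoint with a `ruleUIDs` parameter are all assumptions; check them against your own ES version before use.

```python
import json
from urllib import parse, request

SPLUNK_BASE = "https://splunk.example.internal:8089"   # placeholder host
TICKET_BASE = "https://tickets.example.internal/api"   # hypothetical ticket API
SPLUNK_TOKEN = "PLACEHOLDER-SPLUNK-TOKEN"              # placeholder credential


def http_post(url, data, headers):
    """Plain urllib POST; JSON body if requested, form-encoded otherwise."""
    if headers.get("Content-Type") == "application/json":
        body = json.dumps(data).encode()
    else:
        body = parse.urlencode(data).encode()
    req = request.Request(url, data=body, headers=headers, method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def build_ticket_payload(notable):
    """Minimal set of fields that lets the ticket link back to the notable event."""
    return {
        "title": f"[Splunk ES] {notable['rule_name']}",
        "severity": notable["urgency"],
        "external_id": notable["event_id"],  # the notable's unique id in ES
        # a search an analyst can paste into Splunk to find the notable again
        "splunk_search": f'`notable` | search event_id="{notable["event_id"]}"',
    }


def open_ticket(notable, post=http_post):
    """Create the ticket; the ticket system must answer with its own identifier."""
    resp = post(f"{TICKET_BASE}/incidents", build_ticket_payload(notable),
                {"Content-Type": "application/json"})
    return resp["id"]


def comment_on_notable(event_id, ticket_id, post=http_post):
    """Write the ticket id into the notable's comments (assumed ES endpoint/params)."""
    comment = f"Linked ticket: {ticket_id} ({TICKET_BASE}/incidents/{ticket_id})"
    post(f"{SPLUNK_BASE}/services/notable_update",
         {"ruleUIDs": event_id, "comment": comment},
         {"Authorization": f"Bearer {SPLUNK_TOKEN}"})
    return comment


def link_notable_to_ticket(notable, post=http_post):
    """Full round trip Splunk -> ticket system -> Splunk; returns (ticket_id, comment)."""
    ticket_id = open_ticket(notable, post)
    return ticket_id, comment_on_notable(notable["event_id"], ticket_id, post)
```

The `post` parameter exists so the transport can be swapped for a recording stub when testing the flow offline, or for a workflow-action runner that already carries Splunk's session key.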