Splunk Enterprise Security

What are the differences between the Splunk App for ServiceNow and ServiceNow Security Operations?

nychawk
Communicator

Hello;

I am running Splunk Enterprise Security and would like to enable security events to trigger events in Service Now, and create a ServiceNow ticket.
I would like to also allow users and other non-ES applications to create ServiceNow tickets.

I was wondering what the differences between this app, and https://splunkbase.splunk.com/app/3192/ are?

Incidentally, I am running Helsinki; in case that matters.

0 Karma

jconger
Splunk Employee
Splunk Employee

The Splunk Add-on for ServiceNow and the Splunk App for ServiceNow are built and supported by Splunk. The ServiceNow Security Operations app was built by ServiceNow. The Helsinki release of ServiceNow introduced a different class of incidents and events that were more geared toward security rather than general. These integration endpoints for these classes of of incidents and events are different. So, ServiceNow created an app to integrate directly with these.

Check out the release notes for Helsinki here where the Splunk integration is mentioned -> https://docs.servicenow.com/bundle/helsinki-release-notes/page/release-notes/security-operations/r_S...

Summary:
The Splunk Add-on for ServiceNow is the foundation that collects data from ServiceNow and integrates with their APIs. There is very little user interface involved here and no out-of-the-box intelligence about the data. This add-on is built and supported by Splunk.

The Splunk App for ServiceNow depends on the Splunk Add-on for ServiceNow to collect data. The Splunk App for ServiceNow has out-of-the-box intelligence about the ServiceNow data and several dashboards. This app is built and supported by Splunk.

The ServiceNow Security Operations app adds security-specific incident and event integration. This app is Splunk Certified, but it is built and supported by ServiceNow.

goodsellt
Contributor

I've been playing with both, it seems the security app is more focused as a "alert action" or ES action item for notable events. The Splunk app and addon for ServiceNow seem to be focused on monitoring your servicenow environment using Splunk similar to other apps (such as the infrastructure focused apps), and working as an alternative to SNOWs reporting and performance analytics items. It also has the added benefits of creating incidents and events, though I don't think it is as refined as the "Security" app (but it is only for incidents).

I'm definitely interested to hear about this from an expert though. In my experience so far, if you're very good with the SNOW app for Splunk then you don't need to use the Security app, however the Security app is much easier to setup and use. In my situation, I'm planning on using the SNOW app on our "regular" search head for all of those items, but using the "Security" SNOW app on the ES search head to save time and resources on the devices.

0 Karma

nychawk
Communicator

My thoughts exactly, but my Service Now in house SME states that the Service Now Security Operations app requires a Service Now add on we do not have. Looking for feedback on what Service Now side apps the Splunk app requires.

0 Karma

ppablo
Retired

Thanks for the info. I added the official app tags for Splunk Enterprise Security and Splunk App for ServiceNow to get more visibility on you question. Hope you find an answer soon!

Patrick

0 Karma

ppablo
Retired

Hi @nychawk

To clarify for other users, are you trying to compare ServiceNow Security Operations with the Splunk App for ServiceNow? or are you trying to compare ServiceNow Security Operations with Splunk Enterprise Security?

0 Karma

nychawk
Communicator

I am looking for differences between ServiceNow Security Operations and the Splunk App for ServiceNow

Both of these allow creation of new tickets, the second one above seems to a lot of work to implement, the first I "believe" requires a Snow add on, not sure

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...