Send threats from Splunk UBA to ServiceNow
Create incidents in ServiceNow from threats in Splunk UBA.
Prerequisites
You must have a ServiceNow account that Splunk UBA can use to log in and create incidents.
Steps
- Select Manage > Output Connectors.
- Click New Output Connector.
- Select ServiceNow and click Next.
- Type a Name to identify the integration inside Splunk UBA. For example, SOC ticketing system.
- Type a Server Name that matches the host name or IP address of the ServiceNow server.
- Type a username for a ServiceNow account that Splunk UBA can use to log in and create incidents.
- Type the password for the ServiceNow account.
- (Optional) Type a Reported By default user. Leave blank to use Splunk UBA.
- (Optional) Type a Category for all incidents created by Splunk UBA. Leave blank to use Threat, or set no category.
- (Optional) Type a Prefix for the ServiceNow incident number. By default the threats have a prefix of "UBA". For example, the ServiceNow incident number for a threat with an ID of 82 will be UBA82.
- (Optional) Select the Auto Process check box to send all identified threats to ServiceNow. If you leave the check box deselected, you can use the Actions menu on a threat to send it to ServiceNow.
- Click OK to save the output connector.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0