Send threats from Splunk UBA to ServiceNow
Create incidents in ServiceNow from threats in Splunk UBA.
You must have a ServiceNow account that Splunk UBA can use to log in and create incidents.
Steps
Complete the following steps to send threats from Splunk UBA to ServiceNow:
- Select Manage > Output Connectors.
- Click New Output Connector.
- Select ServiceNow and click Next.
- Enter a Name to identify the integration inside Splunk UBA. For example, SOC ticketing system.
- Enter a Server Name that matches the host name or IP address of the ServiceNow server.
- Enter a username for a ServiceNow account that Splunk UBA can use to log in and create incidents.
- Enter the password for the ServiceNow account.
- (Optional) Type a Reported By default user. Leave blank to use Splunk UBA.
- (Optional) Type a Category for all incidents created by Splunk UBA. Leave blank to use Threat, or set no category.
- (Optional) Type a Prefix for the ServiceNow incident number. By default the threats have a prefix of "UBA". For example, the ServiceNow incident number for a threat with an ID of 82 will be UBA82.
- (Optional) Select the Auto Process check box to send all identified threats to ServiceNow. If you leave the check box deselected, you can use the Actions menu on a threat to send it to ServiceNow.
- Click OK to save the output connector.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1