Send threats from Splunk UBA to ServiceNow
Create incidents in ServiceNow from threats in Splunk UBA.
You must have a ServiceNow account that Splunk UBA can log into and create incidents.
- Select Manage > Output Connectors.
- Click New Output Connector
- Select ServiceNow and click Next.
- Type a Name to identify the integration inside Splunk UBA.
For example, SOC ticketing system.
- Type a Server Name that matches the host name or IP address of the ServiceNow server.
- Type a username for a ServiceNow account that Splunk UBA can use to log in and create incidents.
- Type the password for the ServiceNow account.
- (Optional) Type a Reported By default user. Leave blank to use Splunk UBA.
- (Optional) Type a Category for all incidents created by Splunk UBA. Leave blank to use Threat, or set no category.
- (Optional) Type a Prefix for the ServiceNow incident number. By default the threats have a prefix of "UBA".
For example, the ServiceNow incident number for a threat with an ID of 82 will be UBA82.
- (Optional) Select the Auto Process check box to send all identified threats to ServiceNow. If you leave the check box deselected, you can use the Actions menu on a threat to send it to ServiceNow.
- Click OK to save the output connector.
Send Splunk UBA threats to analysts using email
Troubleshoot Splunk UBA event processing
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 220.127.116.11, 5.0.5, 18.104.22.168, 5.1.0, 22.214.171.124, 5.2.0, 5.3.0