"Splunk ES Integration for Security Operations" Integration: Security Incidents Are Not Being Created in the SN Instances as Expected

Description

When using the "Splunk ES Integration for Security Operations" integration, Security Incidents were not being created in the ServiceNow (SN) instances as expected.

On the Splunk side, Notable IDs are created, but there are no entries for these Notable IDs in the instance's import set table sn_sec_splunkes_event_import.

Because these records never reach the import set table, no Security Incidents can be created for them.

Release or Environment

Applies to the "Splunk ES Integration for Security Operations" integration on versions below 10.4.0.

Cause

These Notable IDs are missing because of a delay between a notable event being created in Splunk and that event being indexed (and therefore searchable). When ServiceNow's Splunk ES integration made its REST call to Splunk, the REST API did not yet return these notable events, so they were missed by the instance.

This is a known issue with Splunk, and an enhancement was made in release 10.4.0 of the Splunk ES Integration for Security Operations to handle it by pulling notables in subsequent polls if they were missed the first time.
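The following simulation is an added illustration and is not the plugin's own code. It models the mechanism described above: a notable becomes visible to a REST search only after it has been indexed, so a poller that asks only for events created since its previous poll never requests a late-indexed notable again, while a poller that re-queries an overlapping lookback window (bounded here to the seven days the integration uses) and dedupes on Notable ID picks it up on a later poll. The event data, poll interval and the exact query strategy of both pollers are constructed assumptions for the example.

```python
"""Model of the notable-event polling gap and the overlapping-lookback fix.

Constructed data: each notable records when it was created in Splunk and when
it became searchable (indexed). A poll issued at time `now` can only see
notables whose indexed_at <= now, which is what the REST API can return then.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Notable:
    notable_id: str
    created_at: datetime
    indexed_at: datetime

T0 = datetime(2024, 1, 1, 12, 0, 0)          # constructed base time
POLL_INTERVAL = timedelta(minutes=5)         # assumed poll cadence
MAX_LOOKBACK = timedelta(days=7)             # integration only pulls notables created in the last 7 days

# Constructed sample. "B" is indexed 8 minutes after creation, so it is not yet
# visible when the poll covering its creation time runs. "D" was created more
# than seven days ago and so falls outside the integration's window entirely.
SAMPLE = [
    Notable("A", T0 + timedelta(minutes=1), T0 + timedelta(minutes=1, seconds=5)),
    Notable("B", T0 + timedelta(minutes=2), T0 + timedelta(minutes=10)),
    Notable("C", T0 + timedelta(minutes=7), T0 + timedelta(minutes=7, seconds=3)),
    Notable("D", T0 - timedelta(days=8), T0 - timedelta(days=8) + timedelta(seconds=5)),
]

def rest_search(events, created_from, created_to, now):
    """Simplified model of the Splunk REST search: notables created within
    [created_from, created_to) that are already indexed at time `now`."""
    return [e for e in events
            if created_from <= e.created_at < created_to and e.indexed_at <= now]

def poll_since_last(events, polls):
    """Pre-fix behaviour as modelled here: each poll requests only notables
    created since the previous poll. A notable indexed after that window has
    been polled is never requested again, so it is lost."""
    seen = []
    last = T0
    for i in range(1, polls + 1):
        now = T0 + i * POLL_INTERVAL
        for e in rest_search(events, last, now, now):
            seen.append(e.notable_id)
        last = now
    return seen

def poll_with_lookback(events, polls, import_set=None):
    """Post-fix behaviour as modelled here: every poll re-requests the whole
    lookback window and dedupes against the import set keyed on Notable ID,
    so a late-indexed notable is imported on a subsequent poll."""
    import_set = {} if import_set is None else import_set
    for i in range(1, polls + 1):
        now = T0 + i * POLL_INTERVAL
        for e in rest_search(events, now - MAX_LOOKBACK, now, now):
            if e.notable_id not in import_set:
                import_set[e.notable_id] = now   # time of first import
    return import_set

if __name__ == "__main__":
    print("since-last poller imported:", poll_since_last(SAMPLE, 3))
    print("lookback poller imported:", sorted(poll_with_lookback(SAMPLE, 3)))
```

Running the block shows the since-last poller importing only A and C, while the lookback poller imports A, B and C (B on the second poll, once it is indexed); D is excluded by both because it is older than the seven-day window, which is why the note under Resolution matters when checking an affected Notable ID.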


Resolution

Upgrade the "Splunk ES Integration for Security Operations" plugin on the instance to version 10.4.0 or later to address this issue.

Store link for "Splunk ES Integration for Security Operations" release 10.4.0: https://store.servicenow.com/sn_appstore_store.do#!/store/application/b603f357e556f300a36baaf2972ed766/10.4.0

Note: Ensure that the affected Notable ID(s) were created within the past seven days, as the Splunk ES integration only pulls notable events created in the last seven days.

The Release Notes on that store page mention the enhancement described above (the original article includes a screenshot of them).