
Ivanti Service Manager Add-On for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgrades here.
The Ivanti Service Manager Add-on for Splunk enables a Splunk administrator to gather data from Service Manager and create Service Manager incidents from Splunk.

You can import incidents, service requests, and problems from Ivanti Service Manager via Service Manager REST APIs. You can view the data using the pre-built dashboards included with the Ivanti Service Manager App for Splunk. This add-on also allows Splunk administrators to use custom commands, alert actions, and scripts to create new incidents in your Service Manager instance, as well as update the incidents created from the Splunk platform.

This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

Supported Versions of Ivanti Service Manager
- Ivanti Service Manager Cloud
- Ivanti Service Manager On-Premises 2018.1 or later

Overview

Ivanti have developed an integration for ISM and Splunk to provide details of Incident, Service Request and Problem records, as well as providing an alert action for using the ISM REST API to create an incident in ISM. The add-on also supports the creation of a Security Incident in ISM if the Security Operations content package has been installed in the target ISM instance.

This Technology Add-On (TA) requires either an API key (2019.3 or later) or username/password of an account capable of querying the REST API implemented in Ivanti ISM 2018.3 and later.

An accompanying app, the Ivanti ISM App for Splunk (https://splunkbase.splunk.com/app/4654/), provides dashboards that visualise the retrieved data and implement the 3 CIM Ticket Management data sets: incident, change and problem.

Requirements

This TA has been developed and tested against the latest release of Splunk available at the time of development: 8.0.4.1. The inputs should work against Ivanti ISM 2019.2 or later. API key authentication requires ISM 2019.3 or later.

Installation

For ingestion of incident/service request/problem data, install the TA on an instance of Splunk Enterprise capable of running modular inputs. Typically this would be a heavy forwarder or Splunk Cloud-hosted Inputs Data Manager (IDM).

Install the Ivanti ISM App for Splunk (https://splunkbase.splunk.com/app/4654/) on search heads for dashboards and CIM-compliant tagging and field aliases.

For the custom alert action that generates an incident in ISM, install the TA on a search head or search head cluster.

For further guidance around ingestion refer to the Splunk 'Getting Data In' (https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain) or Cloud-focused GDI documentation (https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/IntroGDI).

Configuration

Configure the TA with the URL of your ISM tenant/server and provide either a) an API key for the ISM REST API or b) the username and password of a user with appropriate rights in ISM. The Service Desk Analyst role should suffice for both polling tickets and creating incidents.

To ingest data from ISM, create inputs for the required business object: incidents, service requests or problems. Configure a polling interval to meet your reporting requirements.

When configuring an alert to generate a new incident, a valid employee LoginID must be provided. It is recommended that a generic account, e.g. 'splunk.alerts' or 'security.alerts', be created in ISM, rather than using the LoginID of a specific user. Note that the Internal Services account cannot be used for the creation of incidents.

To configure an alert action to generate a Security Incident, check the appropriate checkbox when configuring the alert action. This will cause the TA to create an instance of the new (2020) Security Incident business object rather than the standard Incident object.

Configuration workflow in ISM

  1. Create an API key (recommended over the use of username/password)
  2. If using the TA for alerting, create a generic account to be used for new incidents created from Splunk (recommended over using an existing user account)

Configuration workflow in Splunk - Ingestion

  1. Install the TA
  2. Browse to the TA in Splunk Web and select the Configuration tab, then Add-On Settings
  3. Provide the Tenant URL, e.g. https://apacdemo1-try.saasitau.com. Include the protocol (http/https) and the port if non-standard
  4. Provide either an API key (e.g. 1A8AE0B10C95FE8C135464F5ED38FBFA) or Username and Password
  5. Provide the Role if not using API key for authentication
  6. Leave the box checked for server certificate verification unless disabling it is absolutely required, e.g. when targeting a test instance with a self-signed cert
  7. Go to the Inputs tab and set up one or more inputs, e.g.
  8. Create New Input
  9. Name: acme_ism_incidents
  10. Interval: 600
  11. Index: ISM (any valid Splunk index can be used)
  12. Parameters: leave as the default unless a different filter is required. The default filter for incidents, for example, queries the state of all Active and Logged incidents
  13. Wait for the first poll, then view results either by using the ISM App (https://splunkbase.splunk.com/app/4654/) or by searching manually, e.g. index=main sourcetype=ivanti:ism:incident

Configuration workflow in Splunk - Alert creation

Create a new alert (Splunk Enterprise) or configure a new alert as an Adaptive Response action in a Correlation Search (Enterprise Security).

Troubleshooting

Use the add-on's UI to configure a logging level of Debug when troubleshooting.

Search using index=_internal sourcetype="taivantiism:log" to see errors logged by the ISM TA during ingestion.

Search using index=_internal source="create_an_incident_in_ism_modalert.log" to see errors logged by the alert action.
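With the logging level set to Debug, request payloads reach the log, and the 1.2.0 release note below records a bug where redacting the password for the log also altered the payload sent to ISM. The following is an added example, not the add-on's code, of the safe pattern: redact a copy for logging and send the original untouched. The secret field names and the login-style payload shape are assumptions.

```python
import json
import logging

# Field names whose values must be masked before logging. These names are an
# assumption for this example; the page does not list the add-on's own fields.
SECRET_KEYS = frozenset({"password", "api_key", "rest_api_key", "authorization"})
MASK = "********"

log = logging.getLogger("ivanti_ism_example")


def redact(obj):
    """Return a masked deep copy of obj; the object passed in is never modified."""
    if isinstance(obj, dict):
        return {k: MASK if str(k).lower() in SECRET_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj  # scalars (str, int, bool, None) are immutable, safe to share


def redact_in_place(payload):
    """The failure mode the 1.2.0 note describes (reconstructed, not the
    add-on's code): masking the very dict that is later sent to ISM, so the
    request goes out with the mask string instead of the real password."""
    for key in list(payload):
        if str(key).lower() in SECRET_KEYS:
            payload[key] = MASK
    return payload


def prepare_request(payload):
    """Build the JSON body to send and the line that would reach the debug log.
    Only the log line is built from the redacted copy."""
    log_line = "request payload: " + json.dumps(redact(payload), sort_keys=True)
    log.debug(log_line)
    body = json.dumps(payload, sort_keys=True)
    return log_line, body


# Constructed sample in the shape of a username/password login request.
SAMPLE = {"tenant": "example-tenant", "username": "splunk.alerts",
          "password": "s3cret-value", "role": "Service Desk Analyst"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    line, sent = prepare_request(SAMPLE)
    print("logged:", line)
    print("sent:  ", sent)
```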

Support

For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact

Products Supported

  • Ivanti ISM 2019.3 onwards

Authors

Intalock (www.intalock.com.au)

  • Greg Ford

Release Notes

Version 1.1.9

  • New: Support for ISM Security Incident creation as an alert action

Version 1.1.x

  • New: Support for ISM Problems input
  • New: Support for API key as an alternative to username:password for auth
  • New: Option to enforce SSL server cert checks (enabled by default)

Release Notes

Version 1.2.0
May 5, 2021

Uploaded to GitHub from the latest Splunkbase release and fixed an issue where password redaction was affecting the payload.

Version 1.1.9
Aug. 19, 2020

New icons and debug statements.

Version 1.1.8
July 7, 2020

- New: Ivanti Logo
- New: Create incidents
- New: Import problems
- New: Support for Splunk versions 8.0
- New: CIM compliance
- New: Support for API key as an alternative to username:password for auth
- New: Option to enforce SSL server cert checks (enabled by default)

Version 1.1.7
July 6, 2020

Version 1.0.2
Aug. 27, 2019

Rebuilt add-on (1.0.0) and turned off indexed_extractions (1.0.2)

Version 1.0.1
Aug. 27, 2019

Version 1.0.0
Aug. 22, 2019

- New: Import incidents
- New: Import change requests

26
Installs
181
Downloads
