Ivanti have developed an integration for ISM and Splunk to provide details of Incident, Service Request and Problem records, as well as providing an alert action for using the ISM REST API to create an incident in ISM. The add-on also supports the creation of a Security Incident in ISM if the Security Operations content package has been installed in the target ISM instance.
This Technology Add-On (TA) requires either an API key (2019.3 or later) or username/password of an account capable of querying the REST API implemented in Ivanti ISM 2018.3 and later.
An accompanying app - the Ivanti ISM App for Splunk (https://splunkbase.splunk.com/app/4654/) provides dashboards that visualise the retrieved data and implement the 3 CIM Ticket Management data sets; incident, change and problem.
This TA has been developed and tested against the latest release of Splunk available at the time of development: 126.96.36.199. The inputs should work against Ivanti ISM 2019.2 or later. API key authentication requires ISM 2019.3 or later.
For ingestion of incident/service request/problem data, install the TA on an instance of Splunk Enterprise capable of running modular inputs. Typically this would be a heavy forwarder or Splunk Cloud-hosted Inputs Data Manager (IDM).
Install the Ivanti ISM App for Splunk (https://splunkbase.splunk.com/app/4654/) on search heads for dashboards and CIM-compliant tagging and field aliases.
For the custom alert action that generates an incident in ISM, install the TA on a search head or search head cluster.
For further guidance around ingestion refer to the Splunk 'Getting Data In' (https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain) or Cloud-focused GDI documentation (https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/IntroGDI).
Configure the TA with the URL of your ISM tenant/server and provide either a) an API key for the ISM Rest API or b) the username and password of a user with appropriate rights in ISM. The Service Desk Analyst role should suffice for both polling tickets and creating incidents
To ingest data from ISM, create inputs for the required business object; incidents, service requests or problems. Configure a polling interval to meet your reporting requirements.
When configuring an alert to generate a new incident, a valid employee LoginID must be provided. It is recommended that a generic account e.g. 'splunk.alerts' or 'security.alerts' be created in ISM, rather than the LoginID of a specific user. Note that the Internal Services account cannot be used for the creation of incidents.
To configure an alert action to generate a Security Incident, check the appropriate checkbox when configuring the alert action. This will cause the TA to create an instance of the new (2020) Security Incident business object rather than the standard Incident object.
Create a new alert (Splunk Enterprise) or configure a new alert as an Adaptive Response action in a Correlation Search (Enterprise Security).
Use the add-on's UI to configure a logging level of Debug when troubleshooting.
Search using index=_internal sourcetype="taivantiism:log" to see errors logged by the ISM TA during ingestion.
Search using index=_internal source="create_an_incident_in_ism_modalert.log" to see errors logged by the alert action.
For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact
Addressed concerns raised during Splunk Cloud vetting.
Rebuilt using Add-On Builder v4 to address jQuery and Python dependency issues.
Uploaded to github from latest SplunkBase release and fixed issue where password redaction was affecting the payload.
New icons and debug statements.
Rebuilt add-on (1.0.0) and turned off indexed_extractions (1.0.2)
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.