correct. logs from my change mgmt software - ServiceNow are being pulled into splunk as well. trying to match those as best as i can to alerts . e.g a user added to my Domain Admin group

I don't have a solution specifically for Splunk and I'm also assuming ServiceNow does more than change management, like work orders, asset tracking, and project management?

We currently use our work order system to email out to specific stakeholders on who needs to be notified of the ticket status/resolution. So for this example, we would add the SOC email address for notification of ticket statuses. When the ticket was completed the work order system would generate an email to the SOC. The SOC would then keep a record of it for reference later if need be.

I'd also be interested if someone else has this all automated together, from initial user request, supervisor approval, work completed, and automatically logged into a SIEM to correlate the event alerts.

Just curious, how much time does it take to cross reference that manually? How much time would that save over a set period of time?

@tmekelburg1   You could use Change Tracker R2 to correlate with the chosen SIEM, including integrity checking on specific components, folders, and files etc. 

 

https://www.newnettechnologies.com/change-tracker-gen-7.html

 

Which can also be wholly independent and objective for audit and tracking purposes.

 

Also uses a lot of automation under the hood.

 

Regards

 

Caute_cautim

Thanks Caute! Do you have personal experience with this one or another similar solution? What's your current process to help correlate these together?

highly unlikely mgmt will approve any new purchases given the current environment. i have to make do with the tools i already have

I would see if their support could walk you through setting that up. Or at the very least they could let you know it's not possible with their current products.