Overview

Details

The Ivanti Service Manager Add-on for Splunk enables a Splunk administrator to gather data from Service Manager and create Service Manager incidents from Splunk.

You can import incidents, service requests, and problems from Ivanti Service Manager via Service Manager REST APIs. You can view the data using the pre-built dashboards included with the Ivanti Service Manager App for Splunk. This add-on also allows Splunk administrators to use custom commands, alert actions, and scripts to create new incidents in your Service Manager instance, as well as update the incidents created from the Splunk platform.

This add-on provides the inputs and CIM-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

Supported Versions of Ivanti Service Manager
- Ivanti Service Manager Cloud
- Ivanti Service Manager On-Premises 2018.1 or later

Overview

Ivanti have developed an integration for ISM and Splunk to provide details of Incident, Service Request and Problem records, as well as providing an alert action for using the ISM REST API to create an incident in ISM. The add-on also supports the creation of a Security Incident in ISM if the Security Operations content package has been installed in the target ISM instance.

This Technology Add-On (TA) requires either an API key (2019.3 or later) or username/password of an account capable of querying the REST API implemented in Ivanti ISM 2018.3 and later.

An accompanying app - the Ivanti ISM App for Splunk (https://splunkbase.splunk.com/app/4654/) provides dashboards that visualise the retrieved data and implement the 3 CIM Ticket Management data sets; incident, change and problem.

Requirements

This TA has been developed and tested against the latest release of Splunk available at the time of development: 8.0.4.1. The inputs should work against Ivanti ISM 2019.2 or later. API key authentication requires ISM 2019.3 or later.

Installation

For ingestion of incident/service request/problem data, install the TA on an instance of Splunk Enterprise capable of running modular inputs. Typically this would be a heavy forwarder or Splunk Cloud-hosted Inputs Data Manager (IDM).

Install the Ivanti ISM App for Splunk (https://splunkbase.splunk.com/app/4654/) on search heads for dashboards and CIM-compliant tagging and field aliases.

For the custom alert action that generates an incident in ISM, install the TA on a search head or search head cluster.

For further guidance around ingestion refer to the Splunk 'Getting Data In' (https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain) or Cloud-focused GDI documentation (https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/IntroGDI).

Configuration

Configure the TA with the URL of your ISM tenant/server and provide either a) an API key for the ISM Rest API or b) the username and password of a user with appropriate rights in ISM. The Service Desk Analyst role should suffice for both polling tickets and creating incidents

To ingest data from ISM, create inputs for the required business object; incidents, service requests or problems. Configure a polling interval to meet your reporting requirements.

When configuring an alert to generate a new incident, a valid employee LoginID must be provided. It is recommended that a generic account e.g. 'splunk.alerts' or 'security.alerts' be created in ISM, rather than the LoginID of a specific user. Note that the Internal Services account cannot be used for the creation of incidents.

To configure an alert action to generate a Security Incident, check the appropriate checkbox when configuring the alert action. This will cause the TA to create an instance of the new (2020) Security Incident business object rather than the standard Incident object.

Configuration workflow in ISM

Create an API key (recommended over the use of username/password)
If using the TA for alerting, create a generic account to be used for new incidents created from Splunk (recommended over using an existing user account)

Configuration workflow in Splunk - Ingestion

Install the TA
Browse to the TA in Splunk Web and select the Configuration tab, then Add-On Settings
Provide the Tenant URL e.g. https://apacdemo1-try.saasitau.com. Include the protocol (http/https) and port if non-standard
Provide either an API key (e.g. 1A8AE0B10C95FE8C135464F5ED38FBFA) or Username and Password
Provide the Role if not using API key for authentication
Leave the box checked for server certificate verification unless absolutely required e.g. targeting against a test instance with a self-signed cert
Go to the Inputs tab and setup one or more inputs e.g.
Create New Input
Name: acme_ism_incidents
Interval: 600
Index: ISM (any valid Splunk index can be used)
Parameters - leave as the default a different filter is required. The default filter for incidents, for example, queries the state of all Active and Logged incidents
Wait for the first poll then view results by either using the ISM App (https://splunkbase.splunk.com/app/4654/) or searching manually e.g. index=main sourcetype=ivanti:ism:incident

Configuration workflow in Splunk - Alert creation

Create a new alert (Splunk Enterprise) or configure a new alert as an Adaptive Response action in a Correlation Search (Enterprise Security).

Troubleshooting

Use the add-on's UI to configure a logging level of Debug when troubleshooting.

Search using index=_internal sourcetype="taivantiism:log" to see errors logged by the ISM TA during ingestion.

Search using index=_internal source="create_an_incident_in_ism_modalert.log" to see errors logged by the alert action.

Support

For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact

Products Supported

Ivanti ISM 2019.3 onwards

Authors

Intalock (www.intalock.com.au)

Greg Ford

Release Notes

Version 1.1.9

v1.1.9

New: Support for ISM Security Incident creation as an alert action

Version 1.1.x

v1.1.x

New: Support for ISM Problems input
New: Support for API key as an alternative to username:password for auth
New: Option to enforce SSL server cert checks (enabled by default)

Release Notes

Version 1.4.1

May 27, 2025

1.41 May 27, 2025
--------
Updated AOB scripts and addressed other Splunk Cloud vetting issues

Version 1.4.0

May 27, 2025

1.40 May 27, 2025
--------
Updated AOB scripts and addressed other Splunk Cloud vetting issues

Version 1.3.3

Dec. 21, 2021

Two lines of logging disabled due to concern from Cloud Vetting that the URL requested is client-sensitive data.

Version 1.3.2

Dec. 2, 2021

Added redundant checks to ism.py to appease the cloud vetting https-only requirement

Version 1.3.1

Aug. 25, 2021

Addressed concerns raised during Splunk Cloud vetting.

Version 1.3.0

Aug. 18, 2021

Rebuilt using Add-On Builder v4 to address jQuery and Python dependency issues.

Version 1.2.0

May 5, 2021

Uploaded to github from latest SplunkBase release and fixed issue where password redaction was affecting the payload.

Version 1.1.9

Aug. 19, 2020

New icons and debug statements.

Version 1.1.8

July 7, 2020

New: Ivanti Logo
New: Create incidents
New: Import problems
New: Support for Splunk versions 8.0
New: CIM compliance
New: Support for API key as an alternative to username:password for auth
New: Option to enforce SSL server cert checks (enabled by default)

Version 1.1.7

July 6, 2020

Version 1.0.2

Aug. 27, 2019

Rebuilt add-on (1.0.0) and turned off indexed_extractions (1.0.2)

Version 1.0.1

Aug. 27, 2019

Version 1.0.0

Aug. 22, 2019

New: Import incidents
New: Import change requests

2,067

Downloads

Share Subscribe

Version

Built by

Ivanti Development

Support

Not Supported

Questions on Splunk Answers Flag as inappropriate

App Contents: Alert Actions