How to create incidents in ServiceNow for notables in Splunk ES.

niks987
Explorer

Hi Guys,

Hope you are all doing well.

I have recently started to use Splunk ES and I am trying to create security incidents in ServiceNow for notables. I am using the ServiceNow Security Operations Integration add-on for this and I have created a workflow action to create an incident. I am using the search below in the workflow action but I am not able to create any incidents. Please let me know if I am missing anything.

Thanks in advance.

| expandtoken rule_title rule_description drilldown_searches
```coalesce before "fields" so src_ip, dest_ip and rule_title are still present; "fields" would otherwise drop them first```
| eval src=coalesce(src, src_ip), dest=coalesce(dest, dest_ip), title=coalesce(title, rule_title)
| fields title rule_description src dest user file_path file_hash file_name _time source severity event_hash
```every field used in the concatenation below needs a value: one null operand makes the whole ticket_contents null```
| fillnull value=N/A dvc src dest user file_path file_hash file_name title rule_description source event_hash
| eval external_link="xyz"
```classify the hash by length and hex content; anything else becomes N/A```
| eval md5_hash=if(match(file_hash, "^[0-9a-fA-F]{32}$"), file_hash, "N/A")
| eval sha256_hash=if(match(file_hash, "^[0-9a-fA-F]{64}$"), file_hash, "N/A")
| eval snow_event_ts=strftime(_time, "%m-%d-%Y %H:%M:%S")
```default branch so an unmapped severity such as "unknown" does not null the ticket; 3 is a placeholder, adjust to the ServiceNow choice list```
| eval severity=case(severity=="informational", 0, severity=="low", 4, severity=="medium", 3, severity=="high", 2, severity=="critical", 1, true(), 3)
```replace double quotes so a title or description cannot terminate a key "value" pair early```
| eval title=replace(title, "\"", "'"), rule_description=replace(rule_description, "\"", "'")
| eval ticket_contents = "short_description \"".title."\""
| eval ticket_contents = ticket_contents." assignment_group \"ABC\""
| eval ticket_contents = ticket_contents." contact_type \"SIEM\""
| eval ticket_contents = ticket_contents." description \"".rule_description."\""
| eval ticket_contents = ticket_contents." source_ip \"".src."\""
| eval ticket_contents = ticket_contents." dest_ip \"".dest."\""
| eval ticket_contents = ticket_contents." u_offence_id \"".event_hash."\""
| eval ticket_contents = ticket_contents." u_source \"".src."\""
| eval ticket_contents = ticket_contents." u_destination \"".dest."\""
| eval ticket_contents = ticket_contents." u_md5_hash \"".md5_hash."\""
| eval ticket_contents = ticket_contents." u_sha256_hash \"".sha256_hash."\""
| eval ticket_contents = ticket_contents." u_event_timestamp \"".snow_event_ts."\""
| eval ticket_contents = ticket_contents." u_event_name \"".source."\""
| eval ticket_contents = ticket_contents." severity \"".severity."\""
| return $ticket_contents

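The mapping in the post, reimplemented outside Splunk as an added example (this is not code from the post or from the ServiceNow Security Operations add-on, and it calls no ServiceNow API). It shows the two failure modes that silently produce an empty ticket: a missing input field (in SPL, one null operand in a `.` concatenation nulls the whole string) and a value containing a double quote (which terminates a `key "value"` pair early). The ServiceNow field names (u_offence_id, u_md5_hash, ...) and the severity numbers are taken from the post; the default severity of 3 for unmapped labels, the UTC timestamp, the helper names and the sample notable are all assumptions of this example.

```python
import re
from datetime import datetime, timezone

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Same numeric mapping as the post. Unmapped labels (e.g. "unknown") get
# DEFAULT_SEVERITY instead of null; the value 3 is an assumption of this
# example, adjust it to your ServiceNow choice list.
SEVERITY_MAP = {"informational": 0, "critical": 1, "high": 2, "medium": 3, "low": 4}
DEFAULT_SEVERITY = 3


def classify_hash(value):
    """Split file_hash into (md5, sha256) by length and hex content; 'N/A' otherwise."""
    value = (value or "").strip()
    md5 = value if MD5_RE.match(value) else "N/A"
    sha256 = value if SHA256_RE.match(value) else "N/A"
    return md5, sha256


def map_severity(label):
    return SEVERITY_MAP.get((label or "").strip().lower(), DEFAULT_SEVERITY)


def format_event_ts(epoch):
    """Same format string as the post; UTC here so the result is deterministic
    (Splunk's strftime uses the search head's timezone)."""
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime("%m-%d-%Y %H:%M:%S")


def first_present(notable, *keys, default="N/A"):
    """First non-empty value among keys: the coalesce + fillnull step in one."""
    for key in keys:
        value = notable.get(key)
        if value not in (None, ""):
            return str(value)
    return default


def notable_to_incident(notable, assignment_group="ABC"):
    """Map one notable (dict of Splunk fields) to ServiceNow incident fields.
    Every value is guaranteed non-empty, so a missing source field cannot
    blank the whole ticket."""
    md5, sha256 = classify_hash(notable.get("file_hash"))
    src = first_present(notable, "src", "src_ip")
    dest = first_present(notable, "dest", "dest_ip")
    return {
        "short_description": first_present(notable, "title", "rule_title"),
        "assignment_group": assignment_group,
        "contact_type": "SIEM",
        "description": first_present(notable, "rule_description"),
        "source_ip": src,
        "dest_ip": dest,
        "u_offence_id": first_present(notable, "event_hash"),
        "u_source": src,
        "u_destination": dest,
        "u_md5_hash": md5,
        "u_sha256_hash": sha256,
        "u_event_timestamp": format_event_ts(notable.get("_time", 0)),
        "u_event_name": first_present(notable, "source"),
        "severity": str(map_severity(notable.get("severity"))),
    }


def render_ticket_contents(fields):
    """Serialise as the space-separated key "value" string the post builds,
    escaping backslashes and double quotes so a quoted substring inside a
    description cannot terminate the value early."""
    parts = []
    for key, value in fields.items():
        escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{key} "{escaped}"')
    return " ".join(parts)


_PAIR_RE = re.compile(r'(\S+) "((?:[^"\\]|\\.)*)"')


def parse_ticket_contents(text):
    """Inverse of render_ticket_contents, used to check the round trip."""
    return {key: re.sub(r"\\(.)", r"\1", raw) for key, raw in _PAIR_RE.findall(text)}


# Constructed sample notable (not real data): src_ip but no src, no event_hash,
# an embedded double quote in the description, and an unmapped severity.
SAMPLE_NOTABLE = {
    "rule_title": "Suspicious Process Launch",
    "rule_description": 'cmd.exe spawned "powershell -nop" on host WS01',
    "src_ip": "10.0.0.5",
    "dest": "10.0.0.9",
    "user": "jdoe",
    "file_hash": "d41d8cd98f00b204e9800998ecf8427e",
    "_time": 1700000000,
    "source": "Endpoint - Suspicious Process Launch - Rule",
    "severity": "unknown",
}

if __name__ == "__main__":
    incident = notable_to_incident(SAMPLE_NOTABLE)
    print(render_ticket_contents(incident))
```

Running the file prints a single `key "value"` line in the shape the post's `return $ticket_contents` produces, with every field populated even though the sample notable lacks `src`, `event_hash` and a known severity. The parse helper only exists to prove the rendered string survives a round trip; it is not something the add-on does.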