
ServiceNow Security Operations Add-on - Error Creating Security Incidents

guarisma
Contributor

Hello,

I'm getting the following error when trying to Trigger an alert to ServiceNow

08-18-2021 18:42:04.461 -0400 INFO sendmodalert - Invoking modular alert action=sn_sec_multi_incident_alert for search="test" sid="scheduler__nobody_RGlmZW5kYS1UaHJlYXRIdW50aW5n__test_at_1629326520_324_E6AF4A46-E741-44E5-8200-C53A9BA036B3" in app="Alert App" owner="nobody" type="saved"
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - ERROR: Unexpected error: Traceback (most recent call last):
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - File "/opt/splunk/etc/apps/TA-ServiceNow-SecOps/bin/sn_sec_multi_incident_alert.py", line 47, in <module>
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - for result in csv.DictReader(csvResult):
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - File "/opt/splunk/lib/python3.7/csv.py", line 111, in __next__
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - self.fieldnames
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - File "/opt/splunk/lib/python3.7/csv.py", line 98, in fieldnames
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - self._fieldnames = next(self.reader)
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - _csv.Error: iterator should return strings, not bytes (did you open the file in text mode?)

Not sure what the problem is here, we upgraded from Splunk 7.3.3 to Splunk 8.1.5 and upgraded the ServiceNow Security Operations Add-on from 1.23.3 to 1.23.4


amtoyo
Loves-to-Learn

To anyone who is stumbling on this same error, I was able to resolve the issue:

Cause: ServiceNow Security Operations Add-on version 1.23.4 is stated to work with Python 3, but this is not the case. There needs to be an edit that will allow it to work with Python 3. Because new versions of Splunk (8.1 and newer) do not come with a Python 2.7 interpreter, this script will not work. My assumption is that this app was tested on an 8.0.x Splunk instance that has both the Python 2.7 and Python 3 interpreters.

Issue: When the alert tried to invoke the alert script sn_sec_multi_incident_alert.py, there was an error. The main clue is the following event:

08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - _csv.Error: iterator should return strings, not bytes (did you open the file in text mode?)

The issue is that the CSV in the script is improperly opened under Python 3. By default, gzip will open it as bytes, not as a string. Once the mode is set to read as a string, the script will run without error.

Solution: Change the csvReader to open the gzip file in "rt" mode

Old :

[screenshot: amtoyo_0-1633475063914.png]

New:

[screenshot: amtoyo_1-1633475082949.png]

DISCLAIMER:

This was only done for SN Multi Incident Alert Action. To use any of the other SN alerts, their corresponding scripts might have to be edited as well.

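The failure and the fix described in the post above, as an added example that is not code from the original thread or from the TA-ServiceNow-SecOps add-on. Splunk passes a modular alert action a gzip-compressed CSV of the search results (the path arrives as results_file in the JSON payload on stdin); the script builds such a file itself from constructed rows so it runs offline, then reads it first the old way (gzip.open with the default binary mode, which reproduces the _csv.Error from the log) and then with mode="rt". The variable name csvResult is taken from the traceback on the page; the function names, the sample rows and the temporary file path are assumptions for the example.

```python
"""Added example: reproduce the _csv.Error from the thread and show the "rt" fix."""
import csv
import gzip
import os
import tempfile

# Constructed sample results in the shape Splunk writes to results_file:
# a header row followed by one row per search result (real results carry
# many more columns). Constructed for this example, not real data.
SAMPLE_RESULTS = [
    {"_time": "2021-08-18T18:42:00", "src": "10.0.0.5", "dest": "10.0.0.9", "signature": "test"},
    {"_time": "2021-08-18T18:42:01", "src": "10.0.0.7", "dest": "10.0.0.9", "signature": "test"},
]


def write_results_gz(path, rows):
    """Write rows as a gzip-compressed CSV, the format Splunk uses for results_file."""
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)


def read_results_old(path):
    """The pattern that breaks on Python 3: gzip.open() with no mode defaults to
    "rb", so iterating the handle yields bytes and csv.DictReader raises
    _csv.Error: iterator should return strings, not bytes (did you open the
    file in text mode?). On Python 2 the same code worked because bytes and
    str were the same type."""
    with gzip.open(path) as csvResult:
        return [dict(row) for row in csv.DictReader(csvResult)]


def read_results_new(path):
    """The fix from the thread: open the gzip file in text mode ("rt") so the
    reader receives str lines. newline="" is the csv module's documented
    recommendation for file handles it reads from."""
    with gzip.open(path, mode="rt", newline="") as csvResult:
        return [dict(row) for row in csv.DictReader(csvResult)]


def demonstrate():
    """Return (outcome of the old reader as text, rows parsed by the new reader)."""
    tmpdir = tempfile.mkdtemp()                      # assumed scratch location
    path = os.path.join(tmpdir, "results.csv.gz")
    write_results_gz(path, SAMPLE_RESULTS)
    try:
        read_results_old(path)
        old_outcome = "no error"
    except csv.Error as exc:                         # csv.Error is _csv.Error
        old_outcome = f"{type(exc).__name__}: {exc}"
    rows = read_results_new(path)
    return old_outcome, rows


if __name__ == "__main__":
    outcome, rows = demonstrate()
    print("binary-mode reader:", outcome)
    print("text-mode reader  :", rows)
```

If the results can contain non-ASCII field values, passing an explicit encoding (for example encoding="utf-8") alongside mode="rt" avoids depending on the locale of the account Splunk runs the alert action under; the thread's fix only changes the mode, which is enough to clear the error shown.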

kevyip1
New Member

Thanks, this worked. After calling Splunk support (they weren't able to help because it is a vendor app, which I totally understand), I also called ServiceNow support, which had no idea about the add-on (https://splunkbase.splunk.com/app/4770/).

This fixed our issue with getting notable events into ServiceNow for alerting by tweaking that (mode="rt").

Thanks


amtoyo
Loves-to-Learn

Hi,

Did you ever find the solution to this? I am also facing the same issue.
