ServiceNow Security Operations Add-on - Error Creating Security Incidents

guarisma
Contributor

Hello,

I'm getting the following error when trying to Trigger an alert to ServiceNow

08-18-2021 18:42:04.461 -0400 INFO sendmodalert - Invoking modular alert action=sn_sec_multi_incident_alert for search="test" sid="scheduler__nobody_RGlmZW5kYS1UaHJlYXRIdW50aW5n__test_at_1629326520_324_E6AF4A46-E741-44E5-8200-C53A9BA036B3" in app="Alert App" owner="nobody" type="saved"
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - ERROR: Unexpected error: Traceback (most recent call last):
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - File "/opt/splunk/etc/apps/TA-ServiceNow-SecOps/bin/sn_sec_multi_incident_alert.py", line 47, in <module>
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - for result in csv.DictReader(csvResult):
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - File "/opt/splunk/lib/python3.7/csv.py", line 111, in __next__
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - self.fieldnames
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - File "/opt/splunk/lib/python3.7/csv.py", line 98, in fieldnames
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - self._fieldnames = next(self.reader)
08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - _csv.Error: iterator should return strings, not bytes (did you open the file in text mode?)

Not sure what the problem is here, we upgraded from Splunk 7.3.3 to Splunk 8.1.5 and upgraded the ServiceNow Security Operations Add-on from 1.23.3 to 1.23.4

0 Karma

amtoyo
Loves-to-Learn

To anyone who is stumbling on this same error, I was able to resolve the issue:

Cause: ServiceNow Security Operations Add-on version 1.23.4 is stated to work with Python 3, but this is not the case. There needs to be an edit that will allow it to work for Python 3. Because new versions of Splunk (8.1 and newer) do not come with a Python 2.7 interpreter, this script will not work. My assumption is that this app was tested with an 8.0.x Splunk instance that has both Python 2.7 and 3 interpreters.

Issue: When the alert tried to invoke the alert script sn_sec_multi_incident_alert.py, there was an error. The main clue is the following event:

08-18-2021 18:42:04.947 -0400 ERROR sendmodalert - action=sn_sec_multi_incident_alert STDERR - _csv.Error: iterator should return strings, not bytes (did you open the file in text mode?)

The issue is that the CSV in the script is improperly opened in Python 3. By default, gzip will open it as bytes, not a string. Once the mode is set to read as a string, the script will run without error.

Solution: Change the csvReader to open the gzip file in "rt" mode

Old:

[screenshot: amtoyo_0-1633475063914.png]

New:

[screenshot: amtoyo_1-1633475082949.png]

DISCLAIMER:

This was only done for SN Multi Incident Alert Action. To use any of the other SN alerts, their corresponding scripts might have to be edited as well.

0 Karma
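As an added illustration of the answer above (example code written for this page, not the TA-ServiceNow-SecOps script and not code from the post): the failure and the "rt" fix reproduced against a constructed gzipped results file. A Splunk modular alert action receives a JSON payload on stdin whose "results_file" key names a gzipped CSV of the search results; the sample rows, the temporary file path, the minimal payload and the function names below are all constructed for this example. The version-aware `open_results` helper goes a step beyond the thread: it keeps the script working on an 8.0.x host that still runs it under Python 2.7, where the csv module wants bytes rather than text.

```python
"""Added example: why csv.DictReader over gzip.open() breaks on Python 3
and what opening the results file in "rt" mode changes. Not the add-on's
own code; sample data, paths and payload are constructed here."""
import csv
import gzip
import io
import json
import os
import sys
import tempfile

# Constructed sample rows standing in for the results of the saved search.
SAMPLE_ROWS = [
    {"_time": "1629326520", "src": "10.0.0.5", "dest": "10.0.0.9", "severity": "high"},
    {"_time": "1629326521", "src": "10.0.0.7", "dest": "10.0.0.9", "severity": "medium"},
]


def write_sample_results(path):
    """Write a gzipped CSV in the shape of Splunk's results_file."""
    with gzip.open(path, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(SAMPLE_ROWS[0]))
        writer.writeheader()
        writer.writerows(SAMPLE_ROWS)


def read_results_broken(path):
    """Pre-fix pattern. gzip.open() defaults to mode 'rb', so on Python 3
    the iterator yields bytes and the csv module raises
    'iterator should return strings, not bytes'."""
    with gzip.open(path) as fh:
        return list(csv.DictReader(fh))


def read_results_fixed(path):
    """The fix from the thread: ask gzip for a text stream with 'rt'."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def read_results_wrapped(path):
    """Equivalent fix when all you have is a binary handle: decode it with
    io.TextIOWrapper instead of changing the open() call."""
    with gzip.open(path, "rb") as raw:
        with io.TextIOWrapper(raw, encoding="utf-8", newline="") as fh:
            return list(csv.DictReader(fh))


def open_results(path):
    """Version-aware open for a script that may still run under Splunk 8.0.x
    with Python 2.7: the csv module wants bytes on 2 and text on 3."""
    if sys.version_info[0] >= 3:
        return gzip.open(path, "rt", newline="")
    return gzip.open(path, "rb")


def load_results_from_payload(payload_json):
    """Mirror what a modular alert action does with its stdin payload:
    parse the JSON and read the gzipped CSV named by 'results_file'."""
    payload = json.loads(payload_json)
    with open_results(payload["results_file"]) as fh:
        return list(csv.DictReader(fh))


def demo():
    """Build the sample file, run the broken and fixed readers, and report."""
    path = os.path.join(tempfile.mkdtemp(), "results.csv.gz")
    write_sample_results(path)
    outcome = {"broken_error": None}
    try:
        read_results_broken(path)
    except csv.Error as exc:  # this is the _csv.Error seen in the Splunk log
        outcome["broken_error"] = str(exc)
    outcome["fixed_rows"] = read_results_fixed(path)
    outcome["wrapped_rows"] = read_results_wrapped(path)
    # Constructed minimal payload; real ones carry more keys (sid, search_name, ...).
    payload = json.dumps({"results_file": path, "search_name": "test"})
    outcome["payload_rows"] = load_results_from_payload(payload)
    return outcome


if __name__ == "__main__":
    result = demo()
    print("broken:", result["broken_error"])
    print("fixed :", result["fixed_rows"])
```

Running it under Python 3 reproduces the exact message from the log for the unpatched pattern and returns the parsed rows for the "rt" and TextIOWrapper variants; the same one-line change applies to the other alert scripts in the add-on that the answer's disclaimer mentions.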

kevyip1
New Member

Thanks, this worked. After calling in support from the Splunk side (they weren't able to help due to it being a vendor app, which I totally understand), I also called in support to ServiceNow, which had no idea about the add-on (https://splunkbase.splunk.com/app/4770/).

This fixed our issue with getting notable events into ServiceNow for alerting by tweaking that (mode="rt").

Thanks

0 Karma

amtoyo
Loves-to-Learn

Hi,

Did you ever find the solution to this? I am also facing the same issue.

0 Karma