Manual search commands

_smp_
Builder

I am using version 1.22 of the ServiceNow Security Operations app on Splunk 6.5.3. I want to use the snsecincident command in a search in order to customize some of the incident properties that can't be customized within the Create ServiceNow Security Incident Alert Action. Then I want to schedule that search as a Splunk Alert. However, when I attempt to use either the snsecevent or snsecincident manual search command, I get the error "This command must be the first command of a search."

Am I misunderstanding the documentation? Shouldn't I be able to pass the fields from a search to these commands?

0 Karma

roden
Loves-to-Learn Lots

Reference documentation available at https://docs.servicenow.com/bundle/kingston-security-management/page/product/secops-integration-splu...

The command needs to be at the beginning of your search, preceded by a pipe character. E.g.
| snsecevent node TESTnode type TESTtype resource TESTresource

You can see the workflow action in Splunk under Fields -> Workflow actions, which shows the equivalent search using placeholders.

Are you able to use the | snowevent or | snowincident commands in the ServiceNow add-on?
Reference: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

Finally, if you have access, you could try script execution of the TA_ServiceNow_SecOps/bin/sn_sec_event.py per the commands.conf mapping.
The relevant parameters are passed into a datamap[] and then to the SNOW REST API.

NB: sn_sec_event_alert.py maps to the actions specified in the alert_actions.conf file, which aligns with the GUI fields in the Security Operations Integration add-on. Hope that helps.

0 Karma
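As an added illustration (hypothetical code, not the add-on's own sn_sec_event.py), here is how the two points above can be modelled: a generating command is only valid as the first stage of a pipe-led search, and its positional key/value arguments are collected into a datamap before being serialized for the REST call. The field names come from the example search above; treating node, type and resource as required is an assumption.

```python
"""Model of a generating search command such as snsecevent (illustrative only)."""
import json
import shlex

# Assumption: the fields from the example search are treated as required.
REQUIRED_FIELDS = ("node", "type", "resource")
FIRST_COMMAND_ERROR = "This command must be the first command of a search."


def split_pipeline(spl):
    """Split SPL on top-level '|' characters, ignoring pipes inside double quotes."""
    stages, buf, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def check_generating_position(spl, command):
    """Return None if `command` leads a pipe-led search, else the Splunk-style error.

    A search without a leading '|' runs an implicit `search` first, so the
    generating command would sit in position two and be rejected.
    """
    stages = split_pipeline(spl)
    first_token = stages[0].split()[0] if stages else ""
    if spl.lstrip().startswith("|") and first_token == command:
        return None
    return FIRST_COMMAND_ERROR


def build_datamap(spl, command="snsecevent"):
    """Validate the search and collect 'key value key value ...' args into a datamap."""
    err = check_generating_position(spl, command)
    if err:
        raise ValueError(err)
    tokens = shlex.split(split_pipeline(spl)[0])[1:]   # drop the command name itself
    if len(tokens) % 2:
        raise ValueError("arguments must be key/value pairs, got an odd count")
    datamap = dict(zip(tokens[0::2], tokens[1::2]))
    missing = [f for f in REQUIRED_FIELDS if f not in datamap]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    return datamap


def build_payload(spl, command="snsecevent"):
    """Return the JSON body that a REST call to the SNOW endpoint would carry."""
    return json.dumps(build_datamap(spl, command), sort_keys=True)
```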

SteveMacAmway
New Member

scottprigge - I hope this is not a 'DenverCoder9' type thing (https://xkcd.com/979/), but did you ever resolve this? I'm trying to do the same thing and am getting the same error you described.

0 Karma

_smp_
Builder

Sorry, I never got to the bottom of this. I am limited to customizing the fields of the custom alert actions that are built into the app. I don't recall what specific things I wanted to customize at the time I posted it.

0 Karma