
Manual search commands

_smp_
Builder

I am using version 1.22 of the ServiceNow Security Operations app on Splunk 6.5.3. I want to use the snsecincident command in a search in order to customize some of the incident properties that can't be customized within the Create ServiceNow Security Incident Alert Action. Then I want to schedule that search as a Splunk Alert. However, when I attempt to use either the snsecevent or snsecincident manual search command, I get the error "This command must be the first command of a search."

Am I misunderstanding the documentation? Shouldn't I be able to pass the fields from a search to these commands?

0 Karma

roden
Loves-to-Learn Lots

Reference documentation available at https://docs.servicenow.com/bundle/kingston-security-management/page/product/secops-integration-splu...

The command needs to be at the beginning of your search, preceded by a pipe character. E.g.
| snsecevent node TESTnode type TESTtype resource TESTresource

You can see the workflow action in Splunk under Fields -> Workflow actions, which shows the equivalent search using placeholders.

Are you able to use the | snowevent or | snowincident commands in the ServiceNow add-on?
Reference: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

Finally, if you have access, you could try script execution of the TA_ServiceNow_SecOps/bin/sn_sec_event.py per the commands.conf mapping.
The relevant parameters are passed into a datamap[] and then to the SNOW REST API.

NB: sn_sec_event_alert.py maps to the actions specified in the alert_actions.conf file, which aligns with the GUI fields in the Security Operations Integration add-on. Hope that helps.

0 Karma

SteveMacAmway
New Member

scottprigge - I hope this is not a 'DenverCoder9' type thing (https://xkcd.com/979/), but did you ever resolve this? I'm trying to do the same thing and am getting the same error you described.

0 Karma

_smp_
Builder

Sorry, I never got to the bottom of this. I am limited to customizing the fields of the custom alert actions that are built into the app. I don't recall what specific things I wanted to customize at the time I posted it.

0 Karma