I am using version 1.22 of the ServiceNow Security Operations app on Splunk 6.5.3. I want to use the snsecincident command in a search in order to customize some of the incident properties that can't be customized within the Create ServiceNow Security Incident Alert Action. Then I want to schedule that search as an Splunk Alert. However when I attempt to use either of the snsecevent or snsecincident manual search commands, I get the error This command must be the first command of a search.
Am I misunderstanding the documentation? Shouldn't I be able to pass the fields from a search to these commands?
Reference documentation available at https://docs.servicenow.com/bundle/kingston-security-management/page/product/secops-integration-splu...
The command needs to be at the beginning of your search, preceded by a pipe character. E.g.
| snsecevent node TESTnode type TESTtype resource TESTresource
You can see the workflow action in Splunk under Fields -> Workflow actions, which shows the equivalent search using placeholders.
Are you able to use the | snowevent or | snowincident commands in the ServiceNow add-on?
Finally, if you have access, you could try script execution of the TA_ServiceNow_SecOps/bin/sn_sec_event.py per the commands.conf mapping.
The relevant parameters are passed into a datamap and then to the SNOW REST API
NB: sn_sec_event_alert.py maps to the actions specified in the alert_actions.conf file, which aligns with the GUI fields in the Security Operations Integration add-on. Hope that helps.
scottprigge - I hope this is not a 'DenverCoder9' type thing (https://xkcd.com/979/), but did you ever resolve this? I'm trying to do the same thing and am getting the same error you described.
Sorry, I never got to the bottom of this. I am limited to customizing the fields of the the custom alert actions that are built into the app. I don't recall what specific things I wanted to customize at the time I posted it.