ServiceNow Security Incident Creation with Splunk: Field mapping question

adalbor
Builder

Hey All,

I recently set up the ServiceNow Security Operations TA with our ServiceNow instance. I can successfully create incidents from workflow actions in testing. My question revolves around the data that I can send/map in the incident.

I have found the command that maps to the ServiceNow fields (default setup):
| snsecincident short_description "$sourcetype$ on $host$, $source$" category "Splunk" subcategory "$sourcetype$" cmdb_ci "$host$"

I would like to pull specific fields to insert into each incident when triggered manually by a workflow action. As each sourcetype doesn't always contain common fields, is there a good way to achieve this?

Would a field alias allow me to create a single alias that might pull different fields from different sourcetypes?

Not sure the best way to go about this.

Thanks!
Andrew

0 Karma
1 Solution

adalbor
Builder

I ended up taking a somewhat more convoluted route but I was able to achieve what we needed.

I created a separate workflow action for each eventtype and set the "Apply only to the following event types" for each specific eventtype. This allowed me to get the fields I needed from each eventtype without any weird overlap.

We then modified some of the underlying Python scripts in the ServiceNow Sec Ops app to extract our _time, parse it into ISO and pass it back to the function. We were also able to insert some line breaks into the data so as to format it properly in the ServiceNow Description field, using a similar method.

0 Karma

to4kawa
Ultra Champion

e.g.

| makeresults
| eval method="GET "
| eval url="https://www.virustotal.com/"
| eval type="/file/"
| eval hash_value=md5("hoobar")
| eval command=method.url."gui".type.hash_value."/detection"

This is just an example, but I combine fields for a workflow and end up with a single field.
If you can use coalesce, use it. If there is no field, why not output a general field value like the comment above?

It is like this because I do not know the detailed settings of the workflow.

adalbor
Builder

I am making some progress on it and I like your idea of condensing things. Just trying to figure out the best way to achieve it though.

I ended up creating field aliases for each piece of data that I need from the differing sourcetypes and put them in the order I need in the workflow command. It's messy but working fairly well so far. The two last things I have to do are figure out a way to output _time in a formatted token and fit quite a few tokens in the ServiceNow Description field. Would I create another alias with all the fields I need combined?

What I have so far:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH"

0 Karma

to4kawa
Ultra Champion

cf. _time
Common time format variables
|eval time = strftime(_time, "%F %T")

If there is Null field, create calculated field or another alias with all the fields I need combined, I think.
coalesce(sn_ms_def_compname,"NA")
then, I can use like above.

0 Karma
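The two pieces of advice above (coalesce the per-sourcetype fields into one common token, and strftime _time into a readable format) and the accepted solution's ISO _time and line-broken Description can be sketched outside Splunk. The following is an added example, not code from the ServiceNow Security Operations TA and not the scripts the poster modified; the sourcetype names, the FIELD_MAP table, the helper names and the sample events are all assumptions constructed to mirror the field names used in this thread.

```python
"""
Normalise events from different sourcetypes into the common token set that a
single snsecincident workflow action expects, format _time as ISO 8601, and
build a multi-line Description.

Added example: not the ServiceNow Security Operations TA's code. Sourcetype
names, FIELD_MAP and helper names are assumptions for illustration.
"""
from datetime import datetime, timezone

# Per-sourcetype mapping from a common token name to candidate source fields,
# in priority order (coalesce semantics: first non-empty value wins).
# ASSUMPTION: these sourcetype names and field names are illustrative only.
FIELD_MAP = {
    "fe:hx": {
        "shortdesc": ["sn_fe_hx_shortdesc"],
        "host": ["sn_fe_hx_srchost"],
    },
    "fe:ips": {
        "shortdesc": ["sn_fe_ips_shortdesc"],
        "host": ["sn_fe_ips_dst", "sn_fe_ips_shost"],
    },
    "ms:defender": {
        "shortdesc": ["sn_ms_def_shortdesc"],
        "host": ["sn_ms_def_compname"],
    },
    "pan:threat": {
        "shortdesc": ["sn_pa_threat_shortdesc"],
        "host": ["sn_pa_threat_src"],
    },
}

COMMON_TOKENS = ("shortdesc", "host")


def coalesce(event, candidates, default="NA"):
    """Return the first non-empty candidate field, like SPL coalesce(...)."""
    for name in candidates:
        value = event.get(name)
        if value not in (None, ""):
            return value
    return default


def iso_time(epoch):
    """Format a Splunk _time epoch (str or float) as ISO 8601 in UTC."""
    ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise(event):
    """Map a raw event to the common token set used by the workflow action."""
    mapping = FIELD_MAP.get(event.get("sourcetype"), {})
    out = {tok: coalesce(event, mapping.get(tok, [])) for tok in COMMON_TOKENS}
    out["Time"] = iso_time(event["_time"])
    return out


def build_description(event, fields):
    """Multi-line Description body: one 'label: value' pair per line."""
    lines = [f"{label}: {value}" for label, value in fields.items()]
    lines.append(f"sourcetype: {event.get('sourcetype', 'NA')}")
    lines.append(f"source: {event.get('source', 'NA')}")
    return "\n".join(lines)


def snsecincident_args(event):
    """Produce the key/value arguments a workflow command would receive."""
    fields = normalise(event)
    return {
        "short_description": f"{fields['shortdesc']} on {fields['host']} at {fields['Time']}",
        "category": "Splunk Generated Incident",
        "subcategory": "Security Alert",
        "cmdb_ci": fields["host"],
        "description": build_description(event, fields),
    }


# Constructed sample events standing in for two different sourcetypes; the
# first one has an empty sn_fe_ips_dst so coalesce falls through to shost.
SAMPLE_EVENTS = [
    {"sourcetype": "fe:ips", "source": "fe_ips.log", "_time": "1700000000",
     "sn_fe_ips_shortdesc": "Exploit attempt blocked", "sn_fe_ips_dst": "",
     "sn_fe_ips_shost": "web01"},
    {"sourcetype": "ms:defender", "source": "defender", "_time": 1700003600.5,
     "sn_ms_def_shortdesc": "Malware detected", "sn_ms_def_compname": "lt-042"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for key, value in snsecincident_args(ev).items():
            print(f"{key}={value!r}")
        print()
```

The point of the table is that the workflow command only ever sees the common tokens (shortdesc, host, Time), so adding a new sourcetype means adding one FIELD_MAP entry rather than another token to the command; an unknown sourcetype degrades to "NA" instead of leaving a dangling $token$ in the ticket.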

iamlordvoldemor
New Member

The field names that exist in ServiceNow SecOPS are somewhat proprietary to you, and I assume you have a list of the fields viewed > fields named on the back end.

For Splunk, depending on where you have the Splunk action for generating a SN Security Incident would determine the mapping.

For example, the Splunk ES Incident Review dashboard had different field names for some fields than what is present in regular searches.

try this out and see if it helps:

| rest splunk_server=local /servicesNS/-/-/configs/conf-log_review/incident_review | fields event_attributes | eval d=split(event_attributes, ",") | rex field=d max_match=0 "field\"\s*:\s*\"(?<field>[^\"]+)" | rex field=d max_match=0 "label\"\s*:\s*\"(?<label>[^\"]+)" | eval mv=mvzip(field,label) | fields mv | mvexpand mv | eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1) | table field, label

0 Karma

adalbor
Builder

It's not that I don't know what the field names are; it's that I am trying to figure out how to map different fields from different sourcetypes in that one generate workflow command.

So if I use the workflow action on one sourcetype and it contains different field names than if I were to launch the workflow on another sourcetype with different field names, how do I use the fewest tokens in that command?

So if the firewall places its event description in a field named field1 but the proxy places its event description in field10, how do I ensure the command can get that data from either sourcetype depending on which event is selected? Not combine the data, but use the same tokens in the workflow command.

I could place field1 and field10 in the workflow command together and if data didn't exist in one field it would be OK. If data resides in both fields, though, there will be overlap. See what I am saying?

0 Karma

to4kawa
Ultra Champion

e.g.
Create ticket(CSV):

sourcetype,host,source,ticket
sourcetypeA,hostA,sourceA,ticketA
sourcetypeA,hostB,sourceA,ticketB
....

Why not create a lookup table and output the ticket?
I haven't tried it, just an idea.


Previous answer

Workflow action Setting:

Fields » Workflow actions » 
Show action in     Both

And why not run the workflow from the Fields menus?

0 Karma

adalbor
Builder

I've already located the workflow action and the accompanying command/search it runs. My question revolves around the field variables it uses and how I would send data from differing sourcetypes and fields using the same variables to populate the ticket.

0 Karma