I recently set up the ServiceNow Security Operations TA with our ServiceNow instance. I can successfully create incidents from workflow actions in testing. My question revolves around the data that I can send/map in the incident.
I have found the command that maps to the ServiceNow fields (default setup):
| snsecincident shortdescription "$sourcetype$ on $host$, $source$" category "Splunk" subcategory "$sourcetype$" cmdbci "$host$"
I would like to pull specific fields to insert into each incident when triggered manually by a workflow action. As each sourcetype doesn't always contain common fields is there a good way to achieve this?
Would a field alias allow me to create a single alias that might pull different fields from different sourcetypes?
Not sure the best way to go about this.
```csv
sourcetype,host,source,ticket
sourcetypeA,hostA,sourceA,ticketA
sourcetypeA,hostB,sourceA,ticketB
....
```
Why not create a lookup table and output the ticket?
I haven't tried it, just an idea.
Workflow action Setting:
Fields » Workflow actions » Show action in Both
And why not run the workflow from the Fields menus?
I've already located the workflow action and the accompanying command/search it runs. My question revolves around the field variables it uses and how I would send data from differing sourcetypes and fields using the same variables to populate the ticket.
The field names that exist in ServiceNow SecOPS are somewhat proprietary to you, and I assume you have a list of the fields viewed > fields named on the back end.
For Splunk, where you have the Splunk action for generating a SN Security Incident would determine the mapping.
For example, the Splunk ES Incident Review dashboard has different field names for some fields than what is present in regular searches.
Try this out and see if it helps:
| rest splunkserver=local /servicesNS/-/-/configs/conf-logreview/incidentreview | fields eventattributes | eval d=split(eventattributes, ",") | rex field=d max_match=0 "field\"\s:\s\"(?<field>[^\"]+)" | rex field=d max_match=0 "label\"\s:\s\"(?<label>[^\"]+)" | eval mv=mvzip(field,label) | fields mv | mvexpand mv | eval field=mvindex(split(mv,","), 0), label=mvindex(split(mv,","), 1) | table field, label
It's not that I don't know what the field names are; it's that I am trying to figure out how to map different fields from different sourcetypes in that one generate workflow command.
So if I use the workflow action on one sourcetype and it contains different field names than if I were to launch the workflow on another sourcetype with different field names, how do I use the fewest tokens in that command?
So if the firewall places its event description in a field named field1 but the proxy places its event description in field10, how do I ensure the command can get that data from either sourcetype depending on which event is selected? Not combine the data, but use the same tokens in the workflow command.
I could place field1 and field10 in the workflow command together, and if data didn't exist in one field it would be OK. If data resides in both fields, though, there will be overlap. See what I am saying?
| makeresults | eval method="GET " | eval url="https://www.virustotal.com/" | eval type="/file/" | eval hash_value=md5("hoobar") | eval command=method.url."gui".type.hash_value."/detection"
This is just an example, but I combine fields for a workflow and end up with a single field.
If you can use coalesce, use it. If there is no field, why not output a general field value like the comment above?
It is like this because I do not know the detailed settings of the workflow.
I am making some progress on it and I like your idea of condensing things. Just trying to figure out the best way to achieve it though.
I ended up creating field aliases for each piece of data that I need from the differing sourcetypes and put them in the order I need in the workflow command. It's messy but working fairly well so far. The two last things I have to do are figure out a way to output _time in a formatted token and fit quite a few tokens in the ServiceNow Description field. Would I create another alias with all the fields I need combined?
What I have so far:
| snsecincident shortdescription "$snfehxshortdesc$ $snfeipsshortdesc$ $snpathreatshortdesc$ $snmsdefshortdesc$ on $snfehxsrchost$ $snfeipsdst$ $snmsdefcompname$ $snpathreatsrc$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdbci "$snfehxsrchost$ $snmsdefcompname$ $snfeips_shost$" description "BLAH BLAH"
`| eval time=strftime(_time, "%F %T")`
If there is a null field, create a calculated field or another alias with all the fields I need combined, I think. Then I can use it like above.
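One way to feed the same token set from different source fields, as an added example not from this thread (the sourcetype names fw:events and proxy:events, the source fields field1/field10, and the stanza name snsec_create are assumed placeholders; the snsecincident options are the ones quoted in the commands above):

```ini
# props.conf (search-time): each sourcetype maps its own description field
# to one common name, so the workflow action only needs $sn_desc$.
# Aliasing is done per stanza on purpose: aliasing field1 AND field10 to
# sn_desc in the same stanza would yield a multivalue field when both exist.

[fw:events]
# Firewall writes its event description to field1 (assumed)
FIELDALIAS-sn_desc = field1 AS sn_desc
# Calculated fields run after aliases; ISO-8601 timestamp usable as $sn_time$
EVAL-sn_time = strftime(_time, "%Y-%m-%dT%H:%M:%S%z")

[proxy:events]
# Proxy writes its event description to field10 (assumed)
FIELDALIAS-sn_desc = field10 AS sn_desc
EVAL-sn_time = strftime(_time, "%Y-%m-%dT%H:%M:%S%z")

[endpoint:events]
# Sourcetype where either field may be present: pick one deterministically
# with coalesce instead of aliasing both, and fall back to a fixed value
EVAL-sn_desc = coalesce(field1, field10, "no description supplied")
EVAL-sn_time = strftime(_time, "%Y-%m-%dT%H:%M:%S%z")

# workflow_actions.conf: a single action with one token set for all three
[snsec_create]
label = Create ServiceNow Security Incident
display_location = both
type = search
# Only offer the action on events that actually carry the normalized fields
fields = sn_desc,sn_time,host
search.search_string = | snsecincident shortdescription "$sn_desc$ on $host$ at $sn_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdbci "$host$"
```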
I ended up taking a somewhat more convoluted route but I was able to achieve what we needed.
I created a separate workflow action for each eventtype and set the "Apply only to the following event types" for each specific eventtype. This allowed me to get the fields I needed from each eventtype without any weird overlap.
We then modified some of the underlying Python scripts in the ServiceNow Sec Ops app to extract our _time, parse it into ISO format and pass it back to the function. We were also able to insert some line breaks into the data so as to properly format it in the ServiceNow Description field using a similar method.