
_time passed to Workflow Search string not formatted

adalbor
Builder

Hey All,

I have a workflow action that passes a search string to an external app (ServiceNow) for incident creation. When I use the $_time$ token it uses epoch not the properly formatted time. I am unable to use an eval in the search string because the first command of the search string must be the ServiceNow parameter to call the script. Anyone have any suggestions how I could pass the properly formatted time?

This is what I have currently:

| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH"

If I try this before the snsecincident:
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time
I receive an error that the snsecincident has to be the first command in the string.

Should I create a field alias for _time that is formatted properly and use that? If so how would I go about that?

Thanks!

1 Solution

adalbor
Builder

Hey All,

We finally found a solution to this but it didn't exist within the output search command. We ended up modifying a couple of the python scripts within the ServiceNow Security Operations app to extract the _time based on a special character placed before the string then convert to ISO format then pass back to the function that sent it to the API. We were also able to insert line breaks into the data once it was placed in the Description field of ServiceNow using a similar method.


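The accepted answer describes the mechanism only in prose: a marker character is placed directly before the epoch in the workflow search string, and the add-on's Python side finds that marker, converts the epoch to ISO format and hands the rewritten value on to the function that calls the ServiceNow API, with a similar marker used to insert line breaks into the description. The following is an added example of that post-processing step written for this page; it is not the modified scripts from the ServiceNow Security Operations add-on. The marker characters (`~` before the epoch, `<br>` for a line break), the function names and the field dictionary layout are assumptions made here, since the page does not show the real script names or call chain.

```python
import re
from datetime import datetime, timezone

# Marker conventions are assumptions for this example, not the add-on's own:
#   '~' placed directly before the epoch token in the workflow search string,
#   e.g.  ... at ~$_time$ ...   which Splunk expands to  ... at ~1579880590 ...
#   '<br>' wherever a line break is wanted in the ServiceNow description field.
EPOCH_MARKER = "~"
LINEBREAK_MARKER = "<br>"

# Only a 9-10 digit run (optionally with a fractional part) directly after the
# marker is treated as an epoch in seconds. Anything else after '~' is left
# untouched, so a stray marker cannot turn arbitrary text into a timestamp.
_MARKED_EPOCH_RE = re.compile(
    re.escape(EPOCH_MARKER) + r"(?P<sec>\d{9,10})(?:\.(?P<frac>\d+))?(?!\d)"
)


def epoch_to_iso(seconds, frac=None):
    """Format epoch seconds (a string of digits) as ISO 8601 in UTC.

    Sub-second digits are taken verbatim from the token and truncated or
    right-padded to milliseconds, so no float rounding is involved.
    """
    dt = datetime.fromtimestamp(int(seconds), tz=timezone.utc)
    millis = (frac or "0")[:3].ljust(3, "0")
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + "." + millis + "Z"


def format_marked_epochs(text):
    """Replace every '~<epoch>' occurrence in text with its ISO 8601 form."""
    def _sub(match):
        return epoch_to_iso(match.group("sec"), match.group("frac"))
    return _MARKED_EPOCH_RE.sub(_sub, text)


def expand_line_breaks(text):
    """Turn the line-break marker into real newlines for the description field."""
    return text.replace(LINEBREAK_MARKER, "\n")


def prepare_incident_fields(fields):
    """Post-process the field values parsed from the snsecincident command
    before they are handed to the function that calls the ServiceNow API.

    Returns a new dict; the input dict is not modified.
    """
    prepared = {}
    for name, value in fields.items():
        value = format_marked_epochs(value)
        if name == "description":
            value = expand_line_breaks(value)
        prepared[name] = value
    return prepared


if __name__ == "__main__":
    # Constructed sample: what the workflow action would pass after token
    # expansion, using the epoch value seen in the thread's output.
    sample = {
        "short_description": "Blah Alert on host01 at ~1579880590",
        "category": "Splunk Generated Incident",
        "description": "Source: Splunk<br>Rule: example correlation search",
    }
    for key, value in prepare_incident_fields(sample).items():
        print(f"{key}: {value!r}")
```

Two points worth checking before adopting a scheme like this: the marker must be a character that cannot legitimately appear in the field values being passed (hostnames, alert names), otherwise a real value gets rewritten; and the output is in UTC, whereas the `strftime` the original poster tried in SPL would have rendered the time in the search head's configured timezone, so pick one and state it in the incident text.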


13tsavage
Communicator

Have you tried appending the results of your snsecincident search?

If you append the | eval _time part of your search at the end the append will run this 'subsearch' first.

So your search could look like this:

| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "etc, blah"
| append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
And may help resolve your epoch time conversion to the format you desire.

Hope this helps!


adalbor
Builder

Just tried what you suggested but still a no-go 😞

What I have currently:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]

Doesn't appear to run the append because the time field is blank on the resulting search page the workflow opens.

If I click on an event to spawn the incident creation I have the option checked to open the search command workflow in another window to see what it is passing.

After the change you suggested this is what the output is:
| snsecincident short_description "Blah Alert on xxxxxx at " category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]

When everything sorta works this is what that result looks like:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH"


13tsavage
Communicator

Maybe remove the rename _time as Time and switch the token to grab $_time$. If you are not getting any resulting time fields with the rest of the event then there may be something wrong with the token being grabbed and then you rename it.

So maybe try

| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") ]


adalbor
Builder

That unfortunately didn't work either.

Output of search command:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") ]


13tsavage
Communicator

I am working on this. I just got some mock data in epoch time I can try and replicate locally.

13tsavage
Communicator

You may not even need the append to run the search. I just added the | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") to the end of my search and it formatted _time. I am not using a token format. Do you have to use $_time$ to execute the | snsecincident search?


adalbor
Builder

So the reason I have to use $_time$ is because I am passing that as a token to a third party app. Essentially the search command I am providing is the result of a workflow action built into TA-ServiceNow-SecOps. The search command on the backend (snsecincident) runs a script that connects to the ServiceNow Instance and creates a security incident based on the tokens in that search command.


13tsavage
Communicator

Okay. Can you just try adding the | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") to the end of your search?

So your search would be

| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")


adalbor
Builder

It definitely doesn't like having an extra command added to the end. Same results as before, where it ignores that part of the search command.

Output:
| snsecincident short_description "Fireeye HX Alert on xxxxxat 1579880575" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx" description "BLAH BLAH" eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")


13tsavage
Communicator

I wish I could help and try and replicate your environment. Keep trying, maybe see if you can | rex out the epoch time as a new field then eval that? Not sure what else I can suggest.

Hope you can figure it out!

13tsavage


adalbor
Builder

Thanks for all the time you devoted to helping!

Thanks!


adalbor
Builder

Does anyone know if it's possible to create a field alias for _time with it properly formatted?
