Hey All,
I have a workflow action that passes a search string to an external app (ServiceNow) for incident creation. When I use the $_time$ token it uses epoch, not the properly formatted time. I am unable to use an eval in the search string because the first command of the search string must be the ServiceNow parameter to call the script. Anyone have any suggestions how I could pass the properly formatted time?
This is what I have currently:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH"
If I try this before the snsecincident:
| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time
I receive an error that the snsecincident has to be the first command in the string.
Should I create a field alias for _time that is formatted properly and use that? If so how would I go about that?
Thanks!
Hey All,
We finally found a solution to this but it didn't exist within the output search command. We ended up modifying a couple of the python scripts within the ServiceNow Security Operations app to extract the _time based on a special character placed before the string then convert to ISO format then pass back to the function that sent it to the API. We were also able to insert line breaks into the data once it was placed in the Description field of ServiceNow using a similar method.
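The post above describes the working approach only in outline: a marker character placed in front of the epoch value, a script inside the app that converts that value to ISO format before the API call, and a similar marker for line breaks in the Description field. The following Python is an added illustration of that transform and is not code from the TA-ServiceNow-SecOps app or from the poster; the marker strings (`^` and `|br|`) are assumptions, since the thread never names the actual characters, and the field names are the ones visible in the thread's search command.

```python
import re
from datetime import datetime, timezone

# Assumed markers (constructed for this example; the thread only says a
# "special character" was used and does not name it).
TIME_MARKER = "^"        # placed directly before the epoch value in the search string
NEWLINE_MARKER = "|br|"  # placeholder that becomes a real line break in Description

# Only a marker followed by a 9-10 digit epoch (optional fractional part) is
# rewritten, so other numbers in the text are left alone.
EPOCH_RE = re.compile(re.escape(TIME_MARKER) + r"(\d{9,10})(?:\.(\d{1,6}))?")


def epoch_to_iso(epoch_str, frac=None):
    """Convert epoch seconds (plus optional fractional digits) to ISO 8601 in UTC."""
    seconds = int(epoch_str)
    micro = int((frac or "0").ljust(6, "0")[:6])
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=micro)
    return dt.isoformat()


def rewrite_marked_times(text):
    """Replace every marker-prefixed epoch value in text with an ISO timestamp."""
    return EPOCH_RE.sub(lambda m: epoch_to_iso(m.group(1), m.group(2)), text)


def expand_line_breaks(text):
    """Turn the line-break placeholder into a newline for the Description field."""
    return text.replace(NEWLINE_MARKER, "\n")


def prepare_incident_fields(fields):
    """Apply both transforms to the fields the incident command would send to the API.

    Returns a new dict; the caller's dict is not modified.
    """
    out = dict(fields)
    for key in ("short_description", "description"):
        if key in out:
            out[key] = expand_line_breaks(rewrite_marked_times(out[key]))
    return out


if __name__ == "__main__":
    # Constructed sample mirroring the search command in the thread, with the
    # epoch value from the thread's output and the assumed marker in front of it.
    sample = {
        "short_description": "Blah Alert on xxxxx at ^1579880590",
        "category": "Splunk Generated Incident",
        "subcategory": "Security Alert",
        "cmdb_ci": "xxxxx",
        "description": "Source host: xxxxx|br|Destination: yyyyy|br|Seen at ^1579880590",
    }
    for k, v in prepare_incident_fields(sample).items():
        print(f"{k}: {v!r}")
```

The conversion is anchored to the marker so that a plain number elsewhere in the text (an ID, a port, a count) is never mistaken for a timestamp. Because this logic lives in a modified copy of the app's script rather than in the search string, it has to be re-applied and re-tested whenever the app is upgraded.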
Have you tried appending the results of your snsecincident search? If you append the | eval _time part of your search at the end, the append will run this 'subsearch' first.
So your search could look like this:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "etc, blah"
| append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
That may help resolve your epoch time conversion to the format you desire.
Hope this helps!
Just tried what you suggested but still a no-go 😞
What I have currently:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $Time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
Doesn't appear to run the append, because the time field is blank on the resulting search page the workflow opens.
If I click on an event to spawn the incident creation I have the option checked to open the search command workflow in another window to see what it is passing.
After the change you suggested this is what the output is:
| snsecincident short_description "Blah Alert on xxxxxx at " category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") | rename _time as Time ]
When everything sorta works this is what that result looks like:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH"
Maybe remove the rename _time as Time and switch the token to grab $_time$. If you are not getting any resulting time fields with the rest of the event, then there may be something wrong with the token being grabbed before you rename it.
So maybe try:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") ]
That unfortunately didn't work either.
Output of search command:
| snsecincident short_description "Blah Alert on xxxxx at 1579880590" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxx " description "BLAH BLAH" | append [| eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") ]
I am working on this. I just got some mock data in epoch time I can try and replicate locally.
You may not even need the append to run the search. I just added the | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") to the end of my search and it formatted _time. I am not using a token format. Do you have to use $_time$ to execute the | snsecincident search?
So the reason I have to use $_time$ is because I am passing that as a token to a third party app. Essentially the search command I am providing is the result of a workflow action built into TA-ServiceNow-SecOps. The search command on the backend (snsecincident) runs a script that connects to the ServiceNow Instance and creates a security incident based on the tokens in that search command.
Okay. Can you just try adding the | eval _time=strftime(_time,"%Y-%m-%d %H:%M:%S.%3N") to the end of your search? So your search would be:
| snsecincident short_description "$sn_fe_hx_shortdesc$ $sn_fe_ips_shortdesc$ $sn_pa_threat_shortdesc$ $sn_ms_def_shortdesc$ on $sn_fe_hx_srchost$ $sn_fe_ips_dst$ $sn_ms_def_compname$ $sn_pa_threat_src$ at $_time$" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "$sn_fe_hx_srchost$ $sn_ms_def_compname$ $sn_fe_ips_shost$" description "BLAH BLAH" | eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")
It definitely doesn't like having an extra command added to the end. Same results as before, where it ignores that part of the search command.
Output:
| snsecincident short_description "Fireeye HX Alert on xxxxxat 1579880575" category "Splunk Generated Incident" subcategory "Security Alert" cmdb_ci "xxxxxx" description "BLAH BLAH" eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")
I wish I could help and try and replicate your environment. Keep trying, maybe see if you can | rex out the epoch time as a new field then eval that? Not sure what else I can suggest.
Hope you can figure it out!
13tsavage
Thanks for all the time you devoted to helping!
Thanks!
Does anyone know if it's possible to create a field alias for _time with it properly formatted?