I have created a workflow action to send a Notable Event to ServiceNow to create an incident. I am unable to figure out how to resolve nested tokens. For example, if the rule title for the correlation rule is "Host With A Recurring Malware Infection ($signature$ On $dest$)" and I use:
`notable`
| search event_hash=$event_hash$
| eval comments="$rule_title$"
| snowincidentalert
what ends up in ServiceNow is "Host With A Recurring Malware Infection ($signature$ On $dest$)". The signature and dest tokens do not get expanded. How can I tell it to recursively expand any tokens nested inside other tokens?
Try below: you are looking for the command "expandtoken", which will expand tokens.
`notable`
| expandtoken
| search event_hash=$event_hash$
| eval comments="$rule_title$"
| snowincidentalert
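To show what recursive expansion has to do before the value reaches the ServiceNow action, here is an added Python model of the behaviour; it is not Splunk's expandtoken implementation, and the notable event fields and their values are constructed for the example.

```python
import re

# Constructed sample notable event, modelled on the question: the rule title
# still carries $signature$ and $dest$ because those tokens were nested inside
# the $rule_title$ token and only one level of substitution was applied.
NOTABLE = {
    "event_hash": "EXAMPLE_HASH_PLACEHOLDER",  # placeholder, not a real hash
    "rule_title": "Host With A Recurring Malware Infection ($signature$ On $dest$)",
    "signature": "Trojan.GenericKD",
    "dest": "host-1234.example.internal",
}

TOKEN = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def expand(value, fields, max_depth=10):
    """Recursively substitute $name$ tokens using `fields`.

    Unknown tokens are left untouched so the caller can see what did not
    resolve. Substitution stops once a pass changes nothing (fixed point)
    or after max_depth passes, which guards against self-referencing or
    mutually referencing fields such as a="$b$", b="$a$".
    """
    for _ in range(max_depth):
        new_value = TOKEN.sub(lambda m: fields.get(m.group(1), m.group(0)), value)
        if new_value == value:  # nothing left to expand
            return value
        value = new_value
    return value  # depth exhausted; return the partially expanded text


def comments_for_incident(notable):
    """Build the 'comments' value the way the answer's search does, with the
    nested tokens in rule_title resolved before the event is sent on."""
    return expand(notable["rule_title"], notable)


if __name__ == "__main__":
    print(comments_for_incident(NOTABLE))
```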
Thanks, that fixed it.