Splunk Enterprise Security

Using tokens within tokens in Notable Events

hunterar
Engager

I have created a workflow action to send a Notable Event to ServiceNow to create an incident. I am unable to figure out how to resolve nested tokens. For example, if the rule title for the correlation rule is "Host With A Recurring Malware Infection ($signature$ On $dest$)"  and I use:

`notable` 
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

what ends up in ServiceNow is "Host With A Recurring Malware Infection ($signature$ On $dest$)". The signature and dest tokens do not get expanded.  How can I tell it to recursively expand any tokens nested inside other tokens?

 

Labels (1)
0 Karma
1 Solution

thambisetty
SplunkTrust
SplunkTrust

@hunterar 

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

  

————————————
If this helps, give a like below.

View solution in original post

thambisetty
SplunkTrust
SplunkTrust

@hunterar 

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

  

————————————
If this helps, give a like below.

hunterar
Engager

Thanks, that fixed it.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...