Splunk SOAR

Integrating Splunk SOAR with Manage Engine Service Desk Plus

SplunkExplorer1
Observer

I have integrated Splunk SOAR 7.1.0 with ManageEngine ServiceDesk Plus. When using the 'create ticket' action, I am unable to use a custom template; it keeps defaulting to the old template instead.

Could anyone please share a sample JSON payload for creating a ticket with a specific template name? Here is the sample JSON I was passing to the create ticket action in the input fields:
{
    "subject": "Incident Subject",
    "description": "Incident Description",
    "template": {
        "name": "SOAR Test Template"
    }
}

0 Karma

diogofgm
SplunkTrust

I do not have a sample for Service Desk Plus but, based on the docs, your JSON doesn't seem to have any problem. Usually when I need to troubleshoot this kind of integration I use Postman to do the requests, since you can get more details from the API response than you get from the SOAR connector results, since there might be some code logic to handle the response. If you test with Postman and you get the same kind of problem, that rules out SOAR.

From what I saw in the ServiceDesk Plus connector, I don't think the problem is in it since there is no default. It just uses whatever you put in the fields parameter. I would check if you need to include in your JSON the "id" field alongside the "name" nested in the "template".

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

SplunkExplorer1
Observer

Hi @diogofgm ,

Thanks for the reply.

I have verified the JSON via Postman and the SDP REST API, and it works as expected.

One issue: even though my custom template only requires the "subject" field, the "create ticket" action in SOAR keeps demanding all required fields from the default template. It seems to be ignoring the custom template requirements.

I suspect that somewhere in the connector code, the template is being overridden back to the default template, regardless of the inputs provided.

0 Karma

diogofgm
SplunkTrust

I had a look into the code again and I believe there is a bug there. The create ticket function uses another function to handle the query parameters. That function uses a "request_fields" list in consts.py and iterates over it, and "template" is not one of the fields.
These are the fields listed there:

REQUEST_FIELDS = [
    "subject",
    "description",
    "request_type",
    "impact",
    "status",
    "mode",
    "level",
    "urgency",
    "priority",
    "service_category",
    "requester",
    "assets",
    "site",
    "group",
    "technician",
    "category",
    "subcategory",
    "item",
    "email_ids_to_notify",
    "is_fcr",
    "resources",
    "udf_fields",
    "update_reason",
]


The function:

    def get_query_params(self, param):
        request_fields = {}
        for field in consts.REQUEST_FIELDS:
            value = param.get(field, None)
            if value:
                if field in ["udf_fields", "template"]:
                    request_fields[field] = f"{self.format_params(field, value)}"
                elif field not in consts.FIELDS_WITH_NAME or (value[0] == "{" and value[-1] == "}"):
                    request_fields[field] = value
                else:
                    request_fields[field] = {"name": value}
        return {"request": request_fields}

The function itself has a clause to handle the "template" field but since it's not on the request_fields list it does not even get to that point in the code.
This can probably be fixed just by adding "template" in the list.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
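A stand-alone reproduction of the behaviour described in the last reply, added here as an example (it is not the connector's own code): the same filtering loop is run against the field list as quoted and against a list with "template" appended. `format_params` and `FIELDS_WITH_NAME` are stand-ins because their definitions do not appear in the thread, `dropped_fields` is a hypothetical helper, and the field list is abbreviated.

```python
import json

# Abbreviated copy of the list quoted in the thread ("template" is absent).
REQUEST_FIELDS = ["subject", "description", "priority", "udf_fields"]
# Assumption: stand-in for consts.FIELDS_WITH_NAME, which the thread does not show.
FIELDS_WITH_NAME = ["priority"]


def format_params(field, value):
    # Assumption: stand-in for the connector's format_params; parses JSON text.
    return json.loads(value) if isinstance(value, str) else value


def get_query_params(param, request_fields_list):
    """Same filtering loop as the quoted function, with the field list passed in."""
    request_fields = {}
    for field in request_fields_list:
        value = param.get(field)
        if value:
            if field in ["udf_fields", "template"]:
                request_fields[field] = format_params(field, value)
            elif field not in FIELDS_WITH_NAME or (value[0] == "{" and value[-1] == "}"):
                request_fields[field] = value
            else:
                request_fields[field] = {"name": value}
    return {"request": request_fields}


def dropped_fields(param, request_fields_list):
    """Return the action inputs that never reach the outgoing request body."""
    sent = get_query_params(param, request_fields_list)["request"]
    return sorted(k for k, v in param.items() if v and k not in sent)


# Constructed action input mirroring the JSON in the question.
ACTION_INPUT = {
    "subject": "Incident Subject",
    "description": "Incident Description",
    "template": '{"name": "SOAR Test Template"}',
}

if __name__ == "__main__":
    print("list as quoted drops:", dropped_fields(ACTION_INPUT, REQUEST_FIELDS))
    print("with 'template' added:", dropped_fields(ACTION_INPUT, REQUEST_FIELDS + ["template"]))
```

A check like `dropped_fields` is also useful as a regression test for any connector that filters inputs through an allow-list, since silently discarded fields otherwise only show up as unexpected behaviour on the remote system.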