Activity Feed
- Posted Re: splunk validate cluster-bundle throws error "invalid key in stanza [SSL]" when i set useClientSSLCompressi on Splunk Dev. 09-06-2020 05:31 PM
- Posted Re: Can we update splunk drill now URL in alert actions on All Apps and Add-ons. 09-01-2020 08:19 PM
- Posted Re: Manual search commands on All Apps and Add-ons. 09-01-2020 05:19 PM
09-06-2020 05:31 PM
Per the link you provided, useClientSSLCompression is part of the [tcpout] stanza, not the [SSL] stanza: https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/ConfigureSplunkforwardingtousesignedcertificates#Configure_your_indexer_to_use_a_signed_certificates
09-01-2020 08:19 PM
TA-ServiceNow-SecOps/bin/sn_sec_util.py contains the Python code that sets dataMap['external_url'] to "https://<host>:8000/app/search/search" if the external_url value is not set in the dataMap. You could back up this file and hard-code the IP in place of the host, and update the port as required. You could also add this field (or others) via the GUI by modifying TA-ServiceNow-SecOps/default/data/ui/alerts/sn_sec_event_alert.html (and others), specifying a control-group div, and adding the relevant label, controls div, input field and optional help-block span element. Some additional modification may be required to have the external_url field value processed correctly by the associated script(s).
09-01-2020 05:19 PM
Reference documentation available at https://docs.servicenow.com/bundle/kingston-security-management/page/product/secops-integration-splunk-addon/concept/manual-search-commands.html#security-incident

The command needs to be at the beginning of your search, preceded by a pipe character. E.g.

| snsecevent node TESTnode type TESTtype resource TESTresource

You can see the workflow action in Splunk under Fields -> Workflow actions, which shows the equivalent search using placeholders.

Are you able to use the | snowevent or | snowincident commands in the ServiceNow add-on? Reference: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Commandsandscripts

Finally, if you have access, you could try script execution of the TA_ServiceNow_SecOps/bin/sn_sec_event.py per the commands.conf mapping. The relevant parameters are passed into a datamap[] and then to the SNOW REST API.

NB: sn_sec_event_alert.py maps to the actions specified in the alert_actions.conf file, which aligns with the GUI fields in the Security Operations Integration add-on.

Hope that helps.