I have created a workflow action to send a Notable Event to ServiceNow to create an incident. I am unable to figure out how to resolve nested tokens. For example, if the rule title for the correlation rule is "Host With A Recurring Malware Infection ($signature$ On $dest$)" and I use: `notable`
| search event_hash=$event_hash$
| eval comments="$rule_title$"
| snowincidentalert what ends up in ServiceNow is "Host With A Recurring Malware Infection ($signature$ On $dest$)". The signature and dest tokens do not get expanded. How can I tell it to recursively expand any tokens nested inside other tokens?
... View more