Solved: Using tokens within tokens in Notable Events

hunterar · ‎11-25-2020

I have created a workflow action to send a Notable Event to ServiceNow to create an incident. I am unable to figure out how to resolve nested tokens. For example, if the rule title for the correlation rule is "Host With A Recurring Malware Infection ($signature$ On $dest$)" and I use:

`notable` 
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

what ends up in ServiceNow is "Host With A Recurring Malware Infection ($signature$ On $dest$)". The signature and dest tokens do not get expanded. How can I tell it to recursively expand any tokens nested inside other tokens?

thambisetty · ‎11-26-2020

@hunterar

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎11-26-2020

@hunterar

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

————————————
If this helps, give a like below.

hunterar · ‎11-26-2020

Thanks, that fixed it.

Using tokens within tokens in Notable Events

notable event

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?