Solved: Using tokens within tokens in Notable Events

hunterar · ‎11-25-2020

I have created a workflow action to send a Notable Event to ServiceNow to create an incident. I am unable to figure out how to resolve nested tokens. For example, if the rule title for the correlation rule is "Host With A Recurring Malware Infection ($signature$ On $dest$)" and I use:

`notable` 
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

what ends up in ServiceNow is "Host With A Recurring Malware Infection ($signature$ On $dest$)". The signature and dest tokens do not get expanded. How can I tell it to recursively expand any tokens nested inside other tokens?

thambisetty · ‎11-26-2020

@hunterar

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎11-26-2020

@hunterar

try below : you are looking for command "expandtoken" will expand tokens.

`notable` 
| expandtoken
| search event_hash=$event_hash$ 
| eval comments="$rule_title$"
| snowincidentalert

————————————
If this helps, give a like below.

hunterar · ‎11-26-2020

Thanks, that fixed it.

Using tokens within tokens in Notable Events

notable event

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases

Are you a member of the Splunk Community?

Using tokens within tokens in Notable Events

notable event

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

Your summer travels continue with new course releases