Sightings Search Affected users inverted

MattSN
Mega Sage

I am using the Security Incident Splunk Integration to do an Email sighting search and, while it does find the result, it is not updating the Affected Users list. In fact, it is doing the opposite. It is adding nonexistent users/email addresses to the Affected Users list and leaving out the registered email addresses that do exist in the sys_user table.


I keep getting "X users in the search results could not be matched to user names registered in the instance. These users have not been added to the Affected Users list. The user names are: adela.cervantsz@example.com...."


Does anyone know where the logic is that adds Affected Users to a Security Incident?


Example: [screenshot attached to the original post]


MattSN
Mega Sage

I think I found the issue. It looks like there is a bug on line 289 of the SecurityAffectedUserUtils script include. After removing the exclamation mark, it works as expected.

[screenshot attached to the original post]

Mentioning ServiceNow employee @andy_ojha for visibility.
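As an added illustration of the inverted check described in the reply (a constructed example, not the SecurityAffectedUserUtils script include itself; the in-memory sys_user rows, the user names and the helper names are made up), the buggy partition is shown beside the corrected one so the symptom from the original post can be reproduced offline:

```javascript
// Constructed stand-in for a few sys_user rows. The real script include
// would look these up with GlideRecord; here they live in memory so the
// example runs outside the instance.
var SYS_USER = [
  { user_name: "adela.cervantes", email: "adela.cervantes@example.com" },
  { user_name: "bob.lee", email: "bob.lee@example.com" }
];

// Resolve a sighting email to a sys_user row (case-insensitive), or null.
function findUserByEmail(email) {
  var needle = String(email).trim().toLowerCase();
  for (var i = 0; i < SYS_USER.length; i++) {
    if (SYS_USER[i].email.toLowerCase() === needle) return SYS_USER[i];
  }
  return null;
}

// Buggy version: the negated test treats a MISSING user as a match, so
// nonexistent addresses land in Affected Users and real users are reported
// as "could not be matched" (the behaviour the original post describes).
function partitionSightingsBuggy(emails) {
  var affected = [], unmatched = [];
  for (var i = 0; i < emails.length; i++) {
    var user = findUserByEmail(emails[i]);
    if (!user) {               // inverted condition
      affected.push(emails[i]);
    } else {
      unmatched.push(emails[i]);
    }
  }
  return { affected: affected, unmatched: unmatched };
}

// Corrected version: only addresses that resolve to a sys_user row become
// Affected Users; everything else goes into the unmatched message.
function partitionSightingsFixed(emails) {
  var affected = [], unmatched = [];
  for (var i = 0; i < emails.length; i++) {
    var user = findUserByEmail(emails[i]);
    if (user) {
      affected.push(user.user_name);
    } else {
      unmatched.push(emails[i]);
    }
  }
  return { affected: affected, unmatched: unmatched };
}

// Builds the notice quoted in the original post from the unmatched list.
function unmatchedMessage(unmatched) {
  return unmatched.length + " users in the search results could not be matched to user names registered in the instance. These users have not been added to the Affected Users list. The user names are: " + unmatched.join(", ");
}
```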