05-27-2019 03:50 AM
Hi,
I am running a Sighting Search for an IP address in Splunk. I am using the OOB "Sightings Search Configurations" and I have created the same config in Splunk as well, but I am getting a Sighting Search count of 0 in SNOW, while in Splunk we are getting results for that IP address.
If you have any idea, please share it with me.
Thanks,

05-27-2019 07:56 AM
Hey there,
I would suggest checking out the results of a few troubleshooting steps, and then reaching out to HI Support.
1. If you are using Splunk Enterprise (on-premise), confirm that the MID Server you are using has network connectivity to the Splunk Search Head you are targeting for queries (e.g. ICMP Ping Request / Response)
2. Navigate to the following table (paste the table name and add .list to the end of it in the left hand nav): [sn_sec_cmn_integration_capability_implementation]
- Look for a record where the "Capability" is Sightings Search, and the "Name" corresponds to the name you entered for your Splunk Incident Enrichment config.
- Open this record
- Check to ensure the "Integration" value is not blank
3. After you manually trigger a Sighting Search for an IP Observable -> check out the Workflow Context that is associated to that record.
- Take note of the SIR Record Number
- Navigate to Workflow | All Contexts
- Look for a record here where the "Related Record" is the SIR Record Number and "Workflow Version" is Security Operations - Splunk Sighting Search
- Review the Tabs / Sections below (Workflow Activity History) and (Workflow Log)
- Check for any MID Server errors such as:
  - DNS Lookup Failure (of MID Server hostname or Splunk URL)
  - Authentication error for Splunk
4. If you have multiple MID Servers configured on this ServiceNow instance, you may need to set the DNS to IP address relationship manually.
- In this case, you can follow the recommendations from KB0678107 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0678107)
5. In your Splunk Search Head that you are targeting queries against, you can check to see if the queries are making it over to the Search Head by searching for the following (adjust as needed):
- Look for the queries you are attempting based on the user account or even the IP Observable
- index=_audit action=search search=* | table _time,user,search
6. If you still do not get a win at this point -> Open a HI Support Ticket
As a side-note, you should adjust the Splunk Sighting Search queries for increased efficiency, and at a minimum specify one or more index, source, sourcetype values in your query.
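As an added illustration of step 5 (not part of the answer above), the `_audit` search can be narrowed so that it only returns searches issued by the ServiceNow integration account and containing the observable you triggered. The account name `svc_servicenow` and the observable `203.0.113.5` are assumed placeholder values; substitute the user configured in the Splunk Incident Enrichment card and the IP you tested with.

```spl
index=_audit action=search info=granted
    user="svc_servicenow" search="*203.0.113.5*"
| table _time, user, search_id, search
| sort - _time
```

If this returns nothing while the unfiltered audit search does, the query never reached the Search Head under that account (MID Server connectivity or credentials, per steps 1 and 3). If it returns rows, compare the `search` column with the query you expect: a Sighting Search that arrives but with the observable not substituted, or without the index scoping from your configuration, explains a count of 0 on the ServiceNow side while the same search run by hand in Splunk returns results.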

11-27-2019 12:27 PM
I'm getting the following error on the workflow
"Probe parameter value cannot be NULL for link_base_url"
It's not a required field and I assumed the script would take care of not sending empty strings over to the probe?
05-04-2021 04:03 AM
Hi Andy,
I know this is an old post, but I am having some issues making this sighting search integration work.
I enabled the Splunk search integration for Security Operations plugin first, and then I got the Splunk Incident Enrichment card in the Integration Configurations module after the plugin activation.
I entered the Splunk API URL, link URL, username and password, along with the right MID Server, which was given by the Splunk team.
I have configured sighting search queries with the custom search query given by the Splunk team.
Since our instance is domain separated, we have configured this integration and the sighting search queries in a particular domain.
When I open any existing security incident, select observables in the related list and click on running a sighting search, I get an error in the activity stream: "no search queries found".
But the search query is also configured on the Splunk side with the same name which I have configured in ServiceNow.
When I check Workflow > All Contexts I see only one workflow getting triggered against the target record, that is "Security Operations Integration - Sightings Search", but not "Security Operations Integration - Sightings Search".
Could you please help me with the error and why this second workflow is not triggering.
Thanks

05-28-2019 06:28 AM
I'm not a Splunk expert but we have some on staff. I know that you need to either change the default indices the account in Splunk is searching, or you need to alter the "Search" field in your screenshot to be more targeted.
Here is an example of our IP query:
(index=exfw TERM(src=${observable}) OR TERM(dst=${observable})) OR
(index=dns TERM(${observable})) OR
(index=clientfw TERM(csip=${observable}) OR TERM(cdip=${observable})) OR
(index=ddos TERM(${observable})) OR
(index=web TERM(${observable})) OR
(index=loadb TERM(*${observable}*)) OR
(index=emailgateway TERM(ip=${observable}) OR TERM(lip=${observable}) OR TERM(hops-ip=${observable}) OR TERM(ip4:${observable}*)) OR
(index=proxy TERM(serverip=${observable}))
You'll need to alter the query to fit your organization and indices.
vv I hope you found this helpful vv