‎05-27-2019 03:50 AM
Hi,
I am running a Sighting Search for an IP address in Splunk. I am using the OOB "Sightings Search Configurations" and have created the same config in Splunk as well, but I am getting a Sighting Search count of 0 in SNOW, while in Splunk we are getting results for that IP address.
If you have any ideas, please share them with me.
Thanks,

‎05-27-2019 07:56 AM
Hey there,
I would suggest checking out the results of a few troubleshooting steps, and then reaching out to HI Support.
1. If you are using Splunk Enterprise (on-premise), confirm that the MID Server you are using has network connectivity to the Splunk Search Head you are targeting for queries (e.g. ICMP Ping Request / Response)
2. Navigate to the following table (paste the table name and add .list to the end of it in the left hand nav): [sn_sec_cmn_integration_capability_implementation]
- Look for a record where the "Capability" is Sightings Search, and the "Name" corresponds to the name you entered for your Splunk Incident Enrichment config.
- Open this record
- Check to ensure the "Integration" value is not blank
3. After you manually trigger a Sighting Search for an IP Observable -> check out the Workflow Context that is associated with that record.
- Take note of the SIR Record Number
- Navigate to Workflow | All Contexts
- Look for a record here where the "Related Record" is the SIR Record Number and "Workflow Version" is Security Operations - Splunk Sighting Search
- Review the Tabs / Sections below (Workflow Activity History) and (Workflow Log)
- Check for any MID Server errors such as:
- DNS Lookup Failure (of MID Server hostname or Splunk URL)
- Authentication error for Splunk
4. If you have multiple MID Servers configured on this ServiceNow instance, you may need to set the DNS to IP address relationship manually.
- In this case, you can follow the recommendations from KB0678107 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0678107)
5. In your Splunk Search Head that you are targeting queries against, you can check to see if the queries are making it over to the Search Head by searching for the following (adjust as needed):
- Look for the queries you are attempting, based on the user account or even the IP Observable
- index=_audit action=search search=* | table _time,user,search
6. If you still do not get a win at this point -> open a HI Support ticket.
As a side-note, you should adjust your Splunk Sighting Search queries for increased efficiency and, at a minimum, specify one or more index, source, or sourcetype values in each query.
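As an added example (not code from the thread, from ServiceNow, or from Splunk), the checks in steps 1, 3, 4 and 5 above can be exercised from the MID Server host directly, taking ServiceNow out of the picture: resolve the search head's hostname, open a TCP connection to the Splunk management port, authenticate and run the sighting query as a one-shot search through Splunk's REST API (POST /services/search/jobs with exec_mode=oneshot), and lint the query for the missing index/source/sourcetype scoping the side-note warns about. The hostname, credentials, the `${observable}` placeholder convention and the sample responses are all constructed for this script; they are not ServiceNow's configuration or template syntax.

```python
# Added example, not part of the original thread or of ServiceNow/Splunk code.
# Run on the MID Server host to reproduce the path a Sighting Search takes:
# DNS -> TCP 8089 -> REST auth -> one-shot search. Names below are placeholders.
import base64
import json
import re
import socket
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class SplunkTarget:
    host: str                 # search head hostname exactly as entered in the ServiceNow config
    port: int = 8089          # Splunk management (REST) port, not the 8000 web UI port
    user: str = ""
    password: str = ""
    verify_tls: bool = True   # set False only for a self-signed lab certificate


def check_dns(host, resolver=socket.gethostbyname):
    """Steps 3/4: can this host resolve the Splunk hostname? Returns the IP or None.
    `resolver` is injectable so the check can be unit-tested offline."""
    try:
        return resolver(host)
    except OSError:
        return None


def check_tcp(host, port, timeout=5.0, connector=socket.create_connection):
    """Step 1: connectivity to the search head. A TCP connect on the REST port is a
    better signal than ICMP, which firewalls frequently drop."""
    try:
        with connector((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def oneshot_search(target, spl, opener=None):
    """Run `spl` as a one-shot search and return the result rows. A wrong password
    surfaces as urllib.error.HTTPError 401, the 'Authentication error for Splunk'
    case from the workflow log."""
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl            # the REST API needs the leading 'search' command
    body = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}).encode()
    req = urllib.request.Request(
        f"https://{target.host}:{target.port}/services/search/jobs", data=body, method="POST")
    token = base64.b64encode(f"{target.user}:{target.password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    if opener is None:
        ctx = ssl.create_default_context()
        if not target.verify_tls:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        opener = lambda r: urllib.request.urlopen(r, context=ctx, timeout=30).read()
    return json.loads(opener(req)).get("results", [])


def scoped_query_problems(spl):
    """The side-note: a sighting query should name at least one index/source/sourcetype.
    Returns a list of problems; an empty list means the query is acceptably scoped."""
    problems = []
    if not re.search(r"\b(index|source|sourcetype)\s*=", spl):
        problems.append("query names no index, source or sourcetype")
    if re.search(r"\bindex\s*=\s*\*", spl):
        problems.append("index=* scans every index and is likely to time out in the MID Server")
    return problems


def audit_query(observable, lookback="-24h"):
    """Step 5, narrowed to audit events that mention the observable, so you can tell
    whether the ServiceNow service account's query reached this search head at all."""
    return (f'index=_audit action=search earliest={lookback} search="*{observable}*" '
            f"| table _time,user,search")


def run_preflight(target, sighting_spl, observable, **fakes):
    """Chain the checks and return a report dict (asserted on in tests, logged in use).
    `${observable}` is this script's own placeholder, not ServiceNow's template syntax."""
    report = {"dns": check_dns(target.host, **fakes.get("dns", {})),
              "query_problems": scoped_query_problems(sighting_spl)}
    report["tcp"] = bool(report["dns"]) and check_tcp(target.host, target.port, **fakes.get("tcp", {}))
    if report["tcp"]:
        spl = sighting_spl.replace("${observable}", observable)
        report["result_count"] = len(oneshot_search(target, spl, **fakes.get("rest", {})))
    else:
        report["result_count"] = None     # no point running the search if we cannot reach the host
    return report


if __name__ == "__main__":
    tgt = SplunkTarget("splunk-sh.example.internal", user="svc_snow", password="redacted")
    print(json.dumps(run_preflight(tgt, 'index=firewall src_ip="${observable}"', "203.0.113.7"), indent=2))
```

If `dns` comes back None while the search head resolves fine from your workstation, the MID Server's resolver (or a missing hosts entry, per step 4) is the problem; if `tcp` is False the MID Server cannot reach port 8089; if the one-shot search raises a 401 the credentials in the ServiceNow config are wrong; and if `result_count` is positive here but ServiceNow still shows 0, the fault is on the ServiceNow side of the integration rather than in Splunk or the network.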
‎04-06-2020 08:32 AM
Hello - I know that this post is old, but I ran into the exact same issue. What I found out is that the Link URL field in the Splunk Incident Enrichment configuration has to be set. The documentation indicates that this is an optional field; however, when I did not have this entered I got zero results returned. When it was entered, it returned results. Not sure if that is an app bug or if that is by design. Regardless, at the moment the documentation is incorrect in that it says that field is optional.