IBM QRadar SOAR

  • 1.  Service Now (SNOW) Comment update issue

    Posted Sat May 09, 2020 11:37 AM
    Recently we updated to v35; after the update we are facing a strange issue in the Service Now integration.
    We can create a SNOW ticket from Resilient, but we are not able to update comments or attachments; doing so gives the exception below:

    2020-05-09 17:09:12,933 INFO [snow_note_actions] Nothing to do.  This incident/task is not linked to ServiceNow.

    While debugging I found that all inputs, like the incident ID and task ID, are collected properly, but
    dt_rows = self.datatable.find_rows_for_incident(inc_id)
    does not return any rows.
    Is this a Resilient problem or a SNOW problem? Why does dt_rows come back empty?

    Here is the complete script:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-

    """Circuits component for Resilient Action Module message handling"""

    import json
    import logging
    from circuits.core.handlers import handler
    from resilient_circuits.actions_component import ResilientComponent, ActionMessage
    from snow_actions import CreateServiceNowNote
    from rc_servicenow.lib.datatable import IntegrationDataTable
    import rc_servicenow.lib.snow_config as cfg

    LOG = logging.getLogger(__name__)

    # Custom actions for ServiceNow integration


    class ServiceNowNoteActions(ResilientComponent):
        """Custom Action handling for Notes to ServiceNow"""

        def __init__(self, opts):
            super(ServiceNowNoteActions, self).__init__(opts)
            self.options = opts.get(cfg.CONFIG_SECTION, {})
            self.channel = "actions." + self.options.get(cfg.CONFIG_QUEUE.key, cfg.CONFIG_QUEUE.default)

            self.template_dir = self.options.get(cfg.CONFIG_TEMPLATE_DIR.key, cfg.CONFIG_TEMPLATE_DIR.default)
            self.datatable_name = self.options.get(cfg.CONFIG_DATATABLE.key, cfg.CONFIG_DATATABLE.default)
            self.datatable = IntegrationDataTable(self, table_name=self.datatable_name, system_name="ServiceNow")

        @handler("note_to_servicenow", "work_note_to_servicenow", "comment_to_servicenow")
        def _note_function(self, event, source=None, headers=None, message=None):
            """
            Action: Note to ServiceNow
            Automatic
            Note action
            Condition: (none)

            There are two use cases:
            - Notes added to an incident that has a linked ServiceNow ticket.
            - Notes added to a task that has a linked ServiceNow ticket.

            Send to the linked ticket as a work-log entry.
            (We don't make a record of sync in the incident).
            Any failure is just recorded in the action log (visible under Action Status).
            """
            assert isinstance(event, ActionMessage)
            client = self.rest_client()
            if message["user"]["id"] == client.user_id:
                msg = "To prevent loops, action from self is ignored."
                LOG.warn(msg)
                return msg

            if event.defer(self, delay=3):
                # OK, let's handle it later
                return

            incident = message["incident"]
            inc_id = incident["id"]
            note = message.get("note", None)
            if note is None:
                msg = u"Action '{}' expects to be triggered from a Note".format(event.name)
                raise Exception(msg)

            # Is this a task-note? If so, the note contains the task id
            note_id = note.get("id")
            task_id = note.get("task_id", None)

            if task_id is None:
                dt_rows = self.datatable.find_rows_for_incident(inc_id)
                note_url = "/incidents/{0}/comments/{1}?text_content_output_format=always_text&handle_format=names".format(inc_id, note_id)
            else:
                dt_rows = self.datatable.find_rows_for_task(inc_id, task_id)
                note_url = "/tasks/{0}/comments/{1}?text_content_output_format=always_text&handle_format=names".format(task_id, note_id)

            # Verify that the task or incident is linked to ServiceNow (in the datatable)
            if len(dt_rows) == 0:
                LOG.info("Nothing to do. This incident/task is not linked to ServiceNow.")
                return

            ref_id = self.datatable.cell(dt_rows[0], self.datatable.DATATABLE_REF_ID_FIELD)

            # The action message has richtext, but we want plaintext
            # Fetch note from the Resilient server (better than trying strip tags here)
            plain_note = client.get(note_url, co3_context_token=event.context)
            LOG.debug(json.dumps(plain_note))

            # Construct mapdata dictionary that will be mapped to the new ServiceNow note
            mapdata = event.message
            mapdata["action"] = event.name
            mapdata["note"] = plain_note

            # Send the note to ServiceNow
            self.fire(CreateServiceNowNote(incident_id=inc_id, ticket_number=ref_id, mapdata=mapdata))


    ------------------------------
    Dastagirsab Mulla
    ------------------------------



  • 2.  RE: Service Now (SNOW) Comment update issue

    Posted Wed May 13, 2020 05:30 AM
    You should open a support ticket if this occurs on multiple incidents

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------