I opened a support case, but they considered this 'best practice' not 'break/fix' and referred me here, but here goes nothing.
1) we are mapping events from a security product to splunk, when conditions are met, we use the QRadar SOAR app for Splunk to send events to SOAR and map certain fields.
2) I send an Active Directory username to SOAR in a certain field, then I run a script to populate it into a new row in the Contacts table.
3) I have a workflow already in place that queries our Service Now to populate more information about the user - their email, manager, etc.
4) This workflow kicks off automatically if we add username to the contacts table manually, BUT is not kicking off when the incident is created by splunk and the script runs to populate the username into the contacts table.
Does anyone have any thoughts on why this may not be happening as I am expecting?
Thanks, Chris
------------------------------
Christopher Shearer
------------------------------