Adapt and Tune: Adapt Macros

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Adapt macros

A macro is defined in a configuration file called macros.conf, usually bundled with a Splunk application. Most of the macros that come predefined by Recorded Future are made to handle the JSON objects returned by the Recorded Future Connect API. However, there is one macro called 'rf_hits' that might need some configuration by the user for the correlation dashboards to work correctly.

    # The stanza name is the macro name plus its argument count: rf_hits takes one argument.
    [rf_hits(1)]
    # $infield$ is the field that holds the indicator to check (an IP address for this lookup).
    args = infield
    definition = dedup $infield$ \
    | lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
    | search RF_Hit=* \
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    # The definition is a search fragment, not an eval expression.
    iseval = 0

It is the fourth row of the stanza, the 'lookup' against 'rf_ip_threatfeed', that might need some customisation so that the macro uses the correct threat list.
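As an added example, not taken from the Recorded Future documentation, this is what a customised copy of the stanza looks like once it is pointed at a different threat list. The lookup name 'rf_custom_threatfeed' is a placeholder for whichever threat list lookup you actually want to correlate against; the rest of the stanza is unchanged so that the fields the later rows and the dashboards depend on are still produced.

```ini
# Added example (placeholder lookup name), not the app's shipped macros.conf.
# Put this override in the app's local/macros.conf rather than editing
# default/macros.conf, so an upgrade of the app does not overwrite it.
[rf_hits(1)]
args = infield
# Only the lookup name changes; Name must still be the column that holds the
# indicator, and RF_Hit, Risk, RiskString and EvidenceDetails must still be
# output, because the eval rows below and the correlation dashboards rely on them.
definition = dedup $infield$ \
| lookup rf_custom_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
| search RF_Hit=* \
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
iseval = 0
```

Before relying on the change, confirm that the lookup exists and has the expected columns with a search such as | inputlookup rf_custom_threatfeed | head 5 (Name and EvidenceDetails should be present). The macro is then called from a search as | `rf_hits(dest_ip)`, where dest_ip is whatever field in your events holds the indicator; if the lookup's Name column contains domains rather than IP addresses, the field you pass in has to contain domains as well, or RF_Hit will never be populated and the search RF_Hit=* row will silently drop every event.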

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".


This content is confidential. Downloading or distributing this content is in violation of your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.