Adapt and Tune: Adapt Macros

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Adapt macros

A macro is defined in a configuration file called macros.conf, usually bundled with a Splunk application. Most of the macros that Recorded Future predefines are made to handle the JSON objects returned by the Recorded Future Connect API. However, there is one macro, 'rf_hits', that may need some configuration by the user for the correlation dashboards to work correctly.

    [rf_hits(1)]
    args = infield
    definition = dedup $infield$ \
    | lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
    | search RF_Hit=* \
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    iseval = 0

It is the fourth row, the 'lookup' line, that may need customising so that it references the correct threat list.
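To make the pipeline in the stanza concrete, the following is an added Python re-implementation of what rf_hits(1) does to a set of events; it is illustrative code written for this page, not code from the Recorded Future app. The lookup rows and the events are constructed sample data, and the layout of the EvidenceDetails JSON (an "EvidenceDetails" array of objects with "Rule" and "EvidenceString" keys) is assumed from the spath paths used in the macro.

```python
import json
from typing import Dict, Iterable, List

# Constructed stand-in for the rf_ip_threatfeed lookup: Name -> output fields.
# Field names come from the macro on this page; the values are made up.
RF_IP_THREATFEED: Dict[str, dict] = {
    "203.0.113.5": {
        "Risk": 89,
        "RiskString": "2/50",
        "EvidenceDetails": json.dumps({"EvidenceDetails": [
            {"Rule": "Current C&C Server", "EvidenceString": "Seen as C&C by 1 source."},
            {"Rule": "Recent Malware Analysis DNS Name", "EvidenceString": "Resolved by 3 samples."},
        ]}),
    },
}

# Constructed sample events, as a search such as `index=fw | `rf_hits(src_ip)`` would feed them.
SAMPLE_EVENTS: List[dict] = [
    {"src_ip": "203.0.113.5", "dest_port": 443},
    {"src_ip": "203.0.113.5", "dest_port": 8443},   # duplicate value, dropped by dedup
    {"src_ip": "192.0.2.10", "dest_port": 22},      # no lookup match, dropped by RF_Hit=*
]


def spath_array(json_text: str, key: str) -> List[str]:
    """Mimic spath(EvidenceDetails, "EvidenceDetails{}.<key>"): one value per array element."""
    return [item[key] for item in json.loads(json_text).get("EvidenceDetails", [])]


def rf_hits(events: Iterable[dict], infield: str, lookup: Dict[str, dict] = RF_IP_THREATFEED) -> List[dict]:
    """Apply the rf_hits(1) pipeline: dedup infield, lookup, keep hits, extract evidence."""
    seen = set()
    hits = []
    for event in events:
        value = event.get(infield)
        if value is None or value in seen:   # dedup $infield$ keeps the first event per value
            continue
        seen.add(value)
        match = lookup.get(value)            # lookup ... Name as $infield$
        if match is None:                    # search RF_Hit=* keeps only matched events
            continue
        enriched = dict(event)
        enriched["RF_Hit"] = value           # OUTPUT Name as RF_Hit
        enriched["Risk"] = match["Risk"]
        enriched["RiskString"] = match["RiskString"]
        enriched["EvidenceDetails"] = match["EvidenceDetails"]
        enriched["Rule"] = spath_array(match["EvidenceDetails"], "Rule")
        enriched["EvidenceString"] = spath_array(match["EvidenceDetails"], "EvidenceString")
        hits.append(enriched)
    return hits
```

Running rf_hits(SAMPLE_EVENTS, "src_ip") returns a single enriched event for 203.0.113.5 with a multivalue Rule list, which is the shape the correlation dashboards consume.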

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice.  If you do not know who that is, you can also contact support@recordedfuture.com.

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.