Adapt and Tune: Adapt Macros

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Adapt macros

A macro is defined in a configuration file called macros.conf, usually bundled with a Splunk app. Most of the macros that Recorded Future ships predefined handle the JSON objects returned by the Recorded Future Connect API. However, one macro, 'rf_hits', may need some configuration by the user for the correlation dashboards to work correctly.

    [rf_hits(1)]
    args = infield
    definition = dedup $infield$ \
    | lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
    | search RF_Hit=* \
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    iseval = 0

It is the fourth row, the line beginning '| lookup rf_ip_threatfeed', that might need customisation so that the macro references the correct threat list.
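As an added example (not part of the Recorded Future app or this article), the following Python script parses a macros.conf stanza, expands the 'rf_hits' macro the way Splunk substitutes the $infield$ argument, and reports which lookup table the expanded search references. This lets an administrator confirm which threat list the fourth row points at before relying on the correlation dashboards. The stanza text is a constructed copy of the one shown above, the field name src_ip is an assumed example, and the parser is a simplified one that only handles stanza headers, key = value lines and backslash line continuation.

```python
import re

# Constructed sample of the macros.conf stanza shown in the article (not the app's shipped file).
MACROS_CONF = """\
[rf_hits(1)]
args = infield
definition = dedup $infield$ \\
| lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \\
| search RF_Hit=* \\
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \\
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
iseval = 0
"""


def parse_macros_conf(text):
    """Parse macros.conf text into {stanza: {key: value}}.

    A trailing backslash continues the value on the next line, so the
    multi-line 'definition' above becomes one logical line first.
    Simplified parser: no comments inside values, no escaping rules beyond this.
    """
    logical_lines = []
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]          # drop the backslash, keep accumulating
            continue
        buf += raw
        logical_lines.append(buf)
        buf = ""
    if buf:
        logical_lines.append(buf)

    stanzas = {}
    current = None
    for line in logical_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def expand_macro(stanzas, name, *actual_args):
    """Expand `name(arg, ...)` by substituting $formal$ tokens in the definition.

    Splunk keys the stanza as name(arity), e.g. rf_hits(1).
    """
    stanza = stanzas[f"{name}({len(actual_args)})"]
    formal = [a.strip() for a in stanza["args"].split(",")]
    definition = stanza["definition"]
    for f, a in zip(formal, actual_args):
        definition = definition.replace(f"${f}$", a)
    return re.sub(r"\s+", " ", definition).strip()


def lookup_tables(spl):
    """Return the lookup table names referenced by '| lookup <name> ...' in an SPL string."""
    return re.findall(r"\|\s*lookup\s+(\S+)", spl)


def uses_threat_list(stanzas, expected_table):
    """True if rf_hits references the threat list the administrator intends."""
    spl = expand_macro(stanzas, "rf_hits", "placeholder_field")
    return expected_table in lookup_tables(spl)


if __name__ == "__main__":
    stanzas = parse_macros_conf(MACROS_CONF)
    # Assumed usage: a search passing the src_ip field into the macro.
    expanded = expand_macro(stanzas, "rf_hits", "src_ip")
    print("index=firewall | `rf_hits(src_ip)` expands to:")
    print("index=firewall | " + expanded)
    print("lookup tables referenced:", lookup_tables(expanded))
    print("uses rf_ip_threatfeed:", uses_threat_list(stanzas, "rf_ip_threatfeed"))
```

Point the script at the app's own macros.conf (local overrides the default copy) and compare the reported lookup table with the threat list you intend the correlation dashboards to use; if they differ, the fourth row of the stanza is the line to change.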

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice.  If you do not know who that is, you can also contact [email protected]

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.