Perform GET or POST action depending on table valu...

Dworsnop · ‎10-14-2020

Hi all. I am generating a dashboard table containing possible indicators of compromise observed on a network. Included in the search that generates the table is...

| eval ActionText=if('model'="Watchlisted domain","Check on Virus Total",(mvappend("Check on Virus Total","Add to Watchlist")))

Along with the rest of the search I end up with a table like this...

... | IoC | ... | model | ActionText | ... | ...

-------------------------------------------------------------------------------------

... | <domain> | ... | Watchlisted domain | Check on Virus Total | ... | ...

... | <domain> | ... | Suspicious domain | Check on Virus Total | ... | ...

Add to Watchlist

... | <domain> | ... | Watchlisted domain | Check on Virus Total | ... | ...

I would like to configure a drilldown so that clicking on "Check on Virus Total" in the table will perform a GET request using the IoC field as a token, and a POST action to an internal API when I click on "Add to Watchlist", again using the IoC from the corresponding row/event.

Any ideas for a starting point?

Perform GET or POST action depending on table value

drilldown

simple XML

table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!