I've done quite a bit of research on this top and I've found this post from a few years ago which references George Starcher's blog post about it. I've gotten quite a ways into it but I've ran into an issue using my new search macro in the "Incident Review - Main" search.
Below are the steps I've completed so far.
vtpositives(1)
right before the risk_correlation
field that is currently last. I have tried both with the (1) and without it. I know that the "query" field populates correctly within the notable event and the VirusTotal results.Once I go to click on the notable events, the page is 100% blank. It does not like my macro at all and prevents any search results from coming up. So my real question is how do I get the positives field out of my search macro and into the notable event?
For some reason my URLs are not working above so here they are.
- https://answers.splunk.com/answers/481995/splunk-enterprise-security-how-to-add-fields-to-no.html?ut...
- http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/