Splunk Enterprise Security

Add Adaptive Response fields to Notable Event

ericl42
Path Finder

I've done quite a bit of research on this topic and I've found this post from a few years ago which references George Starcher's blog post about it. I've gotten quite a ways into it but I've run into an issue using my new search macro in the "Incident Review - Main" search.

Below are the steps I've completed so far.

  1. Created a VirusTotal Adaptive Response Action that auto queries the domain of the notable event. This is working very well and I can get the results if I click on my VT notable event.
  2. I created a vtpositives(1) macro that looks like this (I know it's not best practices for some of my search items, this is just a dev system):
     search index=_* OR index=* VirusTotal "queried url" $query$ source!=audittrail | table positives
  3. When I run the macro from a search and input the URL, it shows the number of positive hits that VirusTotal shows, which is the field I want to show up in additional fields under the notable event.
  4. I modified the "Incident Review - Main" search to add vtpositives(1) right before the risk_correlation field that is currently last. I have tried both with the (1) and without it. I know that the "query" field populates correctly within the notable event and the VirusTotal results.

Once I go to click on the notable events, the page is 100% blank. It does not like my macro at all and prevents any search results from coming up. So my real question is how do I get the positives field out of my search macro and into the notable event?

For some reason my URLs are not working above so here they are.
- https://answers.splunk.com/answers/481995/splunk-enterprise-security-how-to-add-fields-to-no.html?ut...
- http://www.georgestarcher.com/splunk-enterprise-security-enhancing-incident-review/

0 Karma
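As an added illustration (not part of the original post, of George Starcher's write-up, or of Splunk ES itself) of two ways a macro like the one above can be written, the macros.conf below is constructed for this example; the `vt_enrich` macro name and the `vt_positives` field name are assumptions, and it assumes, as the post states, that both the notable event and the VirusTotal result events carry a `query` field. The first stanza expands to a generating `search` command, which only works at the head of a search; the second is written as a pipeline stage that left-joins the VirusTotal count onto whatever events are already in the pipeline, which is the shape a macro needs when it is dropped into an existing search after other commands.

```ini
# macros.conf (constructed example, not the macro from the post or Splunk ES's own)

# Pattern 1: expands to a generating search. Valid only as the first command of a
# search. Placed after a "|" in another search it expands to "... | search index=...",
# where "search" merely filters the events already in the pipeline, and the trailing
# "| table positives" then keeps only that one column, dropping the notable's fields.
[vtpositives(1)]
args = query
definition = search index=_* OR index=* VirusTotal "queried url" $query$ source!=audittrail | table positives

# Pattern 2: written as a pipeline stage. Keeps every incoming notable event and
# adds vt_positives from the latest VirusTotal result whose "query" matches the
# event's "query" field (hypothetical macro and field names).
# Usage:  ... | `vt_enrich` | ...
[vt_enrich]
definition = join type=left query [ search index=* VirusTotal "queried url" source!=audittrail | stats latest(positives) AS vt_positives BY query ]
```

The `join` form keeps the rest of the pipeline intact, but its subsearch is subject to Splunk's subsearch result and time limits, so on a busy instance the same enrichment is more robustly done by writing the VirusTotal results to a KV store or CSV lookup and using `lookup` in the Incident Review search instead.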