I have a drop-down menu with all of the rule names that appear in the events. Some of those have been mapped in a lookup table and tailored to the needs of the company. For the others, I would need to display different information.
The base search is as follows (search id:base_search):
Please note that the True and False were just tests to make sure that I get what I expect to receive, which I do.
What I want to do next, is for the events that return a True value, perform a certain secondary search passing the threat_name to it because it needs the threat_name to process further.
This is an example of my secondary search if the first one returns true (search id:defined_filter):
For those that return false I need another secondary search. I guess I'm stuck at how to either nest or call the secondary search based on the results of the base_search and pass it the threat_name so I can create panels based on the results of each case.