Splunk Enterprise Security

Resilient-Add on - pre populate fields


How would I go about pre-populating the fields from splunk (ex. $name$) to the resilient action/app and have this set as default when an action is invoked manually? In this case I would like for specific fields to be pre-populated with Splunk data when a user click on this action. I've seen this setup prior, but I am not familiar with the process on how to setup (I know you can do this through the correlation search, but the action is being performed manually from Incident Review on a notable event). Would this be something that needs to be adjusted in one of the .conf files or can it be done through the UI?

0 Karma