Hi Splunkers, I'm trying to send one Splunk Cloud instance alerts to a Cortex XSOAR one. The guide I'm following is the following one: Splunk py for NON ES users. Due we have not Enterprise Security...
See more...
Hi Splunkers, I'm trying to send one Splunk Cloud instance alerts to a Cortex XSOAR one. The guide I'm following is the following one: Splunk py for NON ES users. Due we have not Enterprise Security, I must follow steps described in section Splunk non-Enterprise Security Users.
Following this guide, what makes me a bit confused is step 4; they states only to create a macro to capture fields saved on a local file, but no indication on how to achieve this. I mean: I know I can put in macro code I want to reuse in more alerts, for example reuse the same where conditions in multiple different rules, but how should be the syntax to achieve what the guide states?
For example, if following step 2 and 3 I got the following field list:
list(field) Blade, ReachedPorts, count, dst_ip, earliest_timestamp, latest_timestamp, src_ip, src_user, total_dst_port,
what code should I put on macro to "capture" them? Should I simply put fields list in macro code?