Hi,
I am using a third-party tool to get information about different indicators of compromise (e.g. domains).
I am getting data from that tool through a REST API.
What I'm trying to do is to enrich the events from our proxy server with the information provided by this API.
index=proxy category="Malware"
| join domain type=left [| rest splunk_server=local /services/3rdpartytool/lookup_domain/$domain$ fields="entity,risk" | rename entity.name as domain]
| table domain, src_ip, risk.score
Where it fails is when passing the $domain$ variable to the rest subsearch:
Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/3rdpartytool/lookup_domain/$domain$
I tried the other way around, with the same result:
| rest splunk_server=local /services/3rdpartytool/lookup_domain/$domain$ fields="entity,risk"
| rename entity.name as domain
| join domain [search index=proxy category="Malware"]
| table domain, src_ip, risk.score
domain and src_ip are returned by the index=proxy... search while risk.score is returned by the rest search.
So, the way I want this to work is:
if a user accessed a domain categorized as Malware by the proxy server
then attach the risk.score for the respective domain provided by the 3rd party tool
Any idea on how to achieve this?
Thank you.
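Added example, not from the original post or from the third-party tool: `| rest` runs once and does not substitute a per-event `$domain$` inside a `join` subsearch, so one way to get a per-domain lookup is a Splunk external lookup script driven by `| lookup`. Everything below is an assumption modelled on the question: the endpoint path, a JSON body of the form `{"entity": {"name": ...}, "risk": {"score": ...}}`, the stanza name `domain_risk`, the output field `risk_score`, and a session key supplied in `SPLUNK_SESSION_KEY`. The security point a practitioner would want here is that the domain comes from proxy logs, i.e. from attacker-influenced data, and is spliced into a URL path: the script validates it as a hostname and percent-encodes it before it can form a path segment.

```python
#!/usr/bin/env python3
"""External lookup script (hypothetical): fill risk_score for each domain.

Splunk invokes an external lookup as  script.py <field> <field> ...  with CSV
rows on stdin and expects the same rows on stdout, output fields filled in.
Assumed transforms.conf stanza (illustrative names):
    [domain_risk]
    external_cmd = lookup_domain_risk.py domain risk_score
    fields_list  = domain, risk_score
Assumed endpoint and response shape (modelled on the question, not verified):
    GET https://127.0.0.1:8089/services/3rdpartytool/lookup_domain/<domain>?output_mode=json
    -> {"entity": {"name": "<domain>"}, "risk": {"score": 72}}
"""
import csv
import json
import os
import re
import ssl
import sys
import urllib.parse
import urllib.request

BASE_URL = "https://127.0.0.1:8089/services/3rdpartytool/lookup_domain/"  # assumed

# RFC 1123 hostname grammar: labels of 1-63 alphanumerics or '-', not starting
# or ending with '-', at least two labels, 253 chars total. Anything else is
# refused before it reaches the URL: a proxy "domain" such as
# "../../services/authentication/users" must not steer the request elsewhere.
_DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+"
)


def is_valid_domain(domain):
    return _DOMAIN_RE.fullmatch(domain) is not None


def build_url(domain):
    # safe="" also encodes "/", so even a value that slipped past validation
    # cannot introduce a new path segment.
    return BASE_URL + urllib.parse.quote(domain, safe="") + "?output_mode=json"


def http_fetch(domain):
    """Default fetcher: GET the endpoint with a splunkd session key.
    Assumption: the key is exported as SPLUNK_SESSION_KEY by whoever runs the
    script; external lookup scripts are not handed one automatically. TLS
    verification stays on; point SPLUNK_CA_FILE at the splunkd CA if needed."""
    req = urllib.request.Request(build_url(domain))
    req.add_header("Authorization", "Splunk " + os.environ.get("SPLUNK_SESSION_KEY", ""))
    ctx = ssl.create_default_context(cafile=os.environ.get("SPLUNK_CA_FILE"))
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def risk_score(domain, fetch=http_fetch):
    """Return risk.score as a string for the CSV, or "" when the domain is
    malformed, the lookup fails, or the response carries no score."""
    if not is_valid_domain(domain):
        return ""
    try:
        doc = fetch(domain)
    except Exception:  # network/HTTP/JSON error: blank field, do not abort the search
        return ""
    score = (doc or {}).get("risk", {}).get("score")
    return "" if score is None else str(score)


def enrich_rows(rows, fetch=http_fetch):
    """rows: dicts with 'domain' and an (empty) 'risk_score'. Returns new dicts
    with risk_score filled; the API is called once per distinct domain."""
    cache = {}
    out = []
    for row in rows:
        domain = row.get("domain", "")
        if domain not in cache:
            cache[domain] = risk_score(domain, fetch)
        filled = dict(row)
        filled["risk_score"] = cache[domain]
        out.append(filled)
    return out


def main():
    # Header on stdin is exactly the fields_list; echo the same columns back.
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in enrich_rows(list(reader)):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

With the assumed stanza in place the search becomes `index=proxy category="Malware" | lookup domain_risk domain OUTPUT risk_score | table domain, src_ip, risk_score`, and the lookup runs once per event rather than once per search. Under `Exception` the script deliberately returns an empty field instead of raising, so a single unreachable API call leaves the rest of the results intact; the per-domain cache also keeps a noisy proxy log from turning into one request per event.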