Adapt and Tune: Adapt Macros

A macro is defined in a configuration file called macros.conf, usually bundled with a Splunk Application. Most macros that are bundled with the Recorded Future App for Splunk handle the JSON objects returned from the Recorded Future Connect API.

For instance, the macro called ‘rf_hits’ may need to be modified for the correlations in the Correlation Dashboards to work. (whatever is specified in the fourth line)

    [rf_hits(1)]
    args = infield
    definition = dedup $infield$ \
    | lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
    | search RF_Hit=* \
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    iseval = 0

Further Help

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com