Create attribute in event using Adaptive Response Actions within ES notable #263
Comments
|
Hello,
Thank you for using MISP42.
I develop it on a platform without entreprise security app so it is difficult to test that part.
I configured the conf files from what i have understood on documentation
Clearly i would need to test from the UI the ARA and what differs from a classical alert action
I don't know if you can define an action on the UI that would leverage sendalert to emulate alert action
Keep me posted
best regards
Remi
|
hkelley
changed the title
|
I will poke around. I haven't done it before, either, so I'm following this guide. https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/createadaptiveresponseaction/ Most of the files mentioned there already exist in the app so it may be as simple as a few settings/conf files. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I may be missing it, but I don't see how to add an attribute to that event via the Splunk adaptive response action (as one might within an ES notable)
I see the option to create a MISP event and the option to send a sighting, but not to create the attribute via UI. Obviouly the search-driven capability is there, but I'm envisioning a UI method so that an analyst can push after notable review.
The text was updated successfully, but these errors were encountered: