Hi all,
I'm wondering if anyone created an Event Action for sessionId to pivot back to SA/NW from Splunk as this is a popular question.
It's not part of the app as it would always require customisation.
Thank you,
Rui
I have now created a few in case anyone finds this page in future.

[1SA_Session]
display_location = both
fields = sessionid
label = Show Session in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/reconstruction/$sessionid$/AUTO
type = link

[1SA_SrcIP]
display_location = both
fields = src_ip
label = Show Source $src_ip$ in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/navigate/query/ip.src=$src_ip$
type = link

[1SA_DstIP]
display_location = both
fields = dest_ip
label = Show Destination $dest_ip$ in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/navigate/query/ip.dst=$dest_ip$
type = link

[1SA_AliasHost]
display_location = both
fields = dest_host
label = Show $dest_host$ in SA
link.method = get
link.target = blank
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/navigate/query/alias.host=$dest_host$
type = link

Hope this helps.
Cheers,
Rui
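
Added example, not part of Rui's post and not code from the Splunk app: a small pre-deployment check for workflow_actions.conf stanzas like the ones above. It flags <SAIPADDRESS>/<DEVICEID> placeholders that were never filled in and $field$ tokens that are not covered by the stanza's fields list (the pivot link would then be built with an empty value). The sample stanzas are abbreviated; the hostname sa.example.internal, device ID 6 and the fields mismatch in the second stanza are constructed for the demonstration.

```python
import configparser
import re
from fnmatch import fnmatch

# Constructed sample: the first stanza still has the template placeholders,
# the second has made-up values and a deliberate fields/token mismatch.
SAMPLE_CONF = """
[1SA_Session]
fields = sessionid
label = Show Session in SA
link.uri = https://<SAIPADDRESS>/investigation/<DEVICEID>/reconstruction/$sessionid$/AUTO
type = link

[1SA_SrcIP]
fields = dest_ip
label = Show Source $src_ip$ in SA
link.uri = https://sa.example.internal/investigation/6/navigate/query/ip.src=$src_ip$
type = link
"""

PLACEHOLDER = re.compile(r"<[A-Z]+>")           # e.g. <SAIPADDRESS>, <DEVICEID>
TOKEN = re.compile(r"\$!?([A-Za-z_][\w.]*)\$")  # $field$ or unescaped $!field$

def lint_workflow_actions(conf_text):
    """Return {stanza: [problems]} for every 'type = link' stanza."""
    cp = configparser.RawConfigParser(delimiters=("=",))  # no interpolation of $
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        s = cp[name]
        if s.get("type") != "link":
            continue
        uri = s.get("link.uri", "")
        text = uri + " " + s.get("label", "")
        problems = [f"unreplaced placeholder {p}" for p in PLACEHOLDER.findall(uri)]
        # 'fields' is a comma-separated list and may contain * wildcards.
        patterns = [f.strip() for f in s.get("fields", "").split(",") if f.strip()]
        for tok in sorted(set(TOKEN.findall(text))):
            if not any(fnmatch(tok, pat) for pat in patterns):
                problems.append(f"${tok}$ used but not in fields")
        report[name] = problems
    return report

if __name__ == "__main__":
    for stanza, problems in lint_workflow_actions(SAMPLE_CONF).items():
        print(stanza, "->", problems or "ok")
```
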