It does rely on traffic data, as the results look for the Bytes field, which is not present in the threat logs. What I did is referenced in the other question I posed: http://answers.splunk.com/answers/107426/unable-to-see-threat-details-can-still-see-traffic-logs
Note that you must place '| dedup Session' at the end of the macro so that it doesn't return extra results. Forgot to mention that there.
It's a sloppy way to go about doing it, but it's effective and sufficient for what we need for now. I'm sure that there is a better way to go about it.