Hi all. I am generating a dashboard table containing possible indicators of compromise observed on a network. Included in the search that generates the table is...

| eval ActionText=if('model'="Watchlisted domain","Check on Virus Total",(mvappend("Check on Virus Total","Add to Watchlist")))

Along with the rest of the search I end up with a table like this...

... | IoC      | ... | model              | ActionText           | ... | ...
-------------------------------------------------------------------------------------
... | <domain> | ... | Watchlisted domain | Check on Virus Total | ... | ...
... | <domain> | ... | Suspicious domain  | Check on Virus Total | ... | ...
                                            Add to Watchlist
... | <domain> | ... | Watchlisted domain | Check on Virus Total | ... | ...

I would like to configure a drilldown so that clicking on "Check on Virus Total" in the table will perform a GET request using the IoC field as a token, and a POST action to an internal API when I click on "Add to Watchlist", again using the IoC from the corresponding row/event.

Any ideas for a starting point?