remg427 / misp42splunk

A Splunk app to use MISP in background
GNU Lesser General Public License v3.0

Create attribute in event using Adaptive Response Actions within ES notable #263

Open hkelley opened 4 months ago

hkelley commented 4 months ago

I may be missing it, but I don't see how to add an attribute to that event via the Splunk adaptive response action (as one might within an ES notable).

I see the option to create a MISP event and the option to send a sighting, but not to create the attribute via the UI. Obviously the search-driven capability is there, but I'm envisioning a UI method so that an analyst can push after notable review.

remg427 commented 3 months ago

Hello,

Thank you for using MISP42. I develop it on a platform without the Enterprise Security app, so it is difficult to test that part. I configured the conf files from what I have understood of the documentation. Clearly I would need to test the ARA from the UI and see what differs from a classical alert action. I don't know if you can define an action in the UI that would leverage sendalert to emulate an alert action. Keep me posted.

Best regards,
Remi

hkelley commented 3 months ago

I will poke around. I haven't done it before, either, so I'm following this guide. https://dev.splunk.com/enterprise/docs/devtools/enterprisesecurity/adaptiveresponseframework/createadaptiveresponseaction/

Most of the files mentioned there already exist in the app so it may be as simple as a few settings/conf files.
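For reference, the part of the Splunk developer guide linked above that makes an ordinary alert action visible to ES as an adaptive response action is the `param._cam` stanza in `alert_actions.conf`. The fragment below is an added illustration and is not taken from misp42splunk's own configuration: the stanza name `misp_example_action`, the label, the category/task/subject values and the `misp_example_action.py` script name are all hypothetical placeholders. What it shows is the Common Action Model (CAM) JSON that ES reads to list the action in the notable's "Run Adaptive Response Actions" menu; `supports_adhoc` is the flag that allows an analyst to trigger it manually from Incident Review rather than only from a correlation search.

```conf
# alert_actions.conf (illustrative; not the project's own file)
# Stanza name must match the script in bin/: misp_example_action.py (hypothetical)
[misp_example_action]
is_custom = 1
label = MISP example action (hypothetical)
description = Illustrative adaptive response action stanza
payload_format = json

# Common Action Model metadata. ES reads this JSON to classify the action
# and to decide where it can be launched from.
#   category / task / subject : free-text taxonomy shown in the ES action picker
#   technology                : vendor/product/version the action talks to
#   supports_adhoc            : true = analysts can run it ad hoc from a notable
param._cam = {"category": ["Information Gathering"], "task": ["create"], "subject": ["threat.intel"], "technology": [{"vendor": "MISP", "product": "MISP", "version": ["2.4"]}], "supports_adhoc": true}
```

Once a stanza like this loads, the same action can also be driven from a search with `| sendalert misp_example_action param.<name>=<value>`, which is the path Remi mentions for testing without the ES UI; the `param.*` names would have to match whatever the action's script actually reads, so check the script rather than assuming the ones used here.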