Macros

Macro-capable pivot parameters, such as Splunk and Neo4j query strings, expand macro variables. This enables tasks such as embedding hidden passwords, and it combines powerfully with the ability to create new UI-driven parameters.

Macro variables are of two types:

  • parameter: Syntax: `{ *myParamName }`

    Expands to the current value of the corresponding named pivot parameter, or throws an error if no such parameter exists

    Example:

    {
        "id": "expand-splunk-ip",
        "name": "Splunk: Expand by IP",
        "template": "expand-splunk-plain",
        "parameters": [
            {
                "name": "filterPost",
                "defaultValue": "head { *max }"
            },
        ...
  • config: Syntax: `{ .my.conf.parm }`

    Expands to the current value of the corresponding named configuration parameter, or throws an error if no such parameter exists or if it is marked as sensitive

    Example:

    {
        "id": "expand-splunk-searchhead",
        "name": "Splunk: Expand on searchhead",
        "template": "expand-splunk-plain",
        "parameters": [
            {
                "name": "filter",
                "defaultValue": "search host={ .splunk.host }"
            },
            ...

New parameters

You can add new UI parameters as well. For example, you can create a new pivot that is like `expand-splunk-plain` except that it also has a new text parameter, `myNewParam`:

{
    "id": "expand-splunk-custom-param",
    "name": "Splunk: Expand on searchhead",
    "template": "expand-splunk-plain",
    "parameters": [
        {
            "name": "myNewParam",
            "inputType": "text",
            "label": "Put any string here:",
            "isVisible": true,
            "defaultValue": "hello"
        },
        ...

Example: Splunk - Combining new parameters with macros

The power of new parameters comes through macros. For example, an IP search pivot can be reduced to a single user-visible parameter:

File `config/pivot-db/config/config.json`:

{
    "systemTemplates": {
        "pivots": [
            {
                "id": "search-splunk-IP",
                "name": "Splunk: Lookup IP",
                "template": "search-splunk-plain",
                "parameters": [
                    {
                        "name": "ip",
                        "inputType": "text",
                        "label": "IP:",
                        "isVisible": true,
                        "defaultValue": "10.0.0.1"
                    },
                    {
                        "name": "filter",
                        "isVisible": false,
                        "defaultValue": "src_ip={ *ip }"
                    },
                    {
                        "name": "filterPost",
                        "isVisible": false
                    },
                    ...

This pivot removes the need for users to know Splunk queries when doing IP searches!

Example: Neo4j - Combining new parameters with macros

The following example reuses the Neo4j `search-neo4j` (Cypher query) pivot: instead of forcing users to write raw Cypher queries for a common domain name lookup, they can use a new `Domain` text input. Note the new input (`domain`), and that the underlying `query` is set to `"isVisible": false` and uses the macro `{ *domain }`.

{
    "systemTemplates": {
        "pivots": [
            {
                "id": "amass-domain-to-asn",
                "name": "Amass: Domain->ASNs",
                "template": "search-neo4j-neo4j-connector",
                "parameters": [
                    {
                        "name": "domain",
                        "inputType": "text",
                        "label": "Domain:",
                        "isVisible": true,
                        "defaultValue": "site.com"
                    },
                    {
                        "name": "query",
                        "isVisible": false,
                        "defaultValue": "MATCH (a)-[r:DOMAIN { domain: \"{ *domain }\" }]-(b) RETURN a, r, b"
                    },
                    {
                        "name": "max",
                        "defaultValue": 2000
                    }
                ]
            },
            ...
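The two macro forms described under "Macros", and the way the Splunk and Neo4j pivots above rely on them, as an added example written for this page rather than pivot-db's own implementation. It expands `{ *param }` and `{ .conf.path }` textually into a template, refuses unknown names and sensitive config entries, and resolves a pivot's parameter list so that hidden templates pick up the user-visible values. The function names (`expandMacros`, `lookupConfig`, `resolvePivotParameters`), the layout of the sample config (a `sensitive: true` flag), and the per-parameter validators are assumptions; the parameter lists are constructed from the page's examples.

```javascript
// Added example for this page, not pivot-db's own implementation: a small
// expander for the two macro forms ({ *param } and { .conf.path }) and a
// resolver that applies them to a pivot's parameter list. Function names, the
// sample config layout and the validators are assumptions.

// Constructed sample configuration. Representing a sensitive entry as an
// object with `sensitive: true` is an assumption; the page only says that
// such entries are refused.
const sampleConfig = {
  splunk: {
    host: "splunk.internal.example",
    password: { value: "not-a-real-secret", sensitive: true },
  },
};

// Follow a dotted path such as "splunk.host" through the config object.
// Missing keys, sensitive entries and non-scalar results all throw.
function lookupConfig(config, path) {
  let node = config;
  for (const key of path.split(".")) {
    if (node === null || typeof node !== "object" || !(key in node)) {
      throw new Error(`No such config parameter: ${path}`);
    }
    node = node[key];
  }
  if (node !== null && typeof node === "object") {
    if (node.sensitive) throw new Error(`Config parameter is sensitive: ${path}`);
    throw new Error(`Config parameter is not a scalar: ${path}`);
  }
  return node;
}

// Matches "{ *name }" (pivot parameter) or "{ .a.b.c }" (config parameter).
// Other braces, such as the Cypher map "{ domain: ... }", are left untouched.
const MACRO_RE = /\{\s*([*.])\s*([A-Za-z0-9_.]+)\s*\}/g;

// Textually substitute macros in a template string. Unknown parameter names
// throw, as the page describes.
function expandMacros(template, params, config) {
  return template.replace(MACRO_RE, (_match, kind, name) => {
    if (kind === "*") {
      if (!(name in params)) throw new Error(`No such pivot parameter: ${name}`);
      return String(params[name]);
    }
    return String(lookupConfig(config, name));
  });
}

// Resolve a pivot's parameters. Visible parameters take the user's value
// (checked by an optional validator) and fall back to defaultValue; hidden
// parameters always use defaultValue. Only template strings from the pivot
// definition are macro-expanded: user-typed text is inserted verbatim, so only
// the pivot author can read config values into a query.
function resolvePivotParameters(parameters, userValues, config, validators = {}) {
  const values = {};
  const fromUser = new Set();
  for (const p of parameters) {
    const visible = p.isVisible !== false;
    if (visible && p.name in userValues) {
      const v = String(userValues[p.name]);
      const check = validators[p.name];
      if (check && !check(v)) throw new Error(`Rejected value for ${p.name}: ${v}`);
      values[p.name] = v;
      fromUser.add(p.name);
    } else {
      values[p.name] = p.defaultValue;
    }
  }
  // Second pass, so a hidden parameter may reference a visible one regardless
  // of the order in which they are listed.
  for (const p of parameters) {
    const v = values[p.name];
    if (typeof v === "string" && !fromUser.has(p.name)) {
      values[p.name] = expandMacros(v, values, config);
    }
  }
  return values;
}

// Parameter lists constructed from this page's Splunk and Neo4j examples.
const splunkIpPivot = [
  { name: "ip", inputType: "text", label: "IP:", isVisible: true, defaultValue: "10.0.0.1" },
  { name: "filter", isVisible: false, defaultValue: "src_ip={ *ip }" },
  { name: "filterPost", isVisible: false, defaultValue: "head { *max }" },
  { name: "max", defaultValue: 2000 },
];

const amassDomainPivot = [
  { name: "domain", inputType: "text", label: "Domain:", isVisible: true, defaultValue: "site.com" },
  { name: "query", isVisible: false,
    defaultValue: 'MATCH (a)-[r:DOMAIN { domain: "{ *domain }" }]-(b) RETURN a, r, b' },
  { name: "max", defaultValue: 2000 },
];

// Validators (assumed, not from the page): the user-visible value lands inside
// a query string, so accept only the shape the query expects.
const validators = {
  ip: (v) => /^\d{1,3}(\.\d{1,3}){3}$/.test(v),
  domain: (v) => /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(v),
};

function demo() {
  return {
    splunk: resolvePivotParameters(splunkIpPivot, { ip: "192.0.2.7" }, sampleConfig, validators),
    neo4j: resolvePivotParameters(amassDomainPivot, {}, sampleConfig, validators),
    host: expandMacros("search host={ .splunk.host }", {}, sampleConfig),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it resolves the hidden `filter` to `src_ip=192.0.2.7` and `filterPost` to `head 2000`, while the Cypher `query` keeps its own `{ domain: ... }` map intact and only the `{ *domain }` macro is replaced. Because the user-visible value is spliced into a query string as text, the resolver validates it against the shape the query expects before substitution and never macro-expands user-typed input; both are design choices added here, since the page does not state what the product itself does.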