On trying this, one challenge in passing fields such as [$Last Time], it puts values in the URL that are not url-encoded. Is there any macro supported to url encode the expanded field-value? (For example, [$Last Time] should be url-encoded from "08/21/2016%2015:30:14" to "08%2F21%2F2016%2015%3A30%3A14".)
I understand what you are trying to do but I don't understand why you are trying to add the Last Time field to URL Actions. Can you please share your use case idea with us?
I am building an integration use-cases that takes IP and time from the selected alert, and provides additional activity / context on that IP from my product that happened around the time-range of the selected alert.
Alternately, is it possible to pass the epoch value instead of human-readable time value?
I wonder if you can use a correlation rule for that.
The alert that you have can append the IP address to a watchlist, and you then use that watchlist in a correlation rule with a time window parameter defined. So, if the SIEM receives an event with an IP in the watchlist from your host within the next hour or so (time window parameter) the correlation will generate an event.
For the epoch part, I’m not sure about that as it’s already parsed to human-readable date/time by receiver. I wonder if you can create a “Time” custom type field in addition to built-in "first/last time" fields, and use that custom field to parse the epoch value. This is just a theory and I can’t tell whether it works or not w/ testing it.
This is for manual user-driven action on the GUI on the selected alert, to pull in additional context on demand in a separate browser tab. So I think the right solution would be that I add a Custom Type with time datatype, and set its format to be epoch millis as in this screenshot
But to be able to go with this solution, I need steps on how to copy First Time's value into this new field for every single event across all receivers. The field doesn't need to be indexed but needs to be accessible for launching action commands. Can anyone point to steps on how to achieve this? This is probably a newbie question!
What you did actually looks good, but I'm not sure if that's really going to parse the time stamp in epoch format the way you wanted, you can test it and see how it goes.
And if it works, do you really want to enable this for every single event across all receivers?
You will then need to make the same change in all enabled ASP parser rules for all device types, save them and roll out the policies.