Downloading Recorded Future Add-on for Splunk ES
MD5 checksums of the published packages:

  • recorded-future-add-on-for-splunk-es_240.tgz  833481512459f6bf88414ff95679a38d
  • recorded-future-add-on-for-splunk-es_239.tgz  02cd70e2f56a3c000f4781776072aeb4
  • recorded-future-add-on-for-splunk-es_238.tgz  9c8a8e016cd32c8e39d4bc8a9e1af2f9
  • recorded-future-add-on-for-splunk-es_236.tgz  af9f345abd8fcf2c90ffe05b55bf47a7
  • recorded-future-add-on-for-splunk-es_212.tgz  1472f84cfbeb93316377dd81be984d37
  • recorded-future-add-on-for-splunk-es_211.tgz  12b41da3db50ff8e2423971bff69c1e8
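Before a downloaded package is uploaded through "Install app from file", a practitioner would confirm that the file on disk matches the checksum published next to it. The following Python is an added example and is not part of the Splunkbase page or of Recorded Future's add-on; the checksum table is copied from the list above, while the `sample.tgz` name and the bytes used in the self-check are constructed.

```python
import hashlib
import hmac
import os

# Published MD5 checksums, copied from the Splunkbase download listing for this add-on.
PUBLISHED_MD5 = {
    "recorded-future-add-on-for-splunk-es_240.tgz": "833481512459f6bf88414ff95679a38d",
    "recorded-future-add-on-for-splunk-es_239.tgz": "02cd70e2f56a3c000f4781776072aeb4",
    "recorded-future-add-on-for-splunk-es_238.tgz": "9c8a8e016cd32c8e39d4bc8a9e1af2f9",
    "recorded-future-add-on-for-splunk-es_236.tgz": "af9f345abd8fcf2c90ffe05b55bf47a7",
    "recorded-future-add-on-for-splunk-es_212.tgz": "1472f84cfbeb93316377dd81be984d37",
    "recorded-future-add-on-for-splunk-es_211.tgz": "12b41da3db50ff8e2423971bff69c1e8",
}


def md5_hex(data: bytes) -> str:
    """MD5 digest of an in-memory byte string as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 digest of a file, read in chunks so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(filename: str, actual_hex: str, published=PUBLISHED_MD5) -> str:
    """Compare a computed digest with the published one for that filename.

    Returns "ok", "mismatch", or "unlisted" (no checksum published for that name).
    The comparison is constant-time; it is cheap and avoids a needless timing side channel.
    """
    expected = published.get(filename)
    if expected is None:
        return "unlisted"
    if hmac.compare_digest(actual_hex.lower(), expected.lower()):
        return "ok"
    return "mismatch"


def verify_file(path: str, published=PUBLISHED_MD5) -> str:
    """Hash the file at `path` and check it against the published table by its basename."""
    return verify_download(os.path.basename(path), md5_of_file(path), published)


if __name__ == "__main__":
    import sys

    # Usage: python verify_download.py recorded-future-add-on-for-splunk-es_240.tgz
    for package in sys.argv[1:]:
        print(package, verify_file(package))
```

A "mismatch" result means the file on disk is not the one the listing describes (a truncated or corrupted download, or a different build), and the package should not be uploaded. Because MD5 is no longer collision resistant and the checksum is served by the same site as the download, this check detects corruption or a swapped file; it is not a substitute for a signature from the publisher.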
Recorded Future Add-on for Splunk ES

Splunk Certified
The Recorded Future Add-on for Splunk ES is designed specifically for Splunk Enterprise Security.

This Add-on integrates with the Splunk ES Threat Intelligence Framework by adding a formatted feed containing information security threat indicators. With this added feature, defenders can automate the process of finding connections between internal incidents and external sources. This can work bidirectionally: searching Recorded Future for more context around internally observed indicators, or testing trending indicators from open source reporting against internal datasets.

The Add-on also simplifies the workflow of analysts working within the ES environment by adding contextual actions to the Incident Review and event searching and reporting views. This includes information on IPs, domains, file hashes and CVEs.


For more information on Recorded Future, visit www.recordedfuture.com.

Documentation:

Requirements

  • Splunk ES must be installed on the Splunk system.
  • A valid Recorded Future API token is required.
  • The Splunk server running the app must be able to download a CSV file containing Recorded Future's IP risk list from https://api.recordedfuture.com/.

Installation

To install this Add-on, perform the following steps:

  1. Download the latest TA release from Splunkbase (apps.splunk.com)
  2. In Splunk, select "Manage Apps" from the drop-down menu next to the Splunk logo on the upper left of the screen
  3. Select "Install app from file"
  4. Browse to the location of the TA-recorded_future.spl file, select it and upload. Restart Splunk when prompted to do so.
  5. Go back to "Manage Apps". Locate "Splunk ES Add-on for Recorded Future" in the list and run "Set up".
  6. In the Enterprise Security menu bar, click Configure -> Incident Management -> Incident Review Settings.
  7. Click the button 'Add new entry' in the "Incident Review - Event Attributes" section. Add the following Label and Field combinations:
    Label                            Field
    -------------------------------  ------------------------
    RF Risk Score                    rf_a_risk_score
    RF Risk Score Threshold          rf_risk_score_threshold
    RF Triggered Rules               rf_b_risk_string
    RF Evidence Details              rf_evidence_details_0
    RF Evidence Details 2            rf_evidence_details_1
    RF Evidence Details 3            rf_evidence_details_2
    RF Evidence Details 4            rf_evidence_details_3
    RF Evidence Details 5            rf_evidence_details_4
    RF Evidence Details (remaining)  rf_evidence_details_rest
  8. A restart of the Splunk instance will be required once the installation has completed.
  9. If you haven't already done so, enable the Enterprise Security correlation search called "Threat Activity Detected"
    a. In the Enterprise Security menu bar, click Configure -> Content Management
    b. In the filter bar, type "Threat Activity Detected"
    c. Click the link 'Enable' to enable the correlation search

Alternatively, you can download the Add-on using the Splunk Web interface's "Find more apps online" feature. Steps 5 and onwards above must still be completed.

Setup

After installation, you will need to set up the Add-on for Recorded Future to communicate with the Recorded Future API. The setup page will request your API token, and the Add-on will not import threat information without this.

The script which retrieves the list of IP addresses selects a Risk Score Threshold that yields a set number of entries in the list. By default this number is 25,000. It can be changed by editing the file recorded_future.conf in the local directory of the app directory. Example:

[ip_risk_list]
max_entries = 25000

Be aware that increasing this number will significantly increase the load on the server.

External data access and scripts

The app uses a script to retrieve threat information from Recorded Future. This script is run from a saved search (by default every 30 minutes). The data set contains IP addresses which Recorded Future considers suspicious or malicious. Each IP has a Risk Score and the evidence for why that score was assigned. The data contains all IPs with a Risk Score of 25 or more (100 being the maximum).

During execution an HTTPS call is made to https://api.recordedfuture.com/ to retrieve the information, which is then processed and stored on the Splunk server.
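The Setup section says the download script picks a Risk Score Threshold that caps the list at max_entries, and this section says the feed itself only carries IPs scoring 25 or more. The following Python is an added illustration of how such a threshold can be derived from a risk list; it is not the add-on's own script, and the conf text, the CSV column names and every IP and score in it are constructed for the example.

```python
import configparser
import csv
import io

# Constructed stand-in for the [ip_risk_list] stanza in the app's local/recorded_future.conf.
CONF_TEXT = """[ip_risk_list]
max_entries = 3
"""

# Constructed sample of a downloaded risk list (column names assumed for the example).
RISK_LIST_CSV = """Name,Risk,RiskString
192.0.2.10,99,5/40
192.0.2.11,75,3/40
198.51.100.5,65,2/40
198.51.100.6,65,2/40
203.0.113.7,30,1/40
203.0.113.8,20,1/40
"""

# The page states the feed contains IPs with a Risk Score of 25 or more.
MIN_RISK = 25


def read_max_entries(conf_text: str, default: int = 25000) -> int:
    """Read max_entries from the [ip_risk_list] stanza; the page's default is 25000."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("ip_risk_list", "max_entries", fallback=default)


def parse_risk_list(csv_text: str):
    """Return (ip, risk_score) pairs from the CSV text."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(row["Name"], int(row["Risk"])) for row in rows]


def choose_threshold(entries, max_entries: int, min_risk: int = MIN_RISK) -> int:
    """Smallest risk score such that at most max_entries IPs score at or above it.

    Ties at the boundary are excluded rather than included, so the cap is never exceeded;
    the threshold never drops below the feed's own floor of min_risk.
    """
    scores = sorted((score for _, score in entries if score >= min_risk), reverse=True)
    if len(scores) <= max_entries:
        return min_risk
    # Score of the first entry past the cap; keep only entries scoring strictly above it.
    cutoff = scores[max_entries]
    return max(cutoff + 1, min_risk)


def trim_risk_list(entries, threshold: int):
    """Entries that meet the chosen threshold; this is what would be written to the lookup."""
    return [(ip, score) for ip, score in entries if score >= threshold]


if __name__ == "__main__":
    cap = read_max_entries(CONF_TEXT)
    entries = parse_risk_list(RISK_LIST_CSV)
    threshold = choose_threshold(entries, cap)
    print("max_entries:", cap, "threshold:", threshold)
    for ip, score in trim_risk_list(entries, threshold):
        print(ip, score)
```

With max_entries = 3 the sample has a tie at score 65 straddling the cap, so the threshold lands at 66 and only two entries are kept; raising the cap to 4 gives threshold 31 and exactly four entries. That tie handling is why a small max_entries can leave the lookup shorter than the configured number.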

If a proxy is required, add the following lines to $SPLUNK_HOME/etc/splunk-launch.conf:
http_proxy=<your proxy>
https_proxy=<your proxy>

Cluster considerations

If using a large IP risk list (see the Setup section above), it may be advisable to avoid transferring it across cluster nodes. This will however force the lookups to be performed locally on the search head, putting additional strain on that node.

If you want the lookup to be performed locally, you can either:
  • add the parameter local=true to the custom search, or
  • blacklist the lookup file from the indexers (see https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Distsearchconf).

For more information and to set up your trial or paid subscription, please contact splunk@recordedfuture.com (US east coast business hours).


Release Notes

Version: 2.4.0

This version utilizes CIM to improve performance.

Jan. 31, 2017, 3:27 p.m.

Platform Independent

6.4, 6.3

Version: 2.3.9

Reduces the size of the Recorded Future IP Risk List file used to generate the notable events to improve resource utilization. The size of the list is now configurable after install. This reduces the size of the file and allows it to be downloaded to Indexers for matching against IPs.

Jan. 11, 2017, 1:15 p.m.

Platform Independent

6.4, 6.3

Version: 2.3.8

Reduces the size of the Recorded Future IP Risk List file used to generate the notable events to improve resource utilization. The size of the list is now configurable after install.

Dec. 22, 2016, 4:25 p.m.

Platform Independent

6.5, 6.4, 6.3

Version: 2.3.6

Updated Interval of IP Risk List download. This version downloads the full Recorded Future IP Risk List and performs the correlation on the Search Head.

Nov. 29, 2016, 3:03 p.m.

Platform Independent

6.4, 6.3

Version: 2.1.2

We updated the add-on to have Splunk run the lookup locally (on the search head), instead of sending it to the indexer(s).
If you wanted to create your own searches or reports and include this lookup (the Recorded Future IP threat list), it will be sent down to the indexer(s). If you don't want it to perform the search this way, then you can:
  • add the parameter local=true to the custom search,
  • blacklist the lookup file from the indexers (see https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Distsearchconf),
  • up the default value for the 'max_content_length' setting in the server.conf file on the indexer.

Sept. 27, 2016, 7:51 p.m.

Platform Independent

6.5, 6.4, 6.3

Version: 2.1.1

Sept. 22, 2016, 10:21 a.m.

Platform Independent

6.5, 6.4, 6.3

Installs: 52
Downloads: 343
Version: 2.4.0
Category: Security, Fraud & Compliance
Product Support: Splunk Enterprise, Splunk Cloud
Content Type: Add-on
Splunk Versions: 6.4, 6.3
CIM Versions: CIM 4.6, 4.5
Licensing: End User License Agreement for Third-Party Content
Platforms: Platform Independent
Built by: Recorded Future

© 2005-2017 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.