icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

End User License Agreement for Third-Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Recorded Future Add-on for Splunk ES
SHA256 checksum (recorded-future-add-on-for-splunk-es_404.tgz) c88229e687862e2873f6693edeb0377f0a031add9e012b29def79c4f91664ee9 SHA256 checksum (recorded-future-add-on-for-splunk-es_322.tgz) 33a819a3926caf78f6bb9313fb73da16a9dd459b74e38394131b7a7d37938b7c SHA256 checksum (recorded-future-add-on-for-splunk-es_311.tgz) db40dc5e52fe3e9c3836d233e68a64cc17a65a6a6834e61b76f18cea5a6a39cc
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Recorded Future Add-on for Splunk ES
This app has been archived. Learn more about app archiving.
Overview
Details
THIS ADD-ON IS NO LONGER SUPPORTED. SEE https://splunkbase.splunk.com/app/4920/ FOR THE CURRENT RECORDED FUTURE INTEGRATION WITH SPLUNK

The Recorded Future Add-on for Splunk ES is designed specifically for Splunk Enterprise Security.

This Add-on integrates with the Splunk ES Threat Intelligence Framework by adding a formatted feed containing information security threat indicators. With this added feature, defenders can automate the process of finding connections between internal incidents and external sources. This can work bidirectionally: searching Recorded Future for more context around internally observed indicators, or testing trending indicators from open source reporting against internal datasets.

The Add-on also simplifies the workflow of analysts working within the ES environment by adding contextual actions to the Incident Review and event searching and reporting views. This includes information on IPs, domains, file hashes and CVEs.

Overview:

The Splunk Add-on for Recorded Future is designed specifically for Splunk Enterprise Security.

This Add-on integrates with the Splunk ES Threat Intelligence Framework by adding a feed containing information security threat indicators from Recorded Future. With this added feature, defenders can automate the process of finding connections between internal incidents and external sources. This can work bidirectionally: searching Recorded Future for more context around internally observed indicators, or testing trending indicators from open source reporting against internal data sets.

The Add-on also simplifies the workflow of analysts working within the ES environment by adding contextual actions to the Incident Review and event searching and reporting views. This includes information on IPs, domains, file hashes and CVEs.

For more information on Recorded Future, visit www.recordedfuture.com.

Requirements

  • Splunk ES must be installed on the Splunk system
  • A valid Recorded Future API token is required.
  • The Splunk server running the app must be able to download a CSV
    file containing Recorded Future's IP risk list from
    https://api.recordedfuture.com/.

Installing and configuring

Installation

To install this Add-on, perform the following steps:

  1. Download the latest TA release from Splunkbase (apps.splunk.com)
  2. In Splunk, select "Manage Apps" from the drop-down menu next
    to the Splunk logo on the upper left of the screen
  3. Select "Install app from file"
  4. Browse to the location of the TA-recorded_future.spl file,
    select it and upload. Restart Splunk when prompted to do so.
  5. In the Enterprise Security menu bar,
    click Configure → Incident Management → Incident Review Settings.

  6. Click the button 'Add new entry' in the "Incident Review -
    Event Attributes" section. Add the following Label and Field
    combinations:

    | Label                           | Field
| ------------------------------- | ----------------------- |
| RF Risk Score                   | rf_a_risk               |
| RF Triggered Rules              | rf_b_rules              |
| RF Very Malicious Evidence      | rf_evidence_critical    |
| RF Malicious Evidence           | rf_evidence_malicious   |
| RF Suspicious Evidence          | rf_evidence_suspicious  |
| RF Unusual Evidence             | rf_evidence_unusual     |

  7. A restart of the Splunk instance will be required once the
    installation has completed.

  8. If you haven't already done so, enable the Enterprise
    Security correlation search called "Threat Activity Detected"
    1. In the Enterprise Security menu bar, click Configure → Content Management
    2. In the filter bar, type "Threat Activity Detected"
    3. Click the link 'Enable' to enable the correlation search
  9. Optionally, create a post install verification report. Run the
    "Validate app deployment" report. It will perform a number of
    tests, none of which should yield an error.
    1. Go to Dashboards, Reports... → Reports.
    2. Run Validate app deployment.

Alternatively, you can download the Add-on using the Splunk Web
interface's "Find more apps online" feature. Steps 5 and onwards above
must still be completed.

Configuration

After installation, you will need to set up the Add-on for Recorded
Future to communicate with the Recorded Future API.

  1. Go to Configuration → Configuration.
  2. Select the Add-on Settings tab.
  3. Enter the API Key.
  4. Review the other tabs if additional configuration is required.

Upgrading from previous versions

The setup needs to be run after the upgrade. The API key (previously
called token in our documentation) will not carry over from the old
configuration. The same goes for proxy and loglevel configurations.

Upgrade from 3.x versions

Due to the extent of the changes between version 2 and 3 of the app
we recommend that you remove the app directory
($SPLUNK_HOME/etc/apps/TA-recorded_future) and make a fresh install
of the app.

If that is not possible proceed with the instructions below.

Files and directories that can be removed

The following files and directories can be removed
since they are not used anymore:

From the bin folder:

future
libfuturize
past
requests
rf_integrations
rf_splunk
rfapi
splunklib
get-rf-threatlists.py
rf_es_setup.py
verify_rf_app.py

From the local folder (if present):

commands.conf

From the local/data/ui/nav folder (if present):

default.xml

Files that must be reviewed

Any file in the local folder is the result of a
local configuration. These have precedence over the
new settings shipped with the app. Review differences
in each file in the local folder compared to the
new default in the default folder and adjust if
required.

In particular correlation searches in
savedsearches.conf are likely to cause issues if
in place.

Further help

Recorded Future has a support web site:
Installing and configuring where
up-to-date ways of contacting support is also available.

Do not contact Splunk support about "Recorded Future for Splunk ES".

Release Notes

Version 4.0.4
Feb. 18, 2019

New in version 4.0:
- Adaptive responses have been added. These can be used to enrich any supported IOC while performing correlations or in ad-hoc mode.
- Added URL risk lists.
- Improved display of risk information in the Incidents review dashboard.
- Support for custom risk lists from Recorded Future Fusion was added.
- Support for retrieving alerts from Recorded Future was added. A dashboard to view alerts is available.
- Built-in help pages.
- New reports added to view "Latest updates of all risk lists", "All log events from the add-on" and a validation status.
- New options to customize access to Recorded Future's API (custom URL and optional SSL verification).
- Search head cluster synchronization.

Specific for version 4.0.4:
- Issue in Search Head clusters which prevented risk list updates with some configuration settings.
- Issue with retrieving the API key from the storage passwords.
- Increased timeout before entries are purged from the Threat Intelligence framework.
- Added server.conf
Version 3.2.2
Feb. 1, 2018

The main addition with the 3.0 release is the addition of two new threat lists:
- domains: allows for correlation and enrichment on events from proxies, web application firewalls, DNS servers etc
- hashes: events from anti-virus systems, email gateways, file alteration monitors etc

In addition to the new risk lists there are many other improvements:
- significant performance enhancements
- support for clustering (in particular search head clusters)
- support for running on Windows based Splunk servers
- support for Splunk servers with a non standard management port.

Version 3.1.0 adds a Setup GUI where in addition to the Recorded Future API key it's easy to toggle debug logging or adding proxy information.

Version 3.2.0 adds a verification script that can be run to check that configuration and access needed for the app to work is present.
Version 3.1.1
Sept. 26, 2017

The main addition with the 3.0 release is the addition of two new threat lists:
- domains: allows for correlation and enrichment on events from proxies, web application firewalls, DNS servers etc
- hashes: events from anti-virus systems, email gateways, file alteration monitors etc

In addition to the new risk lists there are many other improvements:
- significant performance enhancements
- support for clustering (in particular search head clusters)
- support for running on Windows based Splunk servers
- support for Splunk servers with a non standard management port.

Version 3.1.0 adds a Setup GUI where in addition to the Recorded Future API key it's easy to toggle debug logging or adding proxy information.
558
Installs
2,054
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Recorded Future
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate App Contents: Alert Actions, Inputs
Compatibility
Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise
Splunk Versions: 7.2, 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent CIM Versions: 4.x Platform: Platform Independent CIM Versions: 4.x Platform: Platform Independent CIM Versions: 4.x
Licensing
End User License Agreement for Third-Party Content
Category & Contents
Categories: Security, Fraud & Compliance
App Type: Add-on
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2021 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.