Recorded Future Add-on for Splunk ES

Package checksums (SHA256)

  recorded-future-add-on-for-splunk-es_400.tgz  955223091b2ce48585bbcbc3979abde9f148931bc3225fdd9284afd24bd7a5ae
  recorded-future-add-on-for-splunk-es_322.tgz  33a819a3926caf78f6bb9313fb73da16a9dd459b74e38394131b7a7d37938b7c
  recorded-future-add-on-for-splunk-es_311.tgz  db40dc5e52fe3e9c3836d233e68a64cc17a65a6a6834e61b76f18cea5a6a39cc

Verify the downloaded package against its published checksum before uploading it to Splunk.
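As an added example (not the add-on's own code and not part of the Splunkbase page), the following Python checks a downloaded package against the checksums listed above before it is uploaded through "Install app from file". The published hashes are copied from this page; the script assumes the file still carries its unchanged Splunkbase download name, and the "hello" bytes in the self-check are constructed test data.

```python
import hashlib
import hmac
import sys
from pathlib import Path

# SHA256 checksums as published on the Splunkbase download dialog for this add-on.
PUBLISHED_SHA256 = {
    "recorded-future-add-on-for-splunk-es_400.tgz":
        "955223091b2ce48585bbcbc3979abde9f148931bc3225fdd9284afd24bd7a5ae",
    "recorded-future-add-on-for-splunk-es_322.tgz":
        "33a819a3926caf78f6bb9313fb73da16a9dd459b74e38394131b7a7d37938b7c",
    "recorded-future-add-on-for-splunk-es_311.tgz":
        "db40dc5e52fe3e9c3836d233e68a64cc17a65a6a6834e61b76f18cea5a6a39cc",
}


def sha256_hex(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large .tgz is never read into memory at once."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_hex_bytes(data):
    """Same digest for in-memory data (used by the self-check)."""
    return hashlib.sha256(data).hexdigest()


def expected_checksum(filename):
    """Published checksum for an unchanged Splunkbase download name, or None if unknown."""
    return PUBLISHED_SHA256.get(filename)


def checksum_matches(actual_hex, expected_hex):
    """Compare hex digests case-insensitively and in constant time.
    Whitespace is stripped because the expected value is usually pasted from a web page."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_package(path, expected_hex=None):
    """Return the SHA256 of the file at `path`, raising if it does not match the
    expected value. With no expected value, the file name is looked up in
    PUBLISHED_SHA256 and an unknown name is refused rather than silently accepted."""
    path = Path(path)
    if expected_hex is None:
        expected_hex = expected_checksum(path.name)
    if expected_hex is None:
        raise ValueError(f"no published checksum for {path.name}; refusing to install")
    with path.open("rb") as stream:
        actual = sha256_hex(stream)
    if not checksum_matches(actual, expected_hex):
        raise RuntimeError(
            f"SHA256 mismatch for {path.name}: got {actual}, expected {expected_hex}")
    return actual


if __name__ == "__main__":
    # Self-check on constructed data, then verify every package path given on the command line.
    known = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"  # sha256 of b"hello\n"
    assert checksum_matches(sha256_hex_bytes(b"hello\n"), known)
    for arg in sys.argv[1:]:
        print(arg, verify_package(arg))
```

Run it as `python verify_rf_package.py recorded-future-add-on-for-splunk-es_400.tgz` (the script name is the example's own); a non-zero exit on mismatch is the signal to stop and re-download rather than proceed to step 3 of the installation.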

The Recorded Future Add-on for Splunk ES is designed specifically for Splunk Enterprise Security.

This Add-on integrates with the Splunk ES Threat Intelligence Framework by adding a formatted feed containing information security threat indicators. With this added feature, defenders can automate the process of finding connections between internal incidents and external sources. This can work bidirectionally: searching Recorded Future for more context around internally observed indicators, or testing trending indicators from open source reporting against internal datasets.

The Add-on also simplifies the workflow of analysts working within the ES environment by adding contextual actions to the Incident Review and event searching and reporting views. This includes information on IPs, domains, file hashes and CVEs.

For more information on Recorded Future, visit www.recordedfuture.com.

Documentation:

Requirements


  • Splunk ES must be installed on the Splunk system
  • A valid Recorded Future API token is required.
  • The Splunk server running the app must be able to download a CSV
    file containing Recorded Future's IP risk list from
    https://api.recordedfuture.com/.

Installation


To install this Add-on, perform the following steps:

  1. Download the latest TA release from Splunkbase (apps.splunk.com)
  2. In Splunk, select "Manage Apps" from the drop-down menu next
    to the Splunk logo on the upper left of the screen
  3. Select "Install app from file"
  4. Browse to the location of the TA-recorded_future.spl file,
    select it and upload. Restart Splunk when prompted to do so.
  5. Go back to "Manage Apps". Locate "Splunk ES Add-on for
    Recorded Future" in the list and run "Set up".
  6. Go to Settings->Data inputs->Scripts. Enable the script
    get-rf-threatlists.py that corresponds to your platform
    (Windows or *nix).
  7. In the Enterprise Security menu bar,
    click Configure -> Incident Management -> Incident Review Settings.
  8. Click the button 'Add new entry' in the "Incident Review -
    Event Attributes" section. Add the following Label and Field
    combinations:

    Label                            Field
    ---------------------            ----------------------
    RF Risk Score                    rf_a_risk_score
    RF Risk Score Threshold          rf_risk_score_threshold
    RF Triggered Rules               rf_b_risk_string
    RF Evidence Details              rf_evidence_details_0
    RF Evidence Details 2            rf_evidence_details_1
    RF Evidence Details 3            rf_evidence_details_2
    RF Evidence Details 4            rf_evidence_details_3
    RF Evidence Details 5            rf_evidence_details_4
    RF Evidence Details (remaining)  rf_evidence_details_rest
    
  9. A restart of the Splunk instance will be required once the
    installation has completed.

  10. If you haven't already done so, enable the Enterprise
    Security correlation search called "Threat Activity Detected"
    a. In the Enterprise Security menu bar,
    click Configure -> Content Management
    b. In the filter bar, type "Threat Activity Detected"
    c. Click the link 'Enable' to enable the correlation search
  11. Optionally, make the app's logs available in the Splunk GUI. For example:
    - Add a dedicated index for the logs. Splunk index names must consist only of
      lowercase letters, digits, underscores and hyphens and cannot begin with an
      underscore or hyphen, so a name such as _TA-recorded_future would be
      rejected; choose a compliant name.
    - Set up a data input that monitors
      $SPLUNK_HOME/var/log/TA-recorded_future and writes these events
      into the new index.

Alternatively, you can download the Add-on using the Splunk Web interface's "Find more apps online" feature. Steps 5 and onwards above must still be completed.

Upgrade from 2.x versions


The lookup file's name has changed, so the old file should be removed. Please delete:

$SPLUNK_HOME/etc/apps/TA-recorded_future/lookups/rf-threatlist.csv

Setup


After installation, you will need to set up the Add-on for Recorded Future to communicate with the Recorded Future API. The setup page will request your API token, and the Add-on will not import threat information without it. This is described in step 5 of the installation procedure above.

The setup view also accepts proxy settings for Splunk servers that lack direct Internet access.
The proxy is given in the form "https://proxy.example.com:1234" (note that Splunk only allows
HTTPS-based proxies).

Debug logging can also be enabled in the Setup view by ticking the "enable debug logging"
checkbox; this increases the verbosity of the app's logs.

Advanced setup


The script that retrieves the risk lists (IP addresses, domains, hashes) selects a Risk Score
Threshold that yields a set number of entries per list. By default this number is 25,000. It can
be changed by editing recorded_future.conf in the local directory of the app directory
($SPLUNK_HOME/etc/apps/TA-recorded_future/local/recorded_future.conf), for example:

    [ip_risk_list]
    max_entries = 25000

Be aware that increasing this number will significantly increase the load on the server; in
distributed deployments the larger lookup also travels in the knowledge bundle (see Cluster
considerations below).

External data access and scripts

The app uses a script to retrieve threat information from Recorded Future. The script is run from a stanza in inputs.conf (by default every 60 minutes). The threat information contains IP addresses, domain names and hashes that Recorded Future considers suspicious or malicious. Each entity carries a Risk Score (100 being the maximum) and the evidence for why that score was assigned. The data contains all entities with a Risk Score of 25 or more, subject to the max_entries cap described under Advanced setup.

During execution, one HTTPS call per type of data is made to https://api.recordedfuture.com/; the response is processed and stored on the Splunk server. Outbound access to that host on port 443 (directly or via the configured HTTPS proxy) is therefore the only network egress the app needs.
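As an added example (not the add-on's own code) illustrating three points on this page at once, the threshold selection described under Advanced setup, the Risk Score floor of 25 noted just above, and the rf_* event attributes added in installation step 8, the Python below parses a risk list, picks the threshold for a given max_entries, and lays an entity's evidence out into those field names. The CSV layout (Name, Risk, RiskString, EvidenceDetails holding a JSON document with an EvidenceDetails array of Rule/EvidenceString objects), the sample rows using RFC 5737 test addresses, the tie-breaking at the cut, and the split of evidence into five numbered slots plus a "rest" field are all the example's assumptions, not a description of the add-on's actual output.

```python
import csv
import io
import json
from collections import Counter

MIN_RISK_SCORE = 25          # risk lists contain entities with a Risk Score of 25 or more
MAX_RISK_SCORE = 100         # 100 is the maximum Risk Score
DEFAULT_MAX_ENTRIES = 25000  # default max_entries in recorded_future.conf

# Constructed sample in the assumed risk list layout (RFC 5737 test addresses, made-up evidence).
SAMPLE_RISK_LIST = '''Name,Risk,RiskString,EvidenceDetails
198.51.100.7,90,2/50,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server"", ""EvidenceString"": ""C2 sighting""}, {""Rule"": ""Historical Malware Source"", ""EvidenceString"": ""payload host""}]}"
203.0.113.21,80,1/50,"{""EvidenceDetails"": [{""Rule"": ""Recent Spam Source"", ""EvidenceString"": ""spam trap hit""}]}"
192.0.2.44,80,6/50,"{""EvidenceDetails"": [{""Rule"": ""R1"", ""EvidenceString"": ""e1""}, {""Rule"": ""R2"", ""EvidenceString"": ""e2""}, {""Rule"": ""R3"", ""EvidenceString"": ""e3""}, {""Rule"": ""R4"", ""EvidenceString"": ""e4""}, {""Rule"": ""R5"", ""EvidenceString"": ""e5""}, {""Rule"": ""R6"", ""EvidenceString"": ""e6""}]}"
192.0.2.9,70,1/50,"{""EvidenceDetails"": [{""Rule"": ""Recent Phishing Host"", ""EvidenceString"": ""kit seen""}]}"
203.0.113.5,30,1/50,"{""EvidenceDetails"": [{""Rule"": ""Historical Scanner"", ""EvidenceString"": ""port sweep""}]}"
192.0.2.1,10,1/50,"{""EvidenceDetails"": [{""Rule"": ""Historical Spam Source"", ""EvidenceString"": ""old report""}]}"
'''


def parse_risk_list(csv_text):
    """Parse risk list rows into dicts. EvidenceDetails is assumed to be a JSON document
    whose 'EvidenceDetails' array holds {Rule, EvidenceString} objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        evidence = json.loads(row["EvidenceDetails"]).get("EvidenceDetails", [])
        rows.append({
            "name": row["Name"],
            "risk": int(row["Risk"]),
            "risk_string": row["RiskString"],
            "evidence": [f'{e.get("Rule", "?")}: {e.get("EvidenceString", "")}' for e in evidence],
        })
    return rows


def choose_threshold(scores, max_entries=DEFAULT_MAX_ENTRIES, floor=MIN_RISK_SCORE):
    """Lowest threshold t >= floor such that at most max_entries entities have score >= t.
    Scores are bucketed so a tie at the cut is dropped as a whole rather than split
    arbitrarily (example's choice). If even the top bucket exceeds max_entries the
    threshold lands above every score and nothing is selected."""
    buckets = Counter(s for s in scores if s >= floor)
    kept = 0
    for score in sorted(buckets, reverse=True):
        if kept + buckets[score] > max_entries:
            return score + 1
        kept += buckets[score]
    return floor


def build_lookup(rows, max_entries=DEFAULT_MAX_ENTRIES):
    """Apply the threshold; return (threshold, kept rows sorted by risk desc, then name)."""
    threshold = choose_threshold([r["risk"] for r in rows], max_entries)
    kept = [r for r in rows if r["risk"] >= threshold]
    kept.sort(key=lambda r: (-r["risk"], r["name"]))
    return threshold, kept


def incident_review_fields(entry, threshold, slots=5):
    """Lay an entry out as the rf_* event attributes from installation step 8.
    The first `slots` evidence items fill rf_evidence_details_0..4; any remainder is
    joined into rf_evidence_details_rest (assumed layout, omitted when empty)."""
    fields = {
        "rf_a_risk_score": entry["risk"],
        "rf_risk_score_threshold": threshold,
        "rf_b_risk_string": entry["risk_string"],
    }
    for i, item in enumerate(entry["evidence"][:slots]):
        fields[f"rf_evidence_details_{i}"] = item
    rest = entry["evidence"][slots:]
    if rest:
        fields["rf_evidence_details_rest"] = "; ".join(rest)
    return fields


if __name__ == "__main__":
    # With max_entries=3 the 70-point entry is cut; the two 80-point entries fit together.
    threshold, kept = build_lookup(parse_risk_list(SAMPLE_RISK_LIST), max_entries=3)
    print(f"threshold={threshold}, {len(kept)} entries kept")
    for entry in kept:
        print(json.dumps(incident_review_fields(entry, threshold), indent=2))
```

The point worth carrying over to a real deployment is the floor: lowering max_entries raises the effective threshold, but raising it never admits entities below 25, so the cap only ever trades breadth of coverage for knowledge-bundle size.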

Cluster considerations

If using large risk lists (see the Advanced setup section above), it may be advisable to avoid transferring them to the indexers in the knowledge bundle. This forces the lookups to be performed locally on the search head, putting additional load on that node.

To perform the lookup locally, either:
- add local=true to the lookup command in the custom search, or
- exclude the lookup file from the knowledge bundle with a [replicationBlacklist] stanza in distsearch.conf:
  https://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/Distsearchconf

If the knowledge bundle is too large, it may be necessary to lower the max_entries values in recorded_future.conf.

In the README folder of the app directory there is a more detailed instruction about how to deploy the app in a search head cluster environment.

More information

For more information and to set up your trial or paid subscription, please contact splunk@recordedfuture.com (US east coast business hours).

Release Notes

Version 4.0.0
Oct. 23, 2018

Support for Recorded Future Fusion.
- With Fusion it is possible to tune risk lists to requirements (for example, ignore threat types that do not apply).
- Any number of more targeted risk lists can be added to the Splunk system to improve detection accuracy.
- Proprietary risk data can be applied to enhance risk lists.

Support for monitoring Recorded Future alerts within the Splunk system.
- A new modular input can retrieve selected alerts and create events for them.

New Adaptive Response action that can be added to high-fidelity correlation searches to enrich notable events with current information regardless of risk level. The action can also be run ad hoc for any notable event with a compatible IOC type.

Extensive app documentation is available within the app.

A number of reports have been added to facilitate monitoring and troubleshooting of the app.

Version 3.2.2
Feb. 1, 2018

The main addition with the 3.0 release is the addition of two new threat lists:
- domains: allows for correlation and enrichment on events from proxies, web application firewalls, DNS servers etc
- hashes: events from anti-virus systems, email gateways, file alteration monitors etc

In addition to the new risk lists there are many other improvements:
- significant performance enhancements
- support for clustering (in particular search head clusters)
- support for running on Windows based Splunk servers
- support for Splunk servers with a non-standard management port.

Version 3.1.0 adds a Setup GUI where, in addition to the Recorded Future API key, debug logging can be toggled and proxy information added.

Version 3.2.0 adds a verification script that can be run to check that the configuration and access needed for the app to work are present.

Version 3.1.1
Sept. 26, 2017

Release notes for this version are the 3.0 and 3.1.0 items listed under version 3.2.2 above.
