The Splunk Add-on for Recorded Future is designed specifically for Splunk Enterprise Security.
This Add-on integrates with the Splunk ES Threat Intelligence Framework by adding a feed containing information security threat indicators from Recorded Future. With this added feature, defenders can automate the process of finding connections between internal incidents and external sources. This can work bidirectionally: searching Recorded Future for more context around internally observed indicators, or testing trending indicators from open source reporting against internal data sets.
The Add-on also simplifies the workflow of analysts working within the ES environment by adding contextual actions to the Incident Review and event searching and reporting views. This includes information on IPs, domains, file hashes and CVEs.
For more information on Recorded Future, visit www.recordedfuture.com.
To install this Add-on, perform the following steps:
Click the button 'Add new entry' in the "Incident Review -
Event Attributes" section. Add the following Label and Field
| Label | Field | ------------------------------- | ----------------------- | | RF Risk Score | rf_a_risk | | RF Triggered Rules | rf_b_rules | | RF Very Malicious Evidence | rf_evidence_critical | | RF Malicious Evidence | rf_evidence_malicious | | RF Suspicious Evidence | rf_evidence_suspicious | | RF Unusual Evidence | rf_evidence_unusual |
A restart of the Splunk instance will be required once the
installation has completed.
Alternatively, you can download the Add-on using the Splunk Web
interface's "Find more apps online" feature. Steps 5 and onwards above
must still be completed.
After installation, you will need to set up the Add-on for Recorded
Future to communicate with the Recorded Future API.
The setup needs to be run after the upgrade. The API key (previously
called token in our documentation) will not carry over from the old
configuration. The same goes for proxy and loglevel configurations.
Due to the extent of the changes between version 2 and 3 of the app
we recommend that you remove the app directory
($SPLUNK_HOME/etc/apps/TA-recorded_future) and make a fresh install
of the app.
If that is not possible proceed with the instructions below.
The following files and directories can be removed
since they are not used anymore:
From the bin folder:
future libfuturize past requests rf_integrations rf_splunk rfapi splunklib get-rf-threatlists.py rf_es_setup.py verify_rf_app.py
From the local folder (if present):
From the local/data/ui/nav folder (if present):
Any file in the local folder is the result of a
local configuration. These have precedence over the
new settings shipped with the app. Review differences
in each file in the local folder compared to the
new default in the default folder and adjust if
In particular correlation searches in
savedsearches.conf are likely to cause issues if
Recorded Future has a support web site:
Installing and configuring where
up-to-date ways of contacting support is also available.
Do not contact Splunk support about "Recorded Future for Splunk ES".
The main addition with the 3.0 release is the addition of two new threat lists:
- domains: allows for correlation and enrichment on events from proxies, web application firewalls, DNS servers etc
- hashes: events from anti-virus systems, email gateways, file alteration monitors etc
In addition to the new risk lists there are many other improvements:
- significant performance enhancements
- support for clustering (in particular search head clusters)
- support for running on Windows based Splunk servers
- support for Splunk servers with a non standard management port.
Version 3.1.0 adds a Setup GUI where in addition to the Recorded Future API key it's easy to toggle debug logging or adding proxy information.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.