Recorded Future for Splunk Change Log

[Version 2.6.0] 10/07/2024
Note: Python 2.7 is no longer supported.

Improvements

  • Risklists are now stored in the KV store rather than in .csv files.
  • Optional KV store ingestion of alerts.
  • Threat hunt scheduling capability.
  • Ability to disable continuous cached correlation searches in the UI.
  • Correlation dashboard "live mode" that runs the correlation on dashboard visits when caching of correlation searches is disabled.
  • Display v3 alerts on the Recorded Future Alerts page.
  • Collective Insights now stores the event time rather than the detection time.
  • Collective Insights now records the "actions" seen in relation to a detection, e.g. allowed/blocked for a firewall-based correlation.
  • Consolidation of the adaptive response log and the app logfile. Errors and warnings are still listed on the troubleshooting view.

UI improvements

  • Configure threat hunt directly from Threat Map.
  • New UI for settings page.

[Version 2.1.4] - 6/12/2023

Improvements

  • Added multi-org support for Recorded Future alerts. Alerting rules and alerts now display which organization owns the alert, and the lists can be filtered on "owner".
  • Added more in-app documentation.

Bug Fixes

  • Fixed a regexp in distsearch.conf that caused risklists to be replicated to indexers in clustered environments.
  • Fixed a Python 2.7 compatibility issue with Adaptive Response enrichment.
  • Fixed a bug in the conversion of Splunk events to JSON.
  • Increased the timeout of a number of calls that were timing out prematurely.

[Version 2.1.3] - 03/22/23

Improvements

  • Improved performance of Correlation Setup in very large log environments.
  • Improved performance of Sigma Setup in very large log environments.
  • Added documentation for the new "Infrastructure Detections" enrichment panel.
  • Improved in-app documentation for the Correlation "Search String" option.

Bug Fixes

  • Notification text was sometimes clipped outside its border.
  • A subset of in-app correlations risked being missed.
  • A risklist sync failure caused correlation setup to fail with an incorrect error message.

[Version 2.1.2] - 02/13/2023

Improvements

  • Ad-hoc invocations of Adaptive Response now create Notable events.
  • Added a Title Prefix option that allows the Notable event title to be customized.
  • UI improvements for notifications.
  • Added a quickstart guide for setting up the app.
  • Removed the save button from the configuration page.

Bug Fixes

  • Fixed a bug where events containing multi-value fields were incorrectly filtered out of the results when the make_json macro was used.
  • Fixed a bug where the previous correlation view ID was shown in the dropdown.
  • HTTPS proxy support is disabled on Splunk 8, whose bundled urllib3 does not support HTTPS proxies. Please upgrade to Splunk 9 to get full HTTPS proxy support.

[Version 2.1.1] - 12/15/2022

Improvements

  • Set up Sigma detection rules from Recorded Future's threat hunting team on the Splunk system.
  • Cached correlation searches, which shorten the load time of Correlation views by a couple of orders of magnitude.
  • Leverage Risk Based Alerting in Splunk ES with the new functionality in this app.

Bug Fixes

[Version 2.0.8] - 02/02/2023

Bug Fixes

  • Fixed an HTTPS proxy settings issue affecting users of Splunk 8. Splunk 8 bundles a version of urllib3 that does not support HTTPS proxies, so the connection to the proxy itself is made over plain HTTP regardless of configuration. Please upgrade to Splunk 9 to get full HTTPS proxy support.
  • Fixed an edge case in the migration from 1.1, where a setup without any use cases loaded caused the migration to fail.
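The proxy caveat in the 2.0.8 and 2.1.2 bug fixes above is worth verifying on the host rather than taking on trust: an `https://` proxy URL only buys a TLS hop to the proxy if the urllib3 underneath supports it, otherwise the proxy leg is plaintext. The following is an added example, not code from the Recorded Future app or from Splunk. It parses a urllib3 version string and reports what the proxy hop will actually use. The 1.26.0 threshold is taken from urllib3's own release notes (the first release with HTTPS proxy support) and is an assumption not stated on this page; running it via `splunk cmd python3` is likewise assumed as the way to reach Splunk's bundled interpreter.

```python
"""Check whether the urllib3 a Splunk app runs under can speak TLS to an HTTPS proxy.

Added example; not part of the Recorded Future for Splunk app.
Run under Splunk's own interpreter to see what the app sees, e.g.:
    $SPLUNK_HOME/bin/splunk cmd python3 check_https_proxy.py
"""
import re

# urllib3 added support for HTTPS proxies (TLS to the proxy itself) in 1.26.0.
# Assumption taken from urllib3's release notes, not from this changelog.
HTTPS_PROXY_MIN_VERSION = (1, 26, 0)


def parse_version(version: str) -> tuple:
    """Turn '1.25.11' or '2.2.1' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '1.26.0rc1' are dropped; a missing patch is 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised urllib3 version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def supports_https_proxy(version: str) -> bool:
    """True if this urllib3 can make a TLS connection to the proxy itself."""
    return parse_version(version) >= HTTPS_PROXY_MIN_VERSION


def proxy_transport_note(proxy_url: str, version: str) -> str:
    """Describe the transport the proxy hop will really use for a configured URL."""
    scheme = proxy_url.split("://", 1)[0].lower()
    if scheme != "https":
        # An http:// proxy URL is plaintext to the proxy by design; nothing to downgrade.
        return f"proxy hop is {scheme} as configured"
    if supports_https_proxy(version):
        return "proxy hop is TLS as configured"
    needed = ".".join(str(n) for n in HTTPS_PROXY_MIN_VERSION)
    return (f"proxy hop silently downgraded to plain HTTP: urllib3 {version} "
            f"predates HTTPS proxy support (needs {needed}+)")


def local_urllib3_status(proxy_url: str = "https://proxy.example.internal:3128") -> str:
    """Report on the urllib3 actually importable from this interpreter.

    The proxy URL is a constructed placeholder; pass the one from the app's settings.
    """
    try:
        import urllib3
    except ImportError:
        return "urllib3 not importable from this interpreter"
    return f"urllib3 {urllib3.__version__}: {proxy_transport_note(proxy_url, urllib3.__version__)}"


if __name__ == "__main__":
    print(local_urllib3_status())
```

If the report says the hop is downgraded, either move the proxy to an `http://` URL so the configuration matches reality, or upgrade to Splunk 9 as the changelog advises; the API call itself is still tunneled with CONNECT, but credentials in the proxy URL and the proxy hop are exposed on the wire.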

[Version 2.0.7] - 01/17/2023

Improvements

  • Ad-hoc invocations of Adaptive Response now create Notable events.
  • Added a Title Prefix option that allows the Notable event title to be customized.
  • Updated UI for Recorded Future Alerting rule page.

[Version 2.0.5] - 10/12/2022

Bug Fixes


[Version 2.0.4] - 09/12/2022

Improvements

  • Create custom correlation views using a configuration wizard that offers a number of correlation use cases.
  • Improvements to the correlation dashboards (MITRE ATT&CK codes) to provide extensive intelligence for five types of IOCs.
  • Improvements to the enrichment dashboards (Recorded Future Links data, MITRE ATT&CK codes) to provide extensive intelligence for six types of IOCs.
  • Easy setup for the Recorded Future alerts dashboard.
  • Pivot search can be used to run a free-text search against Recorded Future's API and then explore the results in the corresponding Enrichment dashboard.

Note: The app detects whether Splunk ES is installed on the system. If it is, an additional configuration setting is shown that allows ES support to be enabled or disabled.

If you are upgrading from Recorded Future for Splunk v1.x to v2.0+ you will need a new API token from Recorded Future. Please contact Recorded Future support to receive a new token.


[Version 1.1.9] - 05/23/2022

Bug Fixes
