Recorded Future Intelligence Cloud features are only available to clients running Recorded Future for Splunk v2.1+
Recorded Future for Splunk enrichment dashboards display historical correlation events. When you pivot to an enrichment dashboard, or perform an ad hoc lookup of an IOC in the enrichment dashboards, a new panel is available. This panel displays all historical correlations for that IOC, with the timestamp and the associated 'use case' (Recorded Future risk list name). This gives analysts historical context for an IOC in relation to their environment instead of starting from scratch during an investigation, and adds another data point to help prioritize SIEM alerts. The use case the IOC was correlated against helps answer the 'why?' behind something that triggered historically.
Setup Collective Insights in Recorded Future for Splunk
Collective Insights functionality is built natively into the Recorded Future for Splunk app. Clients must be running Recorded Future for Splunk v2.1.1 or higher to use Collective Insights functionality. Collective Insights settings can be found in the 'Configuration' menu inside the Recorded Future for Splunk app, under the 'Collective Insights' menu option.
Collective Insights is set to 'on' by default when installing Recorded Future for Splunk v2.1+.
- In Recorded Future for Splunk v2.1.1 there is a single setting for Collective Insights. The 'Recorded Future for Splunk' setting, when turned on, includes any detection made by the Recorded Future for Splunk app from Recorded Future risk lists (Splunk Enterprise and Splunk ES).
- In Recorded Future for Splunk v2.2+ there is a second setting, so there are two options for Collective Insights; both are turned on by default. The 'Recorded Future for Splunk' setting, when turned on, includes any detection made inside Splunk Enterprise and Splunk ES using Recorded Future threat lists, i.e. it writes back all security events detected by Recorded Future risk lists (Splunk Enterprise and Splunk ES). The 'Splunk Enterprise Security' setting includes any matches made in the Splunk Threat Intelligence Framework (TIM), including matches from third-party sources, so it writes back all security events regardless of which threat intelligence feed made the detection. Specifically, a notable event must be created in Splunk ES for it to be written back to Collective Insights (Splunk ES only). Note: the 'Recorded Future for Splunk' setting must be set to 'on' in order to use the 'Splunk Enterprise Security' setting.
Recorded Future for Splunk Data Mappings for Collective Insights
Collective Insights is powered by detections made in Splunk and Splunk ES. Part of the Recorded Future for Splunk app maps specific data points from detections to the Collective Insights data model to populate specific features inside Recorded Future and Splunk (see above). The following data points are mapped from Splunk detections to the Collective Insights data model:
- Entity - the IOC that matched a threat list
- Description - the name of the correlation search (use case)
- Malware - the malware family, if one is associated
- MITRE Code - Recorded Future maps MITRE codes to risk rules; the MITRE codes of the risk rules that are active for the IOC are applied
- Event Source - the log source where the detection was made
- Note: if you are using Data Model (DM) correlations as your event source, this column cannot be populated at this time.
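To make the mapping concrete, the following added example (not Recorded Future's own code) maps a constructed Splunk detection to these five Collective Insights fields, applying MITRE codes through a hypothetical risk-rule lookup and leaving Event Source empty for Data Model correlations. The `datamodel:` source prefix and the rule-to-technique pairs are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup: risk rule name -> MITRE ATT&CK technique ID.
# Recorded Future maintains the real mapping; these pairs are placeholders.
RISK_RULE_TO_MITRE = {
    "Recent C&C Server": "T1071",
    "Recent Malware Analysis": "T1071",
    "Historical Phishing Host": "T1566",
}


@dataclass
class SplunkDetection:
    """One correlation-search hit as it would leave Splunk (constructed)."""
    ioc: str
    correlation_search: str          # the 'use case' name
    active_risk_rules: List[str]     # risk rules currently active for the IOC
    source: str                      # sourcetype, or "datamodel:<name>" (assumed)
    malware_family: Optional[str] = None


@dataclass
class CollectiveInsightsRecord:
    """The five fields the app maps into the Collective Insights data model."""
    entity: str
    description: str
    malware: Optional[str]
    mitre_codes: List[str]
    event_source: Optional[str]


def map_detection(det: SplunkDetection) -> CollectiveInsightsRecord:
    # MITRE codes come from the IOC's active risk rules, deduplicated, order kept
    codes: List[str] = []
    for rule in det.active_risk_rules:
        code = RISK_RULE_TO_MITRE.get(rule)
        if code and code not in codes:
            codes.append(code)
    # Data Model correlations cannot supply a log source, so leave it empty
    is_dm = det.source.lower().startswith("datamodel:")
    return CollectiveInsightsRecord(
        entity=det.ioc,
        description=det.correlation_search,
        malware=det.malware_family,
        mitre_codes=codes,
        event_source=None if is_dm else det.source,
    )
```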
See 'Getting Started with Collective Insights' to learn more about the benefits of Collective Insights
FAQ
1. How can I check to make sure that Collective Insights is turned on?
In the Recorded Future for Splunk app, under the 'Configuration' menu, there is a setting for 'Collective Insights'. Make sure the setting is turned 'on'. The version-specific settings are described under 'Setup Collective Insights in Recorded Future for Splunk' above.
2. I still don't see my SecOps dashboard populating with Security Events from Splunk.
For clients running Recorded Future for Splunk Enterprise, you must have at least one correlation search set up inside the Recorded Future Splunk Enterprise app. For clients using Recorded Future for Splunk ES, you must have at least one correlation search set up using any threat intelligence provider. Splunk ES customers can bring security events into Collective Insights regardless of whether the detection came from a Recorded Future risk list or another vendor's feed: any notable event created in Splunk ES is written back to Recorded Future Collective Insights.
3. Notable events are being created inside of my Recorded Future for Splunk ES, but I'm still not seeing my SecOps Dashboard populating.
Recorded Future for Splunk ES has a setting that brings all notable events into Collective Insights regardless of which threat feed created them. For example, if you are using an ISAC threat feed in Splunk ES to create notable events, those events are brought into Collective Insights and Recorded Future attempts to enrich them with its intelligence (Malware, Threat Actors and MITRE T-Codes). Recorded Future may be unable to associate Malware, Threat Actors and MITRE codes with notable events created from third-party sources, and these associations are needed for the analytical views on the SecOps dashboard to populate. Check the Detection Explorer to see whether third-party notable events are making it to Collective Insights. Also, try setting up a Splunk ES correlation search using a Recorded Future risk list to confirm that Collective Insights are making it from Splunk ES to the Recorded Future portal.