Data Flow - Recorded Future App for Splunk Enterprise

Version 3.0.5 (This version is Splunk Certified)

Install and configuration instructions

Diagram of Main Data flow of RF App for Splunk Enterprise


The script is called every hour to download the IP and domain risk lists, and once a day at 1 AM local time to download the hash and vulnerability risk lists.


The script makes a request to the Recorded Future API for the list or lists (see table below). Access to the API requires a valid access key. This key is configured during the setup process and stored in encrypted form in Splunk's storage password mechanism. When the script executes, it retrieves the access key from the storage password mechanism using an internal REST API call.


Once a list has been retrieved, it is processed and stored as a lookup CSV file for use in the different views of the dashboard.
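The scheduled fetch described above, as an added example (not the Recorded Future app's own code): the run picks the lists that are due for the current hour, reads the access key from Splunk's storage/passwords REST endpoint (a real Splunk endpoint, queried here with output_mode=json), calls the API, and writes the result as lookup CSV text. The app directory name, the realm/username under which the key is stored, the lookup column names and the sample credential and list rows are all assumptions constructed for this example; the Recorded Future API URL is not on the page, so the network call is represented by an injected fetch function.

```python
import csv
import io
import json
from typing import Callable, Dict, List

# Real Splunk endpoint; the app directory "recorded_future" and the
# realm/username the key is stored under are assumptions for this example.
PASSWORDS_PATH = "/servicesNS/nobody/recorded_future/storage/passwords?output_mode=json"
KEY_REALM, KEY_USER = "recorded_future", "api_key"

# Assumed lookup columns; the page does not list the real ones.
LOOKUP_COLUMNS = ["Name", "Risk", "RiskString"]


def due_lists(local_hour: int) -> List[str]:
    """Lists to refresh on an invocation at the given local hour: IP and
    domain on every hourly run, hash and vuln only on the 1 AM run."""
    due = ["ip", "domain"]
    if local_hour == 1:
        due += ["hash", "vuln"]
    return due


def extract_access_key(passwords_json: str, realm: str, username: str) -> str:
    """Read the secret for realm/username out of a storage/passwords response.
    Splunk keeps the value encrypted on disk and exposes it to the app as
    entry[].content.clear_password. A missing credential raises rather than
    returning "" so the script never calls the API with an empty key."""
    doc = json.loads(passwords_json)
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        if content.get("realm") == realm and content.get("username") == username:
            return content["clear_password"]
    raise KeyError(f"no credential for realm={realm!r} username={username!r}")


def masked(secret: str) -> str:
    """The only form of the key that may appear in log output."""
    return "****" + secret[-4:] if len(secret) > 8 else "********"


def risk_list_to_lookup_csv(rows: List[Dict[str, str]], columns: List[str]) -> str:
    """Normalise a fetched risk list into lookup CSV text: fixed header order,
    one row per entity, unknown fields dropped, missing fields left empty."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({c: row.get(c, "") for c in columns})
    return buf.getvalue()


def refresh(list_name: str, passwords_json: str,
            fetch: Callable[[str, str], List[Dict[str, str]]]) -> str:
    """One scheduled run for one list. fetch(list_name, key) stands in for the
    HTTPS request to the Recorded Future API."""
    key = extract_access_key(passwords_json, KEY_REALM, KEY_USER)
    print(f"fetching {list_name} risk list with key {masked(key)}")
    return risk_list_to_lookup_csv(fetch(list_name, key), LOOKUP_COLUMNS)


# --- constructed sample data standing in for the two network calls ----------
SAMPLE_PASSWORDS_JSON = json.dumps({"entry": [{
    "name": "recorded_future:api_key:",
    "content": {"realm": "recorded_future", "username": "api_key",
                "clear_password": "constructed-sample-key-0123",
                "encr_password": "$7$..."}}]})

SAMPLE_LISTS = {
    "ip": [{"Name": "192.0.2.10", "Risk": "65", "RiskString": "2/50", "Extra": "x"},
           {"Name": "198.51.100.7", "Risk": "90"}],
}


def sample_fetch(list_name: str, key: str) -> List[Dict[str, str]]:
    """Offline stand-in for the API request."""
    assert key, "refusing to call the API without an access key"
    return SAMPLE_LISTS.get(list_name, [])


if __name__ == "__main__":
    for name in due_lists(local_hour=1):
        print(refresh(name, SAMPLE_PASSWORDS_JSON, sample_fetch))
```

The key is read fresh on every run instead of being cached in a file, and only the masked form reaches the log line, so neither the lookup CSV nor the script's output ever contains the secret.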

HTTP requests made by the script to Recorded Future's API

  List                  Refresh interval
  IP threat list        1 hour
  Domain threat list    1 hour
  Hash threat list      24 hours
  Vuln threat list      24 hours


The enrichment dashboards are used to look up specific IPs, domains, hashes or vulnerabilities. The script is called by the dashboard with the value from the input field and makes one or two API calls to fetch data related to the requested entity. In the case of IP addresses, two requests are made: one for the actual IP address and one for the whole /24 subnet, to show possibly related data.
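The enrichment lookup described above, as an added example (not the app's own code): the dashboard input is first checked to be an IP, domain, hash or CVE id before it is placed in any API request, an IPv4 address expands to the exact-address query plus its /24 query while IPv6 and non-IP inputs get a single query, and subnet hits that repeat the exact address are shown once. The classification regexes, the sample API responses and the injected fetch function are constructed for this example; the real endpoint and response format are not on the page.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Assumed entity formats: MD5/SHA-1/SHA-256 hex digests, CVE ids, DNS names.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE)


def classify(value: str) -> Optional[str]:
    """Which kind of entity the input field holds, or None if it is none of
    the four kinds the enrichment dashboards accept."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(v):
        return "hash"
    if CVE_RE.match(v):
        return "vuln"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def enrichment_queries(value: str) -> List[str]:
    """The one or two entities the script asks the API about for one input.
    Unrecognised input is rejected here, before it reaches any request."""
    kind = classify(value)
    if kind is None:
        raise ValueError(f"not an IP, domain, hash or CVE id: {value!r}")
    v = value.strip()
    if kind == "ip":
        ip = ipaddress.ip_address(v)
        if ip.version == 4:
            # exact address first, then the enclosing /24 for related data
            return [str(ip), str(ipaddress.ip_network(f"{ip}/24", strict=False))]
        return [str(ip)]  # no /24 sibling lookup for IPv6
    return [v]


def enrich(value: str, fetch: Callable[[str], List[Dict]]) -> List[Dict]:
    """Run the lookups and tag each hit with the query it came from so the
    dashboard can separate exact hits from /24 neighbours."""
    queries = enrichment_queries(value)
    exact = queries[0]
    results, seen = [], set()
    for q in queries:
        for hit in fetch(q):
            entity = hit.get("entity")
            if entity in seen:
                continue  # the /24 result repeats the exact address
            seen.add(entity)
            results.append({"query": q, "exact": q == exact, **hit})
    return results


# --- constructed sample responses standing in for the API -------------------
SAMPLE_API = {
    "192.0.2.10": [{"entity": "192.0.2.10", "risk": 72}],
    "192.0.2.0/24": [{"entity": "192.0.2.10", "risk": 72},
                     {"entity": "192.0.2.200", "risk": 40}],
}


def sample_fetch(query: str) -> List[Dict]:
    """Offline stand-in for one API call."""
    return SAMPLE_API.get(query, [])


if __name__ == "__main__":
    for hit in enrich("192.0.2.10", sample_fetch):
        print(hit)
```

Validating the input before building the request matters because the value comes straight from a dashboard text field; rejecting anything that is not one of the four entity kinds keeps stray input out of the outbound API call and out of the lookup results.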
