Data Flow - Recorded Future App for Splunk Enterprise

Version 3.0.5 https://splunkbase.splunk.com/app/2629/ (This version is Splunk Certified)

Install and configuration instructions

https://splunkbase.splunk.com/app/2629/#/details

Diagram of Main Data flow of RF App for Splunk Enterprise

[Figure image1.png: diagram of the main data flow; image not reproduced here]

The script rf_risklist.py is called every hour to download the IP and domain risk lists, and at 1 AM local time every day to download the hash and vulnerability risk lists.

The script makes a request to the Recorded Future API for the list or lists (see the table below). Access to the API requires a valid access key. This key is entered during the setup process and stored in encrypted form in Splunk's storage/passwords mechanism. When the script executes, it retrieves the access key from storage/passwords with a call to Splunk's internal REST API.

Once a list has been retrieved, it is processed and stored as a lookup CSV file, which the different views in the dashboard then read.

HTTP requests made by the script to Recorded Future's API

Purpose             URL                                                        Interval
IP threat list      https://api.recordedfuture.com/v2/ip/risklist              1 hour
Domain threat list  https://api.recordedfuture.com/v2/domain/risklist          1 hour
Hash threat list    https://api.recordedfuture.com/v2/hash/risklist            24 hours
Vuln threat list    https://api.recordedfuture.com/v2/vulnerability/risklist   24 hours
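The refresh path described above (credential lookup in storage/passwords, download of a risk list from one of the URLs in the table, processing into a lookup CSV), written out as an added example. This is illustrative code, not the app's own rf_risklist.py. It assumes things the page does not state: that the key is stored under realm "recorded_future" with username "api_key" (hypothetical names), that the API takes the key in an X-RFToken header, and that a risk list is CSV with the columns Name, Risk, RiskString and EvidenceDetails. The sample credential response and risk list are constructed so the code runs without Splunk or API access.

```python
"""Added example of the risk-list refresh: credential lookup, download,
CSV processing into a Splunk lookup. Not the app's own rf_risklist.py.
Assumptions (not on the page): realm "recorded_future" / username "api_key"
in storage/passwords, X-RFToken auth header, risk-list CSV columns
Name,Risk,RiskString,EvidenceDetails."""
import csv
import io
import json
import os
import urllib.request

RISKLISTS = {
    # entity type -> (URL from the table above, refresh interval in hours)
    "ip": ("https://api.recordedfuture.com/v2/ip/risklist", 1),
    "domain": ("https://api.recordedfuture.com/v2/domain/risklist", 1),
    "hash": ("https://api.recordedfuture.com/v2/hash/risklist", 24),
    "vulnerability": ("https://api.recordedfuture.com/v2/vulnerability/risklist", 24),
}


def lists_due(local_hour):
    """Lists to refresh when the script runs at a given local hour: hourly
    lists on every run, daily lists only on the 1 AM run."""
    return sorted(name for name, (_url, hours) in RISKLISTS.items()
                  if hours == 1 or local_hour == 1)


def extract_api_key(storage_passwords_json, realm, username):
    """Find the key in a storage/passwords REST response (output_mode=json).
    Splunk hands it back decrypted as clear_password; the script never parses
    the encrypted on-disk form itself."""
    for entry in json.loads(storage_passwords_json)["entry"]:
        content = entry["content"]
        if content.get("realm") == realm and content.get("username") == username:
            return content["clear_password"]
    raise LookupError("no stored credential for %s:%s" % (realm, username))


def fetch_risklist(entity_type, api_key, opener=urllib.request.urlopen):
    """Download one risk list. The opener is injectable so tests stay offline."""
    url, _hours = RISKLISTS[entity_type]
    req = urllib.request.Request(url, headers={"X-RFToken": api_key})
    with opener(req, timeout=60) as resp:
        return resp.read().decode("utf-8")


def parse_risklist(csv_text):
    """Convert the CSV body into lookup rows. EvidenceDetails is a JSON
    document per line; only the triggered rule names are kept so the lookup
    stays small and readable. Malformed lines are dropped, not written."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            risk = int(rec["Risk"])
        except (KeyError, TypeError, ValueError):
            continue
        try:
            details = json.loads(rec.get("EvidenceDetails") or "{}")
            rules = [d.get("Rule", "") for d in details.get("EvidenceDetails", [])]
        except (json.JSONDecodeError, AttributeError):
            rules = []
        rows.append({"Name": rec["Name"], "Risk": risk,
                     "RiskString": rec.get("RiskString", ""),
                     "Rules": "|".join(rules)})
    return rows


def write_lookup(rows, path):
    """Write the lookup CSV the dashboards read. Write to a temp file and
    rename, so a crash mid-write never leaves a truncated lookup in place of
    the last good one."""
    tmp = path + ".tmp"
    with open(tmp, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["Name", "Risk", "RiskString", "Rules"])
        writer.writeheader()
        writer.writerows(rows)
    os.replace(tmp, path)
    return len(rows)


# Constructed sample inputs so the example runs without Splunk or API access.
SAMPLE_STORAGE_PASSWORDS = json.dumps({"entry": [{"content": {
    "realm": "recorded_future", "username": "api_key",
    "clear_password": "RFTOKEN-EXAMPLE"}}]})

SAMPLE_RISKLIST_CSV = (
    "Name,Risk,RiskString,EvidenceDetails\n"
    '203.0.113.7,89,3/50,"{""EvidenceDetails"": [{""Rule"": ""C&C Server""}, '
    '{""Rule"": ""Recent Scanner""}]}"\n'
    '198.51.100.20,25,1/50,"{""EvidenceDetails"": [{""Rule"": ""Historical Spam Source""}]}"\n'
    "not-an-ip,abc,,\n"
)

if __name__ == "__main__":
    key = extract_api_key(SAMPLE_STORAGE_PASSWORDS, "recorded_future", "api_key")
    rows = parse_risklist(SAMPLE_RISKLIST_CSV)  # offline stand-in for fetch_risklist("ip", key)
    print(lists_due(1), lists_due(13), key, rows)
```

The two points a practitioner should take from this: the access key only ever lives in memory after the storage/passwords call, never in a file the script writes, and the lookup is replaced atomically so a failed hourly download cannot leave the dashboards reading a half-written CSV.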

 

The enrichment dashboards are used to look up specific IPs, domains, hashes or vulnerabilities. The dashboard calls the script rf_entityquery.py with the value from the input field, and the script makes one or two API calls to fetch data about the requested entity. For IP addresses two requests are made: one for the IP address itself and one for the whole /24 subnet, to show possibly related data.
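An added example of the request-building step for one dashboard input, including the second /24 request for IP addresses. This is illustrative code, not the app's rf_entityquery.py. It assumes per-entity lookups live at https://api.recordedfuture.com/v2/<type>/<value>, mirroring the risklist URLs above (the page itself lists only the risklist endpoints), and that a CIDR is percent-encoded into the path segment. Because the value comes straight from a dashboard user, the example validates it against a strict shape for each entity type before it is placed in a URL, and it handles the IPv6 case, where a /24 is not a meaningful neighbourhood, by making a single request.

```python
"""Added example: validate a dashboard input and build the enrichment
request(s) for it. Not the app's own rf_entityquery.py. Assumption: entity
lookups live at API_BASE/<type>/<value>; the page lists only risklist URLs."""
import ipaddress
import re
from urllib.parse import quote

API_BASE = "https://api.recordedfuture.com/v2"

# Strict shapes for the four entity types the dashboards accept.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)


def normalise(entity_type, value):
    """Canonicalise the raw input field, or raise ValueError. The value is
    user-controlled, so only an exact IP, domain, hash or CVE id is forwarded;
    path tricks, wildcards and junk are rejected here, before any URL exists."""
    value = value.strip()
    if entity_type == "ip":
        return str(ipaddress.ip_address(value))  # ValueError if not an address
    if entity_type == "domain":
        value = value.rstrip(".").lower()
        if DOMAIN_RE.match(value):
            return value
    elif entity_type == "hash":
        if HASH_RE.match(value):
            return value.lower()
    elif entity_type == "vulnerability":
        if CVE_RE.match(value):
            return value.upper()
    raise ValueError("not a valid %s: %r" % (entity_type, value))


def entity_query_urls(entity_type, value):
    """URLs the script fetches for one input: one request for the entity and,
    for IPv4, a second for the enclosing /24 so related activity in the same
    block can be shown. IPv6 addresses get only the single request."""
    clean = normalise(entity_type, value)
    urls = ["%s/%s/%s" % (API_BASE, entity_type, quote(clean, safe=""))]
    if entity_type == "ip" and ipaddress.ip_address(clean).version == 4:
        block = ipaddress.ip_network(clean + "/24", strict=False)  # host bits cleared
        urls.append("%s/ip/%s" % (API_BASE, quote(str(block), safe="")))
    return urls


if __name__ == "__main__":
    for kind, raw in [("ip", "203.0.113.7"), ("ip", "2001:db8::1"),
                      ("domain", "Example.COM."),
                      ("hash", "D41D8CD98F00B204E9800998ECF8427E"),
                      ("vulnerability", "cve-2021-44228"),
                      ("domain", "evil.com/../../")]:
        try:
            print(kind, raw, "->", entity_query_urls(kind, raw))
        except ValueError as exc:
            print(kind, raw, "-> rejected:", exc)
```

The /24 is derived with strict=False so the host bits of the queried address are cleared rather than rejected, which is exactly the "whole subnet" the text describes.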
