Using the Alert API to view Recorded Future Alerts in Splunk


Introduction

With the Alert API introduced in 2018, customers can access their Recorded Future alerts programmatically. In this support page, we outline how Splunk Integration customers can use the Alert API to incorporate alerts into Splunk. For a general overview of how to use the Alert API, check out this support page.

Note that this add-on functionality assumes that a 3.x version of Recorded Future's (core) Splunk Enterprise Integration Application (see https://splunkbase.splunk.com/app/2629/) is installed. Also, in v4.x of this integration application (released in September 2018), an "Alerts" dashboard will be incorporated into the standard package.

Basic Instructions

  1. The alerts.py file should be placed in the bin directory of the Recorded Future App.
    • May need to chown file to splunk:splunk
    • May need to chmod file to 755
  2. The .conf files should be placed in the local directory of the Recorded Future App.
    • May need to chown files to splunk:splunk
    • May need to adjust the path in the files if the Splunk home directory is not /opt/splunk/
  3. Copy xml file into the local/data/ui/views directory of the Recorded Future App.
    • May need to chown files to splunk:splunk
    • May need to adjust permissions for access, set global view (all apps, everyone read, admin write)
    • Will need to add to default navigation for visibility in the app
The scripts pull the API key stored in the KV store, so nothing should need to be entered. The user who owns the API key must have alerts shared with them in order to pull the alerts from the API. If you have any issues during setup or configuration, please schedule a remote session through your account team.