Install and Configure: Getting Started

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Initial setup of the App

Once the app has been installed on the Splunk server, the initial setup of the app is done under Configuration->Global configuration.

The Configuration view has three panes: Proxy, Logging and Add-on Settings.

To see and configure the API key, the Proxy settings and the API URL in the Splunk App, the user needs the capability 'list_storage_passwords'. To change the logging level, the user needs the capability 'admin_all_objects'.

The API key must be configured in the Add-on Settings pane in order for the app to work.

Proxy

If the Splunk server uses a proxy to access the Internet, this should be configured here. If no proxy is used, leave the Enabled checkbox unchecked.

Host and port must always be set. If the proxy requires authentication, the username and password should be set here. If authentication is not used, these fields should be left empty.

Logging

If additional logging is required it's possible to adjust the log level here.

The recommended log level is INFO.

The integration logs to the standard Splunk log directory ($SPLUNK_HOME/var/log/splunk). The following log files will be created (depending on app configuration and usage, not all of them may exist):

  • ta_recordedfuture_cyber_recorded_future_risk_list.log
  • ta_recordedfuture_cyber_recorded_future_alerts.log
  • ta_recordedfuture_cyber_rest.log

The events logged into these files can be viewed either as files on the Splunk server or via the Splunk GUI.

Example search:

index=_* source="/opt/splunk/var/log/splunk/ta_recordedfuture_cyber_recorded_future_alerts.log"
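
For the other route mentioned above, reading the files directly on the Splunk server, the following shell sketch reports which of the three log files exist and how many ERROR lines each holds. It is an added example, not part of the Recorded Future app; the function names and the sample log lines are constructed, and it assumes each log line carries its level as a whole word such as ERROR.

```shell
#!/bin/sh
# Added example: summarise the app's log files named on this page.
# Assumption: each log line carries its level as a whole word (e.g. "ERROR").

RF_LOGS="ta_recordedfuture_cyber_recorded_future_risk_list.log
ta_recordedfuture_cyber_recorded_future_alerts.log
ta_recordedfuture_cyber_rest.log"

# Print "<file> <status> errors=<n>" for each expected log under directory $1.
rf_log_summary() {
    dir=$1
    for name in $RF_LOGS; do
        path="$dir/$name"
        if [ -f "$path" ]; then
            # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
            errors=$(grep -c -w 'ERROR' "$path" || true)
            echo "$name present errors=$errors"
        else
            # Not every file exists; it depends on app configuration and usage.
            echo "$name missing errors=0"
        fi
    done
}

# Exit status 0 only if no present log contains ERROR lines.
rf_logs_clean() {
    ! rf_log_summary "$1" | grep -q ' present errors=[1-9]'
}

# Constructed sample so the example runs offline.
rf_make_sample() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ta_recordedfuture_cyber_recorded_future_alerts.log" <<'EOF'
2024-01-01 10:00:00,000 INFO constructed sample: alert poll started
2024-01-01 10:00:01,000 ERROR constructed sample: API request failed
2024-01-01 10:05:00,000 INFO constructed sample: alert poll started
EOF
    cat > "$dir/ta_recordedfuture_cyber_rest.log" <<'EOF'
2024-01-01 10:00:00,000 INFO constructed sample: configuration read
EOF
}

# Point this at "$SPLUNK_HOME/var/log/splunk" on a real server.
sample_dir=$(mktemp -d)
rf_make_sample "$sample_dir"
rf_log_summary "$sample_dir"
rm -rf "$sample_dir"
```
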

Add-on Settings

The Recorded Future API key required for the proper operation of the app is entered in the Api key field.

In some rare situations it may be necessary to change the URL of the Recorded Future API. If Recorded Future support instructs you to do so, the URL should be entered in the Recorded Future Api URL field.

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice.  If you do not know who that is, you can also contact support@recordedfuture.com.

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.