Recorded Future for Splunk: Install and Configure

 

Install

The app is available on Splunkbase. It can either be installed directly from Splunkbase or downloaded and installed manually.

Configure

Once the app has been installed on the Splunk server, it must be configured. The configuration menu is located at Configuration > App Settings.

  1. Verify that the application is connected with Recorded Future’s API. "Status: Verified" will show when the connection is successful.

  2. If the Status is not Verified, the connection may require a proxy. Check “Connect via proxy server” to activate a connection via proxy.

  3. Enter the required fields. If the proxy server requires authentication, enter a valid username and password; otherwise, leave these fields blank.

  4. Connect by clicking [ Verify API URL ]. The Status should be Verified; if it is not, review the proxy settings.

    - Only change the API URL or disable SSL verification if asked by your Recorded Future point of contact.

  5. Enter the API Token. Contact Recorded Future to receive one.

  6. Click [ Verify API Token ].

Install on a Search Head Cluster

The app detects if it is running in a Search Head Cluster and automatically ensures that only the captain node retrieves the Risk Lists and the alerts.

  1. Download the package into $SPLUNK_HOME/etc/shcluster/apps on the deployer of the Search Head Cluster.

  2. Unpack the package, for example:

       tar zxvfp recorded-future-app-for-splunk_240.tgz
    
  3. Remove the package file:

       rm recorded-future-app-for-splunk_240.tgz
    
  4. Push the new app to the Cluster nodes:

       splunk apply shcluster-bundle...

  5. Connect to any Search Head Cluster node and follow the normal initial configuration procedure. The app will propagate the configuration to all nodes in the cluster.
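A check a deployer administrator could run in place of steps 2 and 3, as an added example that is not part of the original article or of Recorded Future's tooling: it lists the package without extracting it, rejects absolute or `..` member paths, requires a single top-level app directory, and only then unpacks and removes the package. The function names and the acceptance policy are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and the acceptance policy
# (one top-level app directory, no absolute or ".." member paths) are assumptions.

# names_are_safe: reads archive member names on stdin, one per line.
# Succeeds only if no name is absolute or contains a ".." path component.
names_are_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# check_app_package PACKAGE
# Lists the archive without extracting it and prints its single top-level
# directory. Checks member names only; it does not inspect symlink targets.
check_app_package() {
    pkg=$1
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    members=$(tar tzf "$pkg") || { echo "cannot list: $pkg" >&2; return 1; }
    printf '%s\n' "$members" | names_are_safe ||
        { echo "unsafe member path in $pkg" >&2; return 1; }
    tops=$(printf '%s\n' "$members" | sed 's|^\./||' | cut -d/ -f1 |
        grep -v '^$' | sort -u)
    if [ -z "$tops" ] || [ "$(printf '%s\n' "$tops" | wc -l)" -ne 1 ]; then
        echo "expected exactly one top-level directory in $pkg" >&2
        return 1
    fi
    printf '%s\n' "$tops"
}

# stage_app_package PACKAGE APPS_DIR
# Steps 2 and 3 of the procedure above, run only if the archive passes the
# check. Prints the path of the unpacked app directory.
stage_app_package() {
    pkg=$1
    apps_dir=$2
    [ -d "$apps_dir" ] || { echo "missing apps dir: $apps_dir" >&2; return 1; }
    app=$(check_app_package "$pkg") || return 1
    tar zxfp "$pkg" -C "$apps_dir" || return 1
    rm -- "$pkg"
    printf '%s\n' "$apps_dir/$app"
}
```

On the deployer this would be called as `stage_app_package recorded-future-app-for-splunk_240.tgz "$SPLUNK_HOME/etc/shcluster/apps"`, followed by the bundle push from step 4.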

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.