Install
The app is available on Splunkbase. It can be installed directly from Splunkbase or downloaded and installed manually.
Configure
Once the app has been installed on the Splunk server, it must be configured. The configuration menu is located at Configuration › App Settings.
- Verify that the application is connected to Recorded Future’s API. "Status: Verified" is shown when the connection is successful.
- If the Status is not Verified, the connection may need to go through a proxy. Check “Connect via proxy server” to route the connection through a proxy.
- Enter the required proxy fields. If the proxy server requires authentication, enter a valid username and password; otherwise leave these fields blank.
- Connect by clicking [ Verify API URL ]. The Status should now be Verified; if it is not, review the proxy settings.
- Only change the API URL or disable SSL verification if asked to by your Recorded Future point of contact. Disabling SSL verification turns off certificate validation for the API connection, so a man-in-the-middle can no longer be detected and the API token could be captured in transit.
- Enter the API Token. Contact Recorded Future to receive one.
- Click [ Verify API Token ].
Install on a Search Head Cluster
The app detects when it is running in a Search Head Cluster and automatically ensures that only the captain node retrieves the Risk Lists and the alerts.
- Download the package into $SPLUNK_HOME/etc/shcluster/apps on the deployer of the Search Head Cluster.
- Unpack the package, e.g.:
  tar zxvfp recorded-future-app-for-splunk_240.tgz
- Remove the package file so that the .tgz is not distributed to the members as part of the bundle:
  rm recorded-future-app-for-splunk_240.tgz
- Push the new app to the cluster members:
  splunk apply shcluster-bundle...
- Connect to any Search Head Cluster member and follow the normal initial configuration procedure. The app propagates the configuration to all members of the cluster.
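The cluster procedure above as an added shell example; this is not part of the Recorded Future documentation or app. It stages the package on the deployer with the sanity checks a practitioner would want (package present, archive contains exactly one app directory, package file removed before the push) and wraps the bundle push. SPLUNK_HOME, the package file name and the -target value are placeholders for your environment; the credentials handling relies on the splunk CLI prompting for a username and password when -auth is omitted.

```shell
#!/bin/sh
# Added example, not part of the Recorded Future app or its documentation.
# Stages an app package on the deployer of a Search Head Cluster and pushes
# the bundle to the members. SPLUNK_HOME, the package name and the
# -target/-auth values are placeholders for your environment.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# stage_app PACKAGE [APPS_DIR]
# Unpacks PACKAGE into the deployer's shcluster/apps directory (APPS_DIR
# overrides the default), refuses archives that do not contain exactly one
# top-level app directory, and deletes the package file afterwards so the
# .tgz is not shipped to the members as part of the bundle.
# Prints the path of the staged app directory.
stage_app() {
    pkg="$1"
    apps_dir="${2:-$SPLUNK_HOME/etc/shcluster/apps}"

    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }

    # First path component of every archive entry, de-duplicated
    # (a leading "./" is stripped so "./app/..." and "app/..." compare equal)
    top=$(tar -tzf "$pkg" | sed 's#^\./##; s#/.*##' | grep -v '^$' | sort -u)
    count=$(printf '%s\n' "$top" | wc -l | tr -d ' ')
    if [ -z "$top" ] || [ "$count" -ne 1 ]; then
        echo "package must contain exactly one app directory, got: $top" >&2
        return 1
    fi

    mkdir -p "$apps_dir"
    tar -xzpf "$pkg" -C "$apps_dir"
    rm -f "$pkg"
    echo "$apps_dir/$top"
}

# push_bundle TARGET_URI [USER:PASSWORD]
# Runs the deployer-side push. TARGET_URI is the management URI of any
# cluster member (placeholder, e.g. https://sh1.example.com:8089). When the
# credentials are omitted the splunk CLI prompts for them, which keeps the
# password out of the process list and the shell history.
push_bundle() {
    if [ "$#" -ge 2 ]; then
        "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle -target "$1" -auth "$2"
    else
        "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle -target "$1"
    fi
}

# Usage on the deployer, after downloading the package from Splunkbase
# (file name and member URI are placeholders):
#   stage_app "$SPLUNK_HOME/etc/shcluster/apps/recorded-future-app-for-splunk_240.tgz"
#   push_bundle https://sh1.example.com:8089
```

After the push, configure the app once through any member as described above; the configuration is replicated by the app, so do not install or configure it on individual members outside the bundle.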