[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]
Risk lists can be used to correlate and enrich events. For each element in the risk list (e.g. an IP number, a URL or a hash) there is a risk score and information about why the score has been set.
The app ships with five risk lists pre-configured:
- IP number
- Domain names
- Hashes of files
- Vulnerabilities (CVEs)
If you have Fusion access it's possible to define and read additional risk lists.
Navigate to Configuration->Inputs. This will show you all configured inputs (both risk lists and alert monitoring). Clicking on the >-sign will expose additional information about the list.
Under the Actions drop-down it's possible to enable/disable a list, delete, clone or edit it.
![Add risklists][Add risklists]
To create an additional risk list, click on the green Create New Input button and select Recorded Future risk list.

| Field | Description | Notes |
|---|---|---|
| Name | Risk list name within the Splunk instance. The lookup file will be named .csv. | |
| Interval | The list will be checked for updates after this many seconds. This should be set to 300. | This specifies how often the list is checked. Updates only occur if the list has been updated. |
| Index | The modular input produces statistics when running. Set the index where these will be stored. | Make sure to select an index with correct role assignments - leave to main/default if you are unsure. |
| Risk list category | Select which kind of element the risk list has data about. | IP, Domain, Hash, Vulnerability or URL |
| Fusion file | The path to the Fusion risk list. If the list is to be used as a lookup, the Fusion Flow must be defined to produce an uncompressed csv file. | Must correspond to a defined Fusion file. If this field is left blank the default risk list for the category will be used. |
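
The following is an added example, not code from the Recorded Future app: a pre-flight check that a custom Fusion file really is an uncompressed csv, followed by the kind of enrichment a lookup performs on events. The column names `Name`, `Risk` and `RiskString`, the event field `src_ip` and all sample data are assumptions constructed for illustration.

```python
import csv
import io

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of any gzip stream

def load_risk_list(raw, key_col="Name", score_col="Risk"):
    """Parse raw risk list bytes into {indicator: row}; reject compressed or malformed input."""
    if raw[:2] == GZIP_MAGIC:
        raise ValueError("file is gzip-compressed; a lookup needs an uncompressed csv")
    reader = csv.DictReader(io.StringIO(raw.decode("utf-8-sig")))
    missing = {key_col, score_col} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing expected column(s): {sorted(missing)}")
    table = {}
    for row in reader:
        row[score_col] = int(row[score_col])  # raises ValueError on a non-numeric score
        table[row[key_col]] = row
    return table

def enrich(events, table, field, score_col="Risk", detail_col="RiskString"):
    """Return copies of the events, with risk fields attached where `field` is on the list."""
    out = []
    for ev in events:
        enriched = dict(ev)
        hit = table.get(ev.get(field))
        if hit:
            enriched["risk_score"] = hit[score_col]
            enriched["risk_detail"] = hit.get(detail_col, "")
        out.append(enriched)
    return out

# Constructed sample data (documentation address ranges, assumed column names)
SAMPLE_CSV = b"Name,Risk,RiskString\n203.0.113.7,89,3/64\n198.51.100.20,25,1/64\n"
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "action": "allowed"},
    {"src_ip": "192.0.2.1", "action": "blocked"},
]

if __name__ == "__main__":
    risk_table = load_risk_list(SAMPLE_CSV)
    for event in enrich(SAMPLE_EVENTS, risk_table, "src_ip"):
        print(event)
```
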
Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact firstname.lastname@example.org.
Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".