Install and Configure: Manage Risk Lists

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Manage risklists

Risk lists can be used to correlate and enrich events. For each element in the risk list (e.g. an IP number, a URL or a hash) there is a risk score and information about why the score has been set.

Default risklists

By default the app is shipped with five default risk lists pre-configured:

  • IP number
  • Domain names
  • URLs
  • Hashes of files
  • Vulnerabilities (CVEs)

If you have Fusion access it's possible to define and read additional risk lists.
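As an added example that is not part of the app or this article, the following plain-Python code shows how the element, score and evidence structure described above can drive event enrichment, and how an element can be sorted into the five default categories; the risk-list CSV, the column names Name, Risk and EvidenceDetails, and the event field names are all constructed assumptions rather than the app's real export format.

```python
import csv
import io
import re

# Constructed risk-list CSV (not the app's real export format); column names are assumptions.
RISK_LIST_CSV = """Name,Risk,EvidenceDetails
198.51.100.23,89,Recently reported as a C2 server
evil-example.test,65,Recent malware hosting
aaaaaaaabbbbbbbbccccccccdddddddd,95,Positive malware verdict
CVE-0000-0000,99,Actively exploited vulnerability
http://evil-example.test/login,70,Recent phishing URL
"""
# Constructed events; the field names are assumptions about what a search would pass to a lookup.
EVENTS = [
    {"src": "198.51.100.23", "dest": "10.0.0.5"},
    {"src": "203.0.113.9", "dest": "10.0.0.7"},
    {"query": "evil-example.test"},
    {"file_hash": "aaaaaaaabbbbbbbbccccccccdddddddd"},
    {"cve": "CVE-0000-0000"},
]
# Order matters: IP and URL are checked before Domain, whose pattern is the loosest of the five.
CATEGORY_PATTERNS = [
    ("IP", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("Hash", re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)),
    ("Vulnerability", re.compile(r"^CVE-\d{4}-\d{4,}$")),
    ("URL", re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)),
    ("Domain", re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)),
]

def categorize(element):
    """Map an element to one of the app's five risk list categories."""
    return next((name for name, pat in CATEGORY_PATTERNS if pat.match(element)), "Unknown")

def load_risk_list(text):
    """Index the CSV by element so each event field costs one dictionary lookup."""
    return {row["Name"]: {"risk": int(row["Risk"]), "evidence": row["EvidenceDetails"],
                          "category": categorize(row["Name"])}
            for row in csv.DictReader(io.StringIO(text))}

def enrich(event, risk_list):
    """Copy the event, adding rf_* fields for the first field value found on the list."""
    for field, value in event.items():
        hit = risk_list.get(value)
        if hit:
            return {**event, "rf_field": field, **{"rf_" + k: v for k, v in hit.items()}}
    return dict(event)

def high_risk(events, risk_list, threshold=65):
    """Correlate a batch of events, keeping those scored at or above the threshold."""
    return [e for e in (enrich(ev, risk_list) for ev in events) if e.get("rf_risk", 0) >= threshold]
```

In Splunk the same join is done by the app's CSV lookup; the threshold filter is the step a correlation search adds on top of the enriched fields.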

Navigate to Configuration->Inputs. This will show you all configured inputs (both risk lists and alert monitoring). Clicking on the >-sign will expose additional information about the list.

Under the Actions drop-down it's possible to enable or disable a list, or to delete, clone or edit it.

Add risklists

![Add risklists][Add risklists]

To create an additional risk list, click on the green Create New Input button and select Recorded Future risk list.

| Field | Significance | Comment |
| --- | --- | --- |
| Name | Risk list name within the Splunk instance. | The lookup file will be named .csv. |
| Interval | The list will be checked for updates after this many seconds. This should be set to 300. | This specifies how often the list is checked. Updates only occur if the list has been updated. |
| Index | The modular input produces statistics when running. Set the index where these will be stored. | Make sure to select an index with correct role assignments; leave it at main/default if you are unsure. |
| Risk list category | Select which kind of element the risk list has data about. | IP, Domain, Hash, Vulnerability or URL |
| Fusion file | The path to the Fusion risk list. If the list is to be used as a lookup, the Fusion Flow must be defined to produce an uncompressed CSV file. | Must correspond to a defined Fusion file. If this field is left blank, the default risk list for the category will be used. |

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected]

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".
