Install and Configure: Setup Alerts

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Setup Alert monitoring

Alert monitoring is configured in Configuration -> Inputs. By default no alert monitoring is configured.

Adding an alert monitoring input will do the following:

  1. The app will reach out to Recorded Future's API and look for alerts that matches the configured criteria.
  2. If there are Recorded Future alerts that matches, information about these will be retrieved. For each of these alerts an event (sourcetype rf:alerts) will be created in the Splunk system. Using these events it's possible to setup Splunk based alerts or generate reports.

The app does not keep track of whether it has already retrieved an alert or not. As long as the alert matches the filter criteria an event will be created.

Add alert monitoring

Add a new alert monitoring

  1. Click on the green "Create New Input" and select "Recorded Future alerts".
    Add an Alert monitoring
  2. The Name is the risklist handle.
  3. The interval controls how often Splunk will poll for alerts. Default is every 300 seconds but this can be adjusted according to company requirements. Small intervals may consume many API credits but long intervals may result in delays between when a Recorded Future alert is triggered and when it is available in Splunk.
  4. Index controls the index where the rf:alerts events are indexed. Make sure to select an index with correct role assignments - leave to main/default if you are unsure.
  5. Alert status. By default the filter matches any alert status but this can be configured as needed.
  6. Triggered: filter on when the alert was triggered. Default is anytime. The notation is the same as in the Recorded Future web client. Ex:
    1. "-2d to now"
    2. "-2h to -1h"
    3. "yesteday"
  7. Alert rule. By default any alert rule will be matched but it is possible to specify a particular rule if required.

Maintaining alert monitoring

In the list of configured Inputs (Configuration -> Inputs) there are drop-down menus for each input.

Maintain alert monitoring

Use "Edit" to reconfigure the alert monitoring. To disable the monitoring use "Disable", this can be re-enabled at any time in the same drop-down menu.

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice.  If you do not know who that is, you can also contact [email protected]

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

Was this article helpful?
0 out of 0 found this helpful

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment. Please note that your name will be displayed. If you would like to change how your name appears, please update your profile name.