Install and Configure: Global Map

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Global Map

The Global Map shows the geolocation of all matching IP Addresses when correlating firewall logs with a Recorded Future risk list.

    sourcetype=netscreen:firewall earliest=-24h
    | eval Name=dst
    | eval Time=start_time
    | lookup rf_ip_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
    | search Risk != ""
    | eval RiskScore = Risk
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    | iplocation Name
    | fields + Name, Risk, lat, lon, City, Country
    | geostats count latfield=lat longfield=lon

The search might have to be adapted to suit the local setup. The most common changes lie in the first 4 rows of the search.

  • The value 'netscreen:firewall' should match the sourcetype of your firewall logs.
  • The 'eval Name=dst' statement should match the field name of the destination IP address in your firewall logs.
  • The lookup 'rf_ip_risklist.csv' should match the name of the risk list you want to correlate the firewall logs with.
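To see what the correlation part of this search does outside Splunk, here is an added Python example (not part of the app or this article): it joins constructed firewall events against a constructed risk list laid out in the Name, Risk, RiskString, EvidenceDetails columns the lookup reads, and flattens the EvidenceDetails JSON the way the two spath calls do. The iplocation and geostats steps are not reproduced, and the field names dst and start_time are the same assumptions the search makes.

```python
import csv
import io
import json

# Constructed risk list in the column layout the lookup above reads.
# The IPs, scores and evidence are made up for this example.
RISK_LIST_CSV = '''Name,Risk,RiskString,EvidenceDetails
203.0.113.10,89,3/40,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server"", ""EvidenceString"": ""Seen as C2 on 2 days""}, {""Rule"": ""Historical Threat List"", ""EvidenceString"": ""Listed once""}]}"
198.51.100.7,25,1/40,"{""EvidenceDetails"": [{""Rule"": ""Historically Linked to Cyber Attack"", ""EvidenceString"": ""1 sighting""}]}"
'''

# Constructed firewall events; dst and start_time mirror the search's
# 'eval Name=dst' and 'eval Time=start_time' assumptions.
FIREWALL_EVENTS = [
    {"start_time": "2024-01-01 10:00:00", "src": "10.0.0.5", "dst": "203.0.113.10"},
    {"start_time": "2024-01-01 10:01:00", "src": "10.0.0.6", "dst": "8.8.8.8"},
    {"start_time": "2024-01-01 10:02:00", "src": "10.0.0.7", "dst": "198.51.100.7"},
]


def load_risk_list(csv_text):
    """Index the risk list by IP, like '| lookup rf_ip_risklist.csv Name'."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def correlate(events, risk_list, dst_field="dst", time_field="start_time"):
    """Keep only events whose destination IP is on the risk list (Risk != "")
    and flatten EvidenceDetails{}.Rule and EvidenceDetails{}.EvidenceString."""
    hits = []
    for event in events:
        entry = risk_list.get(event[dst_field])
        if entry is None or entry["Risk"] == "":
            continue
        evidence = json.loads(entry["EvidenceDetails"])["EvidenceDetails"]
        hits.append({
            "Name": event[dst_field],
            "Time": event[time_field],
            "Risk": int(entry["Risk"]),
            "Rule": [e["Rule"] for e in evidence],
            "EvidenceString": [e["EvidenceString"] for e in evidence],
        })
    return hits


if __name__ == "__main__":
    for hit in correlate(FIREWALL_EVENTS, load_risk_list(RISK_LIST_CSV)):
        print(hit)
```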

Furthermore, the style of the map can be changed by installing additional Splunk Apps containing visualisations, such as leaflet_maps_app. These changes are made by clicking the 'Edit' button on the dashboard:

Edit button

and then clicking on the 'Select visualization' button to select the new theme for the map:

Select visualization

Here is an example of how the map looks with the leaflet theme:

Global Map with Leaflet theme applied

Compared to the standard Splunk map:

Global Map with the default Splunk theme

Active Threats

The first row shows the current size of each of the default risk lists. The default risk lists are:

  • IP
  • Domain
  • Hash
  • Vulnerability
  • URL

The pie chart shows the top 10 countries in the IP Risk List. The tables show the top 10 risk rules that have triggered in each list.

Further help

Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact support@recordedfuture.com.

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".
