Adapt and Tune: Adapt Dashboards

[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

Adapt dashboards

Some dashboards, such as the correlation dashboards, can easily be modified to suit your needs. We recommend cloning an existing dashboard before editing its source code, so the version shipped with the app stays intact.

Cloning a dashboard

Clone an existing dashboard by clicking the triple dots in the upper right corner and selecting Clone.

Clone menu

Enter the new title and name for the dashboard, click "Clone Dashboard", and then "Edit". The permissions choice determines whether the dashboard is accessible only to the current user (Private) or to all users.

Clone dashboard

You have now entered the edit view on the new dashboard.

Customising

The most common task is to change which data is correlated. Click the "Source" button to show the dashboard's source XML. The three most important fields in a correlation dashboard are the ones highlighted in the image below:

Sourcetype and lookup table

The first selects the sourcetype of the logs on the Splunk Enterprise server. The second is the name of the log field containing the value we match on; in this image it is the 'dst' field, which usually holds the destination IP address. The third is the name of the lookup table to correlate against, which usually corresponds to a threat list configured in the inputs section of this Splunk app. An easy way to find good ways to correlate Splunk data with risk lists is to use the Splunk Explorer dashboard.

Data structure

This is the format of our IP Address Threat Lists:

Name,Risk,RiskString,EvidenceDetails
46.18.32.101,66.0,2/47,"{""EvidenceDetails"":[{""Timestamp"":""2016-11-02T16:26:00.000Z"",""Criticality"":1,""Rule"":""Historical Multicategory Blacklist"",""CriticalityLabel"":""Unusual"",""EvidenceString"":""1 sighting on 1 source: hpHosts Latest Additions. Most recent link (Nov 2, 2016): hxxp://hosts-file.net/?s=doggytalk.be"",""MitigationString"":""""},{""Timestamp"":""2018-04-15T12:34:28.869Z"",""Criticality"":3,""Rule"":""Phishing Host"",""CriticalityLabel"":""Malicious"",""EvidenceString"":""1 sighting on 1 source: PhishTank: Phishing Reports (verified phish). IP Address reported as host of 1 active phishing URL: hxxp://letiz.be/uploads/bnz.html."",""MitigationString"":""""}]}"

The format is standard CSV, and the column we match on is 'Name'; this is the same for all default Recorded Future risk lists. Two situations commonly require changes. If your sourcetype uses a different field name, such as 'dest' instead of 'dst', simply change 'eval Name=dst' to 'eval Name=dest'. If instead your custom correlation list matches on a differently named column, such as 'IP', more changes are needed: every subsearch in the dashboard that references 'Name' must be updated to use the new field name.
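The following is an added example, not code from the Recorded Future app, that shows what the dashboard's "eval Name=<field> | lookup" step does with this file format: it parses the risk list CSV (including the JSON document embedded in the EvidenceDetails column) and matches constructed log events against it, handling a sourcetype that names the field 'dest' instead of 'dst' and a custom list whose match column is 'IP'. The sourcetype names, the event fields and the second risk list are assumptions made for the example; the first CSV row is the one shown above.

```python
import csv
import io
import json

# Sample IP risk list in the format shown in the article (row taken from the article;
# constructed here as an inline string so the example runs offline).
RISK_LIST_CSV = '''Name,Risk,RiskString,EvidenceDetails
46.18.32.101,66.0,2/47,"{""EvidenceDetails"":[{""Timestamp"":""2016-11-02T16:26:00.000Z"",""Criticality"":1,""Rule"":""Historical Multicategory Blacklist"",""CriticalityLabel"":""Unusual"",""EvidenceString"":""1 sighting on 1 source: hpHosts Latest Additions. Most recent link (Nov 2, 2016): hxxp://hosts-file.net/?s=doggytalk.be"",""MitigationString"":""""},{""Timestamp"":""2018-04-15T12:34:28.869Z"",""Criticality"":3,""Rule"":""Phishing Host"",""CriticalityLabel"":""Malicious"",""EvidenceString"":""1 sighting on 1 source: PhishTank: Phishing Reports (verified phish). IP Address reported as host of 1 active phishing URL: hxxp://letiz.be/uploads/bnz.html."",""MitigationString"":""""}]}"
'''

# Constructed custom list whose match column is 'IP' rather than 'Name' (assumption).
CUSTOM_LIST_CSV = '''IP,Risk,RiskString,EvidenceDetails
198.51.100.23,90.0,1/1,"{""EvidenceDetails"":[{""Timestamp"":""2020-01-01T00:00:00.000Z"",""Criticality"":4,""Rule"":""Internal Blocklist"",""CriticalityLabel"":""Very Malicious"",""EvidenceString"":""added by SOC"",""MitigationString"":""""}]}"
'''

# Constructed log events; sourcetype names and field names are assumptions.
SAMPLE_EVENTS = [
    {"sourcetype": "firewall:a", "src": "10.0.0.5", "dst": "46.18.32.101"},
    {"sourcetype": "firewall:a", "src": "10.0.0.7", "dst": "203.0.113.9"},
    {"sourcetype": "firewall:b", "src": "10.0.0.9", "dest": "46.18.32.101"},
    {"sourcetype": "firewall:b", "src": "10.0.0.2", "dest": "198.51.100.23"},
]

# Which event field holds the value to match, per sourcetype ('eval Name=dst' vs 'eval Name=dest').
FIELD_MAP = {"firewall:a": "dst", "firewall:b": "dest"}


def load_risk_list(csv_text, key_field="Name"):
    """Parse a risk list CSV into a dict keyed on the match column.

    The EvidenceDetails cell is a JSON document stored inside a CSV field with
    doubled quotes; csv.DictReader unescapes the cell and json.loads parses it.
    key_field is 'Name' for the default lists and e.g. 'IP' for a custom list.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        details = json.loads(row["EvidenceDetails"])
        table[row[key_field]] = {
            "risk": float(row["Risk"]),
            "risk_string": row["RiskString"],
            "evidence": details["EvidenceDetails"],  # list of rule hits
        }
    return table


def correlate(events, risk_list, field_map):
    """Mirror of the dashboard's correlation step: pick the match field for the
    event's sourcetype, then look the value up in the risk list."""
    hits = []
    for event in events:
        field = field_map.get(event["sourcetype"])
        if field is None or field not in event:
            continue                      # sourcetype not mapped or field absent
        value = event[field]              # eval Name=<field>
        entry = risk_list.get(value)      # lookup <risk list> Name
        if entry is None:
            continue
        hits.append({
            "value": value,
            "sourcetype": event["sourcetype"],
            "risk": entry["risk"],
            "rules": [e["Rule"] for e in entry["evidence"]],
            "max_criticality": max(e["Criticality"] for e in entry["evidence"]),
        })
    return hits


def correlate_all(events):
    """Run the same events against the default list and the custom 'IP' list."""
    default_list = load_risk_list(RISK_LIST_CSV, key_field="Name")
    custom_list = load_risk_list(CUSTOM_LIST_CSV, key_field="IP")
    return correlate(events, default_list, FIELD_MAP) + correlate(events, custom_list, FIELD_MAP)


if __name__ == "__main__":
    for hit in correlate_all(SAMPLE_EVENTS):
        print(hit)
```

Note that only the key used to index the parsed list changes for a custom list; in the real dashboard the equivalent change has to be made in every subsearch that references 'Name', and the lookup definition's field name must match as well.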

Disappearing dashboards

If you lose track of your newly cloned dashboard, you can find it under Other -> Dashboards. This lists the dashboards of every app installed in Splunk; click the 'This App's' button to show only those belonging to the Recorded Future Splunk app.

Further help

Your Recorded Future Intelligence Services consultant will be happy to help with additional questions and advice. If you do not know who that is, contact support@recordedfuture.com.

Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.