Recorded Future for Splunk: Correlation Dashboards

The Recorded Future for Splunk app has a number of Correlation Use Cases available for different Threat profiles. The saved search responsible for detection can be disabled via the toggle in Configuration > Correlation. Disabled correlations will keep the risk lists up to date but not generate any new alerts.

Correlation Types

When setting up a correlation, there are three types.

  • "Correlation" - looks at a specific index and specific source type. This also gives you the flexibility of using an entirely custom search if you so want to.

  • "Data model correlation" - When you have a specific data model that you want to correlate with.

  • "Splunk Enterprise Security Correlation" - This is looking at default ES data models, such as network traffic and web data models.

When you save a correlation the following happens in the background.

  • The app fetches the Risk List associated with the Use Case. After the initial download, the Risk List will be kept in sync with the Recorded Future API.

  • The app creates a Saved Search.

    • This search uses a Lookup file to correlate events from the search with the content of the lookup file.

    • The search is run once with a -7d time frame. After that, the search runs on a three-minute schedule, correlating three minutes of logs at a time.

    • Matches, or Correlations, are stored in a KV store collection on the Splunk server called correlation_cache_<datatype>.

    • The correlation caches are split up based on the data type they contain (ip, domain, hash, etc.), and each collection has a defined age-out setting that limits how much data can be stored. By default these values are set to 365 days or 100,000 rows, but they can be modified in recordedfuture_settings.conf.

  • The Correlation dashboard is dynamically populated with correlations from the correlation cache lookup files.

Correlation Dashboard Set Up

  1. Go to Configuration > Correlation
  2. Click New Correlation > Add Correlation
  3. Add a title for the Correlation
  4. Select an IOC: The correlated entity type can be an IP, domain, hash, vulnerability or URL
  5. Select the source of the events that are to be inspected:
    • Index: this is the index that is used by the sourcetype. Once selected, the UI will show the number of events that have been indexed over the last 24 hours.
    • Sourcetype: this is the sourcetype of the events that are being inspected. Once selected, the UI will show how many events this sourcetype has produced over the last 24 hours.
    • Field: the field containing IOCs that will be correlated against the Risk List. Once selected, the UI will show how many events with this field the sourcetype has produced over the last 24 hours, and the percentage of those IOCs that can be used in the correlation (e.g., the percentage that are valid IP addresses).
  6. Select a Correlation Use Case. Hover over the line of a Correlation Use Case to show more details.
  7. Click Save
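To make the background behaviour described above concrete (one field of a sourcetype joined against the Risk List lookup, matches written to a per-datatype correlation cache, a three-minute scheduled window, and the 365-day / 100,000-row age-out), here is a small, self-contained Python illustration. It is an added example, not code from the Recorded Future app: the risk-list columns (Name, Risk, RiskString), the sample firewall events, the field names and the helper functions are all assumptions constructed for the walkthrough. It also computes the "percentage of valid IP addresses" figure that the Field selector in the setup steps shows.

```python
"""Constructed illustration of a risk-list correlation as described for the
Recorded Future for Splunk app.  Not the app's own code: risk-list columns,
sample events, field names and helpers are assumptions."""
import ipaddress
from datetime import datetime, timedelta

# Assumed risk-list rows (Name, Risk, RiskString).  In the app this lookup
# is downloaded once and then kept in sync with the Recorded Future API.
RISK_LIST_IP = [
    {"Name": "203.0.113.10", "Risk": 89, "RiskString": "Recent C&C Server"},
    {"Name": "198.51.100.7", "Risk": 65, "RiskString": "Historical Scanner"},
]

# Constructed firewall events with a dest_ip field; one value is not a
# valid IP so the validity percentage has something to reject.
EVENTS = [
    {"_time": "2024-05-01T09:59:50Z", "dest_ip": "203.0.113.10", "src_ip": "10.0.0.5"},
    {"_time": "2024-05-01T10:01:10Z", "dest_ip": "93.184.216.34", "src_ip": "10.0.0.9"},
    {"_time": "2024-05-01T10:01:40Z", "dest_ip": "not-an-ip", "src_ip": "10.0.0.9"},
    {"_time": "2024-05-01T10:02:30Z", "dest_ip": "198.51.100.7", "src_ip": "10.0.0.12"},
]


def parse_time(ts):
    """Parse the ISO-8601 _time strings used in the constructed events."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def valid_fraction(events, field):
    """Share of field values that are usable IP IOCs (the percentage the
    setup UI shows).  Only the IP validator is implemented in this example."""
    values = [e[field] for e in events if field in e]
    if not values:
        return 0.0

    def is_ip(v):
        try:
            ipaddress.ip_address(v)
            return True
        except ValueError:
            return False

    return sum(is_ip(v) for v in values) / len(values)


def correlate(events, field, risk_list):
    """Join each event's field value against the risk-list Name column (what
    the saved search's lookup does) and return one match record per hit."""
    by_name = {row["Name"]: row for row in risk_list}
    hits = []
    for e in events:
        row = by_name.get(e.get(field))
        if row:
            hits.append({"_time": e["_time"], "entity": row["Name"],
                         "risk": row["Risk"], "evidence": row["RiskString"],
                         "src_ip": e["src_ip"]})
    return hits


class CorrelationCache:
    """Stand-in for the correlation_cache_<datatype> KV store collection,
    with the default age-out of 365 days or 100,000 rows."""

    def __init__(self, datatype, max_age_days=365, max_rows=100_000):
        self.name = f"correlation_cache_{datatype}"
        self.max_age = timedelta(days=max_age_days)
        self.max_rows = max_rows
        self.rows = []

    def add(self, hits):
        self.rows.extend(hits)

    def age_out(self, now_ts):
        """Drop rows older than max_age, then keep only the newest max_rows.
        Returns the number of rows left."""
        cutoff = parse_time(now_ts) - self.max_age
        self.rows = [r for r in self.rows if parse_time(r["_time"]) >= cutoff]
        self.rows.sort(key=lambda r: r["_time"])
        if len(self.rows) > self.max_rows:
            self.rows = self.rows[-self.max_rows:]
        return len(self.rows)


def run_window(events, field, risk_list, cache, window_end_ts, minutes=3):
    """One scheduled run: correlate only the events inside the last
    `minutes` (three, like the scheduled search), store the matches in the
    cache and apply the age-out.  Returns the matches from this run."""
    end = parse_time(window_end_ts)
    start = end - timedelta(minutes=minutes)
    in_window = [e for e in events if start <= parse_time(e["_time"]) < end]
    hits = correlate(in_window, field, risk_list)
    cache.add(hits)
    cache.age_out(window_end_ts)
    return hits


if __name__ == "__main__":
    print(f"valid IPs in dest_ip: {valid_fraction(EVENTS, 'dest_ip'):.0%}")
    cache = CorrelationCache("ip")
    for hit in run_window(EVENTS, "dest_ip", RISK_LIST_IP, cache, "2024-05-01T10:03:00Z"):
        print(hit)
    print(cache.name, "holds", len(cache.rows), "row(s)")
```

Running it shows why the first scheduled run uses a -7d window: the 09:59:50 hit falls just outside the three-minute window ending at 10:03:00, so only the 10:02:30 match is cached by that run, and a log that arrives late relative to the schedule is only picked up if a window covers it.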

Correlation Dashboard Set Up with Data Model

  1. Go to Configuration > Correlations

  2. Click New Correlation > Add Data Model Correlation

  3. Add a title for the Correlation

  4. Select an IOC: The correlated entity type can be an IP, domain, hash, vulnerability or URL

  5. Select a Correlation Use Case. Hover over the line of a Correlation Use Case to show more details.

  6. Select the source of the events that are to be inspected:

    • Data Model: This is the name of the Data Model that contains the events. A green check mark indicates that the data model contains events from the last 24 hours.

    • Section: This is the section of the data model whose events are being inspected. Once selected, the UI will show a green check mark if the section has produced events over the last 24 hours.

    • Field: The field containing IOCs that will be correlated against the Risk List. Once selected, the UI will show how many events with this field the sourcetype has produced over the last 24 hours.

  7. Click Save

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.