[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]
The Splunk Explorer is a Splunk dashboard designed to help the user find different ways of correlating their data with Recorded Future Risk Lists. The dashboard uses a REST call to find all the available lookup files in the lookups folder within the Splunk App.
To use the dashboard, just follow these few steps:
- Select one of the available risk lists in the first drop-down menu.
- Select one of the sourcetypes present in the local install in the second drop-down menu.
- Select, from the third drop-down menu (populated automatically once a sourcetype is chosen), the field you want to correlate against the risk list chosen in the first drop-down menu.
The different panels display different statistics. From left to right:
- The number of rows in the selected risk list
- The number of events in Splunk with the selected field and sourcetype during the last 36 hours
- The number of events where the selected field matches a row in the risk list
- Table containing most frequently occurring values in the selected field and sourcetype
- Table containing the correlated matches enriched with information from the risk list
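The three inputs and five panels described above can be expressed as a Splunk Simple XML form. The dashboard below is an added example written for this page, not the dashboard shipped with the Recorded Future App; it assumes the risk-list lookups are CSV files whose names start with `rf_` and whose indicator column is `Name` with `Risk`, `RiskString` and `EvidenceDetails` alongside it, so adjust the `search title=` filter and the `lookup` column names to match the files actually present in the app's lookups folder.

```xml
<form version="1.1">
  <label>Risk List Explorer (added example)</label>
  <!-- Added example, not the app's own dashboard. The rf_*.csv name pattern and the
       Name/Risk/RiskString/EvidenceDetails columns are assumptions about the lookup layout. -->
  <fieldset submitButton="true">
    <!-- Step 1: risk list, discovered with the same REST endpoint the page describes -->
    <input type="dropdown" token="risklist">
      <label>Risk list</label>
      <fieldForLabel>title</fieldForLabel>
      <fieldForValue>title</fieldForValue>
      <search>
        <query>| rest /servicesNS/-/-/data/lookup-table-files | search title="rf_*.csv" | table title</query>
      </search>
    </input>
    <!-- Step 2: sourcetypes known to this Splunk instance -->
    <input type="dropdown" token="sourcetype">
      <label>Sourcetype</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>| metadata type=sourcetypes | table sourcetype</query>
      </search>
    </input>
    <!-- Step 3: fields of the chosen sourcetype; re-runs whenever $sourcetype$ changes -->
    <input type="dropdown" token="field">
      <label>Field to correlate</label>
      <fieldForLabel>field</fieldForLabel>
      <fieldForValue>field</fieldForValue>
      <search>
        <query>sourcetype="$sourcetype$" earliest=-36h | fieldsummary | table field</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Rows in $risklist$</title>
      <single>
        <search><query>| inputlookup $risklist$ | stats count</query></search>
      </single>
    </panel>
    <panel>
      <title>Events with $field$ (last 36h)</title>
      <single>
        <search>
          <query>sourcetype="$sourcetype$" $field$=* | stats count</query>
          <earliest>-36h</earliest><latest>now</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Events matching the risk list</title>
      <single>
        <search>
          <!-- lookup adds Risk only for rows whose $field$ value equals a risk-list Name -->
          <query>sourcetype="$sourcetype$" $field$=* | lookup $risklist$ Name AS $field$ OUTPUT Risk | where isnotnull(Risk) | stats count</query>
          <earliest>-36h</earliest><latest>now</latest>
        </search>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Most frequent values of $field$</title>
      <table>
        <search>
          <query>sourcetype="$sourcetype$" $field$=* | top limit=20 $field$</query>
          <earliest>-36h</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Matches enriched from $risklist$</title>
      <table>
        <search>
          <query>sourcetype="$sourcetype$" $field$=* | lookup $risklist$ Name AS $field$ OUTPUT Risk RiskString EvidenceDetails | where isnotnull(Risk) | stats count AS hits latest(_time) AS last_seen BY $field$ Risk RiskString | sort - Risk | convert ctime(last_seen)</query>
          <earliest>-36h</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `where isnotnull(Risk)` clause is what separates a match from a non-match: `lookup` leaves the output columns empty for values absent from the risk list, so dropping those rows leaves exactly the correlated events. Sorting the enriched table by `Risk` descending puts the highest-scored indicators first, which is usually where an analyst wants to start.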
Below is an example screenshot of the Splunk Explorer Dashboard using an IP risk list with firewall logs and the dst (destination) field within that sourcetype.
Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected]
Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".