[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]
Adapt macros
A macro is defined in a configuration file called macros.conf, usually bundled with a Splunk Application. Most of the macros that come predefined by Recorded Future are made to handle the JSON objects returned by the Recorded Future Connect API. However, there is one macro called 'rf_hits' that might need some configuration by the user for the correlation dashboards to work correctly. It takes one argument, the name of the field holding the indicator to check, and looks that field up against a Recorded Future threat list:
[rf_hits(1)]
args = infield
definition = dedup $infield$ \
| lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
| search RF_Hit=* \
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
iseval = 0
It is the fourth row, the 'lookup' row, that might need some customisation to use the correct threat list: the lookup name must match the threat list that is actually installed in your Splunk instance, and that lookup must provide the Name, Risk, RiskString and EvidenceDetails columns that the following rows rely on.
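As an added illustration (not part of the app's own configuration), the same stanza with the lookup row pointed at a different threat list, followed by the kind of search that invokes it. 'rf_custom_threatfeed', the 'firewall' index and the 'src_ip' field are placeholders for your own environment.

```ini
# local/macros.conf: overriding the macro here rather than editing default/macros.conf
# keeps the change in place when the app is upgraded.
# "rf_custom_threatfeed" is a placeholder; replace it with the name of the lookup
# definition for the threat list you actually have installed
# (Settings > Lookups > Lookup definitions).
[rf_hits(1)]
args = infield
definition = dedup $infield$ \
| lookup rf_custom_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
| search RF_Hit=* \
| eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
| eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
iseval = 0

# Example invocation from a correlation search (placeholder index, sourcetype and field):
#   index=firewall sourcetype=pan:traffic
#   | `rf_hits(src_ip)`
#   | table _time src_ip RF_Hit Risk RiskString Rule EvidenceString
# Only events whose src_ip value appears in the lookup survive "search RF_Hit=*".
# Risk, RiskString and EvidenceDetails are read from the lookup's columns, so a
# threat list lookup without those columns yields empty Rule and EvidenceString fields.
```

Run the search with a known-listed test value first to confirm the lookup name and columns are correct before wiring it into a dashboard.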
Further help
Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact support@recordedfuture.com.
Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".