Getting started with Recorded Future's Splunk ES TA

Initial setup of the App
Once the app has been installed on the Splunk server the initial setup of the app is done under Configuration->Global configuration.

The Configuration view has three panes: Proxy, Logging and Add-on Settings.

To be able to see and configure API key, Proxy settings and API URL in the Splunk App, the user needs the capability 'list_storage_passwords'. To be able to change the logging level, the user needs the capability 'admin_all_objects'.

The API key must be configured in the Add-on Settings pane in order for the app to work.

Prerequisites
Splunk ES must be installed on the Splunk system. In a clustered environment the app should be installed on one or more search head.
A valid Recorded Future API token is required.
The Splunk server running the app must be able to download CSV files containing Recorded Future's risk lists from https://api.recordedfuture.com/.
Splunk Enterprise Security
To be able to use the full features of this Splunk Enterprise Security Add-on, some configuration has to be done in Splunk Enterprise Security.

In the Enterprise Security menu bar, click Configure -> Incident Management -> Incident Review Settings.
Click the button 'Add new entry' in the "Incident Review - Event Attributes" section. Add the following Label and Field Combinations:
Label Field
RF Risk Score rf_a_risk
RF Triggered Rules rf_b_rules
RF Very Malicious Evidence rf_evidence_critical
RF Malicious Evidence rf_evidence_malicious
RF Suspicious Evidence rf_evidence_suspicious
RF Unusual Evidence rf_evidence_unusual
A restart of the Splunk instance will be required once the installation has completed.
If you haven't already done so, enable the Enterprise Security correlation search called "Threat Activity Detected"
In the Enterprise Security menu bar, click Configure -> Content Management
In the filter bar, type "Threat Activity Detected"
Click the link 'Enable' to enable the correlation search
Adaptive Response (AR)
To activate Adaptive Response (AR) the following steps needs to be performed:

Turn off the searches that enrich notable events:
Go to Configure→Content Management
Disable "RF IP Threatlist Search", "RF Domain Threatlist Search" and "RF Hash Threatlist Search" (easier to find if you use the app filter, but not necessary).
Click on "Threat Activity Detected" to open the settings.
Next to "Adaptive Response Action", click on "Add New Response Action"
Select Recorded Future's action
Leave default "Automatic" selection.
Click save
Adaptive Response Ad-hoc invocation
Ad-hoc invocations of Adaptive Response can be made - ex from the Incident Review dashboard. The user invoking the Adaptive Response in this way must have the list_storage_passwords capability.

Proxy
Proxy_setup_tab

If the Splunk server uses a proxy to access the Internet this should be configured here. If no proxy is used leave the Enabled checkbox unchecked.

Host and port must always be set. If the proxy requires authentication the username and password should be set here. If authentication is not used these fields should be left empty.

Logging
Logging_setup_tab

If additional logging is required it's possible to adjust the log level here.

The recommended log level is INFO.

The integration logs to the standard Splunk log directory ($SPLUNK_HOME/var/log/splunk). The following log files will be created (depending on app configuration and usage all may not exist):

ta_recorded_future_recorded_future_risk_list.log
ta_recorded_future_recorded_future_alerts.log
ta_recorded_future_rest.log
The events logged into these files can be viewed either as files on the Splunk server of via the Splunk GUI.

Example search:

index=_* source="/opt/splunk/var/log/splunk/ta_recorded_future_recorded_future_alerts.log"
Add-on Settings
Addon_settings_tab

The Recorded Future API key required for the proper operation of the app is entered in the Api key field.

In some rare situations it may be necessary to change the URL the the Recorded Future API. If Recorded Future support instructs you to do so the URL should be entered in the Recorded Future Api URL field.

Was this article helpful?
0 out of 0 found this helpful

The content of this article is confidential and intended solely for the use of individuals with authorized access to the Recorded Future service. Do not download or distribute this article.
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment. Please note that your name will be displayed. If you would like to change how your name appears, please update your profile name.