Overview
The Recorded Future App for Splunk integrates Recorded Future’s Intelligence directly into Splunk Enterprise and Splunk Enterprise Security. It enables security teams to:
- Detect high-risk indicators using Recorded Future risk lists
- Enrich events and investigations with real-time threat intelligence
- Operationalize threat hunting and detections at scale
- Automate investigation workflows using intelligence-driven searches
Prerequisites
Before you begin, ensure the following:
- Splunk Enterprise or Splunk Cloud, with access to the search head (in a clustered deployment)
- Admin or equivalent permissions in Splunk
- A valid Recorded Future API token for Splunk
- Autonomous Threat Operations add-on (to detect/hunt custom indicator data sets)
Install the App
Install from Splunkbase
- In Splunk, go to Apps → Find More Apps.
- Search for Recorded Future App for Splunk.
- Click Install (or Update if upgrading) and accept the license terms.
- Restart Splunk if prompted.
Post-Installation Setup
- Click Set up after installation.
- Enter your Recorded Future API token.
- Verify the API connection.
- Confirm the status shows Verified.
Initial Configuration
After installation, configure the core components that power detections and enrichment.
General Settings
Navigate to Configuration → Settings → General:
- Verify API URL and token
- Configure proxy settings if required
- Confirm successful API connectivity
Default Indicator Searches
Go to Configuration → Settings → Default Indicator Searches:
- Configure how Splunk logs are searched for Recorded Future indicators
- Define indexes, sourcetypes, and event fields for IPs, domains, URLs, hashes, and vulnerabilities
- Save settings for each indicator type
These searches are foundational for automated threat hunting and Autonomous Threat Operations.
Core Capabilities
Threat Detection (Correlations)
The app correlates Splunk events against Recorded Future risk lists to identify malicious activity:
- IPs, domains, URLs, hashes, and vulnerabilities
- Near real-time detection with contextual risk scoring
- Optional integration with Splunk Enterprise Security and Risk-Based Alerting
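As an added illustration of the correlation described above (not a search shipped with the app), the following SPL matches allowed outbound firewall connections against an IP risk list lookup and keeps only high-risk hits. The lookup name `rf_ip_risklist_example`, the index, sourcetype and event field names, the `Name`/`Risk`/`RiskString` column names and the risk score threshold of 65 are all assumptions; substitute the names configured under Default Indicator Searches in your deployment.

```spl
/* Assumed source data: a network index with firewall events that carry src_ip and dest_ip */
index=network sourcetype=firewall action=allowed earliest=-24h
/* Normalise the field we want to check so the lookup clause stays generic */
| rename dest_ip AS ioc_value
/* Assumed lookup: an IP risk list with columns Name (the IP), Risk (0-99) and RiskString (triggered rules) */
| lookup rf_ip_risklist_example Name AS ioc_value OUTPUT Risk AS rf_risk_score, RiskString AS rf_risk_string
/* Keep only events whose destination appears on the risk list at or above the assumed threshold */
| where isnotnull(rf_risk_score) AND rf_risk_score >= 65
/* Summarise per indicator: how many hits, which internal hosts, and when it was first and last seen */
| stats count AS hits, values(src_ip) AS internal_sources, min(_time) AS first_seen, max(_time) AS last_seen
    BY ioc_value, rf_risk_score, rf_risk_string
| convert ctime(first_seen) ctime(last_seen)
| sort - rf_risk_score, - hits
```

Saved as a scheduled search or an Enterprise Security correlation search, the same query becomes a near real-time detection whose rf_risk_score field can feed Risk-Based Alerting.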
IOC Enrichment
From search results, dashboards, and alerts, you can enrich indicators with:
- Risk scores and triggered risk rules
- MITRE ATT&CK mappings
- Analyst notes and references
Enrichment is available via dashboards and the rfenrich search command.
Alerts and Alert Center
- View Recorded Future Classic and Playbook alerts directly in Splunk
- Manage alert status (new, in progress, resolved)
- Centralized triage through the Alert Center
Autonomous Threat Operations
Autonomous Threat Operations (ATO) lets Recorded Future intelligence automatically drive threat hunting and detection workflows inside Splunk, launched from within Recorded Future, reducing manual effort and accelerating response.
Enabling Autonomous Threat Operations
To enable Autonomous Threat Operations:
- Ensure Default Indicator Searches are configured.
- Navigate to Autonomous Threat Operations within Recorded Future.
- Launch an indicator-based detect-and-hunt run against your pre-selected data sets in this Splunk instance.
Validate Your Deployment
After configuration, validate the setup:
- Go to Configuration → Settings → Troubleshooting.
- Run Validate App Deployment.
- Confirm API connectivity, risk list updates, and scheduled searches.
Further Help
For additional documentation and support:
- Recorded Future Support Portal
- In-app troubleshooting and logs
- Contact Recorded Future Support at support@recordedfuture.com
You’re now ready to operationalize Recorded Future intelligence in Splunk and take advantage of Autonomous Threat Operations to stay ahead of evolving threats.