Overview
Security operations teams rely on Splunk Enterprise and Enterprise Security to detect complex threats with actionable intelligence and streaming analytics at scale. Pairing Recorded Future's intelligence from open, dark web and technical sources with Splunk's analytics reduces security risk by delivering that threat data directly into your Splunk environment, so analysts see the data relevant to them without switching between tools. This lets analysts identify and triage alerts faster, block threats proactively, and surface risks to the business, improving analyst efficiency.
The Recorded Future for Splunk App can help in many different areas:
- Enrichments
  - Enrich IOCs (IPs, domains, hashes, and vulnerabilities) in the Recorded Future for Splunk app. Look up an IOC of interest and see rich context around it.
- Correlations
  - Compare customer log data to Recorded Future's threat lists for IPs, domains, hashes and URLs to surface threats in a sea of raw data. Create correlation dashboards that show the number of risky indicators, along with the associated risk metrics and last-seen timestamps.
  - Targeted correlation dashboards: give end users a more tailored experience than the default risk lists.
- Recorded Future Alert Triage
  - Bring specific Recorded Future alerts configured in the platform into the Splunk alerting dashboard for easy triage and remediation.
- Recorded Future Collective Insights
  - Recorded Future Collective Insights is a new type of analytic that gives clients a complete view of which threats matter to their organization. Recorded Future looks at those detections along with the supporting context to provide a complete point of view on new and emerging threats. Collective Insights can aggregate detections across all client integrations and show trends across them, helping TI and SecOps users prioritize their actions based on which detections and TTPs are most common across their networks.
Recorded Future Enrichment
Enrichment dashboards put threat intel context around your review of notable events and incidents. Each dashboard retrieves the current Recorded Future Intelligence Card for the specified IP address, domain, hash, URL, vulnerability (Vulnerability Module required) or malware.
The enrichment dashboards show:
- Risk score and evidence
- A summary timeline of reporting
- Related entities in Recorded Future
- Recent reports from highlighted sources
Drill down and investigate further in Recorded Future using the Intelligence Card link.
Recorded Future Correlation
Correlation dashboards let you view Splunk events side by side with the Recorded Future Risk List scores and evidence, and prioritize events for further review using those Risk List scores.
Correlation is one of the key use cases for Splunk. The out-of-the-box implementation is configured to correlate against demo data; configuration changes are required to correlate against a customer's own feeds of indicators. Customers often also have existing correlation dashboards into which they want to incorporate this correlation functionality. The demo illustrates the initial possibilities; the Professional Services team can work with clients to make sure correlation is implemented in the way that best fits their security architecture.
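To make the correlation idea concrete, the script below is an added example written for this page; it is not the app's own code or its SPL. It joins a handful of constructed firewall events against a constructed risk list and produces the kind of summary a correlation dashboard shows: the count of risky indicators, each indicator's risk score, the risk rules behind it, and the last time it was seen in the logs. The risk-list CSV layout (columns Name, Risk, RiskString and EvidenceDetails, the last holding JSON) and the key=value log format are assumptions made for the example.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Constructed risk list in the CSV shape this example assumes
# (Name, Risk, RiskString, EvidenceDetails-as-JSON). Sample data only.
RISK_LIST_CSV = '''Name,Risk,RiskString,EvidenceDetails
203.0.113.10,89,2/51,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server"", ""Criticality"": 3, ""Timestamp"": ""2024-05-01T12:00:00.000Z""}, {""Rule"": ""Historical Scanner"", ""Criticality"": 1, ""Timestamp"": ""2024-03-10T09:00:00.000Z""}]}"
198.51.100.7,25,1/51,"{""EvidenceDetails"": [{""Rule"": ""Historical Scanner"", ""Criticality"": 1, ""Timestamp"": ""2023-11-20T08:30:00.000Z""}]}"
'''

# Constructed firewall log lines; the "<ts> <host> key=value ..." layout is assumed.
LOG_LINES = [
    "2024-05-03T10:15:22Z fw01 src=203.0.113.10 dst=10.0.0.5 action=allow",
    "2024-05-03T10:16:01Z fw01 src=192.0.2.44 dst=10.0.0.5 action=allow",
    "2024-05-03T10:17:45Z fw01 src=203.0.113.10 dst=10.0.0.9 action=deny",
    "2024-05-03T11:02:10Z fw01 src=198.51.100.7 dst=10.0.0.5 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_risk_list(csv_text):
    """Parse the risk-list CSV into {indicator: {risk, risk_string, rules, last_evidence}}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        evidence = json.loads(row["EvidenceDetails"]).get("EvidenceDetails", [])
        table[row["Name"]] = {
            "risk": int(row["Risk"]),
            "risk_string": row["RiskString"],
            "rules": [e["Rule"] for e in evidence],
            # ISO 8601 timestamps in one format compare correctly as strings.
            "last_evidence": max((e["Timestamp"] for e in evidence), default=None),
        }
    return table


def parse_events(lines):
    """Split each log line into timestamp, host and its key=value fields."""
    events = []
    for line in lines:
        ts, host, rest = line.split(" ", 2)
        fields = dict(KV_RE.findall(rest))
        fields.update({"ts": ts, "host": host})
        events.append(fields)
    return events


def correlate(events, risk_list, field="src", min_risk=0):
    """Match one event field against the risk list and summarize per indicator.

    Returns a list sorted by risk score, highest first, with the number of
    matching events and the latest event timestamp (the "last seen" column).
    """
    hits = defaultdict(list)
    for ev in events:
        value = ev.get(field)
        if value in risk_list and risk_list[value]["risk"] >= min_risk:
            hits[value].append(ev)
    summary = []
    for indicator, evs in hits.items():
        entry = dict(risk_list[indicator])
        entry["indicator"] = indicator
        entry["event_count"] = len(evs)
        entry["last_seen"] = max(e["ts"] for e in evs)
        summary.append(entry)
    summary.sort(key=lambda e: e["risk"], reverse=True)
    return summary


if __name__ == "__main__":
    risk_list = load_risk_list(RISK_LIST_CSV)
    rows = correlate(parse_events(LOG_LINES), risk_list)
    print(f"risky indicators: {len(rows)}")
    for r in rows:
        print(f'{r["indicator"]:15} risk={r["risk"]:3} ({r["risk_string"]}) '
              f'events={r["event_count"]} last_seen={r["last_seen"]} '
              f'rules={", ".join(r["rules"])}')
```

The `min_risk` parameter is where a dashboard would apply a score threshold so that low-score indicators do not drown out the few that matter, and `field` is what you would change to correlate destination addresses, hashes or URLs against the corresponding list instead of source IPs.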
Targeted Correlation Dashboards
(Exclusive to Recorded Future for Splunk v2.0+)
Recorded Future for Splunk v2.0 offers an easy way to set up correlation dashboards targeting specific threat intelligence use cases. This gives end users a more tailored experience than the default risk lists. Targeted correlation dashboards are supported for five IOC types: IPs, hashes, domains, URLs and vulnerabilities. A list of use cases is presented when creating a new correlation dashboard in Recorded Future for Splunk v2.0, so clients can build correlation dashboards around their own security protocols, choosing the threat lists that matter most to them.
Recorded Future Collective Insights
Recorded Future Intelligence Cloud features are only available to clients running Recorded Future for Splunk v2.1+.
Recorded Future for Splunk enrichment dashboards can display historical correlation events. When an analyst pivots to the enrichment dashboard or does an ad hoc lookup of an IOC there, an additional panel lists every historical correlation for that IOC with its timestamp and the associated use case (the Recorded Future risk list name). This gives analysts historical context for an IOC in their own environment instead of starting an investigation from scratch, and adds a data point for prioritizing SIEM alerts. The use case the IOC was correlated against helps answer why something triggered in the past.
Recorded Future Sigma Rule Detections
(Exclusive to Recorded Future for Splunk v2.1.1+)
Deploying Sigma rules can be a tedious process, especially for lower-maturity clients. Recorded Future for Splunk v2.1.1 streamlines deploying Sigma rules in Splunk for targeted detections. Sigma detections help clients move up the pyramid of pain, and the app's guided Sigma rule setup gives end users an easy way to deploy relevant rules for high-value detections as part of their incident response.
Training Available
Check out this course in Recorded Future University to learn about Sigma Rules and how they can be deployed inside the Recorded Future Splunk app.
Recorded Future Alert Triage
(Exclusive to Recorded Future for Splunk v2.0+)
Recorded Future for Splunk v2.0+ offers an easy way to bring specific Recorded Future alerts configured in the platform into the Splunk alerting dashboard for easy triage and remediation. Alert details are included from v2.1.1 of the app. You can also update alert status and add alert notes to Recorded Future alerts, and these changes are synced back to your Recorded Future enterprise.
**Note: You must first set up alerts in your Recorded Future enterprise. All active alerts in a client's Recorded Future enterprise will be available to bring into Splunk.**
Note: Recorded Future for Splunk v1.x.x will reach end of life at the end of January (1/31), so that the integrations team can continue to support and innovate on the latest app versions. What does end of life mean? The v1.x.x app will still be available on the Recorded Future for Splunk Splunkbase listing, but there will be no further active development for v1.x.x. Clients who report bugs against v1.x.x will be directed to upgrade to v2.x.