Overview
Recorded Future for Splunk SOAR is a security automation and orchestration product. The purpose of the integration is to make threat intelligence data from Recorded Future available to playbooks in Splunk SOAR.
Playbooks created by Recorded Future automation experts can be accessed on the Template Library page.
Requirements
The Recorded Future for Splunk SOAR integration is delivered as a tarball file. The app is available through Splunkbase.
To use this app, you will need to have purchased the SecOps Intelligence Module or the Threat Intelligence Module, and you will need a Recorded Future for Splunk SOAR API token.
If you are upgrading from Recorded Future for Splunk SOAR v2.x to Recorded Future for Splunk SOAR v3.x.x, you will need a new Recorded Future API token. To obtain a Recorded Future for Splunk SOAR token, please fill out the following Recorded Future support form requesting a new integration API token for Splunk SOAR.
Install and Configure the Integration
After you have received the app tarball (tgz file) and an API token from Recorded Future, install and configure the app as follows:
- Place the app tarball in a locally accessible folder, like Downloads
- Log in to Phantom Cyber as an administrator
- Navigate to Administration > Apps
- Click the + APP button
- Locate the tarball file and click Install
- Navigate to Administration > Assets
- Click the + ASSET button
- Name the new asset Recorded Future API or similar.
- Select Recorded Future as the Vendor and as the Product
- Navigate to the Asset Settings tab
- Enter your Recorded Future API Token
- Save the Asset
- Run the connectivity test
Documentation is packaged with the app. To find this documentation, navigate to Apps in the menu and find the Recorded Future app. You will find a link to "Documentation" next to the version number.
Added in Recorded Future for Splunk SOAR v4.3
- Actions
- links search: Find links data in the Recorded Future dataset
- detection rule search: Download detection rules (YARA, Sigma, Snort) into the system for the provided entity
- threat actor intelligence: Get intelligence data for a threat actor
- threat map: Get a threat map from Recorded Future
- Changed the way Playbook alerts are polled from Recorded Future into Splunk SOAR. On the first poll, alerts are selected by creation date; on every subsequent poll, the alerts selected are those that were updated during the period from the last poll to the current poll
- Intelligence commands no longer fail with a NotFound error; instead they finish successfully with a message that Recorded Future has no data for that entity
- Added a code_repo_leakage type of Playbook alert
- Recorded Future AI Insights added to Intelligence and Alert Lookup results
- Playbooks
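The polling change described above (first poll by creation date, later polls by update time since the last poll) modelled as an added example; this is not code from the Recorded Future app, and the alert records, field names and state shape are constructed for illustration:

```python
# Added example, not the Recorded Future app's code. Models the two-phase
# alert polling window: first poll selects by creation date from a configured
# start time, every later poll selects alerts updated since the previous poll.
from datetime import datetime, timezone

# Constructed sample alerts (not real Recorded Future records).
SAMPLE_ALERTS = [
    {"id": "A1", "created": "2024-01-01T09:00:00Z", "updated": "2024-01-01T09:00:00Z"},
    {"id": "A2", "created": "2024-01-01T11:00:00Z", "updated": "2024-01-02T08:30:00Z"},
    {"id": "A3", "created": "2024-01-02T07:00:00Z", "updated": "2024-01-02T07:00:00Z"},
]


def parse_ts(value):
    """Parse a UTC 'Z' timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_poll_window(state, now, initial_start):
    """Return ((field, start, end), new_state) for this poll.

    state is a dict persisted between polls (assumed shape: {"last_poll": datetime}).
    First poll: no last_poll yet, so filter on 'created' from initial_start.
    Later polls: filter on 'updated' between the previous poll and now, so an
    alert whose status changed after it was first ingested is picked up again.
    """
    last_poll = state.get("last_poll")
    if last_poll is None:
        window = ("created", initial_start, now)
    else:
        window = ("updated", last_poll, now)
    return window, {"last_poll": now}


def poll_alerts(alerts, state, now, initial_start):
    """Apply the poll window to a list of alerts; returns (ids, new_state)."""
    (field, start, end), new_state = select_poll_window(state, now, initial_start)
    # Half-open window (start, end]: an alert touched exactly at the previous
    # poll time was already returned by that poll.
    hits = [a["id"] for a in alerts if start < parse_ts(a[field]) <= end]
    return hits, new_state
```

Running two consecutive polls shows why the update-based window matters: A2 is returned on the first poll by creation date and again on the second because its record was updated after the first poll.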
Added in Recorded Future for Splunk SOAR v4.2
- Actions
- list search: Find lists based on a query
- list add entity: Add a new entity to a list
- list remove entity: Remove an entity from a list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- Playbooks
Supported Actions (v4.0)
- Actions
- test connectivity: Validate the asset configuration for connectivity
- alert data lookup: Get details on alerts configured and generated by Recorded Future by alert rule ID and/or time range
- alert rule lookup: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk based on context
- list contexts: Get a list of possible contexts to use in threat triage
- alert_lookup: Get details for a single Recorded Future Alert
- alert_update: Update the status or alert note for a single Recorded Future Alert
- On_poll functionality to download alerts
- alert_rule_lookup renamed to alert_rule_search to better describe the action
- alert_data_lookup renamed to alert_search to better describe the action
- Improved tagging of entities in alert widgets to find the related actions
Each action corresponds to an Intelligence Card in Recorded Future. The action retrieves the current threat intelligence information for the input value, and returns that information to Splunk Phantom. The detailed threat data is returned as a JSON dictionary, and selected data values are highlighted in the Phantom action results table.