Adapt and Tune: Adapt Dashboards

Dashboard Modifications

Some of the Recorded Future dashboards, such as the Correlation Dashboard, can easily be modified. It is recommended to make the modifications to a clone of an existing dashboard and to leave the default dashboards unchanged.

The most common reason for modifying a dashboard is to use different data for the correlation search, so that case is described in detail below.

Cloning a Dashboard

Click in the upper right corner and select Clone to clone the current dashboard.

Clone menu

Enter the new title and name of the dashboard.

Clone dashboard

If option Private is chosen, the new dashboard is only accessible by the current user. Click on Clone Dashboard followed by View to see the new dashboard. Click Edit to add your modifications.

Customizing

Click the Source button to show the XML source of the dashboard. Note the following three fields, sourcetype, Name and the risklist referenced by inputlookup, highlighted in the image below:

Sourcetype and lookup table
  • sourcetype selects the source type of the logs that are stored on the Splunk server.
  • Name specifies the name of the field to be used for correlating data. The screenshot shows a dashboard using the ‘dst’ field which usually contains the destination IP Address in the log.
  • inputlookup specifies the name of the lookup table to correlate the data to, usually a Risk List configured in the inputs section of the Recorded Future App for Splunk.

In this example it is set to “ip_risklist.csv”.

The Splunk Explorer Dashboard is an easy way to test different alternatives for correlating Splunk event data with Risk Lists.

Data Structure

The IP Risk List has the following format (a header line followed by one record per entry; the record below is shown as a single CSV line):

Name,Risk,RiskString,EvidenceDetails
46.18.32.101,66.0,2/47,"{""EvidenceDetails"":[{""Timestamp"":""2016-11-02T16:26:00.000Z"",""Criticality"":1,""Rule"":""Historical Multicategory Blacklist"",""CriticalityLabel"":""Unusual"",""EvidenceString"":""1 sighting on 1 source: hpHosts Latest Additions. Most recent link (Nov 2, 2016): hxxp://hosts-file.net/?s=doggytalk.be"",""MitigationString"":""""},{""Timestamp"":""2018-04-15T12:34:28.869Z"",""Criticality"":3,""Rule"":""Phishing Host"",""CriticalityLabel"":""Malicious"",""EvidenceString"":""1 sighting on 1 source: PhishTank: Phishing Reports (verified phish). IP Address reported as host of 1 active phishing URL: hxxp://letiz.be/uploads/bnz.html."",""MitigationString"":""""}]}"

The format is a standard CSV and the field used for correlations is called ‘Name’, which is the same for all default Recorded Future Risk Lists.

Assuming the event source type uses the field name ‘dest’ instead of ‘dst’ for the field containing IP addresses, the line ‘eval Name=dst’ needs to be changed to ‘eval Name=dest’ to reflect this. If a custom Risk List uses a different name for the field used for the correlation, all the subsearches in the dashboard also need to be modified to use the new field name.
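To make the field-name dependency concrete, the following added example (not code from the Recorded Future App) parses a Risk List record in the CSV format shown above and correlates it against constructed sample events outside Splunk. The `correlate` function mirrors what ‘eval Name=dest’ followed by a lookup does: the event's IP field is copied into ‘Name’ and joined against the Risk List's ‘Name’ column, so passing the wrong field name (‘dst’ for events that carry ‘dest’) silently yields no matches. The sample Risk List is a shortened copy of the record above with the evidence strings trimmed; the events and field names are assumptions.

```python
import csv
import io
import json

# Constructed sample: header plus one record in the IP Risk List format above (evidence strings trimmed).
RISK_LIST_CSV = (
    'Name,Risk,RiskString,EvidenceDetails\n'
    '46.18.32.101,66.0,2/47,"{""EvidenceDetails"":[{""Timestamp"":""2016-11-02T16:26:00.000Z"",'
    '""Criticality"":1,""Rule"":""Historical Multicategory Blacklist"",""CriticalityLabel"":'
    '""Unusual"",""EvidenceString"":""hpHosts Latest Additions"",""MitigationString"":""""},'
    '{""Timestamp"":""2018-04-15T12:34:28.869Z"",""Criticality"":3,""Rule"":""Phishing Host"",'
    '""CriticalityLabel"":""Malicious"",""EvidenceString"":""PhishTank verified phish"",'
    '""MitigationString"":""""}]}"\n'
)

# Constructed sample events from a source type whose destination field is called "dest", not "dst".
EVENTS = [
    {"src": "10.0.0.5", "dest": "46.18.32.101", "action": "allowed"},
    {"src": "10.0.0.7", "dest": "93.184.216.34", "action": "allowed"},
]


def load_risk_list(text):
    """Parse a Risk List CSV into {Name: row}; the quoted EvidenceDetails column is decoded from JSON."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["Risk"] = float(row["Risk"])
        row["EvidenceDetails"] = json.loads(row["EvidenceDetails"])["EvidenceDetails"]
        table[row["Name"]] = row
    return table


def correlate(events, risk_list, ip_field):
    """Equivalent of `eval Name=<ip_field>` plus a lookup on the Risk List's Name column.
    Returns only the events whose IP appears in the Risk List, enriched with risk data."""
    hits = []
    for event in events:
        name = event.get(ip_field)          # None when ip_field does not exist for this source type
        match = risk_list.get(name)
        if match is None:
            continue
        hit = dict(event, Name=name, Risk=match["Risk"], RiskString=match["RiskString"])
        # Report the highest-criticality rule as the reason the IP is on the list.
        worst = max(match["EvidenceDetails"], key=lambda e: e["Criticality"])
        hit["Rule"] = worst["Rule"]
        hit["CriticalityLabel"] = worst["CriticalityLabel"]
        hits.append(hit)
    return hits
```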

Finding Modified Dashboards

Dashboards are displayed under Other → Dashboards. The view shows all dashboards for all add-ons in Splunk, but it can be limited to show only dashboards related to the Recorded Future App by clicking This App’s.

Further Help

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com