Additional Information for setting up on Splunk ES

Setup Splunk Enterprise Security

The app has built-in support for Splunk Enterprise Security. The support is available when the app is installed on a search head together with Splunk ES.

Required steps to use the Splunk ES functionality

Enable Splunk ES support

In the Recorded Future for Splunk menu, select Configure. Ensure that the switch to enable support for Splunk ES is enabled.

Required configuration within Splunk ES

To use the full Splunk ES functionality, some configuration has to be done in Splunk Enterprise Security.

  • In the Enterprise Security menu bar, click Configure → Incident Management → Incident Review Settings.
  • Click the button 'Add new entry' in the "Incident Review - Event Attributes" section. Add the following Label and Field Combinations:
    Label                         Field
    RF Risk Score                 rf_a_risk
    RF Triggered Rules            rf_b_rules
    RF Very Malicious Evidence    rf_evidence_critical
    RF Malicious Evidence         rf_evidence_malicious
    RF Suspicious Evidence        rf_evidence_suspicious
    RF Unusual Evidence           rf_evidence_unusual
  • A restart of the Splunk instance will be required once the installation has completed.
  • If you haven't already done so, enable the Enterprise Security correlation search called "Threat Activity Detected"
    1. In the Enterprise Security menu bar, click Configure → Content Management
    2. In the filter bar, type "Threat Activity Detected"
    3. Click the link 'Enable' to enable the correlation search

Enrichment of detected events

Splunk ES detects suspicious events using its built-in Threat Intelligence framework. Recorded Future leverages that framework to perform detection of suspicious events.

Once an event has been detected, it still needs to be enriched to make triage efficient. This can be done in two ways:

  1. Using saved searches, which add data from Recorded Future's Risk Lists to the events.
  2. Using the provided Adaptive Response action. This method makes a query to Recorded Future's API to fetch up-to-date information.

See below for instructions on how to activate each method.

Saved Searches to perform Enrichment

By default the app will enable four saved searches that will perform the enrichment of any compatible notable events. See below for the steps needed to switch to Adaptive Response based Enrichment.
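To make the saved-search enrichment concrete, here is an added example (not code from the Recorded Future app) that joins notable events against a risk list and fills the Incident Review fields listed above. It assumes the risk list CSV columns Name, Risk, RiskString and EvidenceDetails (nested JSON with Rule, Criticality and EvidenceString), and that the notable event's threat_match_value field holds the matched indicator; the indicators and evidence strings are constructed.

```python
import csv
import io
import json

# Constructed sample in the layout of a Recorded Future risk list CSV. The column
# names and the nested JSON are assumed from the published list format; the
# indicators, scores and evidence strings are made up for this example.
RISK_LIST_CSV = '''Name,Risk,RiskString,EvidenceDetails
198.51.100.7,89,3/58,"{""EvidenceDetails"": [{""Rule"": ""Actively Communicating C&C Server"", ""Criticality"": 4, ""EvidenceString"": ""Constructed evidence A""}, {""Rule"": ""Recent Phishing Host"", ""Criticality"": 3, ""EvidenceString"": ""Constructed evidence B""}, {""Rule"": ""Historical Threat Researcher"", ""Criticality"": 1, ""EvidenceString"": ""Constructed evidence C""}]}"
203.0.113.9,25,1/58,"{""EvidenceDetails"": [{""Rule"": ""Recent Spam Source"", ""Criticality"": 2, ""EvidenceString"": ""Constructed evidence D""}]}"
'''

# Criticality level -> event attribute configured in Incident Review Settings.
EVIDENCE_FIELDS = {
    4: "rf_evidence_critical",    # RF Very Malicious Evidence
    3: "rf_evidence_malicious",   # RF Malicious Evidence
    2: "rf_evidence_suspicious",  # RF Suspicious Evidence
    1: "rf_evidence_unusual",     # RF Unusual Evidence
}


def load_risk_list(text):
    """Index a risk list CSV by indicator value (the Name column)."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def enrich(event, risk_list):
    """Return a copy of a notable event with RF fields added if its indicator is listed.

    threat_match_value is assumed to carry the indicator that triggered the notable.
    Events whose indicator is not on the list are returned unchanged."""
    hit = risk_list.get(event.get("threat_match_value"))
    enriched = dict(event)
    if hit is None:
        return enriched
    enriched["rf_a_risk"] = int(hit["Risk"])       # RF Risk Score
    enriched["rf_b_rules"] = hit["RiskString"]     # RF Triggered Rules, e.g. "3/58"
    for ev in json.loads(hit["EvidenceDetails"])["EvidenceDetails"]:
        field = EVIDENCE_FIELDS.get(int(ev["Criticality"]))
        if field is None:
            continue  # skip unknown criticality levels instead of failing the search
        enriched.setdefault(field, []).append(f'{ev["Rule"]}: {ev["EvidenceString"]}')
    return enriched


def enrich_events(events, risk_list):
    """Enrich a batch of notable events; unmatched ones pass through untouched."""
    return [enrich(e, risk_list) for e in events]


if __name__ == "__main__":
    rl = load_risk_list(RISK_LIST_CSV)
    notables = [{"threat_match_value": "198.51.100.7"}, {"threat_match_value": "192.0.2.1"}]
    for e in enrich_events(notables, rl):
        print(json.dumps(e, indent=2))
```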

Adaptive Response (AR) to perform Enrichment

To activate Adaptive Response (AR), the following steps need to be performed:

  • Turn off the searches that enrich notable events:
    1. Go to Configure → Content Management
    2. Disable "RF IP Threatlist Search", "RF Domain Threatlist Search" and "RF Hash Threatlist Search" (easier to find if you use the app filter, but not necessary).
  • Click on "Threat Activity Detected" to open the settings.
    1. Next to "Adaptive Response Action", click on "Add New Response Action"
    2. Select Recorded Future's action
    3. Leave the default "Automatic" selection.
  • Click Save.

Adaptive Response Ad-hoc invocation

Ad-hoc invocations of Adaptive Response can be made, for example from the Incident Review dashboard. The user invoking the Adaptive Response in this way must have the list_storage_passwords capability.