Common Splunk Search Strings for Recorded Future Risk Lists

This page includes example searches for correlating Recorded Future risk lists with various log files commonly indexed in Splunk Enterprise. It is unlikely that any of these searches can be used directly 'as is'; rather, they are intended to give knowledgeable Splunk engineers a starting point for building searches that correlate Recorded Future risk lists with the log files in their own Splunk instances. Many of the examples focus on IP addresses; similar searches for domains, vulnerabilities, and hashes are straightforward to derive from the examples here.

Here’s the list of available searches in this support page:

Suggestions for additional common and useful searches are welcome! 


Single source – Single field example:

This search correlates the most recent 24 hours of data from a firewall (e.g., netscreen) with the Recorded Future IP risk list lookup. Any destination ("dst") IP address from the firewall logs that matches an entry on the risk list (i.e., has a non-zero risk score) is shown in the result.

sourcetype=netscreen:firewall earliest=-24h | eval Name=dst | eval Time=start_time | lookup rf_ip_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval RiskScore = Risk | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -RiskScore | table Name, Time, RiskScore, RiskString, Rule, EvidenceString | rename Name as IPAddress

Single source – Multiple field example:

This example is similar to the one above, but the correlation uses both the "src" and "dst" columns of the firewall data to identify risky IP addresses: the two values are joined into one field, split into a multivalue field, and expanded so that each address is looked up separately.

sourcetype=netscreen:firewall earliest=-24h | eval Name=src . ";" . dst | makemv delim=";" Name | mvexpand Name | eval Time=start_time | lookup rf_ip_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval RiskScore = Risk | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -RiskScore | table Name, Time, RiskScore, RiskString, Rule, EvidenceString | rename Name as IPAddress
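To make the single-field and multi-field searches above concrete, here is an added Python example (not from this page, and not Recorded Future's code) that reproduces the pipeline offline: the risk list is a constructed CSV in the shape the lookups assume (Name, Risk, RiskString, and an EvidenceDetails JSON column that spath reads as EvidenceDetails{}.Rule and EvidenceDetails{}.EvidenceString), the firewall events are constructed, and the function names are this example's own. The same correlate() call with key_fields=["cve"] and a vulnerability list mirrors the Rapid7 enrichment search further down the page.

```python
import csv
import io
import json

# Constructed Recorded Future-style IP risk list. Addresses are from the
# documentation ranges and the scores, rule names and evidence are made up.
RISKLIST_CSV = '''Name,Risk,RiskString,EvidenceDetails
198.51.100.7,89,2/40,"{""EvidenceDetails"": [{""Rule"": ""Example Rule A"", ""EvidenceString"": ""constructed evidence 1""}, {""Rule"": ""Example Rule B"", ""EvidenceString"": ""constructed evidence 2""}]}"
203.0.113.9,25,1/40,"{""EvidenceDetails"": [{""Rule"": ""Example Rule C"", ""EvidenceString"": ""constructed evidence 3""}]}"
'''

# Constructed netscreen-style firewall events (only the fields the search uses).
FIREWALL_EVENTS = [
    {"start_time": "2024-01-01 10:00:01", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"start_time": "2024-01-01 10:00:02", "src": "203.0.113.9", "dst": "10.0.0.8"},
    {"start_time": "2024-01-01 10:00:03", "src": "10.0.0.5", "dst": "192.0.2.44"},
    {"start_time": "2024-01-01 10:00:04", "src": "198.51.100.7", "dst": "203.0.113.9"},
]


def load_risklist(csv_text):
    """Parse the risk list into a dict keyed on Name, the lookup key field."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def evidence_fields(evidence_details_json):
    """Mirror spath(EvidenceDetails, "EvidenceDetails{}.Rule") and the
    EvidenceString equivalent: return the list of rules and the list of
    evidence strings found in the JSON array (multivalue fields in Splunk)."""
    try:
        details = json.loads(evidence_details_json).get("EvidenceDetails", [])
    except (ValueError, AttributeError):
        details = []
    rules = [d.get("Rule", "") for d in details]
    strings = [d.get("EvidenceString", "") for d in details]
    return rules, strings


def correlate(events, key_fields, risklist, time_field="start_time"):
    """Replicate the SPL pipeline: build Name from one field (single-field
    search) or several fields (makemv + mvexpand in the multi-field search),
    look each value up, keep only rows where the lookup returned a Risk
    (search Risk != ""), pull the evidence apart, and sort by score."""
    results = []
    for event in events:
        # mvexpand: one working row per candidate value
        for field in key_fields:
            name = event.get(field)
            if not name:
                continue
            hit = risklist.get(name)
            if hit is None:
                # lookup left Risk empty, so `search Risk != ""` drops the row
                continue
            rules, strings = evidence_fields(hit["EvidenceDetails"])
            results.append({
                "IPAddress": name,
                "Time": event.get(time_field),
                "RiskScore": int(hit["Risk"]),
                "RiskString": hit["RiskString"],
                "Rule": rules,
                "EvidenceString": strings,
            })
    # sort -RiskScore (Python's sort is stable, like Splunk's for ties)
    results.sort(key=lambda r: r["RiskScore"], reverse=True)
    return results


if __name__ == "__main__":
    risklist = load_risklist(RISKLIST_CSV)
    for row in correlate(FIREWALL_EVENTS, ["src", "dst"], risklist):
        print(row)
```

Running the block prints four rows for the multi-field case, because the fourth event has a risky address in both src and dst and each is expanded into its own row; the single-field (dst only) case yields two. Note that `search Risk != ""` only removes events the lookup did not match; it does not itself filter on the score, so the "non-zero" guarantee comes from the risk list containing only scored entities.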

Adding Recorded Future risk information to an original logsource:

This is a bulk-enrichment example. The search below assumes Rapid7 Nexpose vulnerability scan data has been indexed in Splunk, and it appends Recorded Future risk information for each CVE to the data set.

source="Rapid7_Nexpose_Splunk_Vulnerability_Data" | fields cve, asset_id, dest | eval Name=cve | lookup rf_vuln_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | convert ctime(_time) as Time | table Time, Name, asset_id, dest, Risk, RiskString, Rule, EvidenceString | rename asset_id as "NeXpose AssetID" | sort -Risk

Domain extraction and search:

This search extracts the domain name from the "_raw" field of proxy (squid) access logs from the last 24 hours and displays any that match a domain scored with non-zero risk by Recorded Future.

index=main sourcetype=squid:access earliest=-24h | rex field=_raw "http://(?<domain>[^/]+)/.+" | eval Time=strftime(_time,"%m/%d/%y %I:%M:%S:%p") | eval Name=domain | lookup rf_domain_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval Domain = Name | eval RiskScore = Risk | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -RiskScore | table Domain, Time, RiskScore, RiskString, Rule, EvidenceString

Hash extraction and search:

This search correlates file hashes logged by an endpoint protection product (e.g., Symantec) with Recorded Future's hash risk list. Hashes that match a non-zero-risk entry in the Recorded Future data are shown, along with the timestamp at which the hash was observed.

sourcetype="symantec:ep:risk:file" earliest=-24h | rex field=_raw "Application hash: (?<file_hash>[^,]+)" | eval Name=file_hash | eval Time=strftime(_time,"%m/%d/%y %I:%M:%S:%p") | lookup rf_hash_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -Risk | table Name, Time, Risk, RiskString, Rule, EvidenceString | rename Name as Hash
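The rex extractions in the domain and hash searches above are the part most likely to need adjusting for a client's log format, so here is an added Python example (not from this page) that applies the page's two patterns to constructed squid and Symantec log lines and shows where the domain pattern misfires: it requires a literal http:// prefix followed by a path, so https URLs and CONNECT entries are skipped, and because [^/]+ also matches spaces, a URL with no path swallows the fields that follow it. BROAD_URL_RE is an assumed alternative written for this example, not a pattern from the page.

```python
import re

# The page's two rex patterns, translated to Python's named-group syntax.
SQUID_DOMAIN_RE = re.compile(r"http://(?P<domain>[^/]+)/.+")
SYMANTEC_HASH_RE = re.compile(r"Application hash: (?P<file_hash>[^,]+)")

# Assumed alternative (not on the page): accepts http or https, stops the host
# at a colon, slash or whitespace, and tolerates a port or a missing path.
BROAD_URL_RE = re.compile(r"https?://(?P<domain>[^/:\s]+)(?::\d+)?(?:/|\s|$)")

# Constructed squid access-log lines in squid's native log format.
SQUID_LINES = [
    "1704067201.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://example-bad.test/login.php - HIER_DIRECT/198.51.100.7 text/html",
    "1704067202.456     80 10.0.0.6 TCP_TUNNEL/200 2048 CONNECT secure.example.test:443 - HIER_DIRECT/203.0.113.9 -",
    "1704067203.789     60 10.0.0.7 TCP_MISS/200 1024 GET https://cdn.example.test/a.js - HIER_DIRECT/192.0.2.44 application/javascript",
    "1704067204.000     30 10.0.0.8 TCP_MISS/200 512 GET http://bare.example.test - HIER_DIRECT/192.0.2.45 text/html",
]

# Constructed Symantec Endpoint Protection risk events (comma-separated
# fields); the hash value is a placeholder, not a real file hash.
SYMANTEC_LINES = [
    "Security risk found,Computer name: WS01,Application hash: 0123456789abcdef0123456789abcdef,Hash type: MD5,Action: Quarantined",
    "Scan complete,Computer name: WS02,Risks found: 0",
]


def extract_domain(raw, pattern=SQUID_DOMAIN_RE):
    """Equivalent of rex field=_raw "http://(?<domain>[^/]+)/.+"; pass
    BROAD_URL_RE as pattern to use the assumed broader expression."""
    m = pattern.search(raw)
    return m.group("domain") if m else None


def extract_hash(raw):
    """Equivalent of rex field=_raw "Application hash: (?<file_hash>[^,]+)"."""
    m = SYMANTEC_HASH_RE.search(raw)
    return m.group("file_hash") if m else None


def extract_all(lines, extractor):
    """Run an extractor over every line. Lines with no match are dropped,
    which is what happens downstream to events whose rex produced no field."""
    return [v for v in (extractor(line) for line in lines) if v is not None]


if __name__ == "__main__":
    print("page pattern :", extract_all(SQUID_LINES, extract_domain))
    print("broad pattern:", extract_all(SQUID_LINES, lambda l: extract_domain(l, BROAD_URL_RE)))
    print("hashes       :", extract_all(SYMANTEC_LINES, extract_hash))
```

With the page's pattern the fourth squid line yields the bogus value "bare.example.test - HIER_DIRECT", which would then be looked up verbatim and silently never match; the broader pattern returns "bare.example.test" and also picks up the https request. Whichever pattern is used, validating the extracted field (for example with `| search domain=*.*`) before the lookup keeps such junk out of the results.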

Using Splunk Stats to add count into events:

This search correlates the "remoteip" field, extracted from the captured headers of an HAProxy log, with the Recorded Future IP risk list. Instead of simply showing every log record that correlates with the risk list, it groups by IP address and shows the number of correlated events within the last 24 hours.

sourcetype="haproxy:http" earliest=-24h | rex field=captured_headers "^(?<remoteip>\d+\.\d+\.\d+\.\d+).*$" | search remoteip=* | eval Name=remoteip | lookup rf_ip_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eventstats count by Name | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -count | table Name, count, Risk, RiskString, Rule, EvidenceString | rename Name as "Destination IP" | rename count as Count | rename Rule as "Rule(s)"
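The point of this search is the `eventstats count by Name` step, and its behaviour is easy to misread: every event is kept and gains the count, so a busy risky IP appears once per event, each row carrying the same count, whereas `stats count by Name` collapses to one row per IP. Here is an added Python example (not from this page) that runs the page's remoteip rex over constructed HAProxy events, stands in for the lookup with a small constructed dict of risky addresses, and implements both aggregations so the difference can be seen; the function names are this example's own.

```python
import re
from collections import Counter

# The page's rex pattern for the haproxy captured_headers field.
REMOTEIP_RE = re.compile(r"^(?P<remoteip>\d+\.\d+\.\d+\.\d+).*$")

# Constructed haproxy events; captured_headers is assumed to begin with the
# client address (e.g. a captured X-Forwarded-For value), as the rex expects.
HAPROXY_EVENTS = [
    {"_time": "2024-01-01T10:00:01", "captured_headers": "198.51.100.7|Mozilla/5.0"},
    {"_time": "2024-01-01T10:00:02", "captured_headers": "203.0.113.9|curl/8.0"},
    {"_time": "2024-01-01T10:00:03", "captured_headers": "198.51.100.7|Mozilla/5.0"},
    {"_time": "2024-01-01T10:00:04", "captured_headers": "10.0.0.5|Mozilla/5.0"},
    {"_time": "2024-01-01T10:00:05", "captured_headers": "-|python-requests/2.31"},
    {"_time": "2024-01-01T10:00:06", "captured_headers": "198.51.100.7|curl/8.0"},
]

# Constructed stand-in for what `lookup rf_ip_threatfeed ... OUTPUT` returns
# for addresses on the list; any other address gets no Risk and is dropped.
RISKY_IPS = {
    "198.51.100.7": {"Risk": 89, "RiskString": "2/40", "Rule": ["Example Rule A"]},
    "203.0.113.9": {"Risk": 25, "RiskString": "1/40", "Rule": ["Example Rule C"]},
}


def extract_remoteip(event):
    """rex field=captured_headers "^(?<remoteip>\\d+\\.\\d+\\.\\d+\\.\\d+).*$"."""
    m = REMOTEIP_RE.match(event.get("captured_headers", ""))
    return m.group("remoteip") if m else None


def eventstats_count(rows, by):
    """`eventstats count by <by>`: every row is kept and gains a count field
    holding how many rows share its <by> value."""
    counts = Counter(row[by] for row in rows)
    return [dict(row, count=counts[row[by]]) for row in rows]


def stats_count(rows, by):
    """`stats count by <by>`: collapses the rows to one count per value."""
    return dict(Counter(row[by] for row in rows))


def risky_ip_counts(events):
    """The page's pipeline: extract remoteip, drop events without one
    (search remoteip=*), drop events the lookup did not match
    (search Risk != ""), then eventstats count by Name and sort -count."""
    rows = []
    for event in events:
        ip = extract_remoteip(event)
        if ip is None:
            continue
        hit = RISKY_IPS.get(ip)
        if hit is None:
            continue
        rows.append({"Name": ip, "Time": event["_time"], **hit})
    return sorted(eventstats_count(rows, "Name"),
                  key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    rows = risky_ip_counts(HAPROXY_EVENTS)
    for row in rows:
        print(row)
    print("collapsed:", stats_count(rows, "Name"))
```

Of the six constructed events, one has no leading address and one is not on the list, so four rows survive: three for 198.51.100.7 (each with count 3) and one for 203.0.113.9. If one line per IP is wanted rather than one per event, add `| dedup Name` after the eventstats, or replace it with `stats count by Name` and carry the risk fields along with `values()`.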

Search for RF data in Splunk Threat Intelligence KV Store:

This search lists the Recorded Future risk lists that are loaded into the Splunk Enterprise Security Threat Intelligence KV store (their threat keys are prefixed with "rf").

| `ip_intel` | search threat_key=rf*

Search for IP in RF lookup table in ES:

This is a simple search to look for a specific IP address on the Recorded Future IP risklist lookup table (Splunk ES).

| inputlookup recordedFutureIpThreatList | search Name=162.208.22.34

Search for IP (e.g., 162.208.22.34) in RF lookup table in Core Splunk:

This is a simple search to look for a specific IP address on the Recorded Future IP risklist lookup table (Splunk Enterprise).

| inputlookup rf_ip_threatfeed | search Name=162.208.22.34