Correlation Dashboards
The Correlation Dashboards display correlations between events and Recorded Future Risk Lists. The Risk List used for the correlation depend on which type of Correlation Dashboard is chosen. By default only the events of the last 24 hours are used.
The Correlation Dashboards need to be configured to ensure that the events used contain the correct type of entity, for instance that the IP address Risk List is matched to events that contain IP addresses.
The correlation dashboards contain four elements:
- Summary shows the number of entities which were found to match one or more events.
- “Top Rule Hits” shows the rules which are triggered by these entities.
- “Top Counts” displays the the entities with the number of events they were matched to.
- “High Risk” contains matching entities with the risk information.
Dashboard Sections
Summary
Summary displays the number of the events for which a match was found in the Risk List.
Top Rule Hits
Section “Top Rule Hits” contains a list of all Recorded Future Rules that have been triggered by the matching entities and is sorted by the number of entities that have triggered the rule.
Top Counts
Section “Top Counts” lists all the entities were matched to the events and the list is sorted by the number of events that the entity was matched to. Click on an entity to bring up its corresponding Enrichment Dashboard in a new window.
High Risk
This is a table with the matched entities listed in descending Risk order. The Risk column is ordered and color coded according to the risk score.
| Field | Description |
|---|---|
| Risk | The risk score assigned to the entity by Recorded Future |
| Entity | The matched entity |
| Count | The number of events matched to the entity |
| Rules | The number of Recorded Future rules triggered for the entity out of the total number of rules set up for this type of entity by Recorded Future. |
| Evidence | Each of the triggered rules is listed in descending criticality. The criticality is signalled by a color coded dot at the start of the line. The rule is written in bold followed by the details in regular text. |
Further information can be obtained by two drill down options:
- Click on the entity, such as the IP address or the Domain, to open a new Search window looking for events involving the entity.
- Click on any other part of the line to open the Enrichment Dashboard for the entity.
Configuration
Information on how to configure the Correlation Dashboards can be found under Help → Adapt and tune → Adapt dashboards.
Further Help
“Recorded Future App for Splunk Enterprise” has been developed by Recorded Future.
Further information and support can be found on our Support web site: support.recordedfuture.com