Initial Setup of the App

When the app has been installed on the Splunk server, finalise the initial setup under Configuration → Configuration.

The Configuration view has three panes: Setup, Risk Lists and Alerting Rules.

Configure an API key that has Connect API access, together with a working API endpoint, under the Setup view.

The API key must be configured in the Setup pane for the app to work. To configure the API key and proxy settings in the app, the Splunk user needs the ‘list_storage_passwords’ capability, which grants access to the credentials Splunk keeps in its secure password storage.

Setup

Setup tab

All settings except Risk Lists and Alerting Rules are configured here. The minimum configuration is setting the API key.

If you need to disable certificate validation, for example because a networking device between the Splunk machine and the internet is rewriting the SSL certificate, uncheck the “SSL Verification” checkbox. With verification off, the app no longer checks that it is talking to the genuine Recorded Future API endpoint, so keep it enabled unless such a device is actually in the path.

If the Splunk server requires a proxy for Internet access, check the Proxy checkbox. This reveals additional fields that need to be filled in. Proxy host and port are required; the username and password should only be configured if the proxy requires authentication.

Recorded Future support may in rare circumstances instruct a user to use a different URL to the Recorded Future API, in which case the Recorded Future API URL should be modified.
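To make it clear what the Setup-pane settings (API key, SSL Verification, Proxy host/port/credentials, API URL, log level) translate into, here is an added example in Python that maps those fields onto an equivalent standard-library HTTP client configuration and enforces the same rules the pane describes (host and port mandatory once the proxy is enabled, credentials optional and only used together, exactly the five log levels). It is illustrative code, not the app's own implementation: the settings-dictionary keys, the default API URL and the `X-RFToken` header name are assumptions, and nothing is sent over the network.

```python
"""Added example, not the Recorded Future App's own code: translate the Setup
pane fields into an equivalent urllib/ssl/logging configuration."""
import logging
import ssl
import urllib.request
from urllib.parse import quote

# Assumed default; the real value is whatever the Setup pane shows unless
# Recorded Future support instructs you to change it.
DEFAULT_API_URL = "https://api.recordedfuture.com/"

LOG_LEVELS = ("CRITICAL", "ERROR", "WARNING", "INFO", "DEBUG")


def validate_proxy(settings):
    """Return a proxy URL, or None when the Proxy checkbox is not ticked.

    Host and port are mandatory once the proxy is enabled; username and
    password are optional but must be given together.
    """
    if not settings.get("proxy_enabled"):
        return None
    host = settings.get("proxy_host") or ""
    port = settings.get("proxy_port")
    if not host or not port:
        raise ValueError("proxy host and port are required when the proxy is enabled")
    user = settings.get("proxy_username") or ""
    password = settings.get("proxy_password") or ""
    if bool(user) != bool(password):
        raise ValueError("proxy username and password must be configured together")
    # Percent-encode credentials so characters such as '@' or ':' cannot
    # corrupt the URL.
    auth = f"{quote(user, safe='')}:{quote(password, safe='')}@" if user else ""
    return f"http://{auth}{host}:{int(port)}"


def build_ssl_context(verify=True):
    """Equivalent of the "SSL Verification" checkbox."""
    ctx = ssl.create_default_context()
    if not verify:
        # Unticking the box means neither the certificate chain nor the
        # hostname is checked, so a device that rewrites the certificate can
        # read and alter the API traffic. Leave this on whenever possible.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_opener(settings):
    """Assemble an opener that reflects every Setup-pane field.

    The API key is sent in an 'X-RFToken' header; that header name is an
    assumption of this example, not something the help page states.
    """
    if not settings.get("api_key"):
        raise ValueError("an API key is the minimum required configuration")
    handlers = [urllib.request.HTTPSHandler(
        context=build_ssl_context(settings.get("ssl_verify", True)))]
    proxy = validate_proxy(settings)
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)
    opener.addheaders = [("X-RFToken", settings["api_key"]),
                         ("Accept", "application/json")]
    return opener


def configure_logging(level_name="INFO"):
    """Apply one of the five supported log levels to the app logger."""
    if level_name not in LOG_LEVELS:
        raise ValueError(f"log level must be one of {LOG_LEVELS}, got {level_name!r}")
    logger = logging.getLogger("ta_recordedfuture_cyber_rest")
    logger.setLevel(getattr(logging, level_name))
    return logger


if __name__ == "__main__":
    # Constructed sample settings, as they might be entered in the Setup pane.
    sample = {
        "api_key": "EXAMPLE-KEY-PLACEHOLDER",
        "api_url": DEFAULT_API_URL,
        "ssl_verify": True,
        "proxy_enabled": True,
        "proxy_host": "proxy.example.internal",
        "proxy_port": 3128,
        "proxy_username": "svc-splunk",
        "proxy_password": "p@ss:word",
    }
    opener = build_opener(sample)
    configure_logging("INFO")
    print("proxy URL:", validate_proxy(sample))
    print("headers:", opener.addheaders)
```

The percent-encoding in `validate_proxy` matters in practice: a proxy password containing `@` or `:` would otherwise split the URL at the wrong place and the connection would fail with a confusing error rather than an authentication failure.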

There are five levels of logging: CRITICAL, ERROR, WARNING, INFO and DEBUG.

The recommended log level is INFO. To report an issue with the Recorded Future App, temporarily change it to DEBUG to collect the additional logs needed for troubleshooting, then set it back to INFO.

The logs generated by the Recorded Future App are located in the default Splunk log directory $SPLUNK_HOME/var/log/splunk and will be written to the following file:

  • ta_recordedfuture_cyber_rest.log

The information contained in the log files can be viewed either in the Splunk GUI or as files on the Splunk server.

Example search:

index=_* source="/opt/splunk/var/log/splunk/ta_recordedfuture_cyber_rest.log"

More information about the other tabs can be found under their respective help pages.

Further Help

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com