Customizing the Global Map

The Global Map shows the geolocation of all matching IP Addresses when correlating firewall logs with a Recorded Future Risk List.

Adapting to Local Source Types

It is possible to change the source type as long as the field name in the search statement is modified at the same time.


    sourcetype=netscreen:firewall earliest=-24h
    | eval Name=dst
    | eval Time=start_time
    | lookup default_ip_risklist.csv Name OUTPUT Risk, RiskString, EvidenceDetails
    | search Risk != ""
    | eval RiskScore = Risk
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule")
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    | search Risk != ""
    | iplocation Name
    | fields + Name, Risk, lat, lon, City, Country
    | geostats count latfield=lat longfield=lon

The search can be adapted to suit the local setup. The most typical changes are involve the first 4 rows of the search:

  • The value netscreen:firewall should match the source type of your firewall logs.
  • The eval Name=dst statement should match the field name of the destination IP Address in your firewall logs
  • The lookup default_ip_risklist.csv should match the name of the risk list you want to correlate the firewall logs with

Customize with a Different Map Widget

The style of the map can be changed by installing additional Splunk Apps containing visualisations, such as leaflet_maps_app. Click Edit on the dashboard:

Edit button

Choose the new theme of the map by clicking on the Select visualization:

Select visualization

This is what the map looks like within the leaflet theme:

Global Map with Leaflet theme applied

This is the standard Splunk map:

Global Map with the default Splunk theme

Active Threats

The first row shows the current size of each of category of the default Risk Lists which are the following:

  • IP
  • Domain
  • Hash
  • Vulnerability
  • URL

The map collates the IP addresses in the Risk List based on location and displays top ten countries in a pie chart as well as the top ten risk rules per entity that have been triggered the most by the correlated events.

Further Help

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com