Configure and Manage Risk Lists
Risk Lists can be used to correlate and enrich events. Each element in a Risk List, like an IP number or Domain, contains has a risk score and the information which contributed to its risk score.
Default Risk Lists
The Recorded Future App is shipped with the five Recorded Future Risk Lists:
- IP address
- Domain names
- URLs
- Hashes of files
- Vulnerabilities (mainly CVEs)
With Fusion access, it is possible to work with customized Risk Lists.
Add Risk Lists
Additional Risk Lists can be downloaded by clicking Add Risk List. The following fields appear at the top:
| Field | Significance | Comment |
|---|---|---|
| Name | Risk List name within the Splunk instance. | The lookup file will be named .csv. |
| Risk List category | The type of entity contained in the Risk List. | IP, Domain, Hash, Vulnerability, or URL. |
| Fusion file | The path to the Fusion Risk List. | The path must point to a defined Fusion file stored as an uncompressed CSV file if used as a lookup. |
| Update Interval | The interval used to check for updates. | Default is as soon as an updated version is available. |
When done configuring the new Risk List, click on Save to save the new configuration.
Manage Risk Lists
All configured Risk Lists are listed under Configuration → Configuration → Risk Lists. The list of Risk List inputs is sorted to show any custom Risk Lists at the top and the default configuration at the bottom. The default Risk List inputs can not be deleted, only disabled.
To edit a configured Risk List, just click on Edit and the fields will unlock. Click Save when done editing the settings.
To remove a Risk List, select the corresponding Delete Risk List checkbox and click on Save.
Special Considerations for Recorded Future App on Splunk ES
Both Recorded Future App for Splunk and Recorded Future App for Splunk ES fetch the same set of default Risk Lists. To avoid unnecessary credit consumption and processing load, it is recommended to access the Risk Lists through Recorded Future App for Splunk ES and to disable them in Recorded Future App for Splunk.
Further Help
“Recorded Future App for Splunk” has been developed by Recorded Future.
Further information and support can be found on our Support web site: support.recordedfuture.com