The types of issues involving the Recorded Future App for Splunk can be divided into three categories. The Recorded Future App contains three reports, one for each category, to assist troubleshooting:
| Category | Report | Description |
| --- | --- | --- |
| Credential/Network | Validate app deployment | Displays the results of a number of tests and lookups that are performed when the report is run. |
| Risk List Download/Frequency | Latest updates of all Risk Lists | Shows the last 5 Risk List updates. |
| Other | All logs from the App | Displays all the logs produced by the app in one view. |
How to Use the Reports
Check configuration/network connectivity
Run the report Validate App Deployment when the Recorded Future App for Splunk has been deployed and configured, or as an initial step during troubleshooting. The built-in validator performs a number of tests and collects useful troubleshooting information. “Ok” and “NA” indicate that the App’s connectivity/setup is working, so anything else, i.e. “Warning” or “Error”, should be investigated.
Verify that Risk Lists are downloaded correctly
The Recorded Future Risk Lists are available from the Recorded Future API. The report “Latest Update of all Risk Lists” shows all Risk Lists that have been downloaded successfully. We save the timestamps from the last 5 successful downloads. Any Risk Lists not shown in the report have never been downloaded successfully.
The recommended update frequency of the Recorded Future Risk Lists depends on how often they are updated. The current schedule can be found on the Recorded Future Support site.
There are several issues that can impact the download of a Risk List. Use the following guide to troubleshoot Risk Lists that are not updated as expected:
- If all Risk Lists fail to be updated, it is likely that there is an issue with network connectivity or the API Token used. Run the report Validate app deployment described above.
- Check that the configuration specifies the correct interval for updates on the configuration page.
- The Fusion path may not exist or it was spelled wrong. This can be verified by performing the following search: index=_* sourcetype="tarecordedfuture:cyber:log" ERROR 404 "File or directory" path=*
- Check that the path field corresponds to a Fusion file. Note that it is URL encoded which means that the Fusion file path /home/custom.csv will read %2Fhome%2Fcustom.csv.
- Ensure that the Recorded Future API Token used by the app belongs to the correct enterprise in Recorded Future’s system. With the exception of public Fusion files (paths starting with /public/), no Fusion files are available outside of the Enterprise that owns them.
- Ensure that the Fusion Flow responsible for generating the Fusion file was successfully executed.
- The Recorded Future App does not update a Risk List that has not been changed since the last download. To check when the Fusion file was last modified, use the HEAD method to check its timestamp.
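The following helper, added here as an example and not part of the Recorded Future App, ties together the last three steps: it extracts and URL-decodes the path field from 404 “File or directory” events, flags whether a path is a public Fusion file, and compares a Last-Modified header returned by a HEAD request against the last successful download time. The log line layout, the Fusion file URL and the X-RFToken header name are assumptions made for illustration; the sample events are constructed.

```python
"""Fusion-file download triage: constructed log lines, assumed field layout."""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote
import urllib.request

# Constructed sample events in the shape the troubleshooting search above
# looks for. The "path=" field is URL encoded, as the App logs it.
SAMPLE_LOG_LINES = [
    "2024-05-01 10:00:01 INFO Risk List download ok path=%2Fpublic%2Fip_risklist.csv",
    "2024-05-01 10:00:02 ERROR 404 File or directory not found path=%2Fhome%2Fcustom.csv",
    "2024-05-01 10:00:03 ERROR 404 File or directory not found path=%2Fhome%2Fcustom.csv",
    "2024-05-01 10:00:04 ERROR 403 Forbidden path=%2Fhome%2Fother_enterprise.csv",
]

PATH_FIELD = re.compile(r"path=(\S+)")


def missing_fusion_paths(lines):
    """Return decoded Fusion paths that produced a 404 'File or directory' error.

    Each path is reported once, in first-seen order, so a misspelled path
    shows up as a single entry even if the download was retried.
    """
    seen = []
    for line in lines:
        if not ("ERROR" in line and "404" in line and "File or directory" in line):
            continue
        match = PATH_FIELD.search(line)
        if not match:
            continue
        decoded = unquote(match.group(1))  # %2Fhome%2Fcustom.csv -> /home/custom.csv
        if decoded not in seen:
            seen.append(decoded)
    return seen


def is_public_path(path):
    """Only Fusion files under /public/ are readable outside the owning enterprise."""
    return path.startswith("/public/")


def needs_download(last_modified_header, last_download_iso):
    """Decide whether the App would fetch the file again.

    last_modified_header: HTTP-date string from the HEAD response.
    last_download_iso: ISO 8601 timestamp of the last successful download,
    with a UTC offset (e.g. '2024-05-01T09:00:00+00:00').
    """
    modified = parsedate_to_datetime(last_modified_header)
    if modified.tzinfo is None:  # '-0000' dates parse as naive; treat as UTC
        modified = modified.replace(tzinfo=timezone.utc)
    last_download = datetime.fromisoformat(last_download_iso)
    return modified > last_download


def fusion_last_modified(url, token):
    """Issue a HEAD request and return the Last-Modified header (or None).

    The URL layout and the 'X-RFToken' header name are assumptions made
    for this example; check the Recorded Future API documentation.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"X-RFToken": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers.get("Last-Modified")


if __name__ == "__main__":
    for path in missing_fusion_paths(SAMPLE_LOG_LINES):
        print(f"404 for Fusion path {path!r} (public file: {is_public_path(path)})")
    print(needs_download("Wed, 01 May 2024 09:30:00 GMT", "2024-05-01T09:00:00+00:00"))
```

Run the 404 extraction over the exported results of the search above rather than the constructed lines; a decoded path that does not match the Fusion file exactly (case, leading slash, extension) is the usual cause of a never-updated Risk List.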
The report “All logs from the App” lists all the events created by the app. The log level can be adjusted in the Configuration page. Default is INFO but when troubleshooting it may be appropriate to increase the level to DEBUG.
A good starting place is to look for errors (loglevel ERROR). The report can be opened in the search view: select Open in Search via the Edit button.
Raising an issue with Recorded Future
When reporting an issue to Recorded Future, the following procedure will generate a good set of information for further analysis:
- Short summary of the issue: what is or is not happening? Is it happening all the time or is it intermittent or limited to a subset of entities?
- Take screenshots showing the results of reports “Validate App Deployment” and “Latest Update of all Risk Lists”.
- Increase the log level to DEBUG.
- Trigger the issue.
- Note the date and time the issue was triggered.
- Run the report “All logs from the App” and export the results as a CSV file.
“Recorded Future App for Splunk” has been developed by Recorded Future.
Further information and support can be found on our Support web site: support.recordedfuture.com