Installing and configuring the Splunk ES TA

Installing and configuring

Installation

To install this Add-on, perform the following steps:

  1. Download the latest TA release from Splunkbase

  2. In Splunk, select "Manage Apps" from the drop-down menu next to the Splunk logo on the upper left of the screen

  3. Select "Install app from file"

  4. Browse to the location of the TA-recorded_future.spl file, select it and upload. Restart Splunk when prompted to do so.

  5. Go back to "Manage Apps". Locate "Splunk ES Add-on for Recorded Future" in the list and run "Set up".

  6. In the Enterprise Security menu bar, click Configure -> Incident Management -> Incident Review Settings.

  7. Click the button 'Add new entry' in the "Incident Review - Event Attributes" section. Add the following Label and Field combinations:

    Label                       Field
    RF Risk Score               rf_a_risk
    RF Triggered Rules          rf_b_rules
    RF Very Malicious Evidence  rf_evidence_critical
    RF Malicious Evidence       rf_evidence_malicious
    RF Suspicious Evidence      rf_evidence_suspicious
    RF Unusual Evidence         rf_evidence_unusual

  8. A restart of the Splunk instance will be required once the installation has completed.

  9. If you haven't already done so, enable the Enterprise Security correlation search called "Threat Activity Detected"

    1. In the Enterprise Security menu bar, click Configure -> Content Management
    2. In the filter bar, type "Threat Activity Detected"
    3. Click the link 'Enable' to enable the correlation search
  10. Optionally, run a post-install verification report. Run the "Validate app deployment" report. It performs a number of tests, none of which should yield an error.

    1. Go to Dashboards, Reports... -> Reports.
    2. Run Validate app deployment.

Alternatively, you can download the Add-on using the Splunk Web interface's "Find more apps online" feature. Steps 5 and onwards above must still be completed.

Configuration

After installation, you will need to set up the Add-on for Recorded Future to communicate with the Recorded Future API.

  1. Go to Configuration -> Configuration.
  2. Select the Add-on Settings tab.
  3. Enter the API Key.
  4. Review the other tabs if additional configuration is required.

Upgrading from previous versions

The setup needs to be run after the upgrade. The API key (previously called token in our documentation) will not carry over from the old configuration. The same goes for proxy and loglevel configurations.

Upgrade from 3.x versions

Due to the extent of the changes between version 2 and 3 of the app, we recommend that you remove the app directory ($SPLUNK_HOME/etc/apps/TA-recorded_future) and make a fresh install of the app.

If that is not possible, proceed with the instructions below.

Files and directories that can be removed

The following files and directories can be removed since they are no longer used:

From the bin folder:

future
libfuturize
past
requests
rf_integrations
rf_splunk
rfapi
splunklib
get-rf-threatlists.py
rf_es_setup.py
verify_rf_app.py

From the local folder (if present):

commands.conf

From the local/data/ui/nav folder (if present):

default.xml

Files that must be reviewed

Any file in the local folder is the result of a local configuration. These files take precedence over the new settings shipped with the app in the default folder. Compare each file in the local folder with the corresponding file in the default folder and adjust it if required.

In particular, correlation searches defined in a local savedsearches.conf are likely to cause issues if left in place.
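The two upgrade checks above (leftover 3.x files, and local files that shadow the new defaults) can be scripted. The following is an added example, not part of the Recorded Future TA; it assumes the app directory is $SPLUNK_HOME/etc/apps/TA-recorded_future and only reports, it never deletes anything.

```shell
#!/bin/sh
# Added example (not part of the TA): report obsolete 3.x files still present
# in the app directory and compare local/*.conf against default/*.conf.
# Assumed app dir: $SPLUNK_HOME/etc/apps/TA-recorded_future

# Files and directories the upgrade notes list as no longer used,
# relative to the app directory.
OBSOLETE="bin/future bin/libfuturize bin/past bin/requests bin/rf_integrations
bin/rf_splunk bin/rfapi bin/splunklib bin/get-rf-threatlists.py
bin/rf_es_setup.py bin/verify_rf_app.py
local/commands.conf local/data/ui/nav/default.xml"

# Print every obsolete path that still exists under the app dir.
# Returns 1 if any remain, so it can gate a deployment step.
list_obsolete() {
  app="$1"; found=0
  for rel in $OBSOLETE; do
    if [ -e "$app/$rel" ]; then
      echo "obsolete: $rel"; found=1
    fi
  done
  return $found
}

# Number of obsolete items still present (always exits 0).
count_obsolete() {
  list_obsolete "$1" | wc -l | tr -d ' '
}

# For each local/*.conf: "same", "differs" (shadows a changed default),
# or "local-only" (no counterpart in default/, e.g. a removed stanza file).
review_local() {
  app="$1"
  for f in "$app"/local/*.conf; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    if [ ! -e "$app/default/$name" ]; then
      echo "local-only: $name"
    elif diff "$app/default/$name" "$f" >/dev/null 2>&1; then
      echo "same: $name"
    else
      echo "differs: $name"
    fi
  done
}

# Usage:
#   list_obsolete "$SPLUNK_HOME/etc/apps/TA-recorded_future"
#   review_local  "$SPLUNK_HOME/etc/apps/TA-recorded_future"
```

Files reported as "differs" are the ones to diff by hand before restarting Splunk; a local savedsearches.conf in that state is the case the note above warns about.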