Pivoting to Recorded Future Enrichment Data in Splunk
These instructions show you how to add a workflow action for easy pivoting to Recorded Future enrichment data from any event in Splunk. We assume you have already installed the Splunk Enterprise integration from Recorded Future.
This is a typical event view within the Search app in Splunk; notice that only a limited set of actions is available:
It is important to note the fields you want to enrich. In this case we will use “dst” as this is the destination point for traffic going through our firewall originating from our network.
Step 1. Go to Settings > Fields on your Splunk Search Head:
Step 2. Select “Add new” to the right of Workflow actions:
Step 3. Select “TA_recordedfuture-cyber” as the destination app. NOTE: You can select other apps as the destination; we recommend this one only for organization and for possible role-based access control:
Step 4. Select a unique name for your workflow action:
Step 5. Select a label for your Workflow Action. NOTE: You can use the variable ($dst$) in this field to have the menu say “RF Enrich IPADDRESS” (used in this example), or use a static value like “RF destination enrichment”.
Step 6. Select the field we wish to enrich:
Step 7. If you want to restrict the action to specific event types, enter them here; otherwise leave this blank. NOTE: Event types are typically defined as part of a TA or app, but an event type can be created from any search. Example: creating an event type named fwaccepts with a search string of “index=extfws sourcetype=netscreen:firewall action=allowed” would prevent the workflow action from being displayed for traffic from other devices or for traffic dropped by the firewall.
Step 8. Select show action in Both and action type of link in the dropdown menus.
Step 9. Enter http://yoursearchhead.company.com/en-US/app/TA_recordedfuture-cyber/recorded_future_ip_enrichment?form.name=$dst$ into the URI field, where yoursearchhead.company.com is the DNS name of your Splunk Search Head. NOTE: The end of the URI is the variable for our selected field, “$dst$”:
Step 10. Select Open link to “New Window” and Link Method to “Get” in the dropdown menus:
Step 11. Select “Save” in the bottom right corner to save your Workflow Action:
After the new Workflow Action is saved, it is set up as private and available only within the Recorded Future app:
Step 12. Select Permissions to the right of the Workflow Actions.
Step 13. Select “All apps” to enable the pivot from other Splunk apps, set the appropriate “Role permissions” for the Workflow Action, and then select Save:
Step 14. Select an event (in any app, if permissions are set to global). You should now see your Workflow Action available in the event menus:
When you select the action, a new window/tab opens with the entity enrichment dashboard:
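The UI steps above simply write Splunk configuration files, and it is often easier to review, version and deploy the result as files. The following is an added example of the equivalent configuration, not taken from the Recorded Future documentation or app: the stanza name rf_dst_enrich, the label, the owner and the read/write role split are assumptions, and yoursearchhead.company.com is a placeholder for your own Search Head, exactly as in Step 9.

```ini
# workflow_actions.conf: equivalent of Steps 1-11 (assumed stanza name rf_dst_enrich)
# File: $SPLUNK_HOME/etc/apps/TA_recordedfuture-cyber/local/workflow_actions.conf
[rf_dst_enrich]
# Label shown in the event/field menu; $dst$ is replaced with the field value
label = RF Enrich $dst$
# Field the action is offered for (Step 6)
fields = dst
# Step 7: leave unset to show the action on every event; uncomment to restrict
# it to the fwaccepts event type defined below
# eventtypes = fwaccepts
# Step 8: show in both the event menu and the field menu, as a link
display_location = both
type = link
# Step 9: the enrichment dashboard URI, with the field value as the form input
link.uri = http://yoursearchhead.company.com/en-US/app/TA_recordedfuture-cyber/recorded_future_ip_enrichment?form.name=$dst$
# Step 10: open in a new window/tab using GET
link.target = blank
link.method = get
disabled = 0

# eventtypes.conf: the fwaccepts event type from the Step 7 example
# File: $SPLUNK_HOME/etc/apps/TA_recordedfuture-cyber/local/eventtypes.conf
[fwaccepts]
search = index=extfws sourcetype=netscreen:firewall action=allowed

# local.meta: permissions from Steps 12-13 ("All apps" sharing; assumed roles:
# every role may read/use the action, only admin may edit it)
# File: $SPLUNK_HOME/etc/apps/TA_recordedfuture-cyber/metadata/local.meta
[workflow_actions/rf_dst_enrich]
export = system
access = read : [ * ], write : [ admin ]
owner = admin
```

After placing these files, restart Splunk or reload the configuration, then confirm the merged result with `splunk btool workflow_actions list --debug`. Two practical points: the action uses GET, so the enriched IP appears in the URL and therefore in browser history and any proxy logs, and if your Search Head serves TLS you should use https:// in link.uri rather than the http:// shown in the example.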
If you have any questions or need assistance please reach out to [email protected]