Pivoting to Recorded Future Enrichment Data in Splunk

These instructions show you how to add a workflow action for easy pivoting to enrichment data from any event in Splunk. Here we assume you have already installed the Splunk Enterprise integration from Recorded Future.

This is a typical event view within the Search app in Splunk; notice that only limited actions are available:

pivoting-recorded-future-enrichment-data-splunk-screenshot1.png

pivoting-recorded-future-enrichment-data-splunk-screenshot2.png

It is important to note the fields you want to enrich. In this case we will use “dst”, as this is the destination of traffic passing through our firewall from our network.

Step 1. Go to Settings > Fields on your Splunk Search Head:

pivoting-recorded-future-enrichment-data-splunk-screenshot3-.png

Step 2. Select “Add new” to the right of Workflow actions:

pivoting-recorded-future-enrichment-data-splunk-screenshot4-.png

Step 3. Select “TA_recordedfuture-cyber” as the destination app. NOTE: You can select another app as the destination; we recommend this app only for organization and for possible role-based access control:

pivoting-recorded-future-enrichment-data-splunk-screenshot5.png

Step 4. Select a unique name for your workflow action:

pivoting-recorded-future-enrichment-data-splunk-screenshot6.png

Step 5. Select a label for your Workflow Action. NOTE: You can use the variable $dst$ in this field so the menu reads “RF Enrich IPADDRESS” (used in this example), or use a static value like “RF destination enrichment”:

pivoting-recorded-future-enrichment-data-splunk-screenshot7.png

Step 6. Select the field we wish to enrich:

pivoting-recorded-future-enrichment-data-splunk-screenshot8.png

Step 7. If you want to restrict the action to specific event types, enter them here; otherwise leave this blank. NOTE: Event types are typically defined as part of a TA or app, but an event type can be created from any search. Example: creating an event type named fwaccepts with the search string “index=extfws sourcetype=netscreen:firewall action=allowed” would restrict the workflow action so that it is not displayed for traffic from other devices or for traffic dropped by the firewall.

pivoting-recorded-future-enrichment-data-splunk-screenshot9.png

Step 8. Select “Both” for Show action and “link” for Action type in the dropdown menus.

pivoting-recorded-future-enrichment-data-splunk-screenshot10.png

Step 9. Enter http://yoursearchhead.company.com/en-US/app/TA_recordedfuture-cyber/recorded_future_ip_enrichment?form.name=$dst$ into the URI field, where yoursearchhead.company.com is the DNS name of your Splunk Search Head. NOTE: We are replacing the end of the URI with the variable for our selected field, “$dst$”:

pivoting-recorded-future-enrichment-data-splunk-screenshot11.png

Step 10. Select Open link to “New Window” and Link Method to “Get” in the dropdown menus:

pivoting-recorded-future-enrichment-data-splunk-screenshot12.png

Step 11. Select “Save” in the bottom right corner to save your Workflow Action:

pivoting-recorded-future-enrichment-data-splunk-screenshot13-.png

After the new Workflow Action is saved, it is set up as private and is only available within the Recorded Future app:

pivoting-recorded-future-enrichment-data-splunk-screenshot14-.png

Step 12. Select Permissions to the right of the Workflow Action.

Step 13. Select “All apps” to enable the pivot from other Splunk apps, set the appropriate “Role permissions” for the Workflow Action, and then select Save:

pivoting-recorded-future-enrichment-data-splunk-screenshot15-.png

Step 14. Select an event (in any app, if permissions are set to global). You should now see your Workflow Action available through the event menus:

pivoting-recorded-future-enrichment-data-splunk-screenshot16.png

pivoting-recorded-future-enrichment-data-splunk-screenshot17.png

When you select the action, a new window/tab opens with the entity enrichment dashboard:

pivoting-recorded-future-enrichment-data-splunk-screenshot18.png
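For reference, here is the same configuration expressed as Splunk .conf stanzas, so it can be reviewed or deployed without clicking through the UI. This is an added example, not part of the original instructions or of the Recorded Future app; the stanza name RF_enrich_dst, the file paths under local/, and the roles in the access line are assumptions to adjust for your environment.

```ini
# etc/apps/TA_recordedfuture-cyber/local/workflow_actions.conf
# Equivalent of Steps 3-11 above (stanza name RF_enrich_dst is assumed)
[RF_enrich_dst]
type = link
# $dst$ is substituted with the field value, so the menu reads "RF Enrich 203.0.113.5"
label = RF Enrich $dst$
fields = dst
# Remove this line to show the action on every event (Step 7)
eventtypes = fwaccepts
display_location = both
link.method = get
link.target = blank
# Scheme and host must match how analysts reach Splunk Web (use https if TLS is enabled)
link.uri = http://yoursearchhead.company.com/en-US/app/TA_recordedfuture-cyber/recorded_future_ip_enrichment?form.name=$dst$

# etc/apps/TA_recordedfuture-cyber/local/eventtypes.conf
# The example event type from Step 7: only allowed firewall traffic from these devices
[fwaccepts]
search = index=extfws sourcetype=netscreen:firewall action=allowed

# etc/apps/TA_recordedfuture-cyber/metadata/local.meta
# Equivalent of Steps 12-13: share with all apps, readable by everyone, writable by admin (roles assumed)
[workflow_actions/RF_enrich_dst]
export = system
access = read : [ * ], write : [ admin ]
owner = admin
```

After editing these files, reload the configuration (for example by visiting /debug/refresh on the search head) before checking the event menu as in Step 14.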

If you have any questions or need assistance please reach out to [email protected]