Setup Alert monitoring
Alert monitoring is configured in Configuration -> Inputs. By default no alert monitoring is configured.
Adding an alert monitoring input will do the following:
- The app will reach out to Recorded Future's API and look for alerts that match the configured criteria.
- If there are Recorded Future alerts that match, information about these will be retrieved. For each of these alerts an event (sourcetype rf:alerts) will be created in the Splunk system. Using these events it's possible to set up Splunk based alerts or generate reports.
The app does not keep track of whether it has already retrieved an alert or not. As long as the alert matches the filter criteria an event will be created, so the same alert produces a new rf:alerts event on every poll for as long as it matches.
Add alert monitoring
Click on the green "Create New Input" and select "Recorded Future
- The Name is the risklist handle.
- The interval controls how often Splunk will poll for alerts. Default is every 300 seconds but this can be adjusted according to company requirements. Small intervals may consume many API credits but long intervals may result in delays between when a Recorded Future alert is triggered and when it is available in Splunk.
- Index controls the index where the rf:alerts events are indexed. Make sure to select an index with correct role assignments - leave it at main/default if you are unsure.
- Alert status. By default the filter matches any alert status but this can be configured as needed.
- Triggered: filter on when the alert was triggered. Default is anytime.
  The notation is the same as in the Recorded Future web client. Ex:
  - "-2d to now"
  - "-2h to -1h"
- Alert rule. By default any alert rule will be matched but it is possible to specify a particular rule if required.
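To make the filter semantics concrete, the following is an added example (not code from the app or from Recorded Future) that applies the same three criteria (triggered window in the "-2d to now" notation, alert status, alert rule) to a constructed list of alert records, and then deduplicates the resulting events by alert id, which is the step the app itself does not perform. The unit letters (d = days, h = hours), the record field names and the status values are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed meaning of the relative notation: "-2d" = two days ago, "-1h" = one hour ago,
# "now" = the moment of the poll. Only the units shown on the page are supported.
_UNITS = {"d": "days", "h": "hours"}
_REL = re.compile(r"^(-\d+)([dh])$")


def parse_bound(token, now):
    """Turn one side of a range ('now', '-2d', '-1h') into an aware datetime."""
    token = token.strip()
    if token == "now":
        return now
    m = _REL.match(token)
    if not m:
        raise ValueError(f"unsupported time token: {token!r}")
    amount, unit = int(m.group(1)), m.group(2)
    return now + timedelta(**{_UNITS[unit]: amount})


def parse_range(spec, now):
    """Parse 'A to B' into (start, end) and reject inverted ranges."""
    left, sep, right = spec.partition(" to ")
    if not sep:
        raise ValueError(f"range must look like '-2d to now': {spec!r}")
    start, end = parse_bound(left, now), parse_bound(right, now)
    if start > end:
        raise ValueError(f"range start is after end: {spec!r}")
    return start, end


def select_alerts(alerts, *, triggered, now, status=None, rule=None):
    """Apply the input's criteria: triggered window plus optional status and rule.

    status=None / rule=None mirror the input's defaults of matching anything.
    """
    start, end = parse_range(triggered, now)
    matched = []
    for alert in alerts:
        t = datetime.fromisoformat(alert["triggered"])
        if not (start <= t <= end):
            continue
        if status is not None and alert["status"] != status:
            continue
        if rule is not None and alert["rule"] != rule:
            continue
        matched.append(alert)
    return matched


def dedupe_by_id(events):
    """Keep the first event per alert id.

    The app re-creates an event for every alert that still matches on each poll,
    so downstream searches or reports should collapse repeats like this.
    """
    seen = set()
    unique = []
    for event in events:
        if event["id"] in seen:
            continue
        seen.add(event["id"])
        unique.append(event)
    return unique


# Constructed sample data (hypothetical alert records, not real Recorded Future output).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": "a1", "triggered": "2024-01-10T11:30:00+00:00", "status": "new", "rule": "Leaked Credentials"},
    {"id": "a2", "triggered": "2024-01-10T10:15:00+00:00", "status": "resolved", "rule": "Leaked Credentials"},
    {"id": "a3", "triggered": "2024-01-07T08:00:00+00:00", "status": "new", "rule": "Typosquat"},
    # The same alert as a1, seen again on the next poll because nothing tracks what was fetched.
    {"id": "a1", "triggered": "2024-01-10T11:30:00+00:00", "status": "new", "rule": "Leaked Credentials"},
]


def poll_once(triggered="-2d to now", status=None, rule=None):
    """One simulated poll: filter, then deduplicate. Returns the unique alert ids."""
    events = select_alerts(SAMPLE_ALERTS, triggered=triggered, now=NOW, status=status, rule=rule)
    return [e["id"] for e in dedupe_by_id(events)]


if __name__ == "__main__":
    print(poll_once())                                  # ['a1', 'a2']
    print(poll_once(triggered="-2h to -1h"))            # ['a2']
    print(poll_once(triggered="-7d to now", rule="Typosquat"))  # ['a3']
```

The window check is inclusive on both ends; if the real client treats one end as exclusive, adjust the comparison in select_alerts. Running poll_once with the default window shows the duplicate a1 record collapsing to a single id, which is the behaviour a Splunk-side search would need to reproduce (for instance by deduplicating on the alert id field) before counting or reporting on rf:alerts events.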
Maintaining alert monitoring
In the list of configured Inputs (Configuration -> Inputs) there are drop-down menus for each input.
Use "Edit" to reconfigure the alert monitoring. To disable the monitoring use "Disable"; it can be re-enabled at any time from the same drop-down menu.