Splunk Enrichment Dashboards

The Recorded Future Enrichment Dashboards use the Recorded Future API to fetch all information about an entity, such as IP address or domain.

The different types of Enrichment dashboards may contain the following elements:

  • Summary shows a short summary of the collected information.
  • The Risk meter graphically displays the current risk score.
  • Triggered Risk Rules show the rules that have been triggered.
  • Total Reference Count shows the number of references collected over time.
  • Context of up to 15 different category types related to the entity, such as Related Attacker, Related Malware, and Related Technologies.
  • References contain two tables showing recent and first references.

The actual elements displayed depend on the type of entity and on the information available. Elements that do not contain any information are not displayed.

Dashboard Sections

Summary

The summary shows all the basic information about an entity, such as number of references, criticality, risk score, and dates of the first and last reference.

[Figure: Enrichment summary]

Threat Research Insikt Group

Any related analyst notes will be listed here.

Triggered Risk Rules

The risk rules triggered by the entity are shown here, with up to 10 entries per page. The table is sorted by the criticality column (1-5), which is color coded to better show the severity of each entry.

Total Reference Count

A graphical representation based on the timestamps of the references related to the entity. It can be explored further by selecting a narrower time interval with the mouse or by using the options in the lower right corner (such as Open in search or Inspect).

[Figure: Total reference count]

Related Entities

Up to 15 tables containing related entities will be shown here. The different types of related entities are:

  • Related Attacker
  • Related Target
  • Related Actors
  • Related Malware
  • Related Vulnerabilities
  • Related IP Addresses
  • Related Domains
  • Related Products
  • Related Countries
  • Related Hashes
  • Related Technologies
  • Related E-Mail Addresses
  • Related Attack Vectors
  • Related Malware Categories
  • Related Operations

All items in the tables are linked to further information, either another Enrichment Dashboard or an Intelligence Card in the Recorded Future Portal.

References

This section consists of two tables: one showing the first references and one showing the most recent references, based on when each reference was added to the Recorded Future system.

Special elements

GEOIP and CIDR details

This table contains the risk score and geographical information of the registered subnet related to the IP address. The table is sorted by risk score and is only available in the IP Address Enrichment Dashboard.

In Threat Lists

This table displays information about other risk lists that contain the entity. It is only available in the IP Address Enrichment Dashboard and the Domain Enrichment Dashboard.

NVD Summary

This panel shows a summary and related information from the National Vulnerability Database by NIST. It is only available in the Vulnerability Enrichment Dashboard.

Affected Version

This table contains the software and versions which are affected by the vulnerability. It is sorted by software and version number and is only available in the Vulnerability Enrichment Dashboard.

Advisories, Assessments and Mitigations

This section displays links to various documents which contain more information about the vulnerability. It is only available in the Vulnerability Enrichment Dashboard.

Further Help

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com