Splunk Explorer Dashboard

The Splunk Explorer Dashboard is found under Other → Splunk Explorer Dashboard. It is designed to perform a quick correlation between the Recorded Future Risk Lists and a subset of Splunk events. The Dashboard uses a REST call to find all the available lookup files in the lookups folder within the Splunk App.

To perform a new correlation:

• Select a Risk List in the first drop down menu.
• Select one of the available source types, specified in the local install, in the second drop down menu.
• The fields contained in third drop down menu depends on the source type. The correlation will start automatically when the field is chosen.

The following panels show the result of the correlation:

• Current Entity Risk List Size shows the number of items in the selected Risk List.
• Events with the Selected Values displays the number of events in Splunk which contain the selected source type and field during the last 36 hours.
• Recorded Future Match Count of Selected Values contains the number of events where the chosen field matches one item in the Risk List.
• Most Active Selected Values displays the most frequently occurring values in the selected field and source type.
• Recorded Future Matches Details of Selected Values shows the correlated matches enriched with information from the Risk List.

Below is an example screenshot of the Splunk Explorer Dashboard using an IP address Risk List combined with firewall logs/dst as source type/field where dst typically stands for destination IP address.

Example of the Splunk Explorer Dashboard

Further Help

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com