Recorded Future App for Splunk Help

Upgrade Documentation

The 5th generation is a complete re-engineering of the app. While most of the changes are not visible, there are some significant technical and behavioural changes:

  • The configuration view and the underlying code have been completely rewritten.
  • Recorded Future Alerts are no longer indexed, instead they are retrieved when needed.
  • Modular Inputs previously used to fetch Risk Lists and Alerts have been replaced by new endpoints in a custom REST handler used by saved searches.

Recommended upgrade procedure

We recommend that all clients uninstall the old version of the app (once the current configuration and any customizations have been documented) and then install the new version.

Caution

The new app does not attempt to migrate configuration from previous major versions (4.x or lower). Any non-default Risk Lists, Alert configurations, Proxy settings or similar must be configured again, including the API key. We recommend documenting the configuration before upgrading.

Due to the way Splunk handles app upgrades, customized dashboards, saved searches or similar items (stored in the app's local directory) take precedence over the updated default versions shipped in the new app, so the new versions are silently hidden. For this reason, clients with customized items in the app should remove the old app and then install the new version. Please document the customizations before doing this.

Changed behaviour

  • The Modular Inputs used to fetch Risk Lists have been replaced by two custom REST endpoints and a saved search. One of the REST endpoints acts as a scheduler, the other performs the actual fetching of a Risk List. The saved search calls the scheduler every five minutes.
  • The Modular Inputs-based Alerts mechanism has been replaced by a custom REST endpoint. The previous version of the Alerts dashboard searched for alert events and presented these. The new version connects directly to Recorded Future’s API and displays the current state of configured alert rules. Clients with a system relying on the indexed events can reproduce this functionality by means of a scheduled saved search.

Initial configuration

The app must first be configured with an API key, which gives the app access to Recorded Future’s API. Directly after installation the API key field may look populated, but no key is stored; a key must be entered. Treat the key as a credential: enter it through the configuration page rather than copying it into dashboards or searches.

When upgrading from 4.x to 5.x, the upgraded app will have only the default settings. Any customization will have to be added again.

Risk List configuration

Risk Lists are configured under the “Risk Lists” tab of the configuration page. The app is pre-configured with the default Risk Lists. These cannot be deleted but they can be disabled. Their update intervals can also be changed.

Additional Risk Lists have to be added manually.

The minimum amount of time between Risk List updates is controlled by a new setting, “Update Interval”. It specifies the time that must have elapsed since the last update before a new update is attempted. Even when the interval has elapsed, a Risk List is only downloaded if a new version of it is available; it is not possible to update more frequently than new versions are published on the API.

Alert configuration

Alert inputs are configured under the “Alerting Rules” tab of the configuration page. A new setting, “limit”, specifies how many alerts are fetched for that specific input.

Upgrading Customized Dashboards and menus

Enrichment dashboards

Customized Enrichment dashboards will hide the new versions of corresponding dashboards supplied in the new version. Some of these have been improved and extended but these new features will be hidden by the old customized version. It is recommended that the local version is removed and that the customization is made to the new version instead.

Correlation dashboards

The correlation dashboards have only had minor changes, such as hiding the Action, Zone and “Log Source” fields in the bottom table, but this should not have any functional impact on customized dashboards.

Alerts dashboard

The previous version of the Alerts dashboard used a search to list triggered Recorded Future Alerts matching the configuration and time range. In the new version the alerts are not indexed, and therefore the dashboard has been adapted to rely on the new REST endpoint for alerts. If the Alerts dashboard has been customized, its search must be updated accordingly.

The rest command is as follows, where ALERT_STANZA stands for the name of the configured alert rule:

| rest /services/TA-recordedfuture/download_alerts/ALERT_STANZA

Other cleanup that may be required

To avoid errors from btool, it is recommended to either remove all the modular input stanzas from inputs.conf manually or to remove the file, as it is no longer used. Running “splunk btool inputs list --debug” after the cleanup shows which file any remaining stanza comes from, so leftover stanzas are easy to spot.

If any information needs to be indexed, this can be accomplished by setting up a scheduled saved search using the makeresults command.
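For clients who relied on the indexed alert events of 4.x (see Changed behaviour and the Alerts dashboard section above), the following savedsearches.conf stanza is an added example of such a scheduled saved search; it is not configuration shipped with the app. It calls the alert REST endpoint shown above and writes the results as events with the collect command. The app directory name TA-recordedfuture is taken from the REST path on this page; the rule name my_alert_rule, the index rf_alerts, the sourcetype and the schedule are assumptions to adapt to your environment.

```ini
# Added example, not part of the app: re-create indexed alert events by
# polling the 5.x REST endpoint from a scheduled saved search.
# Place in $SPLUNK_HOME/etc/apps/TA-recordedfuture/local/savedsearches.conf
# (path is an assumption based on the app name in the REST endpoint).

[Recorded Future - index alerts for my_alert_rule]
# my_alert_rule: name of the alert rule configured under "Alerting Rules" (assumed)
# Run every 10 minutes; choose an interval no shorter than the rule's update cadence
enableSched = 1
cron_schedule = */10 * * * *
# Let the scheduler delay the run up to its next occurrence instead of skipping it
schedule_window = auto
# rest returns the current state of the rule; collect writes each result as an
# event into the index. Index and sourcetype are assumptions; the index must exist.
search = | rest /services/TA-recordedfuture/download_alerts/my_alert_rule | collect index=rf_alerts sourcetype=recordedfuture:alert
```

Two checks before relying on this: the endpoint returns the current state of the rule rather than only new alerts, so consecutive runs will re-index alerts that are already present; deduplicate at search time or filter on the alert's timestamp field before collect (the field names depend on the endpoint's output). The owner of the saved search must be allowed to read the app's REST endpoint and must hold the run_collect capability, otherwise the search fails silently in the scheduler. Confirm the stanza is picked up with “splunk btool savedsearches list --app=TA-recordedfuture --debug”.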

Compatibility with Splunk ES app

A clean installation of the Recorded Future App for Splunk Enterprise is recommended when it is paired with our Splunk ES app. This is due to potential problems related to poor code isolation between apps in Splunk.

Further Help

Recorded Future clients can request any additional help or assistance with installation through their account team or on-boarding manager.

“Recorded Future App for Splunk” has been developed by Recorded Future.

Further information and support can be found on our Support web site: support.recordedfuture.com