Verwenden der Alert-API zum Anzeigen aufgezeichneter zukünftiger Alerts in Splunk
Einführung
With the new Alert API introduced in 2018, clients can access their Recorded Future alerts programmatically. In this support page, we outline how Splunk Integration clients can use the Alert API to incorporate alerts into Splunk. For a general overview of how to use the Alert API, check out this support page.
Beachten Sie, dass bei dieser Add-on-Funktionalität davon ausgegangen wird, dass eine 3.x-Version der Splunk Enterprise Integration Application (Kern) von Recorded Future (siehe https://splunkbase.splunk.com/app/2629/) installiert ist. Außerdem wird in v4.x dieser Integrationsanwendung (Release im September 2018) ein "Alerts"-Dashboard in das Standardpaket integriert.
Grundlegende Anweisungen
- The alerts.py file should be places in the bin directory of the Recorded Future App.
- Möglicherweise muss die Datei in splunk:splunk umgewandelt werden
- Möglicherweise muss die Datei auf 755 chmod geändert werden
- .conf files should be placed into local directory of the Recorded Future App.
- Möglicherweise müssen Dateien in splunk:splunk umgewandelt werden
- May need to adjust path in files if splunk home directory is not /opt/splunk/
- Copy xml file into the local/data/ui/views directory of the Recorded Future App.
- Möglicherweise müssen Dateien in splunk:splunk umgewandelt werden
- May need to adjust permissions for access, set global view (all apps, everyone read, admin write)
- Will need to add to default navigation for visibility in the app
The scripts should pull the api key stored in the kv store,
nothing should need to be entered. If you have any
issues during the setup or configuration, please schedule
a remote session through your account team. The user
for the API key must have alerts shared with them in order
to pull the alerts from the API.