Overview of risklists
Risk lists can be used to correlate and enrich events. Each element in a risk list (e.g. an IP address, a URL or a hash) carries a risk score and information about why that score has been assigned.
Correlation
Any risklist that is configured is downloaded to the Splunk server and processed locally. Part of this information is inserted into the Threat Intelligence framework that is part of Splunk Enterprise Security. The framework maintains lists of Indicators of Compromise (IOCs) from external sources (such as Recorded Future).
If an event matches an entry in the appropriate list it is flagged for possible further action. Examples of further action are correlation searches such as the "Threat Activity Detected" rule. Events matching this rule are highlighted as Notable events in Splunk Enterprise Security.
Enrichment
Any downloaded risklist is also stored as a lookup table. Recorded Future's Add-on for Splunk Enterprise Security has pre-configured saved searches that look at notable events and create new notable events for any event where additional data is available. The new event contains additional information such as the Recorded Future Risk Score and details of why this risk has been assigned to the IOC.
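To make the two steps above concrete, here is a small added example (not code from the Recorded Future add-on or from Splunk ES) of what correlation and enrichment do with a downloaded risk list: a constructed CSV is loaded as a lookup keyed by indicator, sample events are matched against it, and each match is annotated with the risk score and the evidence behind it. The column names (Name, Risk, RiskString, EvidenceDetails), the field names watched (src, dest) and all sample data are assumptions made for this illustration.

```python
"""Illustrative correlation and enrichment over a risk-list lookup.

Added example, not the add-on's or Splunk's own code. The CSV layout
(Name, Risk, RiskString, EvidenceDetails) and the events are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed risk list. The column layout is an assumption for this example.
RISKLIST_CSV = """Name,Risk,RiskString,EvidenceDetails
203.0.113.7,89,3/45,Recent C2 Server;Historical Bad SSL Certificate
198.51.100.23,25,1/45,Historically Reported by Insikt Group
"""

# Constructed sample events as field dictionaries, the way Splunk would
# present them after field extraction.
EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "src": "10.0.0.5", "dest": "203.0.113.7", "action": "allowed"},
    {"_time": "2024-05-01T10:00:05Z", "src": "10.0.0.9", "dest": "192.0.2.44", "action": "allowed"},
    {"_time": "2024-05-01T10:00:09Z", "src": "198.51.100.23", "dest": "10.0.0.5", "action": "blocked"},
]


@dataclass
class RiskEntry:
    indicator: str
    risk: int
    risk_string: str
    evidence: list


def load_risklist(csv_text):
    """Parse the risk list into a lookup keyed by indicator (the lookup-table role)."""
    lookup = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        lookup[row["Name"]] = RiskEntry(
            indicator=row["Name"],
            risk=int(row["Risk"]),
            risk_string=row["RiskString"],
            evidence=[e.strip() for e in row["EvidenceDetails"].split(";") if e.strip()],
        )
    return lookup


def correlate(events, lookup, fields=("src", "dest")):
    """Correlation: return (event, matched_field, entry) for every event whose
    watched field equals a risk-list indicator."""
    hits = []
    for ev in events:
        for f in fields:
            entry = lookup.get(ev.get(f))
            if entry is not None:
                hits.append((ev, f, entry))
    return hits


def enrich(hits, min_risk=0):
    """Enrichment: build a notable-style record carrying the score and the
    evidence behind it. min_risk lets an analyst suppress low-score matches."""
    notables = []
    for ev, f, entry in hits:
        if entry.risk < min_risk:
            continue
        notables.append({
            "time": ev["_time"],
            "matched_field": f,
            "indicator": entry.indicator,
            "rf_risk_score": entry.risk,
            "rf_risk_string": entry.risk_string,
            "rf_evidence": entry.evidence,
        })
    return notables


def run(csv_text=RISKLIST_CSV, events=EVENTS, min_risk=0):
    """Full pipeline: load the lookup, correlate events, enrich the matches."""
    return enrich(correlate(events, load_risklist(csv_text)), min_risk)


if __name__ == "__main__":
    for notable in run():
        print(notable)
```

Running the block as-is produces two enriched matches (the allowed connection to 203.0.113.7 and the blocked connection from 198.51.100.23); raising min_risk to 50 keeps only the high-score one, which is the kind of threshold an analyst would tune before turning every match into a notable.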
Default risklists
By default the app ships with four risk lists pre-configured:
- IP number
- Domain names
- URLs
- Hashes
If you have Fusion access it is possible to define and read additional risk lists.
Manage risklists
Navigate to Configuration->Inputs. This shows all configured inputs (both risk lists and alert monitoring). Clicking on the > sign expands additional information about a list.
Under the Actions drop-down it is possible to enable/disable, delete, clone or edit a list.
Add or modify risklists downloads
To create an additional risk list, click on the green "Create New Input" button and select Recorded Future risk list.
Field | Significance | Comment |
---|---|---|
Name | Risk list name within the Splunk instance. The lookup file will be named <name>.csv. | |
Interval | The list will be checked for updates after this many seconds. This should be set to 300. | This specifies how often the list is checked. Updates only occur if the list has been updated. |
Index | The modular input produces statistics when running. Set the index where these will be stored. | Make sure to select an index with correct role assignments - leave to main/default if you are unsure. |
Risk list category | Select which kind of element the risk list has data about. | IP, Domain, Hash, Vulnerability or URL |
Fusion file | The path to the Fusion risk list. If the list is to be used as a lookup, the Fusion Flow must be defined to produce an uncompressed csv file. | Must correspond to a defined Fusion file. If this field is left blank the default risk list for the category will be used. |
Once the new risklist has been set up it is downloaded and made available to Splunk's Threat Intelligence framework. Typically this is done within a couple of minutes. Once complete, the risklist is used for detection of suspicious IOCs.
Enabling enrichment, however, requires a new correlation search:
- Go to Settings->Searches, reports and alerts
- Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".
- Locate "Threat - RF IP Threatlist Search - Rule" (or corresponding Domain, Hash or URL depending on what type of risklist it is).
- In the "Edit" dropdown menu, select "Clone".
- Change the "New Title" field to something sensible, e.g. "Threat - RF IP My Custom Threatlist Search - Rule".
- Consider changing the description.
- Ensure the Permissions are set to Clone.
- Go to Settings->Searches, reports and alerts
- Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".
- Click on the newly created search.
- Change the Search: change the first parameter of the macro (e.g. rf_ip_risklist) to the name of the new risklist.
- Save.