Additional Information for setting up on Splunk ES
Setup Splunk Enterprise Security
The app has built-in support for Splunk Enterprise Security. The support is available when the app is installed on a search head together with Splunk ES.
Required steps to use the Splunk ES functionality
Enable Splunk ES support
In the Recorded Future for Splunk menu, select Configure. Ensure that the switch to enable support for Splunk ES is enabled.
Required configuration within Splunk ES
To be able to use the full features of Splunk ES functionality, some configuration has to be done in Splunk Enterprise Security.
- In the Enterprise Security menu bar, click Configure → Incident Management → Incident Review Settings.
- Click the button 'Add new entry' in the "Incident Review - Event Attributes" section. Add the following Label and Field Combinations:
Label | Field |
---|---|
RF Risk Score | rf_a_risk |
RF Triggered Rules | rf_b_rules |
RF Very Malicious Evidence | rf_evidence_critical |
RF Malicious Evidence | rf_evidence_malicious |
RF Suspicious Evidence | rf_evidence_suspicious |
RF Unusual Evidence | rf_evidence_unusual |
- A restart of the Splunk instance will be required once the installation has completed.
-
If you haven't already done so, enable the Enterprise Security correlation
search called "Threat Activity Detected"
- In the Enterprise Security menu bar, click Configure → Content Management
- In the filter bar, type "Threat Activity Detected"
- Click the link 'Enable' to enable the correlation search
Enrichment of detected events
Splunk ES detects suspicious events using it's built-in Threat Intelligence framework. Recorded Future leverages the framework to perform detection of suspicious events.
Once an event has been detected it is however necessary to enrich it to make triage efficient. This can be done in two ways:
- Using saved searches which adds data from Recorded Future's Risk Lists to the events.
- Using the provided Adaptive Response action. This method makes a query to Recorded Future's API to fetch up-to-date information.
See below for instructions on how to activate respective method.
Saved Searches to perform Enrichment
By default the app will enable four saved searches that will perform the enrichment of any compatible notable events. See below for the steps needed to switch to Adaptive Response based Enrichment.
Adaptive Response (AR) to perform Enrichment
To activate Adaptive Response (AR) the following steps needs to be performed:
-
Turn off the searches that enrich notable events:
- Go to Configure → Content Management
- Disable "RF IP Threatlist Search", "RF Domain Threatlist Search" and "RF Hash Threatlist Search" (easier to find if you use the app filter, but not necessary).
-
Click on "Threat Activity Detected" to open the settings.
- Next to "Adaptive Response Action", click on "Add New Response Action"
- Select Recorded Future's action
- Leave default "Automatic" selection.
- Click save
Adaptive Response Ad-hoc invocation
Ad-hoc invocations of Adaptive Response can be made - ex from the Incident Review
dashboard. The user invoking the Adaptive Response in this way must have the list_storage_passwords
capability.