Recorded Future FAQs | Comparably
Recorded Future delivers the world’s most advanced security intelligence to disrupt adversaries, empower defenders, and protect organizations. With proactive and predictive intelligence, Recorded Future’s platform provides elite, context-rich, actionable intelligence in real time that’s ready for integration across the security ecosystem. Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture.

Recorded Future FAQs

Recorded Future's Frequently Asked Questions page is a central hub where its customers can go with their most common questions. These are the 59 most popular questions Recorded Future receives.

Frequently Asked Questions About Recorded Future

  • Certain features and functionality are limited to Admin users within your Recorded Future enterprise. These features include:

    Viewing API Usage for all tokens in your enterprise

    Enabling and configuring Intelligence Card extensions

    Configuring which lists in your enterprise are mapped to the Threat View Watch Lists

    Creating additional Organizations for Multi-Org Threat Views

    Changing ownership of workspace items

    Pinning items to a user's workspace

    Importing lists by entity ID

    To confirm if you are an Admin user or not, simply click on the menu in the top-right corner of the Web App. If you see "Extensions," "Watch List Configuration," and "Threat View Configuration," you are an Admin user.

    If you do not see these menu options, you are not an Admin user. If you believe that you should have these capabilities, please reach out to your Intelligence Services Analyst.

  • Recorded Future officially supports the following web browsers: Google Chrome (recommended), Mozilla Firefox, Safari, and Edge.

    Internet Explorer support (all versions) will be deprecated on December 15, 2019. We recommend migrating to a browser listed above to ensure an optimal Recorded Future experience. Our practice is to support the latest major release of each browser and to support the previous major release for a transition period of at least 24 months.

    Please consider the following:

    Make sure Javascript is enabled.

    Older versions of the above-listed browsers may not provide a full experience and it is recommended that you update to the latest version of the browser you choose.

    In Internet Explorer, the high-security level for the Internet zone will prevent some Recorded Future views from displaying. You can resolve this issue by configuring Internet Explorer to run Recorded Future at the medium-high security level, either by adding Recorded Future to your list of trusted sites or by lowering the security level for the Internet zone to medium-high.

    Separately, please add recordedfuture.com to your browser's trusted sites.

  • This is a list of our current technology integrations. In particular, these integrations use Recorded Future's API to pull information into a partner's platform. They require a Recorded Future API subscription to enable.

    Some abbreviations used:

    IR = Incident Response

    SIEM = Security Information and Event Management

    SOAR = Security Orchestration, Automation and Response

    TIP = Threat Intelligence Platform

    Partner | Product | Product Category | Use Cases
    Anomali | ThreatStream | TIP | Correlation, Enrichment
    Brinqa | Brinqa | Vulnerability management | Risklist summary, Enrichment
    Carbon Black | Carbon Black | Endpoint Protection | Hash risklist
    EclecticIQ | EclecticIQ | TIP | Correlation, Enrichment
    Exabeam | Incident Response | IR | Enrichment
    IBM | QRadar | SIEM | Correlation, Enrichment
    IBM | Resilient | IR | Enrichment
    IBM | X-Force Exchange | Threat Intelligence Exchange | Enrichment
    King & Union | Avalon | Deep Analysis | Enrichment
    LogRhythm | LogRhythm | SIEM | Correlation, Enrichment
    Maltego | Maltego | Deep Analysis | Entity transformations
    McAfee | Enterprise Security Manager | SIEM | Correlation
    Microfocus | ArcSight | SIEM | Correlation, Enrichment
    Palantir | Palantir | Deep Analysis | Varies by client
    Palo Alto Networks | Demisto | SOAR | Various automated workflows
    Palo Alto Networks | Minemeld | TIP | Threat intelligence collection, aggregation, and distribution
    Polarity | Polarity | Enrichment Tool | Enrichment
    Protectwise | Protectwise | Network Analysis | Enrichment
    RSA | Archer | GRC | Third-Party Risk
    RSA | Archer | GRC | Vulnerability management
    RSA | Netwitness | SIEM | Correlation
    ServiceNow | Third-Party Risk Management | Vendor and business partner portfolio management | Third-Party Risk
    ServiceNow | Security Operations: Security Incident Response and Threat Intelligence | Incident Response | Enrichment
    Splunk | Splunk Enterprise | SIEM | Correlation, Enrichment, Alerts from Recorded Future
    Splunk | Splunk ES | SIEM | Correlation, Enrichment, Alerts from Recorded Future
    ThreatConnect | ThreatConnect | TIP | Correlation, Enrichment (Playbook and automation integration priced separately)
    ThreatQuotient | ThreatQ | TIP | Correlation, Enrichment
    Versive | Versive Security Engine (VSE) | Network Analysis | Enrichment

  • Threat Actor Intelligence Cards (aka Threat Actor Cards) provide an on-demand summary of essential information related to a specific threat actor group. Threat Actor Cards are updated in real time as Recorded Future collects new information. You can use Threat Actor Cards as a starting point when identifying a threat actor and making a risk assessment for your organization, or when updating a risk assessment. Threat Actor Cards are also pivot points during investigations that start with an indicator, malware tool, or vulnerability. Descriptions of several common components of the Threat Actor Card are found in the Overview of Intelligence Cards; the details below are specific to the Threat Actor Card:

    Heading

    The heading section identifies the Threat Actor Group. Many cards list multiple names for the same group, as used by different communities of practitioners, researchers, and vendors.

    Many Intelligence Cards link threat actors to one or more Threat Actor Categories. These categories organize threat actors into risk areas like financially motivated, nation-state sponsored, and hacking communities. Categories also capture the Country from which the threat actor group is reported to operate. The Nation State Sponsored categories represent APT threat actors who use advanced methods to remain persistent in target networks, often with the objective of exfiltrating high-value data.

    Identification, attribution, and characterization of threat actor groups is notoriously difficult. The assignment of threat actor groups to countries and categories in Recorded Future is not intended as a definitive statement of fact. Instead, it captures the consensus or leading hypothesis in the security community, as observed by our team, or links a threat actor group to multiple categories when there are strong competing hypotheses in the security community. We welcome feedback, suggestions, and critiques on threat actor metadata. Please use the Request Data Review action to contact us.

    Recent Event Timelines

    Most Threat Actor Cards present two timelines. The first timeline section, colored in blue, gives summary metrics for all reporting involving the Threat Actor, and shows a timeline of reporting in the last 60 days.

    The second timeline section summarizes reported Cyber Attack and Cyber Exploit events where the Threat Actor was directly reported as the attacker. Each day in the cyber event timeline is color-coded by the criticality of the Cyber Threat signal for this Threat Actor on that date.

    Targeting and Operations

    This section summarizes Methods, Targets, and Operations or Campaigns from Cyber Attack events where this Threat Actor was directly reported as the attacker. Methods include generic attack vectors, malware tools and malware categories, and vulnerabilities. You can click on any of these top entities to view the events reporting this link. Use the Show in Timeline action to drill down and see more related entities in the Timeline, Table, Tree Map, etc.

    Context

    This section summarizes other infrastructure and entities reported with the Threat Actor, organized by entity type. You can view the specific events for each link by clicking on the related entity in the list. Current risk scores are shown where available. You can view more related entities, beyond the top list shown in the Intelligence Card, by clicking the Show in Table action.

    Recent References and First Reference

    Each Threat Actor Card concludes with a set of individual references, highlighted based on time of reporting (most recent report and first report) or highlighted as the most recent report from an event type or group of sources. These highlighted recent events include Cyber Events, Paste Sites, Social Media, Information Security sources, Underground Forums, and Dark Web sources.

  • Recorded Future maintains a list of relevant sub-contractors and vendors on this Support page, and will add the names of new and replacement sub-contractors/vendors as appropriate.

    Name of company | Use Case | Location
    Recorded Future, Inc. | Primary Vendor | 363 Highland Avenue, Somerville, MA 02144
    Amazon Web Services, Inc. | Server | 2021 Seventh Ave., Seattle, Washington 98121, USA
    Atlassian (JIRA, Confluence, Statuspage) | Development Tools | Level 6, 341 George Street, Sydney, NSW 2000, Australia
    Avalara | Sales Tax Compliance | 255 South King St., Suite 1800, Seattle, WA 9810
    Clari, Inc. | Sales Forecasting | 1154 Sonora Court, Sunnyvale, CA 94086
    Cloudflare | Security | 101 Townsend Street, San Francisco, CA 94107
    CloudHealth Technologies | Cloud Automation | 100 Summer Street, 20th Floor, Boston, MA 02210
    Delighted, LLC | Client Feedback | 1027 Alma Street, Suite B, Palo Alto, CA 94301
    Detectify | Security | Långholmsgatan 34, 117 33 Stockholm, Sweden
    Docusign | e-Signature | 221 Main St., Suite 1000, San Francisco, CA 94105
    FraudWatch International Pty Ltd | Takedown Services | 20 Albert Street, Blackburn, VIC 3130, Australia
    Gainsight | Analytics | 1400 Bridge Parkway, Suite 101, Redwood City, CA 94065
    Google, Inc. (G Suite and Analytics) | Productivity and Analytics | 1600 Amphitheatre Pkwy, Mountain View, California 94043, USA
    Hubspot | Client Communications | 25 First St, Cambridge, MA 02141
    Infinit-O | Tier-I Customer Support and Premium Alert Monitoring | 24/F Pacific Star Building, Sen. Gil Puyat corner Makati Avenue, Makati, 1200 Philippines
    LinkSquares, Inc. | Contract Management | 38 Chauncy St, Suite 1100, Boston, MA 02111
    LogMeIn, Inc. - GoToMeeting | Teleconferencing | 320 Summer St, Boston, MA 02210
    Mailchimp Mandrill | Client Communications | The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308
    Recorded Future AB | EMEA Subsidiary | Västra Hamngatan 24, 411 17 Göteborg, Sweden
    Redash.io | Analytics | 18 Moskowitz Street, Rehovot, Israel 7647305
    Salesforce | Account Administration | The Landmark @ One Market, Suite 300, San Francisco, CA 94105
    SmartBooks Corp | Accounting | 2352 Main St #200, Concord, MA 01742
    Stripe, Inc. | Payment Processing | 185 Berry Street, Suite 550, San Francisco, CA 94107
    Zendesk, Inc. | Support tickets | 1019 Market Street, San Francisco, CA 94103 USA
    Zoom | Teleconferencing | 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113

  • Intelligence Cards bundle essential information related to a specific investigation topic, like a technical indicator, malware family, or software vulnerability. Intelligence Cards are a starting point for triage, and are pivot points during an investigation.

    Six types of Intelligence Cards are available, and more detail about each is available through the links in the list below. The rest of this page includes general descriptions of common components found in most, if not all, Intelligence Cards.

    IP Address - individual IPs and IP ranges (CIDRs)

    Domain - Domains and DNS names for FQDNs, Name Servers, Mail Exchanges, etc.

    Hash - includes MD5, SHA-1 and SHA-256 hashes

    Vulnerability - primarily CVE vulnerabilities from NIST NVD

    Malware -malware family names

    Threat Actor - threat actor groups

    Across all types, Intelligence Cards provide a similar baseline set of information sections. This overview introduces these common sections first, then adds details for specific Intelligence Card types.

    Heading

    The heading section identifies the entity summarized in this card, and provides the first and last dates when reporting about this entity was observed. The heading section also offers actions, including data exports and creating a share link for this card.

    Risk Score

    Risk Scores are provided for IP Addresses, Domains, Hashes, and Vulnerabilities. The score is based on a set of risk rules. Each rule triggers based on specific evidence, and can independently age out. The input sources for risk rules include over 700,000 web sources including social media, TOR forums and information security repositories and over 30 threat feeds.

    Each risk rule has a severity level. The risk score for an entity falls in a band determined by the highest-severity risk rule that is currently triggered. Additional risk rules triggered at lower severity levels slightly increase the overall risk score. Multiple risk rules triggered at the same severity level cause a larger increase in score, but will never push the score into the band of risk scores reserved for higher severity levels.

    Intelligence Cards provide transparency into the evidence for each risk rule, usually including one or more reporting sources and links back to documents published by these sources.

    In addition to this transparency (i.e., showing which risk rules an entity has triggered), we also show how many risk rules in total are used to evaluate an entity's risk. For example, an IP Address Card for 138.201.95.72 might show 5 out of a total of 40 risk rules triggered. Because our research on risk rules is continuous, the rule set may change at any time, and such changes do not propagate instantaneously throughout our data. Minor discrepancies may occur while data is being updated (e.g., two Intelligence Cards for entities of the same type, such as two file hashes, may not agree on the total number of hash risk rules). Such discrepancies are expected to be short lived and relatively infrequent.
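    The banding rule described above, as an added example that is not Recorded Future's code. The band floors and ceilings, the per-rule increments, and the sample rule set are all assumed for illustration (the page gives no numbers), but the invariant it demonstrates is the one stated above: the highest-severity triggered rule picks the band, extra rules move the score within that band, and no number of lower-severity rules can push the score into the next band. It also reproduces the "N out of M rules" figure.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Severity level -> (band floor, band ceiling). The page says each severity level
# has a reserved band of scores but gives no numbers; these values are assumed.
BANDS = {
    1: (5, 24),
    2: (25, 64),
    3: (65, 89),
    4: (90, 99),
}
SAME_SEVERITY_STEP = 5   # assumed: each extra rule at the top severity adds this much
LOWER_SEVERITY_STEP = 1  # assumed: each triggered rule below the top severity adds this much


@dataclass(frozen=True)
class RiskRule:
    name: str
    severity: int    # key into BANDS
    triggered: bool  # a rule fires on its own evidence and can age out on its own


def risk_score(rules: Iterable[RiskRule]) -> int:
    """Band-then-increment scoring: the top triggered severity picks the band,
    further rules move the score up inside the band, and the band ceiling is
    never exceeded (so lower-severity noise cannot reach the next band)."""
    triggered = [r for r in rules if r.triggered]
    if not triggered:
        return 0
    top = max(r.severity for r in triggered)
    floor, ceiling = BANDS[top]
    extra_same = sum(1 for r in triggered if r.severity == top) - 1
    lower = sum(1 for r in triggered if r.severity < top)
    score = floor + extra_same * SAME_SEVERITY_STEP + lower * LOWER_SEVERITY_STEP
    return min(score, ceiling)


def band_of(score: int) -> int:
    """Inverse lookup: which severity band a score falls in (0 if none)."""
    for severity, (floor, ceiling) in BANDS.items():
        if floor <= score <= ceiling:
            return severity
    return 0


def evidence_summary(rules: Iterable[RiskRule]) -> Tuple[int, int]:
    """The 'N out of M risk rules' figure shown on a card: (triggered, total)."""
    rules = list(rules)
    return sum(1 for r in rules if r.triggered), len(rules)


# Constructed rule set (names and severities are made up): 40 rules, 5 triggered,
# mirroring the "5 out of 40" figure quoted in the text.
SAMPLE_RULES: List[RiskRule] = (
    [RiskRule(f"rule-{i:02d}", 1, i < 2) for i in range(0, 10)]      # 2 low-severity hits
    + [RiskRule(f"rule-{i:02d}", 2, i < 12) for i in range(10, 20)]  # 2 hits
    + [RiskRule(f"rule-{i:02d}", 3, i < 21) for i in range(20, 30)]  # 1 hit, sets the band
    + [RiskRule(f"rule-{i:02d}", 4, False) for i in range(30, 40)]   # no top-severity hits
)

if __name__ == "__main__":
    hits, total = evidence_summary(SAMPLE_RULES)
    score = risk_score(SAMPLE_RULES)
    print(f"{hits} of {total} rules triggered -> score {score} (band {band_of(score)})")
    flood = [RiskRule(f"noise-{i}", 2, True) for i in range(50)]
    print("50 severity-2 rules alone ->", risk_score(flood), "(capped at the band 2 ceiling)")
```

    The cap in risk_score is the security-relevant part: an adversary (or a noisy feed) that trips many low-severity rules can raise a score only within the band those rules belong to, so a "Malicious" or "Very Malicious" score always implies at least one rule of that severity actually fired.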

    Threat Lists

    When the entity is currently included in one or more threat lists, this is reflected on the Intelligence Card. Recorded Future tracks updates to threat lists daily or more frequently, depending on the cadence of the threat list provider. Removal of the entity from an external threat list is rapidly reflected in Recorded Future, and risk rules are updated accordingly. Note that entities included in whitelists and mitigation lists will also show those lists here. A description of each list is available in the threat list documentation.

    Recent Event Timelines

    Recorded Future organizes reporting involving the entity by time, and Intelligence Cards include a timeline of reporting in the last 60 days.

    Malware, Vulnerability, and Threat Actor cards may show two timelines. The first timeline, colored in blue, summarizes all reported events involving this entity in the last 60 days. The second timeline summarizes reported Cyber Attack and Cyber Exploit events specifically. Each day in the cyber event timeline is color-coded by the criticality of the Cyber Threat signal for this entity on that date.

    Context

    These lists summarize other infrastructure and entities reported together with the primary entity for the Intelligence Card. The Context section records co-occurrences, which are mentions of the Intelligence Card entity and the related entity from this section in the same sentence or document. The co-occurrences do not make any assertion about the nature or strength of the connection between entities, just that they were mentioned together.

    The length of the blue bar for each related entity shows the relative frequency with which it is mentioned in conjunction with the primary entity. You can view the specific events for each link by clicking on the related entity in the list. You can view more related entities, beyond the top list shown in the Intelligence Card, by clicking the Show in Table action.

    Extensions

    Extensions are integrations that enhance Intelligence Cards with content from our Intelligence Partners. See the Extensions documentation to learn more.

    Technical Profile and Enrichment Service Links

    Convenience navigation links are included for several enrichment services that publish information to the security community. These include DomainTools (domain registration and WHOIS), Shodan (open ports and services) and VirusTotal (malware linked to the infrastructure through static or sandbox behavioral analysis).

    Recent References and First Reference

    Each Intelligence Card concludes with a set of individual references, highlighted based on time of reporting (most recent report and first report) or highlighted as the most recent report from an event type or group of sources. These highlighted recent events include Cyber Events, Paste Sites, Social Media, Information Security sources, Underground Forums, and Dark Web sources.

    Request Data Review

    Recorded Future processes unstructured data from open web, technical web, dark web, expert research, and customer provided sources with machine learning and natural language processing techniques. While we have both rigorous automated and manual processes in place to ensure the highest quality threat intelligence, there may be small errors or misattributions in our intelligence cards. If you come across a data inaccuracy, help us improve the information by Requesting a Data Review and one of our expert researchers will conduct a review.

    On any intelligence card

    Navigate to the top right-hand corner

    Click the menu

    Click Request Data Review

    A dialog window will appear. Please include as much information as possible about the request so that our expert researchers are able to focus their attention on the specific data element.

  • Under standard commercial terms, Recorded Future clients that are Managed Security Service Providers (MSSPs) do not have access to Insikt Group threat research notes, and cannot redistribute Recorded Future threat research content to their end clients.

    MSSP clients who are interested in an expanded scope of commercial use should contact their account executive for more information.

  • IP Risk Score

    Where's this data coming from?

    The Recorded Future Cyber Daily email identifies specific technical indicators published recently that are currently trending in noteworthy ways. These IT security trends are culled from reporting by over 800,000 web sources in over 13 languages.

    What's the difference between the (free) Cyber Daily and the Premium Cyber Daily I receive as a client?

    The Cyber Daily Basic and Plus versions are complimentary resources for thousands of information security professionals. The Premium Cyber Daily version is for Recorded Future clients only and includes more content: more data per category, risk scores for vulnerabilities and suspicious IPs, and categories not included in the free versions (e.g., Corporate Targets, Emerging Malware, Cyber Operations).

    How can I get more info?

    Click on any listed title entity in the email (i.e., company name, threat actor, operation name, malware, vulnerability, or IP address) to open a new Recorded Future table view specific to that entity, where you can do more research and learn why that entity was identified in our report.

    What is Threat Research from Insikt Group?

    Insikt Group is the Recorded Future threat research team. Intelligence in this section includes both recent posts on the Insikt Group blog, and recently published analyst notes with TTP leads, indicators, and other current intelligence.

    What are Hits?

    The Hit count refers to the number of documents that reference that particular entity in Recorded Future's data set during the previous 24 hours.

    What defines Related?

    Many sections contain a Related line. These values are products or technologies that appear prominently in the most recent reporting on this vulnerability. Some products and technologies come from Recorded Future's curated taxonomies, while others are detected based on language patterns. This is helpful in surfacing novel or less frequently discussed technology concepts, at the cost of some false-positive noise.

    What defines Corporate Targets?

    Corporate Targets are companies and organizations that we have found mentioned over the past 24 hours as a victim in relation to a cyber attack.

    What defines Threat Actors?

    This section highlights entities, both organizations and people, assigned a threat actor attribute that generated significant amounts of event reporting during the previous 24 hours.

    What defines Exploited Vulnerabilities?

    This section highlights identified vulnerabilities reported during the past 24 hours with language indicating malcode activity. These language indicators range from security research (reverse engineering, proof of concept) to malicious exploitation (exploited in the wild, weaponized). These vulnerabilities are usually different from the overall top vulnerabilities in the following section.

    What defines Cyber Operations?

    This section highlights Cyber Operations -- typically of a hacktivist nature -- recently reported in the media sources we monitor.

    What defines Malware in Cyber Attacks?

    This section highlights malware recently reported as used in cyber attack events. This section is oriented toward awareness of malware being reported as currently in use by threat actors.

    What defines Emerging Malware?

    This section highlights malware with high number of recent mentions, irrespective of whether there is a specific cyber attack event involved. Because of the broader filter criteria, malware listed in this section will have higher hit counts than in the "Malware in Cyber Attacks" section.

    What defines Vulnerabilities?

    This section highlights cyber vulnerabilities recently reported in the media sources we monitor. In addition, Recorded Future's Vulnerability Risk Score is included in the entry.

    What defines Exploited Vulnerabilities?

    This section highlights cyber vulnerabilities recently reported with exploits. As a result of the narrower definition, hit counts in this section will be lower than in the previous "Vulnerabilities" section. Recorded Future's Vulnerability Risk Score is included in the entry.

    What defines Suspicious IP Addresses?

    This section highlights IP addresses that have recently been reported with language indicating malicious activity. These language indicators include terms such as malicious and exploit, or mention of IP addresses co-occurring with any malware entity. Recorded Future's IP Risk Score is included in the entry.

    We'll apply an Emerging label next to any IP address which Recorded Future recently detected for the first time.

  • Hash Intelligence Cards (aka Hash Cards) provide an on-demand summary of essential information related to a specific hash, and are updated in real time as Recorded Future collects new information. You can use Hash Cards as a starting point when assessing whether observation of a given hash in a specific context is an Indicator of Compromise, and they can further be used in security control rules to block or detect incidents. Hash Cards are also pivot points during investigations that start with another indicator, a malware tool, a vulnerability, or a threat actor. Descriptions of several common components of the Hash Card are found in the Overview of Intelligence Cards; the details below are specific to the Hash Card:

    Hash Card: Risk Scoring

    Hash Risk Scores distinguish malicious file hashes from web reporting on hashes used for other technical purposes: passwords, digital fingerprints, certificates, etc. The risk rules for hashes currently do not have an age-out criterion. Once scored as malicious, a hash Risk Score will not decrease due to age and will generally remain malicious permanently (but could change based on discovery of new information).


    Hash Cards provide full transparency, sourcing all of the evidence behind a Risk Score.

    Intelligence Partner Extensions

    Extensions are integrations that enhance Hash Cards with content from our Intelligence Partners. See the Extensions documentation to learn more. We also have a separate article specific to the extensions available on a Hash Card.

  • In organizations where multiple teams use Recorded Future, it is helpful to create groups of users. This simplifies access configuration for alerts, lists, and other content, without having to enumerate individual users in access lists. The Recorded Future team can set up groups of users in your Enterprise account. Contact us at [email protected].

  • The header area of each Intelligence Card includes two dates (Last Reference Collected On and First Reference Collected On) which help you understand how long Recorded Future has tracked this entity.

    Last Reference Collected On: the latest (most recent) document download date for any event involving this entity.

    First Reference Collected On: the earliest document download date for any event involving this entity.

    These two dates are download dates, bracketing the earliest and latest times when Recorded Future collected new events involving the Intelligence Card entity.

    Note that these dates are not publication dates, unlike most other dates shown in Intelligence Cards. It is possible for the First Reference Collected On date to be later than the publication date of the First Reference shown in the Intelligence Card. For example, the First Reference event may come from a historic document that was collected significantly after its original publication date, when Recorded Future explored a link in a newly published document.

  • Recorded Future makes it straightforward to quickly navigate or link to Intelligence Cards for IP Addresses, Domains, and Hashes. These cards serve as a starting point for investigation or incident response, e.g., what can external threat intelligence from Recorded Future tell me about this observable? The summary pages have a consistent URL structure, which makes it easy to deep link into Recorded Future from other systems. The URL structure for these deep links to app.recordedfuture.com is:

    /live/sc/entity/ip:<IP Address>

    Please note: URLs to IP Intelligence Cards need to have leading zeros removed from IPv4 Addresses (e.g., 010.001.002.003 must be written as 10.1.2.3).

    /live/sc/entity/idn:<Internet Domain Name>

    /live/sc/entity/hash:<Hash value>

    /live/sc/entity/?name=<Vulnerability name or CVE number>

    Clients who do not wish to expose the Intelligence Card details in the URL may instead POST a request to the following link with the entity parameters in the body of the POST:

    https://app.recordedfuture.com/live/sc/entity

    For example, here is a simple HTML file illustrating this method; note the different "name" field for CVEs compared to the "id" field used for the other indicator types.

    <html>
      <body>
        Hash, IP, IDN
        <form method="post" action="https://app.recordedfuture.com/live/sc/entity">
          <label>Entity id:</label><input type="text" name="id"/>
          <button type="submit">Submit</button>
        </form>
        <br>
        <br>
        CVE
        <form method="post" action="https://app.recordedfuture.com/live/sc/entity">
          <label>Entity name:</label><input type="text" name="name"/>
          <button type="submit">Submit</button>
        </form>
      </body>
    </html>

    Please note: Authenticated Recorded Future users will see the full Intelligence Card; users without a Recorded Future account will see an abbreviated set of information on the Intelligence Card.
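    The URL and POST conventions above, as an added example that is not Recorded Future's code: it builds both forms from a raw observable, strips leading zeros from IPv4 octets as the note requires, lower-cases domains and hashes, and routes CVE identifiers to the name parameter instead of the path. Assumptions not stated on the page: hashes are recognised purely by hex length (32, 40 or 64 characters), a domain is anything that looks like a hostname with a non-numeric top-level label, and the POST id field carries the same type:value token that appears in the URL path. The sample inputs in the main block are constructed.

```python
import re
from urllib.parse import quote

BASE_URL = "https://app.recordedfuture.com"

# MD5 / SHA-1 / SHA-256 recognised by hex length only (assumption, not from the page).
HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})")
CVE_RE = re.compile(r"cve-\d{4}-\d{4,}")
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def canonical_ipv4(text):
    """Return the dotted-quad with leading zeros removed, or None if not IPv4.

    Leading zeros are stripped per octet ("010.001.002.003" -> "10.1.2.3")
    because the IP deep-link format rejects them.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p) for p in parts]  # int() discards leading zeros
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def is_domain(text):
    """Loose hostname check (assumption): 2+ labels, non-numeric TLD, <= 253 chars."""
    labels = text.split(".")
    return (
        len(labels) >= 2
        and len(text) <= 253
        and not labels[-1].isdigit()
        and all(LABEL_RE.fullmatch(label) for label in labels)
    )


def classify(observable):
    """Map a raw observable to (entity_type, canonical_value) for deep linking."""
    raw = observable.strip()
    ip = canonical_ipv4(raw)
    if ip:
        return "ip", ip
    lowered = raw.lower().rstrip(".")
    if HASH_RE.fullmatch(lowered):
        return "hash", lowered
    if CVE_RE.fullmatch(lowered):
        return "cve", lowered.upper()
    if is_domain(lowered):
        return "idn", lowered
    raise ValueError(f"unrecognised observable: {observable!r}")


def deep_link(observable):
    """GET-style link: /live/sc/entity/<type>:<value>, or ?name= for CVEs."""
    kind, value = classify(observable)
    if kind == "cve":
        return f"{BASE_URL}/live/sc/entity/?name={quote(value, safe='')}"
    return f"{BASE_URL}/live/sc/entity/{kind}:{value}"


def post_fields(observable):
    """Form body for the POST variant that keeps the entity out of the URL.

    Assumption: the 'id' field carries the same type:value token used in the path;
    CVEs use the 'name' field, as in the HTML form above.
    """
    kind, value = classify(observable)
    if kind == "cve":
        return {"name": value}
    return {"id": f"{kind}:{value}"}


if __name__ == "__main__":
    # Constructed inputs, not taken from the page.
    for sample in ("010.001.002.003", "Example.COM.", "D41D8CD98F00B204E9800998ECF8427E", "cve-2014-0160"):
        print(f"{sample!r:40} -> {deep_link(sample)}  POST {post_fields(sample)}")
```

    Classification order matters: an IPv4 address also satisfies the hostname check, so the IP test runs first, and the numeric-TLD rule keeps an out-of-range quad such as 999.1.1.1 from being misread as a domain and sent to the wrong card type.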

  • IP Address Intelligence Cards (aka IP Address Cards) provide an on-demand summary of essential information related to a specific IP Address or CIDR (an IP Address range). IP Address Cards are updated in real time as Recorded Future collects new information. You can use IP Address Cards as a starting point when assessing whether observation of this IP in a specific context is an Indicator of Compromise, and they can further be used in security control rules to block or detect incidents. IP Address Cards are also pivot points during investigations that start with another indicator, a malware tool, a vulnerability, or a threat actor. Descriptions of several common components of the IP Address Card are found in the Overview of Intelligence Cards; the details below are specific to the IP Address Card:

    Risk Scoring

    IP Address Risk Scores help to identify potentially malicious IP Addresses. The risk rules for IP Addresses currently age out after a period of time if we no longer see evidence that an individual rule matches. More information can be found by looking at the IP Address Risk Rules.


    Risks in the /24 Subnet

    IP Address Cards include a summary of other IP addresses in the same /24 subnet (historically known as a Class C block) with current risk scores. This subnet summary provides quick context on the network neighborhood around the individual IP address.

    Technical Profile

    IP Address Cards include GeoIP information (courtesy of MaxMind GeoLite) such as the AS Number, the names of organizations that administer the enclosing IP range, and geographic location.

    Intelligence Partner Extensions

    Extensions are integrations that enhance IP Address Cards with content from our Intelligence Partners. See the Extensions documentation to learn more. We also have a separate article specific to the extensions available on an IP Address Card.

  • Vulnerability Intelligence Cards (aka Vulnerability Cards) provide an on-demand summary of essential information related to a specific Vulnerability, and are updated in real time as Recorded Future collects new information. You can use Vulnerability Cards as a starting point when assessing whether this Vulnerability poses a specific risk to your organization, and they can further be used to identify associated indicators of compromise. Vulnerability Cards are also pivot points during investigations that start with another indicator, a malware tool, or a threat actor.

    Descriptions of several common components of the Vulnerability Card are found in the Overview of Intelligence Cards ; the details below are specific to the Vulnerability Card:

    Risk Score

    For CVEs, the Vulnerability Card presents a vulnerability risk score determined by several factors that Recorded Future considers, including the NVD score. More information can be found by looking at the Vulnerability Risk Rules.

    Risk Evidence, NVD Summary, Affected Products, and Notable Links

    Each Vulnerability Card presents an overall Risk Score supported by component risk rules. Some risk rules for CVE vulnerabilities directly reflect the NIST CVSS score.

    For CVEs, the Vulnerability Card includes the latest information about the CVE published by NIST NVD. This includes the text summary of the vulnerability, the set of affected products in the CPE (Common Product Enumeration), and notable links as identified by NVD. Affected Products are shown with human-readable names, and you can click on any Product Identifier to see the corresponding CPE identifier and CPE well-formed name. It is common for a very recently disclosed vulnerability to include partial information while NVD is vetting and confirming portions of the disclosure.

    Timelines

    Vulnerability Cards may show two timelines. The first timeline, colored in blue, summarizes all reported events involving this entity in the last 60 days. The second timeline summarizes reported Cyber Attack and Cyber Exploit events specifically. Each day in the cyber event timeline is color-coded by the criticality of the Cyber Threat signal for this entity on that date.

    External Links

    This section includes links to pages with more information about the vulnerability, specifically around patches and remediations.

    Recent Exploit Reference

    A helpful lookup of a recent reference to any available exploits for this vulnerability.

    View Article
  • Domain Intelligence Cards (aka Domain Cards) provide an on-demand summary of essential information related to a specific Domain or DNS Name, and are updated in real time as Recorded Future collects new information. You can use Domain Cards as a starting point when assessing whether observation of a given Domain in a specific context is an Indicator of Compromise, and further can be used in security control rules to block or detect incidents. Domain Cards are also pivot points during investigations that start with another indicator, a malware tool, a vulnerability, or a threat actor.

    Descriptions of several common components of the Domain Card are found in the Overview of Intelligence Cards; the details below are specific to the Domain Card:

    Domain Cards: Parent Domain, Siblings, and DNS Names within a Domain

    Similar to the /24 Subnet summary shown in IP Address Cards, Domain Cards present a summary of related Domains and DNS names. For a DNS name within a domain, this summary section includes the parent Domain and sibling DNS names. For a Domain, this summary section includes DNS names within the Domain.

    Intelligence Partner Extensions

    Extensions are integrations that enhance Domain Cards with content from our Intelligence Partners. Click here to learn more.

    View Article
  • Malware Intelligence Cards (aka Malware Cards) provide an on-demand summary of essential information related to a specific Malware, and are updated in real time as Recorded Future collects new information. You can use Malware Cards as a starting point when assessing whether this Malware poses a specific risk to your organization, and further can be used in identifying associated indicators of compromise. Malware Cards are also pivot points during investigations that start with another indicator, a vulnerability, or a threat actor.

    Descriptions of several common components of the Malware Card are found in the Overview of Intelligence Cards ; the details below are specific to the Malware Card:

    Header

    The Malware Card header includes known synonyms for the Malware family. Along with the usual reference counts and first/last seen dates, the header also includes Malware Category information.

    Timelines

    Malware Cards may show two timelines. The first timeline, colored in blue, summarizes all reported events involving this entity in the last 60 days. The second timeline summarizes reported Cyber Attack and Cyber Exploit events specifically. Each day in the cyber event timeline is color-coded by the criticality of the Cyber Threat signal for this entity on that date.

    Related Email Addresses

    In addition to the standard related entity lists, Malware cards also offer a list of related Email Address entities. This can be valuable in identifying online personas related to the malware too.

    View Article
  • [this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

    Download the App

    The latest version of the Recorded Future app for Splunk Enterprise is available on splunkbase.

    Initial setup of the App

    Once the app has been installed on the Splunk server the initial setup of the app is done under Configuration->Global configuration.

    The Configuration view has three panes: Proxy, Logging and Add-on Settings.

    To be able to see and configure API key, Proxy settings and API URL in the Splunk App, the user needs the capability 'list_storage_passwords'. To be able to change the logging level, the user needs the capability 'admin_all_objects'.

    The API key must be configured in the Add-on Settings pane in order for the app to work.

    Proxy

    If the Splunk server uses a proxy to access the Internet this should be configured here. If no proxy is used leave the Enabled checkbox unchecked.

    Host and port must always be set. If the proxy requires authentication the username and password should be set here. If authentication is not used these fields should be left empty.

    Logging

    If additional logging is required it's possible to adjust the log level here.

    The recommended log level is INFO.

    The integration logs to the standard Splunk log directory ($SPLUNK_HOME/var/log/splunk). The following log files will be created (depending on app configuration and usage, not all may exist):

    ta_recordedfuture_cyber_recorded_future_risk_list.log

    ta_recordedfuture_cyber_recorded_future_alerts.log

    ta_recordedfuture_cyber_rest.log

    The events logged into these files can be viewed either as files on the Splunk server or via the Splunk GUI.

    Example search:

    index=_* source="/opt/splunk/var/log/splunk/ta_recordedfuture_cyber_recorded_future_alerts.log"

    Add-on Settings

    The Recorded Future API key required for the proper operation of the app is entered in the Api key field.

    In some rare situations it may be necessary to change the URL of the Recorded Future API. If Recorded Future support instructs you to do so, the URL should be entered in the Recorded Future Api URL field.

    Further help

    Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected].

    Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

    View Article
  • While we take strong measures to ensure the security and confidentiality of your information, it is extremely important that you also recognize and do your part. We realize you know all of this already but it is our job to remind you!

    You play a role in protecting the security of your personal information. In addition to following safe computing practices, here are some other best practices that can help you keep your information secure.

    Stay informed and follow any new security practices that may emerge over time.

    Protect Your Password. Passwords should be strong, unique, and never shared.

    Notify Recorded Future of any phishing or odd emails regarding our service.

    Keep your operating system and software up-to-date

    Use two-factor authentication where available, especially with your email account. Your email is often the link to unlocking many other sensitive services like social networks, banking and retail. Similarly, insist on and use two-factor authentication with other important accounts like banking and sites that have direct links to your bank, such as PayPal and eBay.

    Beware of Phishing Emails - Don't respond to or visit links from unsolicited emails. If in doubt, don't click the link - go directly to the site in question.

    Don't Visit Suspicious or Unsafe Websites - Be sure to check the URL, especially the domain, carefully before navigating to an external website.

    Be circumspect with what information you provide to internet sites or over email. Provide only information that is absolutely needed and nothing more.

    Stay safe!

    View Article
  • To change the password on your Recorded Future user account:

    Log in to Recorded Future.

    Open the account drop-down menu in the upper-right corner of the page.

    Select the User Settings menu option.

    You will find the change password form in this User Settings page.

    Enter the new password for your account and save your settings.

    Before accepting the new password, Recorded Future checks its strength and validates that the new password meets the password length requirement specified for your Recorded Future deployment.

    You can also reset a forgotten password on your Recorded Future user account.

    Open the login page and click on the Forgot your password?link.

    Enter the email address for your Recorded Future user account.

    Look for an email with instructions for resetting your password.

    Follow the instructions in this email to reset your password.

    If you don't receive this email, please check your spam filter or folder, and double check the email address that you have entered in the password reset form. For security reasons, the form does not present an error message if the email address is not linked to any user account. And for further help, please submit a ticket.

    View Article
  • Your profile name in Recorded Future will also affect how you are displayed on both the Support site and the Community site. By default, this is typically your full name.

    If you would like to mask your identity (such as when commenting on an article, or posting something to the community site), you can do this in Recorded Future. Changes are retroactive, meaning that when you update your profile name, all comments/posts are updated to reflect this as well.

    To change the profile name on your Recorded Future user account:

    Log in to Recorded Future.

    Open the menu in the upper-right corner of the page.

    Select the User Settings menu option under Tools.

    Navigate to the Public Profile Info tab.

    Enter the new profile name for your account and save.

    View Article
  • Contact our Support Team to activate two-factor authentication (2FA) for your organization's account. All user accounts for your organization will be required to activate 2FA. Recorded Future implements 2FA with Time-Based One-Time Passwords (TOTP). To use TOTP, download one of the following smartphone apps and follow the directions below:

    For Android, iOS, and Blackberry: Google Authenticator

    For Android and iOS: Duo Mobile

    For Windows Phone: Authenticator

    Setting Up 2FA on your Recorded Future Account

    1. After Recorded Future confirms that 2FA is enabled for your organization, log in using a valid username and password. You will be automatically directed to the 2FA setup page.

    2. Use your TOTP authenticator app to scan the barcode. This stores a shared secret code known to Recorded Future and the authenticator, which is used to generate six-digit verification codes.

    3. Your TOTP authenticator will generate a verification code. To confirm receipt of the shared secret, enter the verification code to complete 2FA setup and log in to Recorded Future.

    4. After logging in, you will find scratch codes for your user account in your User Settings page. Scratch codes enable you to reset the 2FA security on your user account if you lose access to the TOTP shared secret. Store your scratch codes only in a secure, private location.

    Experiencing Issues?

    Occasionally, smartphones become out of sync and apps such as Google's Authenticator create passwords that will not be valid.

    Resetting your phone's time settings may help:

    Android: From within Authenticator

    Go to the Main Menu

    Select Settings

    Select Time correction for codes

    Select Sync now

    iPhone/iOS: From within the Settings app

    Select General

    Select Date & Time

    Enable Set Automatically

    If it's already enabled, disable it, wait a few seconds and re-enable it

    Setting Up 2FA When Changing Phones

    If you're getting ready to change or upgrade your phone, you have the ability to set your new phone up ahead of time for two factor authentication without any access disruptions.

    While logged in to Recorded Future, you have access to scratch codes dedicated to your specific account. You can use these scratch codes and manually enter them into your phone's authenticator application, which can then be used when logging in to Recorded Future at a later date.

    While logged in to your account:

    Choose Menu from the top right of your screen

    Click User Settings

    Under User Settings, go to the Security tab

    Once there, your scratch codes will be available.

    Use one of the codes in question and enter it as a manual entry in your authenticator application

    Additional Support Links

    Google's 2FA troubleshooting guide: Common issues with 2-Step Verification.

    Additional TOTP resources for Windows, Android, and iOS can be found on s TOTP site.

    View Article
  • Recorded Future produces several types of threat intelligence research reports. This article identifies each reporting stream and provides links to learn more.

    Analyst On-Demand

    For organizations just getting started with threat intelligence or sophisticated teams requiring supplementary intelligence products, Recorded Future offers threat research reporting by our analyst team. Reporting options include both on-demand threat research (RFI response) and recurring threat landscape summaries.

    Analyst On-Demand reporting enables clients to focus our team on threats and incidents that are urgent for them, when the intelligence is needed most. Redacted content from on-demand reports is later released to the full Recorded Future community, whenever appropriate.

    Learn more about Analyst On-Demand reporting on our public website or by contacting your Recorded Future account representative.

    Insikt Group

    Insikt Group is our self-directed threat research team, and is comprised of threat intelligence analysts, linguists, and security researchers with deep government and industry experience. The word insikt is Swedish for insight and highlights their mission: finding insights that reduce risk for our clients, with intelligence that produces tangible outcomes and prevents business loss.

    Insikt Group publishes their threat research first to the Recorded Future community. All Recorded Future clients have full access to Insikt Group threat research reports.

    Research highlights are published to our client-facing blog (login required). All Insikt Group threat reports are indexed and integrated into the Recorded Future portal and APIs.

    Published Threat Research

    We also release selected threat research to all audiences through our public blog. Often, this research is related to Insikt Group or Analyst On-Demand reporting. Some public blog posts highlight the quantitative analysis work of our Data Science team.

    Learn more by reading and subscribing to our public blog.

    View Article
  • Need help? We have a solution.

    You can access on-demand training at our portal, https://learning.recordedfuture.com

    Need some live support? Simply reach out to our team at [email protected].

    Our online learning portal is available to all Recorded Future clients, 24/7.

    Access the Recorded Future University Campus via Platform login

    Explore recordings in Backpacks

    Groups for community sharing

    Videos on platform elements

    Enroll and take courses on broad topics such as Recorded Future 101

    Review Weekly Analyst Tips

    Product feature videos

    Integrations overviews, demos & more

    Mission

    Recorded Future training supports our clients and the cybersecurity community to understand and apply threat intelligence. We want to share our vision of a world where defenders apply vast intelligence at the speed and scale of the internet to gain the advantage over attackers.

    For our Enterprise clients, you can request additional training on advanced topics with Training Credits. These courses include navigating the criminal economy on the dark web or using Xubuntu and open tools to conduct threat hunting. For more information contact your Intelligence Services consultant.

    View Article
  • If you are the owner of copyrighted work, or authorized agent, and believe that content on Recorded Future may be infringing please email [email protected].

    View Article
  • While using Recorded Future, you may encounter threat intelligence shared through the Automated Indicator Sharing (AIS) program. The AIS program is managed by the US Department of Homeland Security and is further documented here: https://www.us-cert.gov/ais

    AIS threat intelligence is labeled using the Traffic Light Protocol (TLP), to ensure that sensitive information is shared exclusively with the appropriate audience. In Recorded Future, you will see a TLP designator on each AIS threat intelligence note. The TLP system is further explained here: https://www.us-cert.gov/tlp

    Recorded Future redistributes AIS threat intelligence labeled TLP:WHITE and TLP:GREEN only. You may share AIS threat intelligence with others, subject to these TLP restrictions. In particular, note that threat intel labeled TLP:GREEN, or higher, should not be shared via publicly accessible channels (blogs, social media, etc.).

    Recorded Future, each AIS Participant and the National Cybersecurity & Communications Integration Center (NCCIC), to the maximum extent permitted by law, provide no representations or warranties regarding any Indicators or other data provided through AIS, or any other use of AIS. More information

    View Article
  • Recorded Future's mission is to empower our clients to reduce risk.

    While Recorded Future seeks to serve as broad a range of organizations as possible, while abiding by all applicable export-control and other regulations, certain limits are imposed on the use of our service.

    Recorded Future prohibits:

    Illegal Activities: The use of any of its services for any unlawful purpose or in furtherance of any illegal activities.

    Discrimination: The use of any of its services to perform targeted collection on the basis of protected characteristics such as race, sex or gender, sexual-orientation, religion, age, national or ethnic origin, disability status, marital status, or genetic information.

    Physical or Financial Harm: The use of any of its services for causing any physical or financial harm to any other individual or entity. This includes, but is not limited to, facilitating unauthorized access to protected systems, or damaging infrastructure.

    Misuse of Financial or PII Data: The use of any of its services for fraud, theft, misappropriation of data, or to otherwise misuse financial, personal, or other sensitive information.

    Harassment or Stalking: The use of any of its services to harass or stalk any individual as detailed by MGL Ch. 265, Sections 43 and 43A, and other applicable laws.

    Obscenity, Pornography, or Sexually Explicit Material: The use of any of its services to improperly access or view obscene, pornographic, or otherwise sexually explicit material.

    Extortion: The use of any of its services to engage in blackmail, extortion, or for otherwise inappropriate purposes.

    Copyright Infringement: The use of any of its services to violate copyright, or any other applicable intellectual property law.

    View Article
  • While Recorded Future endeavors to provide accurate information on a range of companies, IPs, domains, and many other entities, we appreciate any feedback that can be used to improve our offerings.

    Please e-mail [email protected] if you have feedback or corrections on the risk scores assigned to any entity, and our team will review as soon as possible.

    View Article
  • Recorded Future is not a people search website; instead, our technology analyzes the web to find trends in the entities, places, and times mentioned. Generally, specific people that are identified by our system are individuals that have appeared in numerous news articles, forums, and/or social media sites.

    In the unlikely event Recorded Future has retained information about a private individual, a request to delete the data can be made by the named individual, their guardian, or legal representative if mandated by the applicable privacy laws of their respective jurisdiction.

    All requests, accompanied by proof of identification, should be sent to [email protected]

    View Article
  • Version 2.1 Updated January 17, 2018

    Recorded Future, Inc. is a threat intelligence company, which analyzes threat data to provide better, faster security.

    What We May Collect About You

    When you visit the Recorded Future website, or use our services, we may collect the following types of information:

    Information About People or Entities Online

    The purpose of Recorded Future's services is to amass data from thousands of selected sources at high pace and extract information from that data. Thus, from publicly available data, including commercially available data, we correlate different data sources to extract meaningful information from the raw data. This includes information about individual companies, people, organizations, places, etc. as well as events in which they are involved. By analyzing dates referenced in that public information, we can also add temporal information about subjects and events: not only what events are happening, but when they are happening and who the participants are. We honor robots.txt and behave as a responsible crawler. The raw and analyzed data is stored in a centrally located and secured location. We harvest publicly accessible data to build an awesome user experience and an API that our users can benefit from in doing all kinds of information, analysis, and search tasks. We currently offer multiple kinds of capabilities and expect to build many other types of services in the future.

    While the underlying documents that we process during harvesting are not stored beyond a brief caching period, the indexes and other data that we generate in our harvesting process will be stored for a long time in order to enhance the quality of the services offered. The information collected is limited only by the nature of the information publicly posted online or commercially available, in government filings (e.g., SEC filings) or in publicly accessible locations. This means that much of the information will relate to high profile people, companies or events (e.g., the President of the United States, CEO of General Electric, etc.), but it can include information about just about anyone if that information is in a public source. If you want to know what information the Recorded Future index contains about you from public sources, simply query the user interface, but remember that not every potential source on the internet is indexed (actually, far from it). If you find an error, or want us to add a new source, enter a note of correction in our user interface and we will respond to your request as appropriate.

    To create these indices, Recorded Future processes the information referenced above for certain legitimate business purposes, which may include:

    Empowering organizations to remediate compromised credentials;

    Locating data that may have been breached or leaked online;

    Tracking vulnerabilities and exploits targeting our clients;

    Providing enrichment for data logs and security infrastructure; and

    Enabling organizations to better research threats.

    We analyze threat intelligence to better protect the organizations that use our service, and we believe this makes technology more secure.

    When we process personal information for our legitimate interests, we make sure to consider and balance any potential impact on potential data subjects and their rights under data protection laws.

    Information You Provide to Us

    When you sign up as a client, vendor, or partner, you may be asked to provide certain information about yourself, including personally identifiable information (name, address, email address), billing and other related information. Additionally, some clients may use our "Analyst Notes" feature to add custom annotations to Intelligence Cards that are visible to others in your organization. We will use this information strictly to provide services to you, and will not share this information with third parties without your consent, except to the extent necessary to process your requests (Example: Process a credit card for payment.)

    Information About How You Use Our Services

    When you interact with Recorded Future, by using our services, posting queries, performing analysis, annotating results, a record of these activities may be collected automatically as a result of your use of the website. When you create this information by engaging in actions like posing queries, doing analysis, annotating results, etc. you should be aware that the information may be collected, stored or archived by Recorded Future. Information about your interaction with Recorded Future (queries, visualizations, analysis, etc.) is saved for 14 days on our servers unless you delete that information or delete your account. While our servers automatically collect information as a consequence of your using the service, we do not examine or inspect individual search queries, and we encrypt the logs related to your searches or inquiries. You should note that, if you have chosen to share results of queries, analysis or similar searches (and similar) with others, copies of that information may remain viewable by those with whom you have shared the query or similar even after you remove information from your profile or delete your account. We log queries you make when you use our system, we anonymize them, but we do not manually inspect them. We will not share your queries with anyone, unless you ask us to do so through the user interface, although you are free to share queries information yourself.

    Recorded Future is not a data broker. Recorded Future does not maintain files on individuals purchases, nor sell lists of consumers. Recorded Future does not collect consumer information for targeting of ads. Recorded Future does not provide consumer scoring. In addition, Recorded Future:

    Does not maintain transaction-specific data about consumer purchases.

    Does not obtain payment data from retailers and/or catalog companies.

    Does not track consumer product purchases, the dollar amount of the purchase, the date of the purchase, or payment types.

    Does not obtain information from magazine publishers about the types of subscriptions sold.

    Put simply, Recorded Future does not provide consumer marketing databases, or even the means to produce consumer marketing databases, in any shape or form.

    Cookies

    When you visit the Recorded Future website, we may send one or more cookies (a small file containing a string of characters) to your computer, mobile phone, or other device that uniquely identifies your browser. When you return to our site, we may detect the presence of that cookie, and the information contained in it. We will not share this cookie information with anyone, and will use it solely to provide services to you.

    Cookies allow Recorded Future to provide clients, and visitors to our site, a better, more secure experience. While the exact names and parameters of cookies used by Recorded Future will periodically change, they are generally used for authentication, security, performance, or analytics. To learn more about how Recorded Future uses Cookies, please click here.

    Internet Log Information

    When you access any Recorded Future website, network, server, or other electronic asset, our servers automatically record information that your browser sends whenever you visit any website. These logs may include information such as the nature and content of your web request, your Internet Protocol address (and approximate geographic location), browser type and version, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser. In the event of an actual or attempted unauthorized or malicious access to our website or servers, we may use this information to conduct investigations and to protect the integrity of your information. We may preserve your information if we believe it is reasonably necessary to protect our systems, enforce our Terms of Service, or address any security or technical issues.

    Your Communications With Us

    When you send or receive email or other communications with us, we may retain those communications in order to process your inquiries, respond to your requests and improve our services, to inform you about changes in our policies or pricing or service offerings or to fulfill or respond to requests you may initiate. While we do not currently do so, we may in the future use a service that will let us know when you have received or opened email we have sent to you. We will use this information solely for the purposes of tracking whether or not you have received an email from us for quality control and response purposes. We also offer an email alerting capability called Alerts which automatically sends information you have requested to an email account you have registered with us. You have ultimate control over the information sent to you through this service, including the nature and scope of the information, and the frequency of such alerts. To access this service and put in your personal controls, visit the Alerts management page and update your settings.

    Links In and Out

    Recorded Future may collect information about sites that have linked to our sites, or sites that we link to. Therefore, Recorded Future may collect information about the website you came from when you were directed to us, or the website you visit as a result of a link on our site.

    How We Use the Information

    When We Share

    Recorded Future does not share your personal information with any other companies or individuals except for the following:

    Consent: We will not share your nonpublic information except to deliver services to you unless you affirmatively opt-in to such sharing. If you share this data with third parties, this is, of course, consent to such sharing.

    While non-anonymized data is never shared, metadata and anonymized information may be transmitted to our data provider partners when their databases are queried. This allows us to provide you with enriched context about that data from a wider variety of sources.

    Legal Requirements: We may share, or log your information without your consent if we have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or valid governmental request, (b) enforce applicable Terms of Service, Terms of Use or contractual obligations including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property, safety or security of Recorded Future, its users or the public as required or permitted by law.

    Sharing in the Event of a Merger or Acquisition

    If Recorded Future becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, the assets of Recorded Future may include information assets, including the information we have collected about you. In that event, we will continue to ensure the confidentiality of any personal information involved in such transactions and provide you with notice before any of your personal information is transferred and may become subject to a different privacy policy.

    Using Aggregated Information to Improve Our Service

    We may use information about how you have used our service in order to improve our service offering to you or to others. By knowing, for example what kinds of information you are seeking on our site, and the results delivered to you, we may be able to analyze this information to deliver more targeted results. While we will not share the individual search results or what we call identified information about your searches or results, we may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term, for example, or the nature of the results returned to aggregated users. Such information does not identify you or your searches or results individually.

    How We Protect Your Information

    We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data, including data that relates to your personally identifiable information. These include internal reviews of our data collection, storage and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data. Additionally, all log data is automatically deleted after 14 days. We restrict access to personal information to Recorded Future employees, contractors and agents (including third party hosting platforms) who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

    Data Integrity and Quality

    Recorded Future processes personal information only for the purposes for which it was collected and in accordance with this Privacy Policy. We review our data collection, storage and processing practices to ensure that we only collect, store and process the personal information needed to provide or improve our services or as otherwise permitted under this Policy. We take reasonable steps to ensure that the personal information we process is accurate, complete, and current, but we depend on our users to update or correct their personal information whenever necessary.

    Quality of Internet Information

    The information we deliver to our clients (that is, the aggregated, analyzed and indexed information from public sources) is only as accurate as the original source material itself. Thus, we cannot remove information from a public website, blog, posting, filing or other source, and if the underlying information is erroneous, our index of that information will merely reflect what was posted. Therefore, before you act on any information we may provide to you from public sources, you should undertake reasonable steps to validate the accuracy of the information, not merely its existence. We accept no responsibility to validate the accuracy of information posted by others online, nor frankly would we have the ability to do so.

    Accessing and Updating Personal Information

    When you use Recorded Future services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request if it is not otherwise required to be retained by law or for legitimate business purposes. We ask individual users to identify themselves and the information requested to be accessed, corrected or removed before processing such requests, and we may decline to process requests that are unreasonably repetitive or systematic, jeopardize the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup tapes), or for which access is not otherwise required. In any case where we provide information access and correction, we perform this service free of charge, except if doing so would require a disproportionate effort. All requests, accompanied by proof of identification, should be sent to privacy [at] recordedfuture [dot] com

    Enforcement

    Recorded Future regularly reviews its compliance with this Privacy Policy. Please feel free to direct any questions or concerns regarding this Privacy Policy or Recorded Future's treatment of personal information by contacting us by email at privacy [at] recordedfuture [dot] com, or by writing to us at Recorded Future/Privacy Policy, 363 Highland Avenue, Suite 2, Somerville, MA, 02144, USA. When we receive formal written complaints at this address, it is Recorded Future's policy to contact the complaining user regarding his or her concerns. We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that cannot be resolved between Recorded Future and an individual.

    EU-U.S. Privacy Shield Framework

    Recorded Future, and its subsidiaries, comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.

    Recorded Future has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

    In compliance with the Privacy Shield Principles, Recorded Future commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Recorded Future's Data Protection Officer at privacy [at] recordedfuture [dot] com.

    Recorded Future has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit JAMS for more information or to file a complaint. The services of JAMS are provided at no cost to you.

    Furthermore, individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information, please refer to Annex I of the Privacy Shield Framework.

    In the context of an onward transfer, Recorded Future has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Depending on the circumstances, Recorded Future may remain liable under the Privacy Shield if its agent processes such personal information in a manner inconsistent with the Principles.

    Under the EU-U.S. Privacy Shield Framework, the Federal Trade Commission has jurisdiction over Recorded Future's compliance with the Framework.

    Changes to this Privacy Policy

    Please note that this Privacy Policy may change from time to time. However, we anticipate most changes to our Privacy Policy will be minor. Regardless, we will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). By using, or continuing to use, this service after being provided notice of the change in policy, you will be deemed to have consented to the change. Each version of this Privacy Policy will be identified at the top of the page by its effective date, and we will also keep prior versions of this Privacy Policy in an archive for your review. If you have any additional questions or concerns about this Privacy Policy, please feel free to contact us any time by email at privacy [at] recordedfuture [dot] com.

    For the latest version of the Recorded Future Privacy Policy please click here.

    View Article
  • Recorded Future Child Pornography Policy (2258A)

    If you see material on Recorded Future of suspected child abuse, please reach out to NCMEC and/or local law enforcement. Additionally, you can report the material to Recorded Future via email - [email protected]

    View Article
  • Introduction


    Demisto is a popular Security Orchestration, Automation and Response (SOAR) platform. With it, security teams create standardized, automated, and coordinated responses across their entire security product stack. Playbooks that automate common procedures, enabled by thousands of security actions from a large ecosystem of partners, make scalable, accelerated incident response a reality.

    Available Functionality

    The Demisto integration includes four actions:

    IP address reputation lookup

    Domain reputation lookup

    File hash reputation lookup

    Related entities for an IP address, domain, or file hash

    How to enable the integration

    The integration is available directly from Demisto ( https://support.demisto.com/hc/en-us/articles/360006572474 ). Enabling the integration requires a valid Recorded Future API token. Instructions for generating a Recorded Future API token are found on this support page.

    For More Information

    More information about this integration, including suggested use cases for enrichment and interactive investigation of complex threats, is available in this blog post written by Demisto.

    View Article
  • This page includes example searches for correlating Recorded Future risklists with various log files commonly configured for indexing in Splunk Enterprise. It is unlikely that any of these searches can be used directly 'as is'; rather, they are intended to provide knowledgeable Splunk engineers with a starting point to build searches that correlate Recorded Future risk lists with various log files that are in client Splunk instances. Many of the examples focus on IP addresses, and similar searches for domains, vulnerabilities, and hashes are straightforward to create from the examples found here.

    Here's the list of available searches in this support page:

    Single source - Single field example

    Single source - Multiple field example

    Adding Recorded Future risk information to an original logsource

    Domain extraction and search

    Hash extraction and search

    Using Splunk Stats to add count into events

    Search for RF data in Splunk Threat Intelligence KV Store

    Search for IP in Recorded Future lookup table in ES

    Search for IP in Recorded Future lookup table in Core Splunk

    Suggestions for additional common and useful searches are welcome!

    Single source - Single field example:

    This search correlates the most recent 24 hours of data from a firewall (e.g., netscreen) with the Recorded Future IP risklist lookup. Any destination ("dst") IP address from the firewall logs that correlate with non-zero risk will be shown in the result.

    sourcetype=netscreen:firewall earliest=-24h | eval Name=dst | eval Time=start_time | lookup rf_ip_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval RiskScore = Risk | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -RiskScore | table Name, Time, RiskScore, RiskString, Rule, EvidenceString | rename Name as IPAddress

    Single source - Multiple field example

    This is an example similar to the one above, but the correlation uses both the "src" and "dst" columns of the firewall data to identify risky IP addresses.

    sourcetype=netscreen:firewall earliest=-24h | eval Name=src + ";" + dst | makemv delim=";" Name | mvexpand Name | eval Time=start_time | lookup rf_ip_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval RiskScore = Risk | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -RiskScore | table Name, Time, RiskScore, RiskString, Rule, EvidenceString | rename Name as IPAddress

    Adding Recorded Future risk information to an original logsource:

    This is a bulk enrichment example; the sample below assumes vulnerability scan data from Rapid7 has been loaded into Splunk, and we append Recorded Future risk information to the data set.

    source="Rapid7_Nexpose_Splunk_Vulnerability_Data" | fields cve, asset_id, dest | eval Name=cve | lookup rf_vuln_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | convert ctime(_time) as Time | table Time, Name, asset_id, dest, Risk, RiskString, Rule, EvidenceString | rename asset_id as "NeXpose AssetID" | sort -Risk

    Domain extraction and search:

    This search extracts the domain name found in the "_raw" log field from the last 24 hours and displays any that correlate with a non-zero-risk domain scored by Recorded Future.

    index=main sourcetype=squid:access earliest=-24h | rex field=_raw "http://(?<domain>[^/]+)/.+" | eval Time=strftime(_time,"%m/%d/%y %I:%M:%S:%p") | eval Name=domain | lookup rf_domain_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval Domain = Name | eval RiskScore = Risk | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -RiskScore | table Domain, Time, RiskScore, RiskString, Rule, EvidenceString

    Hash extraction and search:

    This search correlates hashes logged by an endpoint product (e.g. Symantec) with Recorded Future's hash risk list. Hashes that match a non-zero-risk entry in the Recorded Future data will be shown, along with the timestamp of when the hash was observed.

    sourcetype="symantec:ep:risk:file" earliest=-24h | rex field=_raw "Application hash: (?<file_hash>[^,]+)" | eval Name=file_hash | eval Time=strftime(_time,"%m/%d/%y %I:%M:%S:%p") | lookup rf_hash_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -Risk | table Name, Time, Risk, RiskString, Rule, EvidenceString | rename Name as Hash

    Using Splunk Stats to add count into events

    This search correlates the "remoteip" field from a haproxy log file to the Recorded Future IP risklist; instead of just showing every correlation of a log record with the risk list, this search groups by the IP address and shows the number of correlated events within the last 24 hours.

    sourcetype="haproxy:http" earliest=-24h | rex field=captured_headers "^(?<remoteip>\d+\.\d+\.\d+\.\d+).*$" | search remoteip=* | eval Name=remoteip | lookup rf_ip_threatfeed Name OUTPUT Risk, RiskString, EvidenceDetails | search Risk != "" | eventstats count by Name | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString") | sort -count | table Name, count, Risk, RiskString, Rule, EvidenceString | rename Name as "Destination IP" | rename count as Count | rename Rule as "Rule(s)"

    Search for RF data in Splunk Threat Intelligence KV Store

    This searches for available Recorded Future risklists in the Threat Intelligence KV store.

    | `ip_intel` | search threat_key=rf*

    Search for IP in RF lookup table in ES

    This is a simple search to look for a specific IP address on the Recorded Future IP risklist lookup table (Splunk ES).

    | inputlookup recordedFutureIpThreatList | search Name=162.208.22.34

    Search for IP (e.g., 162.208.22.34) in RF lookup table in Core Splunk

    This is a simple search to look for a specific IP address on the Recorded Future IP risklist lookup table (Splunk Enterprise).

    | inputlookup rf_ip_threatfeed | search Name=162.208.22.34
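    The correlation these searches perform, reimplemented offline in Python as an added example (not the page's SPL and not Recorded Future's code): a constructed risklist with the columns the lookups return (Name, Risk, RiskString, EvidenceDetails) is joined against constructed firewall events, zero-risk hits are dropped, EvidenceDetails is expanded the way spath(EvidenceDetails,"EvidenceDetails{}.Rule") does, hits are sorted by risk and then counted per IP as in the eventstats example. The JSON layout of EvidenceDetails is an assumption derived from that spath path.

```python
import csv
import io
import json
import re
from collections import Counter

# Constructed risklist in the column layout the lookups above return.
# The JSON shape of EvidenceDetails is assumed from the spath path
# "EvidenceDetails{}.Rule": an object whose "EvidenceDetails" key holds a list.
RISKLIST_CSV = """\
Name,Risk,RiskString,EvidenceDetails
198.51.100.7,89,3/50,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server"", ""EvidenceString"": ""constructed evidence 1""}, {""Rule"": ""Historical Threat List"", ""EvidenceString"": ""constructed evidence 2""}]}"
203.0.113.9,25,1/50,"{""EvidenceDetails"": [{""Rule"": ""Historical Spam Source"", ""EvidenceString"": ""constructed evidence 3""}]}"
192.0.2.1,0,0/50,"{""EvidenceDetails"": []}"
"""

# Constructed firewall events with the fields the netscreen examples read
# (start_time, src, dst). Addresses are documentation ranges.
FIREWALL_EVENTS = [
    'start_time="2019-11-01 10:00:01" src=10.0.0.5 dst=198.51.100.7 action=permit',
    'start_time="2019-11-01 10:00:07" src=10.0.0.6 dst=203.0.113.9 action=permit',
    'start_time="2019-11-01 10:01:13" src=10.0.0.5 dst=198.51.100.7 action=permit',
    'start_time="2019-11-01 10:02:44" src=10.0.0.7 dst=192.0.2.1 action=permit',
    'start_time="2019-11-01 10:03:02" src=10.0.0.8 dst=10.0.0.9 action=deny',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def load_risklist(csv_text):
    """Build the lookup table: IP -> (risk, risk_string, [(rule, evidence), ...])."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        details = json.loads(row["EvidenceDetails"])
        evidence = [(d["Rule"], d["EvidenceString"]) for d in details["EvidenceDetails"]]
        table[row["Name"]] = (int(row["Risk"]), row["RiskString"], evidence)
    return table


def parse_event(line):
    """Split a key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def correlate(events, risklist, fields=("dst",)):
    """Equivalent of: eval Name=<field> | lookup rf_ip_threatfeed Name ... | search Risk != "".

    With fields=("src", "dst") it mirrors the makemv/mvexpand multi-field example.
    """
    hits = []
    for line in events:
        ev = parse_event(line)
        for field in fields:
            name = ev.get(field)
            if name not in risklist:
                continue  # the lookup would return an empty Risk for this value
            risk, risk_string, evidence = risklist[name]
            if risk == 0:
                continue  # only non-zero risk is of interest
            hits.append({
                "IPAddress": name,
                "Time": ev.get("start_time"),
                "RiskScore": risk,
                "RiskString": risk_string,
                "Rule": [rule for rule, _ in evidence],          # spath ...{}.Rule
                "EvidenceString": [text for _, text in evidence],  # spath ...{}.EvidenceString
            })
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)  # sort -RiskScore


def count_by_ip(hits):
    """Equivalent of: eventstats count by Name | sort -count."""
    return Counter(h["IPAddress"] for h in hits).most_common()


if __name__ == "__main__":
    table = load_risklist(RISKLIST_CSV)
    for hit in correlate(FIREWALL_EVENTS, table):
        print(hit["IPAddress"], hit["Time"], hit["RiskScore"], hit["RiskString"], hit["Rule"])
    print(count_by_ip(correlate(FIREWALL_EVENTS, table)))
```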

    View Article
  • Required configuration for Search Head clusters

    Overview

    The Recorded Future Add-on for Splunk Enterprise Security is designed to run on Search Heads within a Splunk system. In the case of a Search Head cluster (SHC) the installation procedure is the standard one for SHCs, i.e. it should be installed on the deployer node and then deployed to the SHC nodes.

    Before deploying the app, the required configuration change below should have been made to ensure SHC configuration coherency.

    The app will detect that it is operated on a SHC. Only the captain node of the SHC will run the modular inputs for updating risklists and alerts.

    Required configuration

    In order to maintain coherent configuration across the SHC it is necessary to modify the list of configuration file types that are synchronized across the SHC. Two additional configuration files are required:

    inputs.conf, which contains the configured modular inputs used to update risklists and alerts.

    ta_recorded_future_settings.conf, which contains the configured API key (encrypted) and various app-specific settings.

    Splunk does not allow apps to ship with the required configuration settings at this time so this configuration must be done by the client.

    The following stanza is needed in $SPLUNK_HOME/etc/system/local/server.conf:

    [shclustering]
    conf_replication_include.ta_recorded_future_settings = true
    conf_replication_include.inputs = true

    Once this change has been made and the app has been deployed, it is possible to connect to any of the SHC search head nodes and perform setup.

    View Article
    For web application security purposes, Recorded Future defines and enforces a Content Security Policy (CSP) for app.recordedfuture.com. This CSP restricts the allowed content from third-party web sites in Recorded Future portal pages.

    If you suspect that the CSP is interfering with your use of Recorded Future, please check your browser console for Content Security Policy violation error messages. Please contact our support team for technical assistance, and provide the specific details of these CSP errors.

    Note that the name of the console where CSP error messages are shown, and the navigation path to it, vary by browser. In Chrome, navigate to Developer Tools | Console. In Firefox, navigate to the Browser Console. You may need to enable a Developer mode for your browser to access this console.
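    To make sense of a CSP violation reported in the console, it helps to know which directive governs a resource and whether that directive's source list admits the URL. The following is an added example, not Recorded Future's code: the policy in it is constructed for illustration (app.recordedfuture.com is used only as the page origin, and the hosts are placeholders), and it implements a simplified subset of CSP source matching ('self', scheme sources, host sources with a leading wildcard and optional port, and the default-src fallback), without path or redirect rules.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration only; not Recorded Future's actual CSP.
PAGE_ORIGIN = "https://app.recordedfuture.com"
EXAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://*.example-cdn.test; "
    "img-src 'self' https: data:; "
    "connect-src 'self' https://api.example-partner.test:8443"
)

# Fetch directives that fall back to default-src when they are not set.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (directive names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    # "*.example.test" matches any subdomain but not example.test itself.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source, url, page_origin):
    """Simplified CSP source-expression matching for a single source token."""
    src = source.lower()
    u = urlsplit(url)
    if src == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if src.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never admit a URL
    if src == "*":
        return u.scheme in DEFAULT_PORTS  # network schemes only; data: is not matched
    if src.endswith(":") and "/" not in src:
        return u.scheme == src[:-1]  # scheme-source such as https: or data:
    if "://" in src:  # host-source with an explicit scheme
        scheme, rest = src.split("://", 1)
        if u.scheme != scheme:
            return False
    else:  # scheme-less host-source: treat as http/https only (simplification)
        rest = src
        if u.scheme not in ("http", "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _host_matches(host, (u.hostname or "").lower()):
        return False
    if port and port != "*":
        actual = u.port or DEFAULT_PORTS.get(u.scheme)
        if str(actual) != port:
            return False
    return True


def is_allowed(header, directive, url, page_origin=PAGE_ORIGIN):
    """Return (allowed, governing_directive) for loading `url` under `directive`.

    governing_directive is None when the policy places no restriction on it.
    """
    policy = parse_csp(header)
    governing = directive
    if directive not in policy and directive in FALLS_BACK_TO_DEFAULT:
        governing = "default-src"
    sources = policy.get(governing)
    if sources is None:
        return True, None
    return any(_source_matches(s, url, page_origin) for s in sources), governing


if __name__ == "__main__":
    for directive, url in [
        ("script-src", "https://cdn.example-cdn.test/lib.js"),
        ("script-src", "https://example-cdn.test/lib.js"),
        ("font-src", "https://fonts.test/f.woff"),
    ]:
        allowed, governing = is_allowed(EXAMPLE_CSP, directive, url)
        print(f"{directive:12} {url:45} allowed={allowed} via {governing}")
```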

    View Article
    When you log in to Recorded Future, you see the "Remember me" option. When you select this option, your login session lasts 30 days. When this period expires, your login session ends automatically and you will be asked to log in again. When "Remember me" is selected, your session will not end based on inactivity.

    When you do not select the "Remember me" option, your session will be automatically logged out after 10 minutes of inactivity. Note that some views in the Recorded Future portal make background requests to check for new and updated information, and these background requests are counted as user session activity.

    View Article
  • Introduction

    With the new Alert API introduced in 2018, clients can access their Recorded Future alerts programmatically. In this support page, we outline how Splunk Integration clients can use the Alert API to incorporate alerts into Splunk. For a general overview of how to use the Alert API, check out this support page.

    Note that this add-on functionality assumes that a 3.x version of Recorded Future's (core) Splunk Enterprise Integration Application (see https://splunkbase.splunk.com/app/2629/ ) is installed. Also, in v4.x of this integration application (released in September 2018), an "Alerts" dashboard will be incorporated into the standard package.

    Basic Instructions

    The alerts.py file should be placed in the bin directory of the Recorded Future App.

    May need to chown file to splunk:splunk

    May need to chmod file to 755

    The .conf files should be placed into the local directory of the Recorded Future App.

    May need to chown files to splunk:splunk

    May need to adjust the path in the files if the Splunk home directory is not /opt/splunk/

    Copy the xml file into the local/data/ui/views directory of the Recorded Future App.

    May need to chown files to splunk:splunk

    May need to adjust permissions for access, set global view (all apps, everyone read, admin write)

    Will need to add to default navigation for visibility in the app

    The scripts should pull the API key stored in the KV store; nothing should need to be entered. If you have any issues during the setup or configuration, please schedule a remote session through your account team. The user for the API key must have alerts shared with them in order to pull the alerts from the API.

    View Article
  • A Recorded Future app for Splunk Phantom is currently available. Contact Glenn Wong for information beyond this article.

    About Splunk Phantom

    Splunk Phantom is a security automation and orchestration product. The purpose of the integration is to make threat intelligence data from Recorded Future available to playbooks in Splunk Phantom.

    Requirements

    The integration is packaged as a Splunk Phantom app and delivered as a tarball file. It is available through the Phantom App store. The integration was built and tested using Splunk Phantom v2.0. It is expected to be backward compatible with Phantom v1. To use this app, you will need API access to Recorded Future.

    Install and Configure the Integration

    After you have received the app tarball (tgz file) and an API token from Recorded Future, install and configure the app as follows:

    Place the app tarball in a locally accessible folder, like Downloads

    Log in to Phantom Cyber as an administrator

    Navigate to Administration > Apps

    Click the + APP button

    Locate the tarball file and click Install

    Navigate to Administration > Assets

    Click the + ASSET button

    Name the new asset Recorded Future API or similar.

    Select Recorded Future as the Vendor and as the Product.

    Navigate to the Asset Settings tab

    Enter your Recorded Future API Token

    Save the Asset

    Run the connectivity test

    Installation and configuration are complete. Your asset should look like this:

    A successful connectivity test looks like this:

    Documentation is packaged with the app. To find this documentation, navigate to Administration > Apps and click on the Recorded Future app.

    Supported Actions

    The app currently supports these actions:

    enrich vulnerability - Execute vulnerability enrichment on the given vulnerability

    enrich hash - Execute hash enrichment on the given hash

    enrich ip - Execute IP address enrichment on the given IP address

    enrich domain - Execute domain enrichment on the given domain

    test connectivity - Validate the asset configuration for connectivity

    Each action corresponds to an Intelligence Card in Recorded Future. The action retrieves the current threat intelligence information for the input value, and returns that information to Splunk Phantom. The detailed threat data is returned as a JSON dictionary, and selected data values are highlighted in the Phantom action results table. Here is an example of enrichment output for an IP Address.

    View Article
  • Change Log

    All notable changes to the Recorded Future Splunk ES add-on will be documented in this file.

    [4.0.0] - 2018-10-23

    New

    Adaptive Response has been added.

    The Adaptive Response can be added to any correlation search yielding supported IOC types (IP, domain, hash and URL). A new notable event will be created if the event can be enriched.

    Ad-hoc mode is available (e.g. from the Incident Review panel); once used, a drilldown link will open a panel with the latest information about the IOC.

    Added URL risk information.

    Improved display of risk evidence in the Incident Review dashboard.

    Support for custom risklists using Recorded Future Fusion was added. Any number of risklists can be added.

    Support for retrieving alerts from Recorded Future has been added.

    Help pages are included in the app (including this Changelog).

    New reports:

    A new report "Latest updates of all risklists" was added.

    A new report that shows all log events from the app was added.

    A new validation feature has been added. This feature can be used to verify that the app can work or to gather information about potential issues.

    New options to customize access to Recorded Future's API (non-standard URL and optional SSL verification).

    Search head cluster synchronization:

    Only one cluster member retrieves risklists before distributing them to the rest of the cluster.

    Configuration is synchronized; e.g. the API key can be added to any node in the cluster and it will be propagated to all nodes.

    Changed

    The filenames of the risklists in the lookups folder have changed, e.g. rf_ip_threatfeed.csv has become rf_ip_risklist.csv. The transform used to map between the name and the file name has been adapted to ensure backwards compatibility.

    Complete rewrite of the scripts included in the app.

    Updates of the risklists and retrieval of alerts have been implemented as modular inputs to improve reliability and scalability. Updates are performed as soon as new versions of the risklists become available.

    The setup GUI has been extended and leverages Splunk's framework.

    Minor graphical changes to adapt to Splunk's GUI changes introduced in Splunk 7.1.

    [3.2.3]

    Added a config stanza to manually override management host and port.

    [3.2.2]

    Adjusted config files to comply with certification requirements.

    Improved how SPLUNK_HOME is detected if the environment variable is unset.

    [3.2.1]

    Bug fix in verify_rf_app.py which failed to take default values into account in one of the verification steps.

    Modified verify_rf_app.py to flag missing folders which are created when running the risk list retrieval script as warnings rather than errors.

    [3.2.0]

    Moved python modules into the bin directory (requirement from Splunk).

    Added a new script (| script verifyRFApp) that performs a number of tests on the system and app environment to help troubleshoot any issues.

    [3.1.4]

    Bug fix: changed the workflow to lookup an IOC from encoding the URL.

    [3.1.3] - 2017-10-10

    Handle the case when there is a Universal Forwarder running on the standard REST endpoint and Splunk Enterprise is running on a non-standard port.

    [3.1.2] - 2017-10-03

    Handle the case when Splunk refuses to tell which version of ES is running.

    [3.1.1] - 2017-09-22

    Updated icons.

    Improved implementation of CLI launch detection.

    Added verification that any proxy added in the GUI is an HTTPS one.

    Obfuscate the token in the Setup form.

    [3.1.0] - 2017-09-04

    Made sure the update intervals don't slip.

    Improved the setup GUI.

    Added detection and prevention of CLI launch.

    Added instrumentation of Splunk and Splunk ES version.

    Renamed the default stanza to logging (new Splunk requirement)

    Replaced 0 and 1 with false and true in inputs.conf

    [3.0.6] - 2017-08-16

    Handle byte order marks (BOMs) in web.conf.

    Fixed wrong default log level (should be INFO).

    [3.0.5] - 2017-07-24

    Detect and use non default management port configuration.

    [3.0.4] - 2017-07-18

    Change application log to $SPLUNK_HOME/var/log/TA-recorded_future/get-rf-threatlists.py

    Removed Eventgen samples and config.

    Log version and OS when starting.

    Create directory for lookups if it doesn't exist (can be the case on search head clusters).

    Updated information about deployment on clusters.

    [3.0.3] - 2017-07-11

    Added the possibility to run "| script updateRFThreatlists" in the web GUI. This will print some stats about the risk lists and if needed update them.

    Added logging in many places.

    Catch and log before exiting in most places.

    Added specific exit codes in most places.

    Test whether the passwords.conf file exists if the program fails to obtain a token.

    Added unittests for api_key.py.

    Updated installation instructions.

    [3.0.2] - 2017-06-21

    Added saved searches to purge the Threat intelligence framework of outdated Recorded Future data.

    Added per risk list configuration of interval, max_entries and enabled.

    The get-rf-threatlists.py script now runs every 5 minutes by default. During each run it checks whether a new download is required for any of the enabled risk lists.

    Removed the algorithm field from the generated CSV for the Threat Intelligence framework since this wasn't parsed by the framework.

    Some changes to support running on Windows.

    Modified correlation search for domain based events to properly extract the domain from a URL.

    [3.0.1] - 2017-06-01

    GUI enabled to allow access to Setup in a search head cluster.

    [3.0.0] - 2017-04-19

    Make use of new Recorded Future Python API endpoints and corresponding Python library.

    Added the domain and hash risk lists.

    Generates separate minimized CSV files for the Threat Intelligence framework.

    Renamed threat_keys to have rf_ prefix.

    Reduced the size of the lookup files.

    Added blacklisting to minimize the size of the Knowledge bundle.

    Improved workflows to be more robust.

    Added support to limit the maximum number of entries in each risk list.

    Added support to enable/disable specific risk lists.

    Added support to change the loglevel. Improved logging.

    Removed JavaScript from setup.xml.

    [2.4.2] - 2017-02-19

    Temporary workaround for issues with Splunk password store.

    [2.4.1] - 2017-02-15

    Added instrumentation for troubleshooting interaction with Splunk password store.

    [2.4.0]

    Updated the RF correlation search so that it piggybacks off of the ES correlation search, 'Threat Activity Detected'.

    [2.3.9] - 2016-12-31

    Corrected issue in config_file.

    [2.3.8] - 2016-12-22

    Reworked the threshold so that a target number of entries is specified, the system will then select a threshold that will yield a number of entries in the vicinity of that number.

    [2.3.7] - 2016-12-19

    Added a threshold which only included entries with a risk score above a certain level.

    [2.3.6] - 2016-11-29

    Cleaned unused searches.

    [2.3.5] - 2016-11-22

    Merge

    [2.3.4] - 2016-11-17

    Improved resilience of temporary file handling.

    [2.3.3]

    Fixed bug - input script hitting API every minute

    [2.3.0] - 2016-10-31

    Various fixes to meet the criteria for certification.

    [2.1.3]

    Removed unused import in python setup script.

    Various file permissions updated to match Splunk guidelines.

    File name conventions and paths updated to match Splunk guidelines.

    Changed location of temporary files to within the app directory.

    Added documentation about requirements and cluster considerations.

    [2.1.2]

    Force lookup on correlation search to run on the search head and not on any remote peers

    [2.1.1] - 2016-09-22

    Fixed bug with temporary files left behind.

    [2.1.0] - 2016-09-16

    Fixed bug

    Updated get-rf-threatlist.py to make sure rfsetup.conf exists before trying to get API token

    Removed inputs.conf stanza to run get-rf-threatlist.py every 30 min

    Created commands.conf file and added a saved search to run every 30 min that will run get-rf-threatlist.py

    [2.0.6] - 2016-09-06

    Removed wrong drop-down menu for Title in Incident View.

    [2.0.5] - 2016-09-02

    Fixed issue causing Splunk error "A script exited abnormally"

    [2.0.4] - 2016-08-26

    Fixed some issues with character encoding.

    Improved error handling and cleanup after an error.

    Fixed issue with wrong correlation search in saved searches.

    [2.0.3] - 2016-08-24

    Improved how the Evidence Details are displayed.

    Risk Score, Triggered Rules (previously Risk String) and Evidences Details are listed in that order.

    [2.0.2]

    RF risk score is considered in Splunk ES overall severity.

    [2.0.0]

    Changed from STIX feed to CSV feed

    Added fields for 'Risk Score', 'Risk String', 'Evidence String'

    Fixed bug (data not removing from KV store after disabling app)

    2016-04-03

    Initial release (Beaker)

    View Article
  • Alert dashboards

    The Alert Dashboard displays current alerts. By default the modular input responsible for retrieving alerts from Recorded Future polls the API every five minutes, and this dashboard checks for any active alert in the last ten minutes.

    By default the sum of all configured modular inputs for alerts is shown, but specific inputs can be selected using the drop-down menu "Select an Alert config". Note that this drop-down does not reflect the currently configured inputs but is based on the data available in Splunk: if no alert has been fetched yet for a configured input, it will not show in the drop-down, while a removed input will still show as long as an alert from it is indexed in Splunk.

    The dashboard contains three fields:

    The number of active alerts.

    The "Counts by Rule" panel, which displays which alert rules have triggered and their counts.

    Detailed Alert Information which displays the details of each alert.

    Click on an alert in the "Detailed Alert Information" to open a new window showing the alert in Recorded Future's GUI.

    View Article
  • Adaptive Response

    The Adaptive Response action provided by the app allows for enriching IOCs with information from Recorded Future. This is similar to the enrichment based on the Recorded Future risk lists, with a few differences:

    | Risklist enrichment | Adaptive Response |
    |---|---|
    | Enrichment is based upon what information is present in the risklist. | Enrichment is done in real time against the Recorded Future API. |
    | Information may not be fully up-to-date due to refresh cycles of the risklists. | Information is always fully up-to-date. |
    | Only IOCs present in the risk lists are enriched (see note). | Any known IOC is enriched. |
    | The enrichment uses no API credit. | The enrichment uses one API credit per successfully enriched IOC. |

    Note: Typically lists only contain IOCs with a risk score above some threshold. This is done to keep the lists at a manageable size.

    Setup Adaptive Response

    The normal way to use an Adaptive Response is to add it to the list of Adaptive Responses of a Correlation Search which gathers events that should be investigated.

    Once this has been set up the Adaptive Response is executed for each event found by the search.

    An example of such a search is "Threat Activity Detected", which detects all network events that match threats known to Splunk's Threat Intelligence framework.

    It is possible to use the same Adaptive Response on multiple Correlation Searches.

    Adding an Adaptive Response action

    Here is how you would add the Adaptive Response to that Correlation Search:

    In Splunk Enterprise Security, go to Configure->Content Management.

    Locate "Threat Activity Detected" and click on the name.

    Near the bottom of the page is the section "Adaptive Response Action". Click on "+ Add New Response Action".

    From the drop-down list, click on "Enrich with Recorded Future"

    In most cases no changes are necessary; just click on Save. If the Correlation Search uses a field other than "threat_match_value" to indicate which IOC it has detected, that field name must be entered as the field value.

    Warning: each IOC that is enriched may consume one API credit. Ensure that the Correlation Search used does not yield excessive numbers of events.

    Removing the Adaptive Response action

    If at some point the Adaptive Response action needs to be removed from a Correlation Search, this is very straightforward.

    In Splunk Enterprise Security, go to Configure->Content Management.

    Locate the correlation search and select it.

    Near the bottom of the page is the section "Adaptive Response Action".

    Click on the X next to the action and save.

    Ad-hoc use of the Adaptive Response

    It is possible to make ad-hoc calls to the Adaptive Response, for example from within the Incident Review panel.

    When reviewing a notable event in the Incident Review panel, click on event actions.

    Select "Run an Adaptive Response".

    Select "Recorded Future" and run it. Close the pop-up.

    Click on the reload symbol just above the "Adaptive Responses" section of the panel.

    When the check mark and "success" are visible in the Status column the enrichment is done. Clicking on "Enrich with Recorded Future" will open an enrichment view (in a separate view) with the information returned by the enrichment.

    View Article
  • Setup Alert monitoring

    Alert monitoring is configured in Configuration -> Inputs. By default no alert monitoring is configured.

    Adding an alert monitoring input will do the following:

    The app will reach out to Recorded Future's API and look for alerts that match the configured criteria.

    If there are Recorded Future alerts that match, information about these will be retrieved. For each of these alerts an event (sourcetype rf:alerts) will be created in the Splunk system. Using these events it's possible to set up Splunk-based alerts or generate reports.

    The app does not keep track of whether it has already retrieved an alert or not. As long as the alert matches the filter criteria an event will be created.
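    Because the input re-creates an rf:alerts event on every poll that still matches the filter, the same alert can be indexed more than once. The Python below is an added example (not code from the add-on or from this article) of summarising such events the way the Alert dashboard's three panels do: the number of active alerts in the last ten minutes, counts by rule and the per-alert details. Duplicates are collapsed on the alert id, and an optional status filter mirrors the "Alert status" setting. The event field names (id, rule, triggered, status) and the sample events are constructed for this example.

```python
"""Summarise Recorded Future rf:alerts events the way the Alert dashboard does.

Added example, not code from the Recorded Future add-on. It assumes each
indexed rf:alerts event carries an alert id, the rule name, the triggered
time and a status; these field names are constructed for this example.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events. The modular input polls every five minutes and
# does not remember what it already fetched, so alert A-1 is indexed twice.
SAMPLE_EVENTS = [
    {"id": "A-1", "rule": "Leaked Credentials", "triggered": "2019-05-01T10:00:00Z", "status": "no-action"},
    {"id": "A-1", "rule": "Leaked Credentials", "triggered": "2019-05-01T10:00:00Z", "status": "no-action"},
    {"id": "A-2", "rule": "Typosquat Domain", "triggered": "2019-05-01T10:03:00Z", "status": "no-action"},
    {"id": "A-3", "rule": "Leaked Credentials", "triggered": "2019-05-01T09:40:00Z", "status": "no-action"},
    {"id": "A-4", "rule": "Typosquat Domain", "triggered": "2019-05-01T10:05:00Z", "status": "resolved"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_alerts(events, now, window=timedelta(minutes=10), statuses=None):
    """Return distinct alerts triggered within `window` of `now`, keyed by alert id.

    `statuses`, when given, keeps only alerts whose status is in that set,
    like the "Alert status" filter of the alert monitoring input.
    """
    cutoff = now - window
    seen = {}
    for ev in events:
        if statuses is not None and ev["status"] not in statuses:
            continue
        if parse_ts(ev["triggered"]) < cutoff:
            continue
        seen.setdefault(ev["id"], ev)  # collapse duplicates from repeated polls
    return seen


def summarise(events, now_iso, statuses=None):
    """Build the three dashboard panels from a batch of indexed events."""
    active = active_alerts(events, parse_ts(now_iso), statuses=statuses)
    return {
        "indexed_events": len(events),           # raw count, includes duplicates
        "active_count": len(active),             # "number of active alerts"
        "counts_by_rule": dict(Counter(ev["rule"] for ev in active.values())),
        "details": sorted(active.values(), key=lambda ev: ev["triggered"], reverse=True),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_EVENTS, "2019-05-01T10:06:00Z")
    print("active alerts:", report["active_count"], "of", report["indexed_events"], "indexed events")
    for rule, count in report["counts_by_rule"].items():
        print("  rule:", rule, "count:", count)
    for ev in report["details"]:
        print("  ", ev["id"], ev["triggered"], ev["rule"], ev["status"])
```

    Counting distinct ids rather than raw events is what keeps the "active alerts" figure honest when the poll interval is shorter than the dashboard window; a raw count would overstate by one per extra poll.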

    Add alert monitoring

    Click on the green "Create New Input" and select "Recorded Future alerts".

    The Name is the risklist handle.

    The interval controls how often Splunk will poll for alerts. The default is every 300 seconds, but this can be adjusted according to company requirements. Short intervals may consume many API credits, while long intervals may result in delays between when a Recorded Future alert is triggered and when it is available in Splunk.

    Index controls the index where the rf:alerts events are indexed. Make sure to select an index with correct role assignments; leave it at main/default if you are unsure.

    Alert status. By default the filter matches any alert status but this can be configured as needed.

    Triggered: filter on when the alert was triggered. Default is anytime. The notation is the same as in the Recorded Future web client. Ex:

    "-2d to now"

    "-2h to -1h"

    "yesterday"

    Alert rule. By default any alert rule will be matched but it is possible to specify a particular rule if required.

    Maintaining alert monitoring

    In the list of configured Inputs (Configuration -> Inputs) there are drop-down menus for each input.

    Use "Edit" to reconfigure the alert monitoring. To disable the monitoring use "Disable", this can be re-enabled at any time in the same drop-down menu.

    View Article
  • Overview of risklists

    Risk lists can be used to correlate and enrich events. For each element in the risk list (ex an IP number, a URL or a hash) there is a risk score and information about why the score has been set.

    Correlation

    Any risklist that is configured is downloaded to the Splunk server and processed locally. Part of the information is inserted into the Threat Intelligence framework that is part of Splunk Enterprise Security. The framework maintains lists of Indicators of Compromise (IOCs) from external sources (such as Recorded Future).

    If an event matches an entry of the appropriate list it is flagged for possible further action. Examples of further action are correlation searches such as the "Threat Activity Detected" rule. Events matching this rule will be highlighted as Notable events in Splunk Enterprise Security.

    Enrichment

    Any downloaded risklist is also stored as a lookup table. Recorded Future's Add-on for Splunk Enterprise Security has pre-configured saved searches that look at notable events and create new notable events for any event where additional data is available. The new event will contain additional information such as the Recorded Future Risk Score and details of why this risk has been assigned to the IOC.

    Default risklists

    By default the app is shipped with four default risk lists pre-configured:

    IP number

    Domain names

    URLs

    Hashes

    If you have Fusion access it's possible to define and read additional risk lists.

    Manage risklists

    Navigate to Configuration->Inputs. This will show you all configured inputs (both risk lists and alert monitoring). Clicking on the >-sign will expose additional information about the list.

    Under the Actions drop-down it's possible to enable/disable a list, delete, clone or edit it.

    Add or modify risklists downloads

    To create an additional risk list, click on the green "Create New Input" button and select Recorded Future risk list.

    | Field | Significance | Comment |
    |---|---|---|
    | Name | Risk list name within the Splunk instance. The lookup file will be named <name>.csv. | |
    | Interval | The list will be checked for updates after this many seconds. This should be set to 300. | This specifies how often the list is checked. Updates only occur if the list has been updated. |
    | Index | The modular input produces statistics when running. Set the index where these will be stored. | Make sure to select an index with correct role assignments; leave it at main/default if you are unsure. |
    | Risk list category | Select which kind of element the risk list has data about. | IP, Domain, Hash, Vulnerability or URL |
    | Fusion file | The path to the Fusion risk list. If the list is to be used as a lookup the Fusion Flow must be defined to produce an uncompressed CSV file. | Must correspond to a defined Fusion file. If this field is left blank the default risk list for the category will be used. |

    Once the new risklist has been set up it will be downloaded and made available to Splunk's Threat Intelligence framework. Typically this is done within a couple of minutes. Once complete the risklist will be used for detection of suspicious IOCs.

    In order to enable enrichment, however, a new correlation search is needed:

    Go to Settings->Searches, reports and alerts

    Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".

    Locate "Threat - RF IP Threatlist Search - Rule" (or corresponding Domain, Hash or URL depending on what type of risklist it is).

    In the "Edit" dropdown menu, select "Clone".

    Change the "New Title" field to something sensible, ex "Threat - RF IP My Custom Threatlist Search - Rule".

    Consider changing the description.

    Ensure the Permissions are set to Clone.

    Go to Settings->Searches, reports and alerts

    Select "Type: All" and "App: Recorded Future Add-on for Splunk ES".

    Click on the newly created search.

    Change the Search:

    Change the first parameter of the macro (ex rf_ip_risklist) to the name of the new risklist.

    Save

    View Article
  • Initial setup of the App

    Once the app has been installed on the Splunk server the initial setup of the app is done under Configuration->Global configuration.

    The Configuration view has three panes: Proxy, Logging and Add-on Settings.

    To be able to see and configure API key, Proxy settings and API URL in the Splunk App, the user needs the capability 'list_storage_passwords'. To be able to change the logging level, the user needs the capability 'admin_all_objects'.

    The API key must be configured in the Add-on Settings pane in order for the app to work.

    Prerequisites

    Splunk ES must be installed on the Splunk system. In a clustered environment the app should be installed on one or more search heads. A valid Recorded Future API token is required. The Splunk server running the app must be able to download CSV files containing Recorded Future's risk lists from https://api.recordedfuture.com/.

    Splunk Enterprise Security

    To be able to use the full features of this Splunk Enterprise Security Add-on, some configuration has to be done in Splunk Enterprise Security.

    In the Enterprise Security menu bar, click Configure -> Incident Management -> Incident Review Settings. Click the button 'Add new entry' in the "Incident Review - Event Attributes" section. Add the following Label and Field combinations:

    | Label | Field |
    |---|---|
    | RF Risk Score | rf_a_risk |
    | RF Triggered Rules | rf_b_rules |
    | RF Very Malicious Evidence | rf_evidence_critical |
    | RF Malicious Evidence | rf_evidence_malicious |
    | RF Suspicious Evidence | rf_evidence_suspicious |
    | RF Unusual Evidence | rf_evidence_unusual |

    A restart of the Splunk instance will be required once the installation has completed.

    If you haven't already done so, enable the Enterprise Security correlation search called "Threat Activity Detected":

    In the Enterprise Security menu bar, click Configure -> Content Management.

    In the filter bar, type "Threat Activity Detected".

    Click the link 'Enable' to enable the correlation search.

    Adaptive Response (AR)

    To activate Adaptive Response (AR) the following steps need to be performed:

    Turn off the searches that enrich notable events:

    Go to Configure -> Content Management.

    Disable "RF IP Threatlist Search", "RF Domain Threatlist Search" and "RF Hash Threatlist Search" (easier to find if you use the app filter, but not necessary).

    Click on "Threat Activity Detected" to open the settings.

    Next to "Adaptive Response Action", click on "Add New Response Action".

    Select Recorded Future's action.

    Leave the default "Automatic" selection.

    Click Save.

    Adaptive Response Ad-hoc invocation

    Ad-hoc invocations of Adaptive Response can be made, for example from the Incident Review dashboard. The user invoking the Adaptive Response in this way must have the list_storage_passwords capability.

    Proxy

    If the Splunk server uses a proxy to access the Internet this should be configured here. If no proxy is used leave the Enabled checkbox unchecked.

    Host and port must always be set. If the proxy requires authentication the username and password should be set here. If authentication is not used these fields should be left empty.

    Logging

    If additional logging is required it's possible to adjust the log level here.

    The recommended log level is INFO.

    The integration logs to the standard Splunk log directory ($SPLUNK_HOME/var/log/splunk). The following log files will be created (depending on app configuration and usage all may not exist):

    ta_recorded_future_recorded_future_risk_list.log

    ta_recorded_future_recorded_future_alerts.log

    ta_recorded_future_rest.log

    The events logged into these files can be viewed either as files on the Splunk server or via the Splunk GUI.

    Example search:

    index=_* source="/opt/splunk/var/log/splunk/ta_recorded_future_recorded_future_alerts.log"

    Add-on Settings

    The Recorded Future API key required for the proper operation of the app is entered in the Api key field.

    In some rare situations it may be necessary to change the URL to the Recorded Future API. If Recorded Future support instructs you to do so, the URL should be entered in the Recorded Future Api URL field.

    View Article
  • Change Log

    All notable changes to the Recorded Future Splunk add-on will be documented in this file.

    [4.0.3] - 2018-11-09

    Bug fix

    Compatibility issue with python-requests shipped with the Splunk server.

    Internal rest calls intermittently failed on clusters.

    Links to advisories from the Vulnerability enrichments dashboard were broken.

    Fixed naming of Intelligence card in some locations.

    Fixed improper sizing of logotypes in some locations.

    Added setting to disable SSL verification if needed.

    Search head cluster checks in the validation report.

    Problems reading config files on Windows

    Improvements

    Sample data has been filtered to avoid being flagged as malware.

    Improved validation report which detects missing configuration on search head clusters.

    Added configuration option to disable SSL verification (needed with some proxy configurations).

    [4.0.2] - 2018-09-11

    Bug fix

    Detection of Search head failed on Splunk server running without licenses.

    Link to ASN information cards was wrong.

    Improvements

    Updated XML in dashboard to new SimpleXML specification.

    Updated color settings to adapt to new visuals in Splunk 7.1.

    Minor look-n-feel improvements to dashboards.

    Changed the default SOC view to the Alerts view.

    [4.0.1] - 2018-06-27

    Improved

    Added a placeholder for the getting_started dashboard to redirect old installations with customized navigation to the new start page.

    Documentation improvements.

    Removed

    Removed server.conf since Splunk prohibits it. Search head installs will have to manually add it.

    [4.0.0] - 2018-06-01

    New

    New enrichment dashboards

    URLs

    Malwares

    New correlation dashboard:

    URLs

    A new Explorer dashboard has been added. Using drop-down menus it's possible to explore different sourcetypes, risklists and fields to find the best way to correlate event data.

    A new Global Map dashboard was added.

    A new Alerts dashboard was added. It displays summary information about alerts pulled from Recorded Future using the alerts modular input.

    Support for Custom risklist using Recorded Future Fusion was added. Any number of risklists can be added.

    New macros:

    rf_correlate - extends the functionality of previously available rf_hits with support for multiple risklists. This macro does however not unpack and format the evidence string. The new macro format_evidence can be used for this.

    format_evidence - unpacks and reformats the evidence details for a matching entity.

    to_date - extracts the date from data and formats it.

    to_time - extracts the date and time from data and formats it.

    to_splunk_time - extracts the date and time but performs no formatting.

    unpack_metrics - unpacks the metrics field used in enrichment.

    unpack_relatedEntities - unpacks Related Entities used in enrichment.

    unpack_riskyCIDRIPs - unpacks the information about risky IPs in the CIDR used by IP enrichment.

    Support for retrieving alerts from Recorded Future has been added.

    Help pages are included in the app (including this Changelog).

    New reports:

    A new report "Latest updates of all risklists" was added.

    A new report that show all log events from the app was added.

    A new validation feature has been added. This feature can be used to verify that the app can work or to gather information about potential issues.

    Search head cluster synchronization:

    Only one cluster member retrieves risklists before distributing them to the rest of the cluster.

    Configuration is synchronized, ex the API key can be added to any node in the cluster, it will be propagated to all nodes.

    Changed

    Correlation dashboards have been improved:

    The Triggered Rules and Evidence strings that were previously shown in two different fields have now been combined into one, making it much easier to match Risk Rule with the corresponding Evidence String. For each event the Evidence is listed in descending criticality. A colored dot also provides information about how critical the evidence is.

    An additional column has been added to the table of events found in the correlation search: the count of occurrences of the entity (ex IP).

    Two additional panes have been added:

    The top Risk Rules over the last 24 hours.

    The top entity (ex IP) which matches the risk list during the last 24 hours.

    Enrichment dashboards have been improved:

    To help focus on the most relevant information the respective dashboard mimics the corresponding information card from Recorded Future.

    The "Current Risk Indicators" panel has been renamed to "Triggered Risk Rules". The content is sorted by descending Criticality (which is shown and color coded).

    When Recorded Future has information that the entity is present on a Threat list this information is shown in the "In Threat Lists" panel.

    If Recorded Future's Insikt Group has produced research about the entity this is shown in the "Threat Research Insikt Group" panel.

    The number of categories of related entities has been increased. Only panels with information are shown. The following categories have been added:

    Related Attacker

    Related Target

    Related Actors

    Related Products

    Related Countries

    Related Technologies

    Related E-Mail Addresses

    Related Attack Vectors

    Related Operations

    Some dashboards have been made more efficient by removing additional API calls.

    Recorded Future Cyber Vulnerability Enrichment has been improved:

    Information from NVD is displayed in the "NVD Summary" panel.

    Information about affected versions is shown in the "Affected Versions" panel.

    Third-party information is shown in the "Advisories, Assessments and Mitigations" panel.

    The filenames of the risklists in the lookups folder have changed. Ex: rf_ip_threatfeed.csv has become rf_ip_risklist.csv. The transform used to map between the name and the file name has been adapted to ensure backwards compatibility.

    Complete rewrite of the scripts included in the app.

    Updates of the risklists and retrieval of alerts have been implemented as modular inputs to improve reliability and scalability. Updates are performed as soon as new versions of the risklists become available.

    Enrichment is performed using an extension of Splunk's REST endpoint.

    The setup GUI has been extended and leverages Splunk's framework.

    Removed

    The monitoring dashboards have been removed since this goal is better achieved using alerts within Recorded Future's service.

    ## [3.0.5] - 2017-08-15

    ### Changed

    - IP/Domain risk lists download once an hour

    ## [3.0.4] - 2017-05-26

    ### Changed

    - Risk Lists do not download to /tmp first

    - Single risklist.py script to download

    - Commands to download risk list (Splunk Macros)

    - Reduced size of demo data

    - Layout of enrichment dashboards

    - Default values for enrichment dashboards

    ### Removed

    - Config dashboards

    ## [3.0.3] - 2017-05-02

    ### Changed

    ## Addressed Certification Issues

    - Removed error key log of Session Key

    - Updated documentation for API Token entry to be more explicit

    ## [3.0.2] - 2017-04-25

    ### Changed

    ## Addressed Certification Issues

    - Validate user proxy input

    ## [3.0.1] - 2017-04-17

    ### Changed

    ## Addressed Certification Issues

    - Removed Javascript from setup.xml

    - Renamed the folder for the example log files

    ## [3.0.0] - 2017-03-17

    ### Changed

    ## Addressed Key Certification Issues

    - API Token is encrypted

    - Risk Lists are downloaded first to tmp then lookups not bin to lookups

    - Getting Started has been updated to reflect new additions

    - Installation Guide has been updated to reflect changes

    - Proxy can be added through the UI

    - Default frequency of Risk List downloads (IP/Domain 4hrs, Vuln/Hash 1 day)

    - Updated layout of Enrichment dashboards

    - Threat Landscape is changed to Monitor

    - Changed naming conventions of .py files to fit with multiple entity types

    - Updated download commands to take arguments

    - Gave users permission to access stored passwords (encrypted api token)

    - Refactored to take advantage of the new API

    - Use Requests instead of urllib2

    - Updated to new logo

    - IP Correlate dashboard no longer references Wordpress demo data

    - Changed version numbers to major.minor.bugfix

    - Recorded Future link is now app.recordedfuture.com

    - Scheduled Reports return current date when completed successfully

    - Added example logs files for Correlation dashboards

    ### Added

    - Enrichment dashboards for Vulnerabilities

    - Correlate dashboards for Vulnerabilities, Domains, and Hashes

    - Config dashboards to filter Risk Lists by Risk Rule

    - Package sample Risk Lists and correlation data

    ### Removed

    - Current Threat Trends Dashboard

    - Deleted deprecated code

    - Removed unused macros and commands

    ## [2.12.13] - 2016-12-13

    ### Changed

    - Altered read/write/execute rights on bin folder

    ### Added

    - Addition of lib folder with Python modules for encryption of key

    ### Removed

    - Removal of Recorded Future - Threatfeed from savedsearches.conf

    ### Added

    - Heatmap color-coding has been added to table panels in the following dashboards:

    Log Correlations

    IP Monitoring

    Domain Monitoring

    Current Threat Trends

    ### Changed

    - Altered dashboards to use rf_threatfeed.csv lookup.

    ## [2.2.4] - 2016-02-04

    ### Changed

    - IP enrichment dashboard API query uses IpAddress data_group

    - Domain enrichment dashboard API query uses InternetDomainName data_group

    - Hash enrichment dashboard API query uses Hash data_group

    - The three changes above now give accurate risk scores and match RF Intelligence Cards

    - /bin/rf_observablequery.py altered to handle API query changes to enrichment dashboards

    - v3.0 now rf_threatfeed used as a lookup and for correlation

    - Risk Score metric added to IP Enrichment dashboard

    - Font size change of metrics in summary panel on enrichment dashboards

    - Name changed from 'Add-on' to 'App'

    ### Added

    - IP monitoring dashboard includes input field for IP address

    - /appserver/static/rf_enrich_kpi.css to over-ride default font sizes in summary panels

    - Sample threat feed included in lookups directory

    ## [1.11.11] - 2015-11-1

    ### Changed

    - Added |localop to dashboards to address. Note: in some distributed environment cases, having just the localop keyword is not enough. A pipe (|) is needed before.

    ## [1.10.29] - 2015-10-29

    ### Changed

    - Added localop keyword to search string in IP Enrichment dashboard.

    ## [1.10.16] - 2015-10-16

    ### Changed

    - Removed 'Threatfeed URL' requirement from installation setup screen.

    - Code altered to download Recorded Future's threatfeed using API token only (for added security).

    - Splunk add-on documentation updated to reflect changes.

    - Disabled drilldown feature - which re-directed to Splunk search - on the following dashboards:

    Current Threat Trends

    IP Enrichment

    Domain Enrichment

    Hash Enrichment

    ### Added

    - Heatmap color-coding has been added to table panels in the following dashboards:

    Log Correlations

    IP Monitoring

    Domain Monitoring

    Current Threat Trends

    ## [1.10.09] - 2015-10-09

    ### Fixed

    - Corrected rf_hits macro syntax within macros.conf file

    ## [1.08.17] - 2015-08-17

    ### Added

    - Addition of rf_threatfeed.csv threatfeed lookup to evaluate risk of IP addresses.

    ### Changed

    - Altered dashboards to use rf_threatfeed.csv lookup.

    View Article
  • To add, remove, or otherwise modify access to individual users of a Recorded Future account, please contact your account representative or reach out to our support staff at [email protected].

    View Article
  • The following updates to the Maltego transforms are available as of September 24, 2018.

    Besides a few bug fixes, the major changes with this update include:

    Analyst Notes Support - transforms now permit expansion to and from analyst notes

    Revised API Credit model - calls to the Recorded Future API for Maltego transforms are now discounted; a single transform that hits the Recorded Future API costs 0.20 credits/call

    Riskier Hashes Returned - only malicious (or worse) hashes, with a risk score >= 65, are included in transforms that return hashes.

    Analyst Notes support

    Added transforms that fetch Analyst Notes for the following entity types:

    (note: only notes written by the Insikt Group are available in these transforms).

    IP

    Domain

    Hash

    Vulnerability

    Malware

    NS Server

    MX Server

    URL

    Transforms have also been added that fetch the following entity types from an Analyst Note:

    Attack Vector

    Domain

    Email

    Filename

    Hash

    IP

    Malware Signature

    Malware

    Malware Category

    Registry Key

    URL

    Vulnerability

    Revised API crediting model

    Because transforms can result in an unexpectedly large number of Connect/RAW API requests, we are pleased to introduce a reduced-cost API crediting model. In particular, every successful API request costs only 0.2 credits. Some transforms are composed of several requests and may cost up to a credit.

    Return only risky hashes

    Transforms that return hashes filter the resulting hashes to those with a risk score greater than or equal to 65; this reduces noise.

    Minor changes

    Added Malware to Email transform

    The type for hashes has been changed from malformity.Hash to maltego.Hash

    Added edge weight based on risk score for entities with a risk score

    Add NVD info to Vulnerabilities

    Return triggered risk rules

    Major transform speed ups

    Bug fixes

    Fix media type filters for Malware/Vulnerability Technical reporting

    Add missing details to IP to Location transform

    Fix broken IP to Organization transform

    View Article
  • [this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

    Adapt macros

    A macro is defined in a configuration file called macros.conf, usually bundled with a Splunk Application. Most of the macros that come predefined by Recorded Future are made to handle the JSON objects that we get back from the Recorded Future Connect API. However there is one macro called 'rf_hits' that might need some configuration by the user for the correlation dashboards to work correctly.

    [rf_hits(1)]
    args = infield
    definition = dedup $infield$ \
    | lookup rf_ip_threatfeed Name as $infield$ OUTPUT Name as RF_Hit, Risk, RiskString, EvidenceDetails \
    | search RF_Hit=* \
    | eval Rule = spath(EvidenceDetails,"EvidenceDetails{}.Rule") \
    | eval EvidenceString = spath(EvidenceDetails,"EvidenceDetails{}.EvidenceString")
    iseval = 0

    It is the fourth row that might need some customisation to use the correct threat list.

    Further help

    Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected].

    Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

  • [this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

    Adapt searches

    Correlation searches

    Recorded Future has a compilation of common log formats and how to correlate them with our risk lists on our support site: Common Splunk Search Strings for Recorded Future Risk Lists

    There is also a feature in Splunk called "Workflow actions" which allows context-dependent menu entries for search results.

    It's easy to add more such actions for fields not covered in the default set of actions: Pivoting to Recorded Future Enrichment Data in Splunk.

    Base search

    The base searches for the correlation dashboards look almost the same. This is the default base search for the IP Log Correlation Dashboard:

    index=main sourcetype="netscreen:firewall" earliest=-24h
    | eval Name=dst
    | join [|inputlookup rf_ip_risklist.csv | table * ]
    | search Risk != ""
    | sort -Risk

    The base search is used, as the name suggests, as a base for more specific searches. This both optimises the dashboard and makes the queries easier to write, since the first part of the search is written only once. It also lowers the risk of copy-paste errors.

    The first row selects the index 'main', the sourcetype 'netscreen:firewall' and the time scope 'last 24 hours' for the search.

    In the second row we rename the field 'dst' in the logs to 'Name' by using the eval statement.

    In the third row we join the results from the prior search with a table containing all fields available in the ip_risklist.csv lookup file. In older versions of this dashboard we used the lookup command instead. Lookup is, for our purposes, much slower and will not remove any non-matching events from the result, which is why we moved to join and a subsearch with inputlookup instead.

    In the fourth row we remove all results that do not have a Risk assigned to them, thus removing any results with no matches in the risk list, by searching for results where the field 'Risk' is not empty.

    In the last row we sort the results descending by Risk, by adding a '-' before the field name, thus making sure that the high-risk results end up at the top.

    Typical changes here would be to match the data against another list, such as a custom risk list. In the Recorded Future risk lists, the main element to match on is called Name, for example the domain in a domain risk list and the CVE in a vulnerability risk list. If a custom risk list is used, make sure to change the second row so that the field names match both the data in Splunk and the risk list.

    Sub searches

    This is the search that determines the number of unique rows in the base search. The first statement does a statistical distinct count, counting only the unique values in the field 'Name', and saves the result in the field 'count'. This value is then colored by using the rangemap statement (the range name must be spelled 'elevated' for the dashboard's colouring to apply).

    | stats dc(Name) as count
    | rangemap field=count low=0-0 elevated=1-1 default=severe

    In this subsearch, which produces the last table in the Correlation Dashboards, we start by counting the occurrences of each value in the field 'Name'. The difference between stats and eventstats is that with eventstats a new field, in this case 'Count', is added to each row in the results. We then remove all duplicate rows with regard to 'Name'. 'format_evidence' is a macro created by Recorded Future to parse the JSON object in the field 'EvidenceDetails', populating new fields with the data contained there. We then sort descending by Risk and remove all decimals from Risk before creating a table showing the final information.

    | eventstats Count BY Name
    | dedup Name
    | `format_evidence`
    | sort -Risk
    | eval Risk = round(Risk,0)
    | table Risk, Name, Count, RiskString, Rule, Evidence

    Enrichment searches

    The enrichment dashboards use a REST endpoint that calls the Recorded Future Connect API to get more information about the entered entity. Please note that this REST endpoint, and thus the enrichment dashboards, uses API credits.

    Base search

    The base search for each of the enrichment dashboards contains a REST call to get the information about the entity entered. Here it is possible to customise which kind of information you want to get back from the API. In our case we have selected all available fields, to be able to present as much data as possible to the user. The available fields can be found on the Recorded Future API page. The reason for the CDATA encapsulation, in other words the <![CDATA[ before and the ]]> after the search, is Splunk's handling of the characters in the regular expression in this search. The spath statement parses JSON objects so that the information can be used in searches. The last two statements convert the timestamps to a format that is much more readable for humans.

    <![CDATA[
    | rest /services/TA_recordedfuture-cyber/lookup_ip/$name$ fields="counts,risk,analystNotes,location,sightings,entity,timestamps,metrics,relatedEntities,riskyCIDRIPs,intelCard,threatLists" output_mode=json
    | `unpack_metrics`
    | rex field=risk.riskString ".*/(?<rulesMax>.+)"
    | rename rulesMax TO risk.rulesMax
    | spath input=timestamps
    | eval FirstSeen=strftime(strptime('timestamps.firstSeen', "%Y-%m-%dT%H:%M:%S.%NZ"), "%b %d, %Y")
    | eval LastSeen=strftime(strptime('timestamps.lastSeen', "%Y-%m-%dT%H:%M:%S.%NZ"), "%b %d, %Y")
    ]]>

    Sub searches

    A lot of the sub searches in the enrichment dashboards are quite similar, especially when it comes to the related entities tables. One example is the one below for related domains:

    | `unpack_relatedEntities(RelatedInternetDomainName)`
    | sort -count, name
    | rename name as Domain
    | rename count as References
    | table Domain, References

    The first thing we do is call the macro 'unpack_relatedEntities', which parses the JSON object in the field passed to the macro. We use a macro here to avoid writing the same code over and over, and it also makes sure that we do it the same way for all the related entity tables. Then we sort and rename some fields to get the headers and order we want. The last row creates the table that we see in the dashboard, showing the fields 'Domain' and 'References'.
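    The following Python is an added example, not code from the Recorded Future app, that reproduces outside Splunk what the enrichment base search and the related-domains subsearch above do: the rex that extracts rulesMax from risk.riskString, the timestamp conversion to "%b %d, %Y", and the unpack, sort and rename of related entities. The response object is constructed for the example, and the nesting of relatedEntities (a list of typed groups, each with entity/count pairs) is an assumption about the API response shape, as is the name unpack_related_entities for the macro stand-in. Python has no %N directive, so %f (microseconds) is used in its place.

```python
import re
from datetime import datetime

# Constructed stand-in for the lookup_ip REST endpoint's response. Field names
# follow the base search; the relatedEntities nesting is an ASSUMPTION about the
# Connect API shape, not taken from the app.
SAMPLE_RESPONSE = {
    "entity": {"name": "46.18.32.101", "type": "IpAddress"},
    "risk": {"score": 66, "riskString": "2/47"},
    "timestamps": {"firstSeen": "2016-11-02T16:26:00.000Z",
                   "lastSeen": "2018-04-15T12:34:28.869Z"},
    "relatedEntities": [
        {"type": "RelatedInternetDomainName", "entities": [
            {"count": 2, "entity": {"name": "a.example", "type": "InternetDomainName"}},
            {"count": 5, "entity": {"name": "evil.example", "type": "InternetDomainName"}},
            {"count": 2, "entity": {"name": "b.example", "type": "InternetDomainName"}},
        ]},
        {"type": "RelatedMalware", "entities": [
            {"count": 1, "entity": {"name": "ConstructedMalwareName", "type": "Malware"}},
        ]},
    ],
}

# The same pattern as: rex field=risk.riskString ".*/(?<rulesMax>.+)"
RULES_MAX_RE = re.compile(r".*/(?P<rulesMax>.+)")


def rules_max(risk_string):
    """'2/47' -> '47': the greedy .* swallows everything up to the last '/'."""
    m = RULES_MAX_RE.match(risk_string)
    return m.group("rulesMax") if m else None


def human_date(timestamp):
    """strftime(strptime(ts, "%Y-%m-%dT%H:%M:%S.%NZ"), "%b %d, %Y") in Python terms;
    %f stands in for Splunk's %N sub-second directive."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").strftime("%b %d, %Y")


def unpack_related_entities(response, entity_type):
    """Hypothetical stand-in for `unpack_relatedEntities(<type>)`: flatten one
    relatedEntities group into (name, count) pairs; unknown types give []."""
    for group in response.get("relatedEntities", []):
        if group.get("type") == entity_type:
            return [(e["entity"]["name"], e["count"]) for e in group.get("entities", [])]
    return []


def related_domains_table(response):
    """| `unpack_relatedEntities(RelatedInternetDomainName)` | sort -count, name
    | rename name as Domain | rename count as References | table Domain, References"""
    rows = unpack_related_entities(response, "RelatedInternetDomainName")
    rows.sort(key=lambda r: (-r[1], r[0]))  # count descending, then name ascending
    return [{"Domain": name, "References": count} for name, count in rows]


def enrich(response):
    """Post-processing of the enrichment base search: rulesMax, FirstSeen, LastSeen."""
    return {
        "Name": response["entity"]["name"],
        "Risk": response["risk"]["score"],
        "risk.rulesMax": rules_max(response["risk"]["riskString"]),
        "FirstSeen": human_date(response["timestamps"]["firstSeen"]),
        "LastSeen": human_date(response["timestamps"]["lastSeen"]),
    }


if __name__ == "__main__":
    print(enrich(SAMPLE_RESPONSE))
    for row in related_domains_table(SAMPLE_RESPONSE):
        print(row)
```

    Running the block prints the enriched summary (rulesMax 47, FirstSeen Nov 02, 2016, LastSeen Apr 15, 2018) followed by the domain table in the same order the dashboard would show it: evil.example first, then a.example and b.example, which tie on count and are ordered by name.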

    Further help

    Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected].

    Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

  • [this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

    Adapt dashboards

    Some dashboards, such as the correlation dashboards, can easily be modified to suit your needs. We recommend cloning an existing dashboard before editing the source code.

    Cloning a dashboard

    Cloning an existing dashboard can be done by clicking the triple dots in the upper right corner and selecting Clone.

    Enter the new title and name for the dashboard and click on "Clone Dashboard", and then "Edit". The difference between Private and Clone permissions is whether the dashboard should be accessible only by the current user or by all users.

    You have now entered the edit view on the new dashboard.

    Customising

    The most common task is to change which data to correlate. This is done by clicking on the "Source" button to show the source XML for the dashboard. The three most important fields in a correlation dashboard are the ones highlighted in the image below:

    The first one selects the sourcetype of the logs on the Splunk Enterprise server. The second one is the name of the field containing the information we are matching on; in this image we are matching on the 'dst' field, which usually contains the destination IP address in the log. The third one is the name of the lookup table to correlate the data against, and usually corresponds to a threat list configured in the inputs section of this Splunk app. An easy way to find good ways to correlate Splunk data with risk lists is to use the Splunk Explorer Dashboard.

    Data structure

    This is the format of our IP Address Threat Lists:

    Name,Risk,RiskString,EvidenceDetails
    46.18.32.101,66.0,2/47,"{""EvidenceDetails"":[{""Timestamp"":""2016-11-02T16:26:00.000Z"",""Criticality"":1,""Rule"":""Historical Multicategory Blacklist"",""CriticalityLabel"":""Unusual"",""EvidenceString"":""1 sighting on 1 source: hpHosts Latest Additions. Most recent link (Nov 2, 2016): hxxp://hosts-file.net/?s=doggytalk.be"",""MitigationString"":""""},{""Timestamp"":""2018-04-15T12:34:28.869Z"",""Criticality"":3,""Rule"":""Phishing Host"",""CriticalityLabel"":""Malicious"",""EvidenceString"":""1 sighting on 1 source: PhishTank: Phishing Reports (verified phish). IP Address reported as host of 1 active phishing URL: hxxp://letiz.be/uploads/bnz.html."",""MitigationString"":""""}]}"

    The format is a standard CSV where the column we match on is 'Name'. This is the same for all default Recorded Future Risk Lists. There are two possibilities here. Either your sourcetype has a different name for the field, such as 'dest' instead of 'dst'; then just change 'eval Name=dst' to 'eval Name=dest'. Or your custom correlation list has another field name to match on, such as 'IP'; then more changes are needed, such as changing all the subsearches in the dashboard to use the new field name.
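    The following Python is an added example, not code from the Recorded Future app, that reproduces outside Splunk what the 'rf_hits' macro and the IP Log Correlation base search and final table (from the "Adapt macros" and "Adapt searches" articles above) do against a risk list in the CSV format just shown: dedup on the matched field, look each value up by 'Name', drop non-matches, count occurrences per 'Name', round Risk, sort descending by Risk, pull Rule and EvidenceString out of the EvidenceDetails JSON, and map the distinct count to the rangemap severity. The risk list rows and the firewall events are constructed for the example (the first row is a shortened copy of the page's sample row; 192.0.2.10 and the rule name on it are invented), and the parameter name infield mirrors the macro's argument.

```python
import csv
import io
import json
from collections import Counter

# CONSTRUCTED risk list in the documented Name,Risk,RiskString,EvidenceDetails layout.
# Row 1 is shortened from the page's sample; row 2 is invented (RFC 5737 address).
RISK_LIST_CSV = (
    'Name,Risk,RiskString,EvidenceDetails\n'
    '46.18.32.101,66.0,2/47,"{""EvidenceDetails"":[{""Timestamp"":""2016-11-02T16:26:00.000Z"",'
    '""Criticality"":1,""Rule"":""Historical Multicategory Blacklist"",""CriticalityLabel"":""Unusual"",'
    '""EvidenceString"":""1 sighting on 1 source: hpHosts Latest Additions."",""MitigationString"":""""},'
    '{""Timestamp"":""2018-04-15T12:34:28.869Z"",""Criticality"":3,""Rule"":""Phishing Host"",'
    '""CriticalityLabel"":""Malicious"",""EvidenceString"":""1 sighting on 1 source: PhishTank."",'
    '""MitigationString"":""""}]}"\n'
    '192.0.2.10,25.0,1/47,"{""EvidenceDetails"":[{""Timestamp"":""2019-01-01T00:00:00.000Z"",'
    '""Criticality"":1,""Rule"":""Constructed Example Rule"",""CriticalityLabel"":""Unusual"",'
    '""EvidenceString"":""1 sighting on 1 source (constructed)."",""MitigationString"":""""}]}"\n'
)

# CONSTRUCTED firewall events; only the 'dst' field matters for the correlation.
LOG_EVENTS = [
    {"src": "10.0.0.5", "dst": "46.18.32.101"},
    {"src": "10.0.0.7", "dst": "46.18.32.101"},
    {"src": "10.0.0.9", "dst": "192.0.2.10"},
    {"src": "10.0.0.5", "dst": "198.51.100.4"},  # not on the risk list
]


def load_risk_list(csv_text):
    """Equivalent of `inputlookup rf_ip_risklist.csv`: map Name -> parsed row.
    Rule/Evidence are lists, like spath over EvidenceDetails{} in Splunk."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        evidence = json.loads(row["EvidenceDetails"])["EvidenceDetails"]
        rows[row["Name"]] = {
            "Risk": float(row["Risk"]),
            "RiskString": row["RiskString"],
            "Rule": [e["Rule"] for e in evidence],
            "Evidence": [e["EvidenceString"] for e in evidence],
        }
    return rows


def rf_hits(events, risk_list, infield="dst"):
    """Python equivalent of the rf_hits(1) macro: dedup $infield$, lookup by Name,
    keep only rows with RF_Hit set, expose Rule and EvidenceString."""
    hits, seen = [], set()
    for event in events:
        value = event.get(infield)
        if value is None or value in seen:      # dedup $infield$
            continue
        seen.add(value)
        match = risk_list.get(value)
        if match is None:                       # search RF_Hit=* drops non-matches
            continue
        hits.append({"RF_Hit": value, "Risk": match["Risk"],
                     "RiskString": match["RiskString"], "Rule": match["Rule"],
                     "EvidenceString": match["Evidence"]})
    return hits


def correlate(events, risk_list, infield="dst"):
    """Base search plus final table: eval Name=<infield> | join risk list
    | search Risk!="" | eventstats Count BY Name | dedup Name | sort -Risk
    | eval Risk=round(Risk,0) | table Risk, Name, Count, RiskString, Rule, Evidence"""
    names = [e[infield] for e in events if infield in e]
    counts = Counter(names)                      # eventstats Count BY Name
    table = []
    for name in dict.fromkeys(names):            # dedup Name (first-seen order)
        match = risk_list.get(name)
        if match is None:                        # join leaves no Risk -> dropped
            continue
        table.append({"Risk": int(round(match["Risk"])), "Name": name,
                      "Count": counts[name], "RiskString": match["RiskString"],
                      "Rule": match["Rule"], "Evidence": match["Evidence"]})
    table.sort(key=lambda r: -r["Risk"])         # sort -Risk
    return table


def rangemap_severity(distinct_count):
    """rangemap field=count low=0-0 elevated=1-1 default=severe"""
    if distinct_count == 0:
        return "low"
    if distinct_count == 1:
        return "elevated"
    return "severe"


if __name__ == "__main__":
    risk_list = load_risk_list(RISK_LIST_CSV)
    rows = correlate(LOG_EVENTS, risk_list)
    print("distinct risky destinations:", len(rows), rangemap_severity(len(rows)))
    for row in rows:
        print(row["Risk"], row["Name"], row["Count"], row["RiskString"], row["Rule"])
```

    With the constructed input, the table has two rows: 46.18.32.101 (Risk 66, Count 2, rules Historical Multicategory Blacklist and Phishing Host) ahead of 192.0.2.10 (Risk 25, Count 1); 198.51.100.4 is dropped because it has no match, and the distinct count of 2 maps to 'severe'. Swapping the infield argument (for example to 'dest') is the Python counterpart of changing 'eval Name=dst' in the dashboard source.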

    Disappearing dashboards

    If you, for some reason, accidentally lose your newly cloned dashboard, you can access it by going to Other -> Dashboards. This will show all dashboards for all add-ons in Splunk, but you can click on the 'This App's' button to show only the dashboards related to the Recorded Future Splunk app.

    Further help

    Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected].

    Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

  • [this is for v4.0.x of the Recorded Future App for Splunk Enterprise]

    Install and Configure Reports

    The easiest way to adapt or add new reports is to go to Other -> Reports.

    Then click on 'Open in Search' on the report you want to adapt.

    This will send you to a search page with the current report's search populated.

    Here you can add or remove parts of the search. For example, we might want a report that only looks at logs with the log level 'ERROR' instead of all logs. One way to do this is to click on the field 'loglevel' in the left column and, if 'ERROR' is available as a value, click it; otherwise click on INFO and the search row will automatically add 'loglevel=INFO'.

    Just change 'INFO' to 'ERROR' and click search to view the result that would create the report.

    Depending on whether there have been any error logs so far, the result might be empty, but the report will still find any future error logs.

    When you are happy with the search, click on the 'Save As' menu in the upper right corner, and then click on 'Report' to save the new search as a new report. Fill out the information and click on save and you're done.

    Further help

    Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected].

    Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".

