Recorded Future for Splunk
Installation and setup
Installing the Recorded Future for Splunk
The app is available on SplunkBase. It can either be installed directly from SplunkBase or downloaded from there and installed manually.
WARNING
This app is not compatible with the previous app and add-on from Recorded Future. The following must be removed from the system before installing the app:
• Recorded Future app for Splunk Enterprise (TA_recordedfuture-cyber)
• Recorded Future add-on for Splunk ES (TA-recorded_future)
The app is intended to run on Splunk servers with the search head role. It can be installed on Search Head clusters (see below) and on search heads connected to index clusters.
Once installed, the app must be set up.
Installing on a Search Head Cluster
1. Download the package into $SPLUNK_HOME/etc/shcluster/apps on the deployer of the Search Head Cluster.
2. Unpack the package:
tar zxvfp recordedfuture_app_for_splunk_XXX.tgz
3. Remove the package file:
rm recorded-future_app_for_splunk_XXX.tgz
4. Push the new app to the Cluster nodes:
splunk apply shcluster-bundle ...
5. Connect to any Search Head Cluster node and ensure that the configuration is set with the correct API Credential. The App will ensure that configuration is propagated to all nodes in the cluster.
The Recorded Future App for Splunk will detect when running in a Search Head Cluster to ensure that only one node, the captain, retrieves the Risk Lists and the alerts.
Initial Setup of the App
When the app has been installed on the Splunk server, finalise the initial setup under menu:Configuration[Configuration].
NOTE
The app is not compatible with the old integrations from Recorded Future (Recorded Future App for Splunk Enterprise and Add-on for Splunk ES). These must be removed from the Splunk system.
The Configuration view has three panes:
• Setup
• Risk Lists
• Alerting Rules
Configure the API credential with Connect API access and a working API endpoint under the Setup view.
The API credential must be configured in the Setup pane in order for the app to work. A user needs the capability of 'list_storage_passwords' to configure API Credential and Proxy settings in the App.
Setup
Figure 1. Setup tab of the Configuration view
API Credential
All the settings except for Risk Lists and Alerting Rules are configured under the Setup tab. The minimum possible configuration is setting the API Credential here.
NOTE The minimum required configuration is adding the API Credential.
SSL Verification
If you need to disable certificate validation, for example if a networking device in between the Splunk machine and the internet is modifying the SSL certificate, this can be done by unchecking the "SSL Verification" checkbox.
Proxy
If the Splunk server requires a proxy for Internet access, the "Proxy" checkbox should be checked.
This will reveal new fields that need to be filled in. The username and password should only be configured if the proxy requires authentication. Proxy host and port are required settings.
API URL
Recorded Future support may in rare circumstances instruct a user to use a different URL to the Recorded Future API, in which case the "Recorded Future API URL" should be modified.
Log level
There are five levels of logging: CRITICAL, ERROR, WARNING, INFO and DEBUG.
The recommended log level is INFO. To report an issue with the Recorded Future App, temporarily change it to DEBUG to collect additional logs that can be used for troubleshooting.
The logs generated by the Recorded Future App are located in the default Splunk log directory
$SPLUNK_HOME/var/log/splunk and will be written to the following file:
• ta_recordedfuture_rest.log
The information contained in the log files can be viewed either in the Splunk GUI or as files on the Splunk server.
Example search:
index=_* source="/opt/splunk/var/log/splunk/ta_recordedfuture_rest.log"
More information about troubleshooting is available in the Troubleshooting section.
Configure and Manage Risk Lists
Risk Lists can be used to correlate and enrich events. Each element in a Risk List, such as an IP address or a domain, has a risk score and the information which contributed to that risk score.
Default Risk Lists
The Recorded Future App for Splunk is shipped with the five Recorded Future Risk Lists:
• IP address
• Domain names
• URLs
• Hashes of files
• Vulnerabilities (mainly CVEs)
With Fusion access, it is possible to set up additional customized Risk Lists.
Add Risk Lists
Figure 2. The Risk Lists tab in the Configuration view
Additional Risk Lists can be downloaded by clicking "Add Risk List".
The following fields appear at the top:
Field: Name
Significance: Risk List name within the Splunk instance.
Comment: The lookup file will be named <name>.csv.

Field: Risk List category
Significance: The type of entity contained in the Risk List.
Comment: IP, Domain, Hash, Vulnerability, or URL.

Field: Fusion file
Significance: The path to the Fusion Risk List.
Comment: The path must point to a defined Fusion file stored as an uncompressed CSV file if used as a lookup.

Field: Update Interval
Significance: The interval used to check for updates.
Comment: Default is as soon as an updated version is available.
When done configuring the new Risk List, click on btn:[Save] to save the new configuration.
Manage Risk Lists
All configured Risk Lists are listed under menu:Configuration[Configuration > Risk Lists].
The list of Risk List inputs is sorted to show any custom Risk Lists at the top and the default configuration at the bottom. The default Risk List inputs can not be deleted, only disabled.
To edit a configured Risk List, just click on btn:[Edit] and the fields will unlock. Click btn:[Save] when done editing the settings.
To remove a Risk List, select the corresponding btn:[Delete Risk List] checkbox and click on btn:[Save].
Figure 3. Risk Lists tab in the Configuration view
Alert Monitoring Setup
There is no default configuration for alert monitoring. Alert monitoring is configured in menu:Configuration[Configuration > Alerting Rules].
When monitoring alerts, the Recorded Future App will poll the Recorded Future API for alerts which match the configured criteria.
By default, the alerts are fetched on the fly when needed by a dashboard.
Add Alert Monitoring
To add alert monitoring, click on btn:[Add Alerting Rule] and select the Alerting Rule to fetch alerts from. The following fields then appear:
Alert Rules tab in the Configuration view
Field: Name
Significance: Alerting Rule name.
Comment: Name of the Alerting Rule input.

Field: Alert Status
Significance: Matches any alert status by default.
Comment: The filter can be configured as needed.

Field: Time Range
Significance: Filters on the timestamp of the alert. Default is anytime.
Comment: The notation is the same as in the Recorded Future portal, for example:
• "-2d to now"
• "-2h to -1h"
• "yesterday"
There are a few common choices available as a dropdown.

Field: Limit
Significance: Amount of alerts to fetch.
Comment: Default is 10. This should be adjusted depending on the amount of alerts that trigger for this rule.

Field: Alerting Rule
Significance: Which alerting rule to fetch.
Comment: This is the rule that you selected when creating the Alerting Rule input.
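The Time Range notation above can be resolved into an absolute window before alerts are filtered. The following is an added example, not the app's or the Recorded Future portal's own parser: it covers only the forms shown in the table ("-Nh"/"-Nd" offsets, "now", "yesterday", "anytime"), and reading "yesterday" as the previous UTC calendar day is an assumption. Anything else raises ValueError rather than silently widening the window to "anytime".

```python
"""Resolve an alert Time Range expression into an absolute [start, end) window.

Added example, not code from the Recorded Future app. Grammar and the
UTC-calendar-day reading of "yesterday" are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

_RELATIVE = re.compile(r"^-(\d+)([hd])$")   # e.g. -2h, -2d
_UNIT = {"h": "hours", "d": "days"}

# Constructed reference time for the demo; a real caller passes the current time.
REFERENCE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _point(token: str, now: datetime) -> datetime:
    """Resolve one endpoint: 'now' or a negative offset such as '-2h'."""
    if token == "now":
        return now
    m = _RELATIVE.match(token)
    if not m:
        raise ValueError(f"unsupported time token: {token!r}")
    return now - timedelta(**{_UNIT[m.group(2)]: int(m.group(1))})


def parse_time_range(expr: str, now: datetime):
    """Return (start, end) as aware datetimes; start is None for 'anytime'."""
    text = expr.strip().lower()
    if text in ("", "anytime"):
        return None, now
    if text == "yesterday":
        start = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
        return start, start + timedelta(days=1)
    if " to " not in text:
        raise ValueError(f"expected '<from> to <to>' or 'yesterday', got {expr!r}")
    left, right = (part.strip() for part in text.split(" to ", 1))
    start, end = _point(left, now), _point(right, now)
    if start >= end:
        raise ValueError(f"start is not before end in {expr!r}")
    return start, end


def window_iso(expr: str, now: datetime = REFERENCE_NOW):
    """The resolved window as ISO-8601 strings (None for an open start)."""
    start, end = parse_time_range(expr, now)
    return (None if start is None else start.isoformat(), end.isoformat())


if __name__ == "__main__":
    for expr in ("-2d to now", "-2h to -1h", "yesterday", "anytime"):
        print(expr, "->", window_iso(expr))
```

Rejecting unknown tokens matters here because a filter that falls back to "anytime" on a typo would quietly fetch far more alerts than the configured Limit was sized for.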
Manage Alerting Rules
To edit a configured Alerting Rule, just click on btn:[Edit] and the fields will unlock. Click btn:[Save] when done editing the settings.
To remove an Alerting Rule, select the corresponding btn:[Delete Alerting Rule] checkbox and click on btn:[Save].
Setup Splunk Enterprise Security
The app has built-in support for Splunk Enterprise Security. The support is available when the app is installed on a search head together with Splunk ES.
Enable Splunk ES support
In the Recorded Future for Splunk menu, select Configure. Ensure that the switch to enable support for Splunk ES is enabled.
Required configuration within Splunk ES
To be able to use the full features of Splunk ES functionality, some configuration has to be done in Splunk Enterprise Security.
• In the Enterprise Security menu bar, click menu:Configure[Incident Management > Incident Review Settings].
• Click the btn:[Add new entry] in the "Incident Review - Event Attributes" section. Add the following Label and Field Combinations:
Label Field
RF Risk Score rf_a_risk
RF Triggered Rules rf_b_rules
RF Very Malicious Evidence rf_evidence_critical
RF Malicious Evidence rf_evidence_malicious
RF Suspicious Evidence rf_evidence_suspicious
RF Unusual Evidence rf_evidence_unusual
• A restart of the Splunk instance will be required once the installation has completed.
• If you haven’t already done so, enable the Enterprise Security correlation search called "Threat Activity Detected".
1. In the Enterprise Security menu bar, click menu:Configure[Content Management]
Enrichment of detected events
Splunk ES detects suspicious events using its built-in Threat Intelligence framework. Recorded Future leverages the framework to perform detection of suspicious events.
Once an event has been detected it is however necessary to enrich it to make triage efficient. This can be done in two ways:
1. Using saved searches which adds data from Recorded Future’s Risk Lists to the events.
2. Using the provided Adaptive Response action. This method makes a query to Recorded Future’s API to fetch up-to-date information.
See below for instructions on how to activate respective method.
Saved Searches to perform Enrichment
By default the app will enable four saved searches that will perform the enrichment of any compatible notable events. See below for the steps needed to switch to Adaptive Response based Enrichment.
Adaptive Response (AR) to perform Enrichment
To activate Adaptive Response (AR), the following steps need to be performed:
• Turn off the searches that enrich notable events:
1. Go to menu:Configure[Content Management]
2. Disable "RF IP Threatlist Search", "RF Domain Threatlist Search" and "RF Hash Threatlist Search" (easier to find if you use the app filter, but not necessary).
• Click on "Threat Activity Detected" to open the settings.
1. Next to "Adaptive Response Action", click btn:[Add New Response Action]
2. Select Recorded Future’s action.
3. Leave the default "Automatic" selection.
• Click save
Adaptive Response Ad-hoc invocation
Ad-hoc invocations of Adaptive Response can be made, for example from the Incident Review dashboard.
The user invoking the Adaptive Response in this way must have the list_storage_passwords capability.
Technical description of the App
Functionality
The App provides three major functions:
1. Threat detection support
2. Alert triage support
3. Makes Alerts from Recorded Future available on the Splunk system
All functionality is implemented with saved searches which in some cases call the App’s custom REST handler.
Threat Detection (Correlation)
Threat Detection is implemented by correlating selected log sources with lookup files available to the Splunk system. The App makes a number of lookup files available, their content corresponds to Recorded Future Risk Lists.
Recorded Future Risk Lists are CSV files (columns are Name, Risk, RiskString and EvidenceString).
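What the correlation step amounts to, as an added example that is not code from the Recorded Future app: a Risk List in the documented column layout is loaded, and constructed log events are matched on their indicator field in the way a Splunk lookup against <name>.csv would, attaching the risk data to each hit. The CSV rows, the events and the field names rf_risk/rf_rules/rf_evidence are constructed for illustration.

```python
"""Correlate log events against a Risk List CSV (Name, Risk, RiskString, EvidenceString).

Added example, not the app's code. Sample Risk List rows and events are constructed.
"""
import csv
import io
from typing import Dict, List

# Constructed Risk List in the documented four-column layout (not real RF data).
RISK_LIST_CSV = """Name,Risk,RiskString,EvidenceString
198.51.100.23,89,3/50,"[{""rule"":""Recent C&C Server""}]"
203.0.113.7,25,1/50,"[{""rule"":""Historical Scanner""}]"
example.invalid,65,2/40,"[{""rule"":""Recent Malware Host""}]"
"""

# Constructed firewall-style events with a destination field to correlate on.
EVENTS = [
    {"src": "10.0.0.5", "dest": "198.51.100.23", "action": "allowed"},
    {"src": "10.0.0.9", "dest": "192.0.2.44", "action": "allowed"},
    {"src": "10.0.0.5", "dest": "203.0.113.7", "action": "blocked"},
]

REQUIRED_COLUMNS = {"Name", "Risk", "RiskString", "EvidenceString"}


def load_risk_list(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the CSV into a dict keyed by Name.

    A list missing any of the four documented columns is rejected, so a truncated
    or malformed download cannot silently become a lookup with empty risk data.
    """
    reader = csv.DictReader(io.StringIO(text))
    present = set(reader.fieldnames or [])
    if not REQUIRED_COLUMNS.issubset(present):
        raise ValueError(f"Risk List is missing columns: {sorted(REQUIRED_COLUMNS - present)}")
    return {row["Name"]: row for row in reader}


def correlate(events: List[dict], risk_list: Dict[str, Dict[str, str]],
              field: str = "dest", min_risk: int = 0) -> List[dict]:
    """Return copies of the events whose `field` value is in the Risk List,
    enriched with the risk score, triggered-rule count and evidence, and
    filtered so only entries with Risk >= min_risk are reported."""
    hits = []
    for event in events:
        entry = risk_list.get(event.get(field, ""))
        if entry is None:
            continue
        risk = int(entry["Risk"])
        if risk < min_risk:
            continue
        enriched = dict(event)
        enriched["rf_risk"] = risk
        enriched["rf_rules"] = entry["RiskString"]
        enriched["rf_evidence"] = entry["EvidenceString"]
        hits.append(enriched)
    return hits


if __name__ == "__main__":
    rl = load_risk_list(RISK_LIST_CSV)
    for hit in correlate(EVENTS, rl, min_risk=65):
        print(hit["dest"], hit["rf_risk"], hit["rf_rules"], hit["rf_evidence"])
```

The min_risk threshold is the knob to tune when a default list produces more matches than an analyst can triage; the evidence string is carried through so the reason for the match is visible on the event itself.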
For each configured Risk List the App will monitor the API for updates and whenever an update is available this will be downloaded and stored in the lookup folder within the app.
The saved search "Recorded Future - Download Risk Lists" is scheduled to run every 5 minutes.
During each run the following steps are performed:
1. Configuration for the Risk Lists is checked.
2. For each configured Risk List the "Update Interval" is checked to determine if the Risk List can be updated. The default is to always check.
3. If the Risk List is to be checked a call to the Recorded Future API is done using the HTTP HEAD method. The response contains a checksum for Risk List available at the API. This checksum is compared with the checksum of the Risk List stored locally.
4. If the checksums differ, the Risk List is updated. The custom REST handler creates and executes a search on the Splunk system:
a. The Risk List is downloaded from Recorded Future’s API using a dedicated endpoint within the handler.
b. The content is fed to an outputlookup command which stores the data as a lookup file.
c. The new checksum for the local copy of the Risk List is calculated and stored as a checkpoint.
Alert Triage (Enrichment)
The Alert Triage is implemented via a number of Enrichment dashboards:
• IP Enrichment
• Domain Enrichment
• Hash Enrichment
Each dashboard takes an entity and fetches information about it by making a call to the App’s custom REST handler. The handler makes a REST call to Recorded Future’s API and adapts the response to make it easier to render. The results are rendered in the dashboard.
Alerts from Recorded Future
Alerts from Recorded Future are shown using a dashboard. From a drop-down menu any of the configured Alerts configurations can be selected.
1. When a configuration has been selected the dashboard makes a REST call to the App’s custom REST handler requesting alerts matching the configuration.
2. The REST handler makes a REST call to Recorded Future’s API and fetches all alerts matching the search criteria. Some adaptations are made to the returned data before it is returned.
3. The dashboard renders the alerts.
If more detail is required, there is a separate endpoint within the handler that can fetch all available information for a given alert.
Functionality specific to Enterprise Security
The App will detect if it is running on a search head with Splunk Enterprise Security (ES) installed.
If this is the case an additional configuration setting is activated which enables or disables the ES specific functions. The rest of this section describes what those are.
Threat Intelligence Framework integration
Splunk ES includes the Threat Intelligence framework (TI), which is a very efficient method of correlating events with threat information. TI supports detection on IPs, domains, URLs and hashes.
If the ES support is activated, an additional step is performed whenever a Risk List is updated. This step calls an endpoint within the custom REST handler which converts the list into a format optimized for TI. The list in TI is then updated with the contents of the new Risk List (old data is also removed). Only entries added by the App are touched.
Enrichment of Notable Events
If the Splunk ES installation has been configured to promote events detected by the Threat Intelligence framework (TI) to Notable Events, these can be viewed in the "Incident review" dashboard.
TI does not support additional information about why an entity is dangerous. The app provides two methods to add this information to relevant Notable Events.
Saved search to enrich Notable Events
The App offers four saved searches (one per entity type supported by TI) that can enrich Notable events.
When active the searches will look for any Notable Event created using information from Recorded Future. When one is found a new Notable Event is created which contains the Risk Score, the number of triggered Risk Rules and a list of which Risk Rules that have triggered for the entity.
By updating the displayed fields in the Incident Review configuration panel (which is a setup step during installation of the app on an ES system), these new fields are displayed whenever a Notable Event is reviewed.
Adaptive Response to enrich Notable Events
The App offers an Adaptive Response action which can add the same information as the saved searches do above. The main difference is that this method makes a call via an endpoint in the custom REST handler to Recorded Future’s API to fetch up-to-date information (the saved search uses information from the stored Risk List).
Troubleshooting
Troubleshooting
The types of issues involving the Recorded Future App for Splunk can be divided into three categories. The Recorded Future App contains three reports, one for each category, to assist troubleshooting:
Category: Credential/Network
Report name: Validate app deployment
Purpose: This report displays the result of a number of tests and lookups that are performed when the report is run.

Category: Risk List Download/Frequency
Report name: Latest updates of all Risk Lists
Purpose: This report shows the last 5 Risk List updates.

Category: Other
Report name: All logs from the App
Purpose: This report displays all the logs produced by the app in one view.
How to Use the Reports
Check configuration/network connectivity
Run the report "Validate App Deployment" when the Recorded Future App for Splunk has been deployed and configured or as an initial step during troubleshooting. The built-in validator performs a number of tests and collects useful troubleshooting information. "Ok" and "NA"
Figure 4. Validation Report
Verify that Risk Lists are downloaded correctly
The Recorded Future Risk Lists are available from the Recorded Future API. The report "Latest Update of all Risk Lists" shows all Risk Lists that have been downloaded successfully. We save the timestamps from the last 5 successful downloads. Any Risk Lists not shown in the report have never been downloaded successfully.
The recommended update frequency of the Recorded Future Risk Lists depends on how often they are updated. The current schedule can be found on the Recorded Future Support site.
There are several issues that can impact the download of a Risk List. Use the following guide to troubleshoot Risk Lists that are not updated as expected:
1. If all Risk Lists fail to be updated, it is likely that there is an issue with network connectivity or the API Credential used. Run the report "Validate app deployment" described above.
2. Check that the configuration specifies the correct interval for updates on the configuration page.
3. The Fusion path may not exist or it was spelled wrong. This can be verified by performing the following search:
index=_* sourcetype="tarecordedfuture:log" ERROR 404 "File or directory" path=*
4. Check that the path field corresponds to a Fusion file. Note that it is URL encoded which means that the Fusion file path /home/custom.csv will read %2Fhome%2Fcustom.csv.
5. Ensure that the Recorded Future API Credential used by the app belongs to the correct enterprise in Recorded Future’s system. With the exception of public Fusion files (paths starting with /public/), no Fusion files are available outside of the Enterprise that owns them.
6. Ensure that the Fusion Flow responsible for generating the Fusion file was successfully executed.
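Steps 3 and 4 can be checked outside the Splunk search bar as well. The following is an added example, not code from the app: it scans constructed log lines shaped like the search in step 3 (ERROR, 404, "File or directory", path=), decodes the URL-encoded Fusion path back to the form seen in the portal, and suggests the closest configured path to catch the misspelling case. The exact line layout of ta_recordedfuture_rest.log is an assumption made for the sample.

```python
"""Spot 404s on Fusion paths in the app log and decode the URL-encoded path.

Added example, not code from the Recorded Future app. The log lines are
constructed and their layout is an assumption about the real log format.
"""
import difflib
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log (not real app output).
SAMPLE_LOG = """\
2024-01-15 12:00:01,123 INFO  risklist check name=rf_ip path=%2Fpublic%2Fip.csv status=200
2024-01-15 12:00:02,456 ERROR risklist check name=custom path=%2Fhome%2Fcustom.csv status=404 File or directory not found
2024-01-15 12:00:03,789 ERROR risklist check name=typo path=%2Fhome%2Fcustm.csv status=404 File or directory not found
2024-01-15 12:00:04,000 ERROR alerts fetch rule=abc status=401 Unauthorized
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+.*?name=(?P<name>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)(?P<rest>.*)$"
)


def missing_fusion_files(log_text: str) -> List[Tuple[str, str]]:
    """Return (risk list name, decoded Fusion path) for each ERROR/404
    "File or directory" line, mirroring the step 3 search."""
    found = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group("level") != "ERROR" or m.group("status") != "404":
            continue
        if "File or directory" not in m.group("rest"):
            continue
        # The path is URL encoded in the log (%2Fhome%2Fcustom.csv -> /home/custom.csv).
        found.append((m.group("name"), unquote(m.group("path"))))
    return found


def suggest_spelling(path: str, configured_paths: List[str]) -> Optional[str]:
    """Nearest known Fusion path, to surface the 'spelled wrong' case in step 3.
    Returns None when nothing is close enough (the path may then belong to another
    enterprise, see step 5)."""
    matches = difflib.get_close_matches(path, configured_paths, n=1, cutoff=0.8)
    return matches[0] if matches else None


if __name__ == "__main__":
    known = ["/home/custom.csv", "/public/ip.csv"]
    for name, path in missing_fusion_files(SAMPLE_LOG):
        print(f"{name}: {path} not found; closest configured path: {suggest_spelling(path, known)}")
```

A 404 on a path that is spelled correctly and is not public usually points at step 5 (the credential belongs to a different enterprise) rather than at the path itself.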
Other issues
The report "All logs from the App" lists all the events created by the app. The log level can be
appropriate to increase the level to DEBUG.
A good starting place is to look for errors (loglevel ERROR). The report can be opened in the search view: select menu:Open in Search[] via the btn:[Edit] button.
Raising an issue with Recorded Future
When reporting an issue to Recorded Future, the following procedure will generate a good set of information for further analysis:
1. Short summary of the issue: what is or is not happening? Is it happening all the time or is it intermittent or limited to a subset of entities?
2. Take screenshots showing the results of reports "Validate App Deployment" and "Latest Update of all Risk Lists".
3. Increase the log level to DEBUG.
4. Trigger the issue.
5. Note the date and time the issue was triggered. Make sure to include this into the report to Recorded Future.
6. Run the report "All logs from the App" and export the results as a CSV file.
7. Reset the log level.