Splunk Lantern

Automating threat operations and threat hunting with the Recorded Future App for Splunk

Organizations continue to face the problem of proliferating threats and adversary automation. Because security analysts are often overwhelmed by a high volume of alerts and competing priorities, it can be difficult not only to keep pace but also to shift toward more proactive operations like threat hunting. Recorded Future's Autonomous Threat Operations in the Splunk platform/Splunk Enterprise Security is designed to help defenders close this gap by pairing real-time intelligence with the ability to run autonomous threat hunts in their environment.

What is Autonomous Threat Operations?

Autonomous Threat Operations is a capability that helps you transform your security investment from manual processes to automated risk mitigation.

With the Recorded Future App for Splunk, you can automatically launch hunts from Recorded Future when new threats emerge, while continuously monitoring for known threats to provide targeted and comprehensive threat detection without manual intervention.

From the Recorded Future platform, users can:

  • Launch autonomous threat hunts based on IOCs, TTPs, and pre-built hunting packages
  • Ingest third-party feeds
  • Deploy intelligence to security controls (SIEM, EDR, Firewall)
  • Report on intelligence operations (such as detections, preventions, or threat hunts)

This helps to:

  • Reduce reliance on manual threat hunting
  • Enable end-to-end automation and measurement, improving the overall Mean Time to Detect (MTTD)
  • Maintain active defense across the security stack, with a reduction in false positives through up-to-date intelligence

Deploying threat hunts with the Recorded Future App for Splunk

The Recorded Future platform enables you to operationalize Autonomous Threat Operations with the Recorded Future App for Splunk. From the app, you can launch repeatable, intelligence-driven threat hunts that target high-priority threat actors, malware, and TTPs:

[Screenshot]

Start from pre-defined hunt templates, as shown in the screenshot below. Then, you can refine how they run using granular filters, such as indicator type, risk score, and risk rules, to ensure only the most relevant intelligence is deployed. Scheduled hunts automatically refresh with the latest intelligence on each run, with results from the Splunk platform surfaced in your Recorded Future platform for review. For Splunk Enterprise Security users, there is an additional option to enable hunt results to create notables.

[Screenshot]

Splunk Enterprise configuration

In order to provide proper visibility and meaningful results, ensure your environment is ingesting telemetry such as:

  • DNS
  • Proxy
  • EDR/EPP
  • IDS/IPS
  • Firewall & WAF
  • Email & web gateway

For Sigma-based hunting and detection, popular sources of telemetry include:

  • Windows events
  • Sysmon
  • EDR
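Before scheduling hunts, it is worth confirming that the telemetry listed above is actually arriving and is being mapped into the Splunk Common Information Model data models that intelligence-driven searches usually rely on. The following search is an added example (not from the original article, and not part of the Recorded Future App for Splunk); it assumes the CIM data models are installed and that your DNS, proxy, endpoint, IDS/IPS, firewall and email sources are tagged into them. It reports, per telemetry category, which sourcetypes contributed events in the last 24 hours and when each was last seen, so a silent source shows up as a missing row or a stale timestamp.

```spl
| tstats count AS events, max(_time) AS last_seen FROM datamodel=Network_Resolution WHERE earliest=-24h BY sourcetype
| eval telemetry="DNS"
| append [ | tstats count AS events, max(_time) AS last_seen FROM datamodel=Web WHERE earliest=-24h BY sourcetype
           | eval telemetry="Proxy / web gateway" ]
| append [ | tstats count AS events, max(_time) AS last_seen FROM datamodel=Endpoint.Processes WHERE earliest=-24h BY sourcetype
           | eval telemetry="EDR/EPP (Sysmon, Windows events)" ]
| append [ | tstats count AS events, max(_time) AS last_seen FROM datamodel=Intrusion_Detection WHERE earliest=-24h BY sourcetype
           | eval telemetry="IDS/IPS" ]
| append [ | tstats count AS events, max(_time) AS last_seen FROM datamodel=Network_Traffic WHERE earliest=-24h BY sourcetype
           | eval telemetry="Firewall & WAF" ]
| append [ | tstats count AS events, max(_time) AS last_seen FROM datamodel=Email WHERE earliest=-24h BY sourcetype
           | eval telemetry="Email gateway" ]
``` 
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table telemetry sourcetype events last_seen
| sort telemetry, sourcetype
```

A category that is in the list above but never appears in the output is not being collected or is not CIM-tagged; a hunt against it will return nothing and may be mistaken for a clean result. Saving this search as a scheduled report with an alert on a missing category is a simple way to keep hunt coverage honest over time.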

Next steps

The following resources will help you get started with the Recorded Future App for Splunk:

Recorded Future is the world's largest intelligence company. Recorded Future's Intelligence Cloud provides complete coverage across adversaries, infrastructure, and targets. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape. It empowers countries and organizations to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,500 businesses and government organizations across more than 60 countries. Learn more at recordedfuture.com.

The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.

Written by Jon Hall CISSP, Principal Architect, Alliances & Ecosystem at Recorded Future, and Robert Rossetti, Partner Solutions Engineer at Splunk