Recorded Future Intelligence Engine Integration User Guide

01 May 2024
15 Minutes to read

Print
Dark

Light

Recorded Future Intelligence Engine Integration User Guide

Updated on 01 May 2024
15 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback

Software Version

This guide applies to the Recorded Future Intelligence Engine App version 1.0.x.

Overview

The ThreatConnect^® integration with Recorded Future^® ingests Domain, Hash, IP, URL, and Vulnerability Risk List entities, as well as Analyst Notes, from Recorded Future. After ingesting these data, the integration creates corresponding objects with select Recorded Future metadata in ThreatConnect.

Dependencies

ThreatConnect Dependencies

Active ThreatConnect Application Programming Interface (API) key
ThreatConnect instance with version 7.4.0 or newer installed

Note

All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Recorded Future Dependencies

Active Recorded Future API token
Active Recorded Future module subscriptions: SecOps Intelligence, Threat Intelligence, and/or Vulnerability Intelligence (see Table 1 for more information)

Application Setup and Configuration

Log into ThreatConnect with a System Administrator account.
Install the Recorded Future Intelligence Engine App via TC Exchange™.
Use the ThreatConnect Feed Deployer to set up and configure the Recorded Future IntelligenceEngine App.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

Name	Description	Required?
Sources Tab
Sources to Create	The name of the Source to be created.	Yes
Owner	The Organization in which the Source will be created.	Yes
Parameters Tab
Launch Server	Select tc-job as the launch server for the Service corresponding to the Feed API Service App.	Yes
Risk List Types	Select one or more Recorded Future Risk List entity types that will be ingested. Available choices include the following: Domain Hash IP URL Vulnerability Note The Domain, Hash, IP, and URL Risk Lists are included in the SecOps Intelligence and Threat Intelligence modules available in the Recorded Future subscription. Because these modules are the most common, these Risk List types are selected by default. The Vulnerability Risk List is not selected by default because it is included in the Vulnerability Intelligence module, which must be purchased separately from your Recorded Future subscription. For assistance with managing your Recorded Future module subscriptions, please contact your Recorded Future Customer Success Representative. Note Each option available for the Risk List Types parameter (Domain, Hash, IP, URL, and Vulnerability) determines how links are followed during the integration's operational processes, as the integration will attempt to follow links for only the selected types. For example, if you selected only IP and Hash from the Risk List Types dropdown and the integration sees an Address Indicator with links to an IP, a Hash, and a URL, the integration will follow only the IP and Hash links for the Address Indicator.	Yes
Minimum Risk Score	Select the minimum risk score that Risk List entities must have in order to be ingested into ThreatConnect. For example, if you 80 from the dropdown, then the App will ignore all Risk List entities with a risk score less than 80. The default value is 65, which is the default risk score for Risk List entities collected by ThreatConnect.	Yes
Collect Indicators Linked in Recorded Future Less Than the Minimum Risk Score	Select this checkbox to ingest associated Indicators with a risk score that is less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter). If this checkbox is cleared, the App will ignore all associated Indicators whose risk score is less than the minimum risk score. By default, this checkbox is not selected.	No
Variables Tab
Recorded Future API Token	The Recorded Future API token.	Yes

Recorded Future Intelligence Engine

After successfully configuring and activating the Feed API Service, you can access the Recorded Future Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Recorded Future integration.

Follow these steps to access the UI:

Log into ThreatConnect with a System Administrator account.
On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed.
Locate the Recorded Future Intelligence Engine Feed API Service and then click the link in the Service’s API Path field. The DASHBOARD screen of the Recorded Future Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Recorded Future Intelligence Engine UI:

DASHBOARD
JOBS
TASKS
DOWNLOAD
REPORT

DASHBOARD

The DASHBOARD screen (Figure 1) provides an overview of the total number of Risk List entities (Domain, Hash, IP, URL, and Vulnerability) and Analyst Notes retrieved from Recorded Future. Depending on the data available to you, cards representing all or a subset of these object types will be displayed on the DASHBOARD screen.

JOBS

The JOBS screen breaks down the ingestion of Recorded Future data into manageable Job-like tasks. There are two views available for the JOBS screen: Risk Lists and Analyst Notes.

Risk Lists

Hover over the JOBS tab and select Risk Lists to display the Download Risk Lists Jobs screen (Figure 2). This screen breaks down the ingestion of Risk List entities into manageable Job-like tasks.

Job Type: If desired, select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled.
Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
1. Convert Risk Lists Complete
2. Convert Risk Lists In Progress
3. Download Risk Lists Complete
4. Download Risk Lists In Progress
5. Enrich Risk Lists Complete
6. Enrich Risk Lists In Progress
7. Failed
8. Pending
9. Upload Risk Lists Complete
10. Upload Risk Lists In Progress
Request ID: If desired, enter text into this box to search for a specific Job by its request ID.
+ Add Request: Click this button to display the ADD REQUEST window (Figure 3). On this window, you can specify the object types for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 2), and its Job type will be listed as ad-hoc.
Note
Recorded Future provides a single Risk List file for each entity type that contains the most current data available. Using the + Add Request feature will always download the most recent Risk List data.

Analyst Notes

Hover over the JOBS tab and select Analyst Notes to display the Download Analyst Notes Jobs screen (Figure 4). This screen breaks down the ingestion of Analyst Notes into manageable Job-like tasks.

Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
1. Convert Analyst Notes Complete
2. Convert Analyst Notes In Progress
3. Download Analyst Notes Complete
4. Download Analyst Notes In Progress
5. Failed
6. Pending
7. Upload Analyst Notes Complete
8. Upload Analyst Notes In Progress
Request ID: If desired, enter text into this box to search for a specific Job by its request ID.

TASKS

The TASKS screen (Figure 5) is where you can view and manage the Tasks for each Job. Tasks are divided into separate Analyst Notes and Risk Lists workstreams for the Recorded Future integration.

DOWNLOAD

The DOWNLOAD RISK LIST ITEMS screen (Figure 6) is where you can download data for Risk List entities. Data for Analyst Notes cannot be downloaded.

ID(s): Enter the Recorded Future Risk List ID(s) for the object(s) to download. Data will be retrieved in JavaScript^® Object Notation (JSON) format. When entering the IDs for Domain, Hash, IP, and URL Risk List entities, prepend idn:, hash:, ip:, and url:, respectively, to the entity's ID. For Vulnerability Risk List entities, use the CVE ID or Recorded Future ID. The following examples demonstrate the ID format that should be used for each Risk List entity type:
- Domain: idn:efavengh.com
- Hash: hash:092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
- IP: ip:124.71.84.65
- URL: url:https://send.exploit.in/
- Vulnerability: CVE-2019-0841 or ZgFn9x
Convert: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format.
Enrich: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API.

REPORTS

The REPORTS screen provides two views: BATCH ERRORS and REPORT UPLOAD TRACKER. The BATCH ERRORS screen (Figure 7) displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.

The PDF TRACKER screen (Figure 8) is where you can view ThreatConnect's attempts to download PDFs from Recorded Future. The table on this screen displays the most recent date on which ThreatConnect attempted to download a PDF, the number of times an attempt to download the PDF was made, and whether the PDF was downloaded successfully. You can also search for PDFs by ID on this screen, which can be useful if you do not see a Recorded Future PDF in ThreatConnect as expected.

Data Mappings

The data mappings in Table 2 through Table 8 illustrate how data are mapped from Recorded Future Intelligence API endpoints into the ThreatConnect data model.

Domain

ThreatConnect object type: Host Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	Host Name
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	Host-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK^® Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

Hash

ThreatConnect object type: File Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	Hash Value
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	File-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

IP

ThreatConnect object type: Address Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	IP Address
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	Address-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp
location/cidr/name	Tag
location/location/country	Attribute: "IP Geo Country"
location/location/city	Attribute: "IP Geo City"
location/asn	Tag

URL

ThreatConnect object type: URL Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	URL
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	URL-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

Vulnerability

ThreatConnect object type: Vulnerability Group

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	Name/Summary
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	Vulnerability-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Attribute: "Risk Score"
risk/criticalityLabel	Attribute: “Criticality"
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Group's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp
cvssv3/scope	Attribute: "CVSS v3 Scope"
cvssv3/exploitabilityScore	Attribute: "CVSS v3 Exploitability Score"
cvssv3/modified	Attribute: "CVSS v3 Modified"
cvssv3/baseSeverity	Attribute: "CVSS v3 Base Severity"
cvssv3/baseScore	Attribute: "CVSS v3 Score"
cvssv3/privilegesRequired	Attribute: "CVSS v3 Privileges Required"
cvssv3/userInteraction	Attribute: "CVSS v3 User Interaction"
cvssv3/impactScore	Attribute: "CVSS v3 Impact Score"
cvssv3/attackVector	Attribute: "CVSS v3 Attack Vector"
cvssv3/integrityImpact	Attribute: "CVSS v3 Integrity Impact"
cvssv3/confidentialityImpact	Attribute: "CVSS v3 Confidentiality Impact"
cvssv3/vectorString	Attribute: "CVSS v3 Vector String"
cvssv3/attackComplexity	Attribute: "CVSS v3 Attack Complexity"
cvssv3/created	Attribute: "CVSS v3 Created"
cvssv3/availabilityImpact	Attribute: "CVSS v3 Availability Impact"
cvss/accessVector	Attribute: "CVSS v2 Access Vector"
cvss/lastModified	Attribute: "CVSS v2 Last Modified"
cvss/published	Attribute: "CVSS v2 Published"
cvss/score	Attribute: "CVSS v2 CVSS Score"
cvss/availability	Attribute: "CVSS v2 Availability"
cvss/authentication	Attribute: "CVSS v2 Authentication"
cvss/accessComplexity	Attribute: "CVSS v2 Access Complexity"
cvss/integrity	Attribute: "CVSS v2 Integrity"
cvss/confidentiality	Attribute: "CVSS v2 Confidentiality"
cpe	Attribute: "CPE"

Analyst Note

Note

For each Analyst Note added to a Risk List entity, a Report Group will be created and associated to the ThreatConnect object that corresponds to the Risk List entity. For daily Analyst Notes, Report Groups will be created and associated to existing Indicators and Groups in ThreatConnect that were ingested from Recorded Future.

ThreatConnect object type: Report Group

Recorded Future API Field	ThreatConnect Field
analystNotes/attributes/validated_on	Last Modified Date Attribute: "External Date Last Modified"
analystNotes/attributes/published	Attribute: "Publish Date"
analystNotes/attributes/text	Attribute: "Report Text"
analystNotes/attributes/topic/name	Attribute: "Report Type"
analystNotes/attributes/validation_urls/name	Attribute: "External References"
analystNotes/attributes/title	Name/Summary
analystNotes/attributes/note_entities/name	See the “Note Entity” section for more information.
analystNotes/source/name	Source
analystNotes/id	Attribute: "External ID"

Note Entity

Recorded Future API Field	ThreatConnect Field
ASNumber	Attribute: "Autonomous System Number"
AWSAccessKey	Attribute: "AWS Access Key"
Aircraft	Attribute: "Aircraft"
Airport	Attribute: "Airport"
AnalystNote	Report Group
Anniversary	Attribute: "Anniversary"
AttackVector	Attribute: "Attack Vector"
BankIdentificationNumber	Attribute: "Bank Identification Number"
BitcoinAddress	Attribute: "Bitcoin Address"
BusinessIdentifierCode	Attribute: "Business Identifier Code"
Case	Attribute: "Case"
Category	Attribute: "Category"
City	Attribute: "City"
CodeIdentifier	Attribute: "Code Identifier"
Commodity	Attribute: "Commodity"
Company	Attribute: "Company"
ContentType	Attribute: "Content Type"
Continent	Attribute: "Continent"
Country	Attribute: "Country"
Currency	Attribute: "Currency"
CurrencyPair	Attribute: "Currency Pair"
CyberExploitTargetCategory	Attribute: "Cyber Exploit Target Category"
CyberSecurityCategory	Attribute: "Cyber Security Category"
CyberThreatActorCategory	Attribute: "Cyber Threat Actor Category"
CyberVulnerability	Vulnerability Group
DEANumber	Attribute: "DEA Number"
Dataset	Attribute: "Dataset"
DetectionRule	Attribute: "Detection Rule"
Document	Attribute: "Document"
EconomicIndicator	Attribute: "Economic Indicator"
EmailAddress	Attribute: "Email Address"
Embassy	Attribute: "Embassy"
Emoji	Attribute: "Emoji"
EntertainmentAwardEvent	Attribute: "Entertainment Award Event"
Entity	Attribute: "Entity"
EntityAlias	Attribute: "Alias"
EntityList	Attribute: "Entity List"
EntityRange	Attribute: "Entity Range"
EntityRelation	Attribute: "Entity Relation"
ExternalIdentifier	Attribute: "External ID"
Facility	Attribute: "Facility"
FaxNumber	Attribute: "Fax Number"
Feature	Attribute: "Feature"
FileContent	Attribute: "File Content"
FileName	Attribute: "File Name"
FileNameExtension	Attribute: "File Extension"
FileType	Attribute: "File Type"
GeoBoundingBox	Attribute: "Geo Bounding Box"
GeoEntity	Attribute: "Geo Entity"
Hash	File Indicator
HashAlgorithm	Evaluated with File Indicator
Hashtag	Attribute: "Hashtag"
Holiday	Attribute: "Holiday"
IRCNetwork	Attribute: "IRC Network"
Identifier	Attribute: "Identifier"
Image	Attribute: "Image"
IncidentImpactCategory	Attribute: "Incident Impact Category"
Industry	Attribute: "Industry"
IndustryTerm	Attribute: "Industry Term"
IntegrationApplication	Attribute: "Integration Application"
IntegrationUser	Attribute: "Integration User"
InternetDomainName	Host Indicator
IpAddress	Address Indicator
Keyword	Attribute: "Keyword"
Language	Attribute: "Language"
LinkReport	Attribute: "Link Report"
Logotype	Attribute: "Logotype"
MICR	Attribute: "Magnetic Ink Character Recognition"
Malware	Attribute: "Malware"
MalwareCategory	Attribute: "Malware Family"
MalwareMutex	Attribute: "Mutex"
MalwareSignature	Attribute: "Malware Signature"
MarketIndex	Attribute: "Market Index"
MedicalCondition	Attribute: "Medical Condition"
MedicalTreatment	Attribute: "Medical Treatment"
MetaAttribute	Attribute: "Meta Attribute"
MetaType	Attribute: "Meta Type"
MilitaryBase	Attribute: "Military Base"
MilitaryExercise	Attribute: "Military Exercise"
MitreAttackIdentifier	ATT&CK Tag
Movie	Attribute: "Movie"
MusicAlbum	Attribute: "Music Album"
MusicGroup	Attribute: "Music Group"
Nationality	Attribute: "Nationality"
NaturalFeature	Attribute: "Natural Feature"
Neighborhood	Attribute: "Neighborhood"
NetworkPort	Attribute: "Network Port"
NetworkProtocol	Attribute: "Network Protocol"
NumericIdentifier	Attribute: "Numeric Identifier"
OperatingSystem	Attribute: "Operating System"
Operation	Attribute: "Operation"
OrgEntity	Attribute: "Org Entity"
Organization	Attribute: "Organization"
PaymentCardNumber	Attribute: "Payment Card Number"
Person	Attribute: "Person"
PhoneNumber	Attribute: "Phone"
Port	Attribute: "Port"
Position	Attribute: "Position"
Identifier	Attribute: "Product Identifier"
Module	Attribute: "Product Module"
ModuleAddon	Attribute: "Product Module Addon"
Version	Attribute: "Product Version"
ProgrammingLanguage	Attribute: "Programming Language"
ProvinceOrState	Attribute: "Province or State"
PublishedMedium	Attribute: "Published Medium"
RadioProgram	Attribute: "Radio Program"
RadioStation	Attribute: "Radio Station"
Region	Attribute: "Region"
Religion	Attribute: "Religion"
ReportEntity	Attribute: "Report Entity"
ReportingEntity	Attribute: "Reporting Entity"
RiskContext	Attribute: "Risk Context"
RiskRule	Attribute: "Risk Rule"
Sector	Attribute: "Sector"
SnortDetectionRule	Attribute: "Snort Detection Rule"
SocialSecurityNumber	Attribute: "Social Security Number"
Source	Attribute: "Source"
SourceMediaType	Attribute: "Source Media Type"
SportsEvent	Attribute: "Sports Event"
SportsGame	Attribute: "Sports Game"
SportsLeague	Attribute: "Sports League"
TVShow	Attribute: "TV Show"
TVStation	Attribute: "TV Station"
Task	Attribute: "Task"
Technology	Attribute: "Technology"
TechnologyArea	Attribute: "Technology Area"
Thread	Attribute: "Thread"
Threat Actor	Attribute: "Threat Actor"
Topic	Attribute: "Report Type"
UPSTrackingNumber	Attribute: "UPS Tracking Number"
URL	URL Indicator
USPSTrackingNumber	Attribute: "USPS Tracking Number"
UUID	Attribute: "UUID"
UseCaseConfiguration	Attribute: "Use Case Configuration"
UseCaseReport	Attribute: "Use Case Report"
User	Attribute: "User"
UserEnterprise	Attribute: "User Enterprise"
UserEntity	Attribute: "User Entity"
UserGroup	Attribute: "User Group"
UserLabel	Attribute: "User Label"
UserModuleGroup	Attribute: "User Module Group"
UserModuleRoleGroup	Attribute: "User Module Role Group"
UserOrganization	Attribute: "User Organization"
UserRole	Attribute: "User Role"
Username	Attribute: "Username"
Vessel	Attribute: "Vessel"
WebMoneyID	Attribute: "WebMoney ID"
WinRegKey	Attribute: "Registry Key"
YaraDetectionRule	Attribute: "Yara Detection Rule"

Risk Score Mappings

ThreatConnect follows the Criticality mapping in Recorded Future when assigning a Threat Rating to data ingested from Recorded Future; however, because the Recorded Future Criticality rating only goes from 0–4, it has been augmented by 1 in ThreatConnect to fit the 0–5 scale for Threat Rating.

Recorded Future Risk Score	ThreatConnect Threat Rating
90-99	5
85-89	4
25-64	3
5-24	2
1-4	1
0 or Unknown	0 or Unknown

Frequently Asked Questions (FAQ)

When configuring the Recorded Future Intelligence Engine App, I do not see Analyst Notes offered as a downloadable data type. How do I ensure my Recorded Future Analyst Notes are imported into ThreatConnect?

Analyst Notes added to the selected Risk List entity type(s), as well as those created in your Recorded Future modules within the last 24 hours, will be imported into ThreatConnect. See the “Analyst Note” section for more information on how Analyst Notes are mapped to the ThreatConnect data model.

Why are there several URL errors in the batch errors report? (e.g., [xyz.com] could not be processed as a valid URL due to missing or invalid data (summary is invalid for the given type))

The ThreatConnect Recorded Future Intelligence Engine App may run into instances where URLs coming from Recorded Future use an invalid URL format. Some examples of this behavior include the following:

ww3.xyz.com: This URL is missing the protocol, such as http://.
http:ww2.xyz.com/page#: This URL is terminated with a special character.

URL objects with an invalid URL format will not be imported into ThreatConnect. Note that this issue occurs rarely.

Why are Indicators with risk scores that are less than the Minimum Risk Score being ingested into ThreatConnect?

These Indicators are ingested because they exist as links from other Risk List entities. To prevent Indicators with a risk score less than the minimum risk score (i.e., the value for the App's Minimum Risk Score parameter) from being ingested, clear the Collect Indicators Linked in Recorded Future Below the Minimum Risk Score checkbox in the Feed Deployer when configuring and deploying the App.

How does the Recorded Future Intelligence Engine Feed API Service App differ from the Recorded Future Risk List Job App?

The Recorded Future Risk List Job App allows users to do the following:

collect data from Risk List entities
create Indicators with evidence details
map evidence details to a Description Attribute and risk rules to Tags

The Recorded Future Intelligence Engine Feed API Service App collects data in the following ways:

ingests Risk List entities with several of their Attributes
ingests all of the Analyst Notes and attached PDFs associated with Risk List entities
ingests associated Risk List entities and allows users to view the first-level associations created between the entities and Analyst Notes (i.e., the actual link)
obtains a link to each Risk List entity's Recorded Future Intelligence Card
ingests Analyst Notes that have been published in the last 24 hours on a daily basis

For more information on how Feed API Service Apps function in ThreatConnect, see Feed API Services.

How long does the Recorded Future Intelligence Engine Feed API Service App take to ingest a complete set of data on its initial run?

In most cases, the Recorded Future Intelligence Engine App takes 2–4 days to complete the initial data ingestion, depending on how the customer configured risk score and which Risk List entity types they selected to ingest in the Feed Deployer.

In which order are Risk List entities ingested on the initial run?

On the initial run of the Recorded Future Intelligence Engine App, Risk List entities will be ingested in the following order:

Domain
Hash
IP
URL
Vulnerability

Users will likely see clusters of the Risk List entities ingested in chunks along with the associated or linked entities. Note that there may be delays between the creation of the Risk List source entities and the Risk List link entities in ThreatConnect.

How often does the integration ingest each Risk List entity type after the initial run?

See the following table for each Risk List entity type's download frequency. Analyst Notes are downloaded daily.

Recorded Future Risk List	Download Frequency (Hours)
Domain	2
Hash	24
IP	1
URL	2
Vulnerability	24

How can I identify where the integration collected Indicators and Groups from in Recorded Future?

The following Source: Tags, which are applied to Indicators and Groups in ThreatConnect that were ingested from Recorded Future, indicate where the integration collected them from in Recorded Future:

Source: Risk List: The entity was ingested from a Risk List.
Source: Risk List Link: The entity was ingested as a linked entity from a Risk List entity.
Source: Analyst Note: The entity was ingested from an Analyst Note.
Source: Analyst Note Link: The entity was ingested as a linked entity from an Analyst Note.

Note that an Indicator or Group may have more than one of these Tags applied to them, as the entities could be associated to one another.

Why are associations to Malware and Adversaries in Recorded Future missing from Indicators and Groups in ThreatConnect?

Currently, Indicators and Groups created by the Recorded Future Intelligence Engine App will have Tags representing associated Malware and Adversaries applied to them, allowing users to pivot on and explore these relationships in ThreatConnect. Support for direct associations to Malware and Adversaries will be available in a future version of the Recorded Future Intelligence Engine App.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
JavaScript^® is a registered trademark of Oracle Corporation.
Recorded Future^® is a registered trademark of Recorded Future, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

30083-01 EN Rev. B

Was this article helpful?

What's Next

Recorded Future Risk List Integration Installation and Configuration Guide

Table of contents

Overview
Dependencies
Application Setup and Configuration
Parameter Definitions
Recorded Future Intelligence Engine
Data Mappings
Risk Score Mappings
Frequently Asked Questions (FAQ)

Company

Sales and Support