Recorded Future Intelligence Engine Integration User Guide

25 Feb 2025
20 Minutes to read

Print
Dark

Light

Recorded Future Intelligence Engine Integration User Guide

Updated on 25 Feb 2025
20 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback

Software Version

This guide applies to the Recorded Future Intelligence Engine App version 2.0.x. Click here to view Recorded Future Intelligence Engine Integration Guide for version 1.0.x.

Overview

The ThreatConnect® integration with Recorded Future® ingests Risk List entities (Domain, Hash, IP, URL, and Vulnerability), Threat Map entities (Malware and Actor), Alert entities, and Analyst Notes from Recorded Future. It then creates corresponding objects with select Recorded Future metadata in ThreatConnect.

Dependencies

ThreatConnect Dependencies

Active ThreatConnect Application Programming Interface (API) key
ThreatConnect instance with version 7.6.2 or newer installed

Note

All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Recorded Future Dependencies

Active Recorded Future API token
Active Recorded Future module subscriptions:
- Risk List: SecOps Intelligence, Threat Intelligence, and/or Vulnerability Intelligence (see the “Risk List Types” row in Table 1 for more information)
- Threat Map: Threat Intelligence module
- Standard Alerts: The required subscription varies by module. Please refer to the Recorded Future documentation (requires a login to view) for more information.

Initial Installation and Configuration

Follow these steps to install and configure version 2.0.x of the Recorded Future Intelligence Engine App on your ThreatConnect instance:

Warning

Follow the steps in this section only if you do not have the Recorded Future Intelligence Engine App installed on your ThreatConnect instance. If you already have the Recorded Future Intelligence Engine App installed on your ThreatConnect instance, it is critical that you follow the steps in the “Upgrade Installation and Configuration” section instead.

Log into ThreatConnect with a System Administrator account.
Install version 2.0.x of the Recorded Future Intelligence Engine App via TC Exchange™.
Use the ThreatConnect Feed Deployer to set up and configure the Recorded Future Intelligence Engine App, using the parameter definitions in Table 1 for guidance.

Upgrade Installation and Configuration

Follow these steps to upgrade to and configure version 2.0.x of the Recorded Future Intelligence Engine App on your ThreatConnect instance:

Log into ThreatConnect with a System Administrator account.
On the top navigation bar, hover over Playbooks and select Services.
Locate and turn off version 1.0.x of the Recorded Future Intelligence Engine Feed API Service.
Clickin the Options column and select Delete to delete version 1.0.x of the Recorded Future Intelligence Engine Feed API Service.
Install version 2.0.x of the Recorded Future Intelligence Engine App via TC Exchange™.
Use the ThreatConnect Feed Deployer to set up and configure the Recorded Future IntelligenceEngine App, using the parameter definitions in Table 1 for guidance.

Note

Enter the name of the Source used for the previous version of the Recorded Future Intelligence Engine App in the Sources to Create field on the Source tab of the Feed Deployer window.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

Name	Description	Required?
Source Tab
Sources to Create	Enter the name of the Source for the feed.	Yes
Owner	Select the Organization in which the Source will be created.	Yes
Activate Deprecation	Select this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source.	No
Create Attributes	Select this checkbox to allow custom Attribute types to be created in the Source.	No
Parameters Tab
Launch Server	Select tc-job as the launch server for the Service corresponding to the Feed API Service App.	Yes
Minimum Risk Score for items being collected.*	Select the minimum risk score that Risk List entities must have to be ingested into ThreatConnect. For example, if you select 80 from the dropdown, the App will ignore all Risk List entities with a risk score less than 80. The default value is 65.	Yes
Risk List Types	Select one or more Recorded Future Risk List entity types to ingest. Available choices include the following: Domain Hash IP URL Vulnerability Note The Domain, Hash, IP, and URL Risk List types are included in the SecOps Intelligence and Threat Intelligence modules available in the Recorded Future subscription. Because these modules are the most common, these Risk List types are selected by default. The Vulnerability Risk List type is not selected by default because it is included in the Vulnerability Intelligence module, which must be purchased separately from your Recorded Future subscription. For assistance with managing your Recorded Future module subscriptions, please contact your Recorded Future Customer Success Representative. Note Each option available for the Risk List Types parameter (Domain, Hash, IP, URL, and Vulnerability) determines how links are followed during the integration's operational processes, as the integration will attempt to follow links for only the selected types. For example, if you selected only IP and Hash from the Risk List Types dropdown and the integration sees an Address Indicator with links to an IP, a Hash, and a URL, the integration will follow only the IP and Hash links for the Address Indicator.	Yes
Collect Indicators Linked in Recorded Future Less Than the Minimum Risk Score	Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter) for entities linked to Risk List types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. By default, this checkbox is cleared.	No
Threat Map Types	Select one or more Recorded Future Threat Map entity types to ingest. Available choices include the following: Malware Actor	No
Collect Threat Map Links in Recorded Future Less Than the Minimum Risk Score	Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter) for entities linked to Threat Map types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. By default, this checkbox is cleared.	No
Alert Types	Select one or more Recorded Future Alert entity types to ingest. Available choices include the following: Standard Alert	No
Collect Alert Entities in Recorded Future Less Than the Minimum Risk Score	Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter) for entities linked to Alert types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. By default, this checkbox is cleared.	No
Variables Tab
Recorded Future API Token	The Recorded Future API token.	Yes
Confirm Tab
Run feeds after deployment	Select this checkbox to run the Recorded Future Intelligence Engine App immediately after the deployment configuration is complete (i.e., after you click DEPLOY on the Feed Deployer window).	No
Confirm Deployment Over Existing Source	This checkbox will be displayed if the Source entered in the Sources to Create field has previously been deployed to the Organization selected in the Owner dropdown on the Source tab. Select this checkbox to confirm that you want the Recorded Future Intelligence Engine App to write data to the same Source. This process will create a new Service for the Recorded Future Intelligence Engine App. As such, it is recommended that you delete the old Service associated with the Recorded Future Intelligence Engine App after the new one is created. Important If you do not select this checkbox, the DEPLOY button will be grayed out, and you will not be able to deploy the Service. Return to the Source tab and enter a different Source or select a different Organization and then proceed through the tabs of the Feed Deployer window again.	Yes

Recorded Future Intelligence Engine UI

After successfully configuring and activating the Feed API Service, you can access the Recorded Future Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Recorded Future integration.

Follow these steps to access the UI:

Log into ThreatConnect with a System Administrator account.
On the top navigation bar, hover over Playbooks and select Services.
Locate and turn on the Recorded Future Intelligence Engine Feed API Service.
Click the link in the Service’s API Path field. The Recorded Future Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Recorded Future Intelligence Engine UI:

Dashboard

The Dashboard screen (Figure 1) provides an overview of the total number of Risk List entities (Domain, Hash, IP, URL, and Vulnerability), Threat Map entities (Malware and Intrusion Set), Alert entities (Event and Document) and Analyst Notes (Report, Email Address, Domain, Hash, IP, URL, Vulnerability, Malware, and Intrusion Set) retrieved from Recorded Future. Depending on the available data, cards representing all or a subset of these object types will be displayed on the Dashboard screen.

Note

Address on the Dashboard screen corresponds to the IP Risk List entity type, and Intrusion Set corresponds to the Actor Threat Map entity type.

Figure 1_Recorded Future Intelligence Engine Integration User Guide_Software Version 2.0

Jobs

The Jobs screen (Figure 2) breaks down the ingestion of Recorded Future data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The ⋯ menu in a Job’s row provides the following options:

Details: View details for the Job, such as counts of downloaded and batched Groups and start and end times for Alert monitoring, download, and upload.
Download Files: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs.
Batch Errors: View errors that have occurred for the Job on the Batch Errors screen.

Figure 2_Recorded Future Intelligence Engine Integration User Guide_Software Version 2.0

You can filter Recorded Future Intelligence Engine App Jobs by the following elements:

Job ID: Enter text into this box to search for a Job by its Job ID.
Job Type: Select Job types to display on the Jobs screen.
Status: Select Job statuses to display on the Jobs screen.
Pipeline: Select the pipeline types to display on the Jobsscreen:
- alerts: Alert entities
- analyst_note: Analyst Note entities
- threat_intel: Risk List and Threat Map entities

Add a Job

You can add ad-hoc Jobs on the Jobs screen. Follow these steps to create a request for an ad-hoc Job for the Recorded Future Intelligence Engine App:

Note

You cannot add Analyst Note entities to an ad-hoc Job request.

Click the Add Job button at the upper right of the Jobs screen (Figure 2).
Fill out the fields on the Add Job drawer (Figure 3) as follows:
- Risklist Types: (Optional) Select the Risk List entity types to include in the ad-hoc Job.
- Threat Map Types: (Optional) Select the Threat Map entity types to include in the ad-hoc Job.
- Alert Types: (Optional) Select the Alert entity types to include in the ad-hoc Job.
- Alert Start Time: (Optional) Enter the time at which monitoring for triggered Alerts should start.
  Note
  Alert Start Time applies only to Alert entities. If no value is specified, the 1,000 most recent Alerts will be downloaded.
- Alert End Time: (Optional) Enter the time at which monitoring for triggered Alerts should end.
  Note
  Alert End Time applies only to Alert entities. If no value is specified, the 1,000 most recent Alerts will be downloaded.
Click Submit to submit the request for the ad-hoc Job.

Tasks

The Tasks screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the Recorded Future Intelligence Engine App, such as Monitor, Scheduler, and Cleaner. The current status (Idle, Paused, or Running), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The ⋯ menu in a Task’s row provides the following options, depending on the Task’s status:

Run (idle and paused Tasks only)
Pause (idle and running Tasks only)
Resume (paused Tasks only)
Kill (running Tasks only)

Under the table is a dashboard where you can view runtime analytics.

Figure 4_Recorded Future Intelligence Engine Integration User Guide_Software Version 2.0

Download

The Download screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Recorded Future entities and then upload the data into ThreatConnect.

Note

You cannot download data for Analyst Note entries.

Figure 5_Recorded Future Intelligence Engine Integration User Guide_Software Version 2.0

Follow these steps to download JSON data for a Recorded Future entity on the Download screen and then upload the data into ThreatConnect:

Recorded Future Type: Select a Recorded Future entity type from the following options on the Recorded Future Type dropdown: IPAddress (IP), URL, Hash, InternetDomainName (Domain), CyberVulnerability (Vulnerability), StandardAlert (Alert), Malware, and Actor.
External ID: Enter the ID for the Recorded Future entity of the selected type. For IP, Hash, Domain, and URL Risk List entities, prepend ip:, hash:, idn:, and url:, respectively, to the entity's ID. For Vulnerability Risk List entities, use the CVE ID or Recorded Future ID. The following examples demonstrate the ID format for each Risk List entity type:
- IP: ip:124.71.84.65
- Hash: hash:092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
- Domain: idn:efavengh.com
- URL: url:https://send.exploit.in/
- Vulnerability: CVE-2019-0841or ZgFn9x
Click Download. The JSON data will be displayed in two columns: Results (raw JSON data) and Converted (JSON data in ThreatConnect batch format) (Figure 6).
Click Upload to submit the converted threat intelligence data via the ThreatConnect Batch API.

Batch Errors

The Batch Errors screen (Figure 7) displays a table with details on batch errors that have occurred for Job requests. You can filter the table by error type or enter keywords to filter by Job ID or reason for error.

Figure 7_Recorded Future Intelligence Engine Integration User Guide_Software Version 2.0

Attachment Status

The Attachment Status screen (Figure 8) displays a table with details on ThreatConnect's attempts to download Report attachments from Recorded Future. You can enter keywords to filter the table by the Recorded Future Group ID, which can be useful if you do not see a Recorded Future attachment in ThreatConnect as expected, or by status.

Figure 8_Recorded Future Intelligence Engine Integration User Guide_Software Version 2.0

Data Mappings

The data mappings in Table 2 through Table 11 illustrate how data are mapped from Recorded Future Intelligence API endpoints into the ThreatConnect data model.

Domain

ThreatConnect object type: Host Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	Host Name
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	Host-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK^® Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

Hash

ThreatConnect object type: File Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	Hash Value
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	File-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

IP

ThreatConnect object type: Address Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	IP Address
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	Address-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp
location/cidr/name	Tag
location/location/country	Attribute: "IP Geo Country"
location/location/city	Attribute: "IP Geo City"
location/asn	Tag

URL

ThreatConnect object type: URL Indicator

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	URL
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	URL-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Threat Rating Attribute: "Risk Score" See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

Vulnerability

ThreatConnect object type: Vulnerability Group

Recorded Future API Field	ThreatConnect Field
entity/id	Attribute: "External ID"
entity/name	Name/Summary
entity/note_entities	See the “Note Entity” section for more information.
analystNotes/attributes/validated_on	Vulnerability-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/id	Tag
links/hits/sections/lists/entities/type	ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen	Attribute: "Last Seen"
timestamps/firstSeen	Attribute: "First Seen"
intelCard	Source
risk/score	Attribute: "Risk Score"
risk/criticalityLabel	Attribute: “Criticality"
risk/evidenceDetails/rule	Attribute: "Evidence" Note Each risk rule serves as evidence that explains the Group's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp
cvssv3/scope	Attribute: "CVSS v3 Scope"
cvssv3/exploitabilityScore	Attribute: "CVSS v3 Exploitability Score"
cvssv3/modified	Attribute: "CVSS v3 Modified"
cvssv3/baseSeverity	Attribute: "CVSS v3 Base Severity"
cvssv3/baseScore	Attribute: "CVSS v3 Score"
cvssv3/privilegesRequired	Attribute: "CVSS v3 Privileges Required"
cvssv3/userInteraction	Attribute: "CVSS v3 User Interaction"
cvssv3/impactScore	Attribute: "CVSS v3 Impact Score"
cvssv3/attackVector	Attribute: "CVSS v3 Attack Vector"
cvssv3/integrityImpact	Attribute: "CVSS v3 Integrity Impact"
cvssv3/confidentialityImpact	Attribute: "CVSS v3 Confidentiality Impact"
cvssv3/vectorString	Attribute: "CVSS v3 Vector String"
cvssv3/attackComplexity	Attribute: "CVSS v3 Attack Complexity"
cvssv3/created	Attribute: "CVSS v3 Created"
cvssv3/availabilityImpact	Attribute: "CVSS v3 Availability Impact"
cvss/accessVector	Attribute: "CVSS v2 Access Vector"
cvss/lastModified	Attribute: "CVSS v2 Last Modified"
cvss/published	Attribute: "CVSS v2 Published"
cvss/score	Attribute: "CVSS v2 CVSS Score"
cvss/availability	Attribute: "CVSS v2 Availability"
cvss/authentication	Attribute: "CVSS v2 Authentication"
cvss/accessComplexity	Attribute: "CVSS v2 Access Complexity"
cvss/integrity	Attribute: "CVSS v2 Integrity"
cvss/confidentiality	Attribute: "CVSS v2 Confidentiality"
cpe	Attribute: "CPE"

Analyst Note

Note

For each Analyst Note added to a Risk List entity, a Report Group will be created and associated to the ThreatConnect object that corresponds to the Risk List entity. For daily Analyst Notes, Report Groups will be created and associated to existing Indicators and Groups in ThreatConnect that were ingested from Recorded Future.

ThreatConnect object type: Report Group

Recorded Future API Field	ThreatConnect Field
analystNotes/attributes/validated_on	Last Modified Date Attribute: "External Date Last Modified"
analystNotes/attributes/published	Attribute: "Publish Date"
analystNotes/attributes/text	Attribute: "Report Text"
analystNotes/attributes/topic/name	Attribute: "Report Type"
analystNotes/attributes/validation_urls/name	Attribute: "External References"
analystNotes/attributes/title	Name/Summary
analystNotes/attributes/note_entities/name	See the “Note Entity” section for more information.
analystNotes/source/name	Source
analystNotes/id	Attribute: "External ID"

Note Entity

ThreatConnect object type: Report Group

Recorded Future API Field	ThreatConnect Field
ASNumber	Attribute: "Autonomous System Number"
AWSAccessKey	Attribute: "AWS Access Key"
Aircraft	Attribute: "Aircraft"
Airport	Attribute: "Airport"
AnalystNote	Report Group
Anniversary	Attribute: "Anniversary"
AttackVector	Attribute: "Attack Vector"
BankIdentificationNumber	Attribute: "Bank Identification Number"
BitcoinAddress	Attribute: "Bitcoin Address"
BusinessIdentifierCode	Attribute: "Business Identifier Code"
Case	Attribute: "Case"
Category	Attribute: "Category"
City	Attribute: "City"
CodeIdentifier	Attribute: "Code Identifier"
Commodity	Attribute: "Commodity"
Company	Attribute: "Company"
ContentType	Attribute: "Content Type"
Continent	Attribute: "Continent"
Country	Attribute: "Country"
Currency	Attribute: "Currency"
CurrencyPair	Attribute: "Currency Pair"
CyberExploitTargetCategory	Attribute: "Cyber Exploit Target Category"
CyberSecurityCategory	Attribute: "Cyber Security Category"
CyberThreatActorCategory	Attribute: "Cyber Threat Actor Category"
CyberVulnerability	Vulnerability Group
DEANumber	Attribute: "DEA Number"
Dataset	Attribute: "Dataset"
DetectionRule	Attribute: "Detection Rule"
Document	Attribute: "Document"
EconomicIndicator	Attribute: "Economic Indicator"
EmailAddress	Attribute: "Email Address"
Embassy	Email Address Indicator
Emoji	Attribute: "Emoji"
EntertainmentAwardEvent	Attribute: "Entertainment Award Event"
Entity	Attribute: "Entity"
EntityAlias	Attribute: "Alias"
EntityList	Attribute: "Entity List"
EntityRange	Attribute: "Entity Range"
EntityRelation	Attribute: "Entity Relation"
ExternalIdentifier	Attribute: "External ID"
Facility	Attribute: "Facility"
FaxNumber	Attribute: "Fax Number"
Feature	Attribute: "Feature"
FileContent	Attribute: "File Content"
FileName	Attribute: "File Name"
FileNameExtension	Attribute: "File Extension"
FileType	Attribute: "File Type"
GeoBoundingBox	Attribute: "Geo Bounding Box"
GeoEntity	Attribute: "Geo Entity"
Hash	File Indicator
HashAlgorithm	Evaluated with File Indicator
Hashtag	Attribute: "Hashtag"
Holiday	Attribute: "Holiday"
IRCNetwork	Attribute: "IRC Network"
Identifier	Attribute: "Identifier"
Image	Attribute: "Image"
IncidentImpactCategory	Attribute: "Incident Impact Category"
Industry	Attribute: "Industry"
IndustryTerm	Attribute: "Industry Term"
IntegrationApplication	Attribute: "Integration Application"
IntegrationUser	Attribute: "Integration User"
InternetDomainName	Host Indicator
IpAddress	Address Indicator
Keyword	Attribute: "Keyword"
Language	Attribute: "Language"
LinkReport	Attribute: "Link Report"
Logotype	Attribute: "Logotype"
MICR	Attribute: "Magnetic Ink Character Recognition"
Malware	Attribute: "Malware"
MalwareCategory	Attribute: "Malware Family"
MalwareMutex	Attribute: "Mutex"
MalwareSignature	Attribute: "Malware Signature"
MarketIndex	Attribute: "Market Index"
MedicalCondition	Attribute: "Medical Condition"
MedicalTreatment	Attribute: "Medical Treatment"
MetaAttribute	Attribute: "Meta Attribute"
MetaType	Attribute: "Meta Type"
MilitaryBase	Attribute: "Military Base"
MilitaryExercise	Attribute: "Military Exercise"
MitreAttackIdentifier	ATT&CK Tag
Movie	Attribute: "Movie"
MusicAlbum	Attribute: "Music Album"
MusicGroup	Attribute: "Music Group"
Nationality	Attribute: "Nationality"
NaturalFeature	Attribute: "Natural Feature"
Neighborhood	Attribute: "Neighborhood"
NetworkPort	Attribute: "Network Port"
NetworkProtocol	Attribute: "Network Protocol"
NumericIdentifier	Attribute: "Numeric Identifier"
OperatingSystem	Attribute: "Operating System"
Operation	Attribute: "Operation"
OrgEntity	Attribute: "Org Entity"
Organization	Attribute: "Organization"
PaymentCardNumber	Attribute: "Payment Card Number"
Person	Attribute: "Person"
PhoneNumber	Attribute: "Phone"
Port	Attribute: "Port"
Position	Attribute: "Position"
Identifier	Attribute: "Product Identifier"
Module	Attribute: "Product Module"
ModuleAddon	Attribute: "Product Module Addon"
Version	Attribute: "Product Version"
ProgrammingLanguage	Attribute: "Programming Language"
ProvinceOrState	Attribute: "Province or State"
PublishedMedium	Attribute: "Published Medium"
RadioProgram	Attribute: "Radio Program"
RadioStation	Attribute: "Radio Station"
Region	Attribute: "Region"
Religion	Attribute: "Religion"
ReportEntity	Attribute: "Report Entity"
ReportingEntity	Attribute: "Reporting Entity"
RiskContext	Attribute: "Risk Context"
RiskRule	Attribute: "Risk Rule"
Sector	Attribute: "Sector"
SnortDetectionRule	Attribute: "Snort Detection Rule"
SocialSecurityNumber	Attribute: "Social Security Number"
Source	Attribute: "Source"
SourceMediaType	Attribute: "Source Media Type"
SportsEvent	Attribute: "Sports Event"
SportsGame	Attribute: "Sports Game"
SportsLeague	Attribute: "Sports League"
TVShow	Attribute: "TV Show"
TVStation	Attribute: "TV Station"
Task	Attribute: "Task"
Technology	Attribute: "Technology"
TechnologyArea	Attribute: "Technology Area"
Thread	Attribute: "Thread"
Threat Actor	Attribute: "Threat Actor"
Topic	Attribute: "Report Type"
UPSTrackingNumber	Attribute: "UPS Tracking Number"
URL	URL Indicator
USPSTrackingNumber	Attribute: "USPS Tracking Number"
UUID	Attribute: "UUID"
UseCaseConfiguration	Attribute: "Use Case Configuration"
UseCaseReport	Attribute: "Use Case Report"
User	Attribute: "User"
UserEnterprise	Attribute: "User Enterprise"
UserEntity	Attribute: "User Entity"
UserGroup	Attribute: "User Group"
UserLabel	Attribute: "User Label"
UserModuleGroup	Attribute: "User Module Group"
UserModuleRoleGroup	Attribute: "User Module Role Group"
UserOrganization	Attribute: "User Organization"
UserRole	Attribute: "User Role"
Username	Attribute: "Username"
Vessel	Attribute: "Vessel"
WebMoneyID	Attribute: "WebMoney ID"
WinRegKey	Attribute: "Registry Key"
YaraDetectionRule	Attribute: "Yara Detection Rule"

Actor

ThreatConnect object type: Intrusion Set Group

Recorded Future API Field	ThreatConnect Field
threat_map/id	External ID
threat_map/name	Summary
threat_map/alias	Tag: "Intrusion Set: "
threat_map/intent	Attribute: "Threat Map Intent"
threat_map/opportunity	Attribute: "Threat Map Opportunity"
threat_map/categories	Tag: "Category: "

Malware

ThreatConnect object type: Malware Group

Recorded Future API Field	ThreatConnect Field
threat_map/id	External ID
threat_map/name	Summary
threat_map/alias	Tag: "Intrusion Set: "
threat_map/prevalence	Attribute: "Threat Map Prevalence"
threat_map/opportunity	Attribute: "Threat Map Opportunity"
threat_map/categories	Tag: "Category: "
relatedEntities/entities/name	See the “Note Entity” section for more information.
timestamps/firstSeen	Attribute: "First Seen"
timestamps/lastSeen	Attribute: "Last Seen"

Standard Alerts

ThreatConnect object type: Event Group

Recorded Future API Field	ThreatConnect Field
hits/entities/name	Tag: "Vulnerability: " (if type = CyberVulnerability) Tag: "Malware: " (if type = Malware) ATT&CK Tag (if type = MitreAttackIdentifier)
hits/document/title hits/document/source/name hits/document/url fragment entities	Attribute: "Reference"
id	External ID
hits/entities/type	Attribute: "Entity List"
review/status	Status
rule/id	Attribute: "Alert Rule ID" Tag
rule/name	Attribute: "Alert Rule"
title	Summary
triggered_by/entity_path/entity	Attribute: "Triggered By"
triggered_by/entity_paths/entity/name	Tag: "Vulnerability: " (if type = CyberVulnerability) Tag: "Malware: " (if type = Malware) ATT&CK Tag (if type = MitreAttackIdentifier)
url/api	Attribute: "Source"
owner_organisation_details.organisations/organisation_name id title review/status_in_portal review/assignee review/note url/portal ai_insights/text	Attribute: "Description"

Risk Score Mappings

ThreatConnect follows the Criticality mapping in Recorded Future when assigning a Threat Rating to data ingested from Recorded Future; however, because the Recorded Future Criticality rating goes only from 0–4, it has been augmented by 1 in ThreatConnect to fit the 0–5 scale for Threat Rating. Table 12 shows how the Recorded Future risk scores are mapped to Threat Rating in ThreatConnect.

Recorded Future Risk Score	ThreatConnect Threat Rating
90–99	5
85–89	4
25–64	3
5–24	2
1–4	1
0 or Unknown	0 or Unknown

Frequently Asked Questions (FAQ)

When configuring the Recorded Future Intelligence Engine App, I do not see Analyst Notes offered as a downloadable data type. How do I ensure my Recorded Future Analyst Notes are imported into ThreatConnect?

Analyst Notes added to the selected Risk List entity type(s), as well as those created in your Recorded Future modules within the last 24 hours, will be imported into ThreatConnect. See the “Analyst Note” section for more information on how Analyst Notes are mapped to the ThreatConnect data model.

Why are there several URL errors in the batch errors report? (e.g., [xyz.com] could not be processed as a valid URL due to missing or invalid data (summary is invalid for the given type))

URL errors occur when URL objects coming from Recorded Future use an invalid URL format. Some examples of this behavior include the following:

ww3.xyz.com: This URL is missing the protocol, such as http://.
http:ww2.xyz.com/page#: This URL is terminated with a special character.

URL objects with an invalid URL format will not be imported into ThreatConnect. Note that this issue occurs rarely.

Why are Indicators with risk scores that are less than the minimum risk score being ingested into ThreatConnect?

Indicators with risk scores that are less than the minimum risk score are ingested because they exist as links from other Risk List entities. To prevent Indicators with a risk score less than the minimum risk score (i.e., the value for the App's Minimum Risk Score parameter) from being ingested, clear the Collect Indicators Linked in Recorded Future Below the Minimum Risk Score checkbox in the Feed Deployer when configuring and deploying the App.

How does the Recorded Future Intelligence Engine Feed API Service App differ from the Recorded Future Risk List Job App?

The Recorded Future Risk List Job App allows users to do the following:

collect data from Risk List entities
create Indicators with evidence details
map evidence details to a Description Attribute and risk rules to Tags

The Recorded Future Intelligence Engine Feed API Service App collects data in the following ways:

ingests Risk List entities with several of their Attributes
ingests all of the Analyst Notes and attached PDFs associated with Risk List entities
ingests associated Risk List entities and allows users to view the first-level associations created between the entities and Analyst Notes (i.e., the actual link)
obtains a link to each Risk List entity's Recorded Future Intelligence Card
ingests Analyst Notes that have been published in the last 24 hours daily

For more information on how Feed API Service Apps function in ThreatConnect, see Feed API Services.

How long does the Recorded Future Intelligence Engine Feed API Service App take to ingest a complete set of data on its initial run?

In most cases, the Recorded Future Intelligence Engine App takes 2–4 days to complete the initial data ingestion, depending on how you configure risk score and which Risk List entity types you select to ingest in the Feed Deployer.

In which order are Risk List entities ingested on the initial run?

On the initial run of the Recorded Future Intelligence Engine App, Risk List entities will be ingested in the following order:

Domain
Hash
IP
URL
Vulnerability

You will likely see Risk List entities ingested in chunks along with the associated or linked entities. Note that there may be delays between the creation of the Risk List source entities and the Risk List link entities in ThreatConnect.

How often does the Recorded Future Intelligence Engine App ingest each Risk List entity type after the initial run?

See the following table for each Risk List entity type's download frequency. Analyst Notes are downloaded daily.

Recorded Future Risk List	Download Frequency (Hours)
Domain	2
Hash	24
IP	1
URL	2
Vulnerability	24

How can I identify where the Recorded Future Intelligence Engine App collected Indicators and Groups from in Recorded Future?

The following Source: Tags, which are applied to Indicators and Groups in ThreatConnect that were ingested from Recorded Future, indicate where the integration collected them from in Recorded Future:

Source: Risk List: The entity was ingested from a Risk List.
Source: Risk List Link: The entity was ingested as a linked entity from a Risk List entity.
Source: Analyst Note: The entity was ingested from an Analyst Note.
Source: Analyst Note Link: The entity was ingested as a linked entity from an Analyst Note.
Source: RF Alert: The entity was ingested from an Alert.
Source: RF Alert Link: The entity was ingested as a linked entity from an Alert.
Source: RF Threat Map: The entity was ingested from a Threat Map entity.
Source: RF Threat Map Link: The entity was ingested as a linked entity from a Threat Map entity.

Note that an Indicator or Group may have more than one of these Tags applied to them, as the corresponding entities could be associated to one another.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
JavaScript^® is a registered trademark of Oracle Corporation.
Recorded Future^® is a registered trademark of Recorded Future, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

30083-02 EN Rev. A

Was this article helpful?

What's Next

Recorded Future Intelligence Engine Integration User Guide Version 1

Table of contents

Overview
Dependencies
Initial Installation and Configuration
Upgrade Installation and Configuration
Configuration Parameters
Recorded Future Intelligence Engine UI
Data Mappings
Risk Score Mappings
Frequently Asked Questions (FAQ)

Company

Sales and Support