Recorded Future Intelligence Engine Integration User Guide
  • 25 Feb 2025

Software Version
This guide applies to the Recorded Future Intelligence Engine App version 2.0.x. Click here to view Recorded Future Intelligence Engine Integration Guide for version 1.0.x.

Overview

The ThreatConnect® integration with Recorded Future® ingests Risk List entities (Domain, Hash, IP, URL, and Vulnerability), Threat Map entities (Malware and Actor), Alert entities, and Analyst Notes from Recorded Future. It then creates corresponding objects with select Recorded Future metadata in ThreatConnect.

Dependencies

ThreatConnect Dependencies

  • Active ThreatConnect Application Programming Interface (API) key
  • ThreatConnect instance with version 7.6.2 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Recorded Future Dependencies

  • Active Recorded Future API token
  • Active Recorded Future module subscriptions:
    • Risk List: SecOps Intelligence, Threat Intelligence, and/or Vulnerability Intelligence (see the “Risk List Types” row in Table 1 for more information)
    • Threat Map: Threat Intelligence module
    • Standard Alerts: The required subscription varies by module. Please refer to the Recorded Future documentation (requires a login to view) for more information.

Initial Installation and Configuration

Follow these steps to install and configure version 2.0.x of the Recorded Future Intelligence Engine App on your ThreatConnect instance:

Warning
Follow the steps in this section only if you do not have the Recorded Future Intelligence Engine App installed on your ThreatConnect instance. If you already have the Recorded Future Intelligence Engine App installed on your ThreatConnect instance, it is critical that you follow the steps in the “Upgrade Installation and Configuration” section instead.
  1. Log into ThreatConnect with a System Administrator account.
  2. Install version 2.0.x of the Recorded Future Intelligence Engine App via TC Exchange™.
  3. Use the ThreatConnect Feed Deployer to set up and configure the Recorded Future Intelligence Engine App, using the parameter definitions in Table 1 for guidance.

Upgrade Installation and Configuration

Follow these steps to upgrade to and configure version 2.0.x of the Recorded Future Intelligence Engine App on your ThreatConnect instance:

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Playbooks and select Services.
  3. Locate and turn off version 1.0.x of the Recorded Future Intelligence Engine Feed API Service.
  4. Click the vertical ellipsis (⋮) in the Options column and select Delete to delete version 1.0.x of the Recorded Future Intelligence Engine Feed API Service.
  5. Install version 2.0.x of the Recorded Future Intelligence Engine App via TC Exchange™.
  6. Use the ThreatConnect Feed Deployer to set up and configure the Recorded Future Intelligence Engine App, using the parameter definitions in Table 1 for guidance.
Note
Enter the name of the Source used for the previous version of the Recorded Future Intelligence Engine App in the Sources to Create field on the Source tab of the Feed Deployer window.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

 

Tab | Name | Description | Required?
--- | --- | --- | ---
Source | Sources to Create | Enter the name of the Source for the feed. | Yes
Source | Owner | Select the Organization in which the Source will be created. | Yes
Source | Activate Deprecation | Select this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source. | No
Source | Create Attributes | Select this checkbox to allow custom Attribute types to be created in the Source. | No
Parameters | Launch Server | Select tc-job as the launch server for the Service corresponding to the Feed API Service App. | Yes
Parameters | Minimum Risk Score for items being collected.* | Select the minimum risk score that Risk List entities must have to be ingested into ThreatConnect. For example, if you select 80 from the dropdown, the App will ignore all Risk List entities with a risk score less than 80. The default value is 65. | Yes
Parameters | Risk List Types | Select one or more Recorded Future Risk List entity types to ingest. Available choices include the following: Domain, Hash, IP, URL, and Vulnerability. Note: The Domain, Hash, IP, and URL Risk List types are included in the SecOps Intelligence and Threat Intelligence modules available in the Recorded Future subscription. Because these modules are the most common, these Risk List types are selected by default. The Vulnerability Risk List type is not selected by default because it is included in the Vulnerability Intelligence module, which must be purchased separately from your Recorded Future subscription. For assistance with managing your Recorded Future module subscriptions, please contact your Recorded Future Customer Success Representative. Note: Each option available for the Risk List Types parameter (Domain, Hash, IP, URL, and Vulnerability) determines how links are followed during the integration's operational processes, as the integration will attempt to follow links for only the selected types. For example, if you selected only IP and Hash from the Risk List Types dropdown and the integration sees an Address Indicator with links to an IP, a Hash, and a URL, the integration will follow only the IP and Hash links for the Address Indicator. | Yes
Parameters | Collect Indicators Linked in Recorded Future Less Than the Minimum Risk Score | Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter) for entities linked to Risk List types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. By default, this checkbox is cleared. | No
Parameters | Threat Map Types | Select one or more Recorded Future Threat Map entity types to ingest. Available choices include the following: Malware and Actor. | No
Parameters | Collect Threat Map Links in Recorded Future Less Than the Minimum Risk Score | Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter) for entities linked to Threat Map types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. By default, this checkbox is cleared. | No
Parameters | Alert Types | Select one or more Recorded Future Alert entity types to ingest. Available choices include the following: Standard Alert. | No
Parameters | Collect Alert Entities in Recorded Future Less Than the Minimum Risk Score | Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter) for entities linked to Alert types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. By default, this checkbox is cleared. | No
Variables | Recorded Future API Token | The Recorded Future API token. | Yes
Confirm | Run feeds after deployment | Select this checkbox to run the Recorded Future Intelligence Engine App immediately after the deployment configuration is complete (i.e., after you click DEPLOY on the Feed Deployer window). | No
Confirm | Confirm Deployment Over Existing Source | This checkbox will be displayed if the Source entered in the Sources to Create field has previously been deployed to the Organization selected in the Owner dropdown on the Source tab. Select this checkbox to confirm that you want the Recorded Future Intelligence Engine App to write data to the same Source. This process will create a new Service for the Recorded Future Intelligence Engine App. As such, it is recommended that you delete the old Service associated with the Recorded Future Intelligence Engine App after the new one is created. Important: If you do not select this checkbox, the DEPLOY button will be grayed out, and you will not be able to deploy the Service. Return to the Source tab and enter a different Source or select a different Organization and then proceed through the tabs of the Feed Deployer window again. | Yes
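
The Minimum Risk Score, Risk List Types, and Collect Indicators Linked in Recorded Future Less Than the Minimum Risk Score parameters interact, so it helps to reason about them together before deploying. The following is an added example that models the behavior described above; it is not the App's code, and the `Entity` record shape, the function names, and the assumption that links of an ignored entity are not followed are all hypothetical.

```python
"""Model of the documented Risk List filter settings (added example, not App code)."""
from dataclasses import dataclass, field

# Risk List entity types offered by the Risk List Types parameter on this page.
RISK_LIST_TYPES = frozenset({"Domain", "Hash", "IP", "URL", "Vulnerability"})


@dataclass
class Entity:
    """Hypothetical record shape for this example; not the Recorded Future schema."""
    type: str
    value: str
    risk_score: int
    links: list = field(default_factory=list)


@dataclass(frozen=True)
class FeedConfig:
    """Defaults mirror the ones stated in the parameter definitions."""
    minimum_risk_score: int = 65
    risk_list_types: frozenset = frozenset({"Domain", "Hash", "IP", "URL"})
    collect_linked_below_minimum: bool = False

    def __post_init__(self):
        if not self.risk_list_types:
            raise ValueError("Risk List Types is a required parameter")
        unknown = set(self.risk_list_types) - RISK_LIST_TYPES
        if unknown:
            raise ValueError(f"unknown Risk List types: {sorted(unknown)}")


def plan_ingestion(entity, config):
    """Return (ingest, skipped): values to ingest and (value, reason) pairs."""
    ingest, skipped = [], []
    if entity.type not in config.risk_list_types:
        skipped.append((entity.value, "type not selected"))
        return ingest, skipped
    if entity.risk_score < config.minimum_risk_score:
        # Assumption: links of an ignored entity are never followed.
        skipped.append((entity.value, "below minimum risk score"))
        return ingest, skipped
    ingest.append(entity.value)
    for link in entity.links:
        if link.type not in config.risk_list_types:
            # Links are followed only for the selected Risk List types.
            skipped.append((link.value, "link type not selected"))
        elif (link.risk_score < config.minimum_risk_score
              and not config.collect_linked_below_minimum):
            skipped.append((link.value, "linked entity below minimum risk score"))
        else:
            ingest.append(link.value)
    return ingest, skipped


def sample_entity():
    """Constructed sample: an IP with links to an IP, a Hash, and a URL."""
    return Entity("IP", "192.0.2.10", 91, links=[
        Entity("IP", "192.0.2.77", 40),
        Entity("Hash", "0" * 64, 88),
        Entity("URL", "http://example.com/a", 95),
    ])


if __name__ == "__main__":
    cfg = FeedConfig(minimum_risk_score=80, risk_list_types=frozenset({"IP", "Hash"}))
    ingest, skipped = plan_ingestion(sample_entity(), cfg)
    print("ingest:", ingest)
    for value, reason in skipped:
        print("skipped:", value, "-", reason)
```

Running the model against a planned configuration shows which linked Indicators a low threshold or the "collect below minimum" checkbox would pull into the Source before the feed is deployed.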

Recorded Future Intelligence Engine UI

After successfully configuring and activating the Feed API Service, you can access the Recorded Future Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Recorded Future integration.

Follow these steps to access the UI:

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Playbooks and select Services.
  3. Locate and turn on the Recorded Future Intelligence Engine Feed API Service.
  4. Click the link in the Service’s API Path field. The Recorded Future Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Recorded Future Intelligence Engine UI:

Dashboard

The Dashboard screen (Figure 1) provides an overview of the total number of Risk List entities (Domain, Hash, IP, URL, and Vulnerability), Threat Map entities (Malware and Intrusion Set), Alert entities (Event and Document) and Analyst Notes (Report, Email Address, Domain, Hash, IP, URL, Vulnerability, Malware, and Intrusion Set) retrieved from Recorded Future. Depending on the available data, cards representing all or a subset of these object types will be displayed on the Dashboard screen.

Note
Address on the Dashboard screen corresponds to the IP Risk List entity type, and Intrusion Set corresponds to the Actor Threat Map entity type.

[Figure 1: Dashboard screen]

Jobs

The Jobs screen (Figure 2) breaks down the ingestion of Recorded Future data into manageable Job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The menu in a Job’s row provides the following options:

  • Details: View details for the Job, such as counts of downloaded and batched Groups and start and end times for Alert monitoring, download, and upload.
  • Download Files: Download metadata files for all Jobs and data (convert, download, and upload) files for completed Jobs.
  • Batch Errors: View errors that have occurred for the Job on the Batch Errors screen.

[Figure 2: Jobs screen]

You can filter Recorded Future Intelligence Engine App Jobs by the following elements:

  • Job ID: Enter text into this box to search for a Job by its Job ID.
  • Job Type: Select Job types to display on the Jobs screen. 
  • Status: Select Job statuses to display on the Jobs screen.
  • Pipeline: Select the pipeline types to display on the Jobs screen:
    • alerts: Alert entities
    • analyst_note: Analyst Note entities
    • threat_intel: Risk List and Threat Map entities

Add a Job

You can add ad-hoc Jobs on the Jobs screen. Follow these steps to create a request for an ad-hoc Job for the Recorded Future Intelligence Engine App:

Note
You cannot add Analyst Note entities to an ad-hoc Job request.
  1. Click the Add Job button at the upper right of the Jobs screen (Figure 2).
  2. Fill out the fields on the Add Job drawer (Figure 3) as follows:
     [Figure 3: Add Job drawer]

    • Risklist Types: (Optional) Select the Risk List entity types to include in the ad-hoc Job.
    • Threat Map Types: (Optional) Select the Threat Map entity types to include in the ad-hoc Job.
    • Alert Types: (Optional) Select the Alert entity types to include in the ad-hoc Job.
    • Alert Start Time: (Optional) Enter the time at which monitoring for triggered Alerts should start.
      Note
      Alert Start Time applies only to Alert entities. If no value is specified, the 1,000 most recent Alerts will be downloaded.
    • Alert End Time: (Optional) Enter the time at which monitoring for triggered Alerts should end.
      Note
      Alert End Time applies only to Alert entities. If no value is specified, the 1,000 most recent Alerts will be downloaded.
  3. Click Submit to submit the request for the ad-hoc Job.

Tasks

The Tasks screen (Figure 4) displays all Tasks that may be part of a Job, including each step of the download, convert, and upload processes, as well as Tasks for the Recorded Future Intelligence Engine App, such as Monitor, Scheduler, and Cleaner. The current status (Idle, Paused, or Running), name, description, and heartbeat timeout length, in minutes, are displayed for each Task. The menu in a Task’s row provides the following options, depending on the Task’s status:

  • Run (idle and paused Tasks only)
  • Pause (idle and running Tasks only)
  • Resume (paused Tasks only)
  • Kill (running Tasks only)

Under the table is a dashboard where you can view runtime analytics.

[Figure 4: Tasks screen]

Download

The Download screen (Figure 5) lets you download JavaScript® Object Notation (JSON) data for Recorded Future entities and then upload the data into ThreatConnect.

Note
You cannot download data for Analyst Note entries.

[Figure 5: Download screen]

Follow these steps to download JSON data for a Recorded Future entity on the Download screen and then upload the data into ThreatConnect:

  1. Recorded Future Type: Select a Recorded Future entity type from the following options on the Recorded Future Type dropdown: IPAddress (IP), URL, Hash, InternetDomainName (Domain), CyberVulnerability (Vulnerability), StandardAlert (Alert), Malware, and Actor.
  2. External ID: Enter the ID for the Recorded Future entity of the selected type. For IP, Hash, Domain, and URL Risk List entities, prepend ip:, hash:, idn:, and url:, respectively, to the entity's ID. For Vulnerability Risk List entities, use the CVE ID or Recorded Future ID. The following examples demonstrate the ID format for each Risk List entity type:
    • IP: ip:124.71.84.65
    • Hash: hash:092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
    • Domain: idn:efavengh.com
    • URL: url:https://send.exploit.in/
    • Vulnerability: CVE-2019-0841 or ZgFn9x
  3. Click Download. The JSON data will be displayed in two columns: Results (raw JSON data) and Converted (JSON data in ThreatConnect batch format) (Figure 6).
     [Figure 6: Results and Converted columns on the Download screen]

  4. Click Upload to submit the converted threat intelligence data via the ThreatConnect Batch API.
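
The External ID format in step 2 is easy to get wrong when pasting indicators from other tools. The following added example (not part of the App or the original guide) builds and validates the External ID string for each Recorded Future Type; the function names, the accepted hash lengths, and the rejection of defanged values are assumptions of this example.

```python
"""Build the External ID string the Download screen expects (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Prefixes documented on this page for Risk List entity types.
PREFIXES = {
    "IPAddress": "ip:",
    "Hash": "hash:",
    "InternetDomainName": "idn:",
    "URL": "url:",
}
# Types for which the page documents no prefix; the ID is passed through.
NO_PREFIX = {"CyberVulnerability", "StandardAlert", "Malware", "Actor"}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
HEX_RE = re.compile(r"[0-9a-fA-F]+")
# Assumption: MD5, SHA-1 and SHA-256 lengths; the page shows only a 64-character hash.
HASH_LENGTHS = {32, 40, 64}


def _validate(rf_type, value):
    """Raise ValueError if value is not plausible for the given type."""
    if "[.]" in value or value.lower().startswith("hxxp"):
        raise ValueError("defanged indicator; restore the original form first")
    if rf_type == "IPAddress":
        ipaddress.ip_address(value)  # raises ValueError on malformed input
    elif rf_type == "Hash":
        if not HEX_RE.fullmatch(value) or len(value) not in HASH_LENGTHS:
            raise ValueError("hash must be 32, 40 or 64 hex characters")
    elif rf_type == "InternetDomainName":
        if "/" in value or "." not in value:
            raise ValueError("expected a bare domain name, not a URL")
    elif rf_type == "URL":
        parts = urlsplit(value)
        if not parts.scheme or not parts.netloc:
            raise ValueError("URL needs a scheme and a host")


def external_id(rf_type, value):
    """Return the External ID for a Recorded Future Type dropdown value."""
    value = value.strip()
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("ID is empty or contains whitespace")
    if rf_type in NO_PREFIX:
        # Vulnerabilities take a CVE ID or a Recorded Future ID, unprefixed.
        if rf_type == "CyberVulnerability" and CVE_RE.fullmatch(value):
            return value.upper()
        return value
    if rf_type not in PREFIXES:
        raise ValueError(f"unknown Recorded Future Type: {rf_type}")
    prefix = PREFIXES[rf_type]
    if value.lower().startswith(prefix):
        value = value[len(prefix):]  # avoid producing "ip:ip:..."
    _validate(rf_type, value)
    return prefix + value


if __name__ == "__main__":
    # Inputs are the examples listed in step 2 above.
    for rf_type, raw in [
        ("IPAddress", "124.71.84.65"),
        ("InternetDomainName", "efavengh.com"),
        ("CyberVulnerability", "CVE-2019-0841"),
    ]:
        print(rf_type, "->", external_id(rf_type, raw))
```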

Batch Errors

The Batch Errors screen (Figure 7) displays a table with details on batch errors that have occurred for Job requests. You can filter the table by error type or enter keywords to filter by Job ID or reason for error.

[Figure 7: Batch Errors screen]

Attachment Status

The Attachment Status screen (Figure 8) displays a table with details on ThreatConnect's attempts to download Report attachments from Recorded Future. You can enter keywords to filter the table by the Recorded Future Group ID, which can be useful if you do not see a Recorded Future attachment in ThreatConnect as expected, or by status.

[Figure 8: Attachment Status screen]
 

Data Mappings

The data mappings in Table 2 through Table 11 illustrate how data are mapped from Recorded Future Intelligence API endpoints into the ThreatConnect data model.

Domain

ThreatConnect object type: Host Indicator

 

Recorded Future API Field | ThreatConnect Field
--- | ---
entity/id | Attribute: "External ID"
entity/name | Host Name
entity/note_entities | See the “Note Entity” section for more information.
analystNotes/attributes/validated_on | Host-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published | Host-to-Report Association
analystNotes/attributes/text | Host-to-Report Association
analystNotes/attributes/topic/name | Host-to-Report Association
analystNotes/attributes/validation_urls/name | Host-to-Report Association
analystNotes/attributes/title | Host-to-Report Association
analystNotes/attributes/note_entities/name | Host-to-Report Association
analystNotes/source/name | Host-to-Report Association
analystNotes/id | Host-to-Report Association
links/hits/sections/lists/entities/id | Tag
links/hits/sections/lists/entities/type | ATT&CK® Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen | Attribute: "Last Seen"
timestamps/firstSeen | Attribute: "First Seen"
intelCard | Source
risk/score | Threat Rating and Attribute: "Risk Score". See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule | Attribute: "Evidence"
risk/evidenceDetails/evidenceString | Attribute: "Evidence"
risk/evidenceDetails/criticality | Attribute: "Evidence"
risk/evidenceDetails/timestamp | Attribute: "Evidence"

Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.

Hash

ThreatConnect object type: File Indicator

 

Recorded Future API Field | ThreatConnect Field
--- | ---
entity/id | Attribute: "External ID"
entity/name | Hash Value
entity/note_entities | See the “Note Entity” section for more information.
analystNotes/attributes/validated_on | File-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published | File-to-Report Association
analystNotes/attributes/text | File-to-Report Association
analystNotes/attributes/topic/name | File-to-Report Association
analystNotes/attributes/validation_urls/name | File-to-Report Association
analystNotes/attributes/title | File-to-Report Association
analystNotes/attributes/note_entities/name | File-to-Report Association
analystNotes/source/name | File-to-Report Association
analystNotes/id | File-to-Report Association
links/hits/sections/lists/entities/id | Tag
links/hits/sections/lists/entities/type | ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen | Attribute: "Last Seen"
timestamps/firstSeen | Attribute: "First Seen"
intelCard | Source
risk/score | Threat Rating and Attribute: "Risk Score". See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule | Attribute: "Evidence"
risk/evidenceDetails/evidenceString | Attribute: "Evidence"
risk/evidenceDetails/criticality | Attribute: "Evidence"
risk/evidenceDetails/timestamp | Attribute: "Evidence"

Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.

IP

ThreatConnect object type: Address Indicator

 

Recorded Future API Field | ThreatConnect Field
--- | ---
entity/id | Attribute: "External ID"
entity/name | IP Address
entity/note_entities | See the “Note Entity” section for more information.
analystNotes/attributes/validated_on | Address-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published | Address-to-Report Association
analystNotes/attributes/text | Address-to-Report Association
analystNotes/attributes/topic/name | Address-to-Report Association
analystNotes/attributes/validation_urls/name | Address-to-Report Association
analystNotes/attributes/title | Address-to-Report Association
analystNotes/attributes/note_entities/name | Address-to-Report Association
analystNotes/source/name | Address-to-Report Association
analystNotes/id | Address-to-Report Association
links/hits/sections/lists/entities/id | Tag
links/hits/sections/lists/entities/type | ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen | Attribute: "Last Seen"
timestamps/firstSeen | Attribute: "First Seen"
intelCard | Source
risk/score | Threat Rating and Attribute: "Risk Score". See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule | Attribute: "Evidence"
risk/evidenceDetails/evidenceString | Attribute: "Evidence"
risk/evidenceDetails/criticality | Attribute: "Evidence"
risk/evidenceDetails/timestamp | Attribute: "Evidence"
location/cidr/name | Tag
location/location/country | Attribute: "IP Geo Country"
location/location/city | Attribute: "IP Geo City"
location/asn | Tag

Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.

URL

ThreatConnect object type: URL Indicator

 

Recorded Future API Field | ThreatConnect Field
--- | ---
entity/id | Attribute: "External ID"
entity/name | URL
entity/note_entities | See the “Note Entity” section for more information.
analystNotes/attributes/validated_on | URL-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published | URL-to-Report Association
analystNotes/attributes/text | URL-to-Report Association
analystNotes/attributes/topic/name | URL-to-Report Association
analystNotes/attributes/validation_urls/name | URL-to-Report Association
analystNotes/attributes/title | URL-to-Report Association
analystNotes/attributes/note_entities/name | URL-to-Report Association
analystNotes/source/name | URL-to-Report Association
analystNotes/id | URL-to-Report Association
links/hits/sections/lists/entities/id | Tag
links/hits/sections/lists/entities/type | ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen | Attribute: "Last Seen"
timestamps/firstSeen | Attribute: "First Seen"
intelCard | Source
risk/score | Threat Rating and Attribute: "Risk Score". See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/rule | Attribute: "Evidence"
risk/evidenceDetails/evidenceString | Attribute: "Evidence"
risk/evidenceDetails/criticality | Attribute: "Evidence"
risk/evidenceDetails/timestamp | Attribute: "Evidence"

Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.

Vulnerability

ThreatConnect object type: Vulnerability Group

 

Recorded Future API Field | ThreatConnect Field
--- | ---
entity/id | Attribute: "External ID"
entity/name | Name/Summary
entity/note_entities | See the “Note Entity” section for more information.
analystNotes/attributes/validated_on | Vulnerability-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published | Vulnerability-to-Report Association
analystNotes/attributes/text | Vulnerability-to-Report Association
analystNotes/attributes/topic/name | Vulnerability-to-Report Association
analystNotes/attributes/validation_urls/name | Vulnerability-to-Report Association
analystNotes/attributes/title | Vulnerability-to-Report Association
analystNotes/attributes/note_entities/name | Vulnerability-to-Report Association
analystNotes/source/name | Vulnerability-to-Report Association
analystNotes/id | Vulnerability-to-Report Association
links/hits/sections/lists/entities/id | Tag
links/hits/sections/lists/entities/type | ATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeen | Attribute: "Last Seen"
timestamps/firstSeen | Attribute: "First Seen"
intelCard | Source
risk/score | Attribute: "Risk Score"
risk/criticalityLabel | Attribute: "Criticality"
risk/evidenceDetails/rule | Attribute: "Evidence"
risk/evidenceDetails/evidenceString | Attribute: "Evidence"
risk/evidenceDetails/criticality | Attribute: "Evidence"
risk/evidenceDetails/timestamp | Attribute: "Evidence"
cvssv3/scope | Attribute: "CVSS v3 Scope"
cvssv3/exploitabilityScore | Attribute: "CVSS v3 Exploitability Score"
cvssv3/modified | Attribute: "CVSS v3 Modified"
cvssv3/baseSeverity | Attribute: "CVSS v3 Base Severity"
cvssv3/baseScore | Attribute: "CVSS v3 Score"
cvssv3/privilegesRequired | Attribute: "CVSS v3 Privileges Required"
cvssv3/userInteraction | Attribute: "CVSS v3 User Interaction"
cvssv3/impactScore | Attribute: "CVSS v3 Impact Score"
cvssv3/attackVector | Attribute: "CVSS v3 Attack Vector"
cvssv3/integrityImpact | Attribute: "CVSS v3 Integrity Impact"
cvssv3/confidentialityImpact | Attribute: "CVSS v3 Confidentiality Impact"
cvssv3/vectorString | Attribute: "CVSS v3 Vector String"
cvssv3/attackComplexity | Attribute: "CVSS v3 Attack Complexity"
cvssv3/created | Attribute: "CVSS v3 Created"
cvssv3/availabilityImpact | Attribute: "CVSS v3 Availability Impact"
cvss/accessVector | Attribute: "CVSS v2 Access Vector"
cvss/lastModified | Attribute: "CVSS v2 Last Modified"
cvss/published | Attribute: "CVSS v2 Published"
cvss/score | Attribute: "CVSS v2 CVSS Score"
cvss/availability | Attribute: "CVSS v2 Availability"
cvss/authentication | Attribute: "CVSS v2 Authentication"
cvss/accessComplexity | Attribute: "CVSS v2 Access Complexity"
cvss/integrity | Attribute: "CVSS v2 Integrity"
cvss/confidentiality | Attribute: "CVSS v2 Confidentiality"
cpe | Attribute: "CPE"

Note
Each risk rule serves as evidence that explains the Group's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.

Analyst Note

Note
For each Analyst Note added to a Risk List entity, a Report Group will be created and associated to the ThreatConnect object that corresponds to the Risk List entity. For daily Analyst Notes, Report Groups will be created and associated to existing Indicators and Groups in ThreatConnect that were ingested from Recorded Future.

ThreatConnect object type: Report Group

 

Recorded Future API Field | ThreatConnect Field
--- | ---
analystNotes/attributes/validated_on | Last Modified Date and Attribute: "External Date Last Modified"
analystNotes/attributes/published | Attribute: "Publish Date"
analystNotes/attributes/text | Attribute: "Report Text"
analystNotes/attributes/topic/name | Attribute: "Report Type"
analystNotes/attributes/validation_urls/name | Attribute: "External References"
analystNotes/attributes/title | Name/Summary
analystNotes/attributes/note_entities/name | See the “Note Entity” section for more information.
analystNotes/source/name | Source
analystNotes/id | Attribute: "External ID"

Note Entity

ThreatConnect object type: Report Group

 

Recorded Future API Field | ThreatConnect Field
--- | ---
ASNumber | Attribute: "Autonomous System Number"
AWSAccessKey | Attribute: "AWS Access Key"
Aircraft | Attribute: "Aircraft"
Airport | Attribute: "Airport"
AnalystNote | Report Group
Anniversary | Attribute: "Anniversary"
AttackVector | Attribute: "Attack Vector"
BankIdentificationNumber | Attribute: "Bank Identification Number"
BitcoinAddress | Attribute: "Bitcoin Address"
BusinessIdentifierCode | Attribute: "Business Identifier Code"
Case | Attribute: "Case"
Category | Attribute: "Category"
City | Attribute: "City"
CodeIdentifier | Attribute: "Code Identifier"
Commodity | Attribute: "Commodity"
Company | Attribute: "Company"
ContentType | Attribute: "Content Type"
Continent | Attribute: "Continent"
Country | Attribute: "Country"
Currency | Attribute: "Currency"
CurrencyPair | Attribute: "Currency Pair"
CyberExploitTargetCategory | Attribute: "Cyber Exploit Target Category"
CyberSecurityCategory | Attribute: "Cyber Security Category"
CyberThreatActorCategory | Attribute: "Cyber Threat Actor Category"
CyberVulnerability | Vulnerability Group
DEANumber | Attribute: "DEA Number"
Dataset | Attribute: "Dataset"
DetectionRule | Attribute: "Detection Rule"
Document | Attribute: "Document"
EconomicIndicator | Attribute: "Economic Indicator"
EmailAddress | Attribute: "Email Address"
Embassy | Email Address Indicator
Emoji | Attribute: "Emoji"
EntertainmentAwardEvent | Attribute: "Entertainment Award Event"
Entity | Attribute: "Entity"
EntityAlias | Attribute: "Alias"
EntityList | Attribute: "Entity List"
EntityRange | Attribute: "Entity Range"
EntityRelation | Attribute: "Entity Relation"
ExternalIdentifier | Attribute: "External ID"
Facility | Attribute: "Facility"
FaxNumber | Attribute: "Fax Number"
Feature | Attribute: "Feature"
FileContent | Attribute: "File Content"
FileName | Attribute: "File Name"
FileNameExtension | Attribute: "File Extension"
FileType | Attribute: "File Type"
GeoBoundingBox | Attribute: "Geo Bounding Box"
GeoEntity | Attribute: "Geo Entity"
Hash | File Indicator
HashAlgorithm | Evaluated with File Indicator
Hashtag | Attribute: "Hashtag"
Holiday | Attribute: "Holiday"
IRCNetwork | Attribute: "IRC Network"
Identifier | Attribute: "Identifier"
Image | Attribute: "Image"
IncidentImpactCategory | Attribute: "Incident Impact Category"
Industry | Attribute: "Industry"
IndustryTerm | Attribute: "Industry Term"
IntegrationApplication | Attribute: "Integration Application"
IntegrationUser | Attribute: "Integration User"
InternetDomainName | Host Indicator
IpAddress | Address Indicator
Keyword | Attribute: "Keyword"
Language | Attribute: "Language"
LinkReport | Attribute: "Link Report"
Logotype | Attribute: "Logotype"
MICR | Attribute: "Magnetic Ink Character Recognition"
Malware | Attribute: "Malware"
MalwareCategory | Attribute: "Malware Family"
MalwareMutex | Attribute: "Mutex"
MalwareSignature | Attribute: "Malware Signature"
MarketIndex | Attribute: "Market Index"
MedicalCondition | Attribute: "Medical Condition"
MedicalTreatment | Attribute: "Medical Treatment"
MetaAttribute | Attribute: "Meta Attribute"
MetaType | Attribute: "Meta Type"
MilitaryBase | Attribute: "Military Base"
MilitaryExercise | Attribute: "Military Exercise"
MitreAttackIdentifier | ATT&CK Tag
Movie | Attribute: "Movie"
MusicAlbum | Attribute: "Music Album"
MusicGroup | Attribute: "Music Group"
Nationality | Attribute: "Nationality"
NaturalFeature | Attribute: "Natural Feature"
Neighborhood | Attribute: "Neighborhood"
NetworkPort | Attribute: "Network Port"
NetworkProtocol | Attribute: "Network Protocol"
NumericIdentifier | Attribute: "Numeric Identifier"
OperatingSystem | Attribute: "Operating System"
Operation | Attribute: "Operation"
OrgEntity | Attribute: "Org Entity"
Organization | Attribute: "Organization"
PaymentCardNumber | Attribute: "Payment Card Number"
Person | Attribute: "Person"
PhoneNumber | Attribute: "Phone"
Port | Attribute: "Port"
Position | Attribute: "Position"
Identifier | Attribute: "Product Identifier"
Module | Attribute: "Product Module"
ModuleAddon | Attribute: "Product Module Addon"
Version | Attribute: "Product Version"
ProgrammingLanguage | Attribute: "Programming Language"
ProvinceOrState | Attribute: "Province or State"
PublishedMedium | Attribute: "Published Medium"
RadioProgram | Attribute: "Radio Program"
RadioStation | Attribute: "Radio Station"
Region | Attribute: "Region"
Religion | Attribute: "Religion"
ReportEntity | Attribute: "Report Entity"
ReportingEntity | Attribute: "Reporting Entity"
RiskContext | Attribute: "Risk Context"
RiskRule | Attribute: "Risk Rule"
Sector | Attribute: "Sector"
SnortDetectionRule | Attribute: "Snort Detection Rule"
SocialSecurityNumber | Attribute: "Social Security Number"
Source | Attribute: "Source"
SourceMediaType | Attribute: "Source Media Type"
SportsEvent | Attribute: "Sports Event"
SportsGame | Attribute: "Sports Game"
SportsLeague | Attribute: "Sports League"
TVShow | Attribute: "TV Show"
TVStation | Attribute: "TV Station"
Task | Attribute: "Task"
Technology | Attribute: "Technology"
TechnologyArea | Attribute: "Technology Area"
Thread | Attribute: "Thread"
Threat Actor | Attribute: "Threat Actor"
Topic | Attribute: "Report Type"
UPSTrackingNumber | Attribute: "UPS Tracking Number"
URL | URL Indicator
USPSTrackingNumber | Attribute: "USPS Tracking Number"
UUID | Attribute: "UUID"
UseCaseConfiguration | Attribute: "Use Case Configuration"
UseCaseReport | Attribute: "Use Case Report"
User | Attribute: "User"
UserEnterprise | Attribute: "User Enterprise"
UserEntity | Attribute: "User Entity"
UserGroup | Attribute: "User Group"
UserLabel | Attribute: "User Label"
UserModuleGroup | Attribute: "User Module Group"
UserModuleRoleGroup | Attribute: "User Module Role Group"
UserOrganization | Attribute: "User Organization"
UserRole | Attribute: "User Role"
Username | Attribute: "Username"
Vessel | Attribute: "Vessel"
WebMoneyID | Attribute: "WebMoney ID"
WinRegKey | Attribute: "Registry Key"
YaraDetectionRule | Attribute: "Yara Detection Rule"

Actor

ThreatConnect object type: Intrusion Set Group

 

Recorded Future API Field | ThreatConnect Field
--- | ---
threat_map/id | External ID
threat_map/name | Summary
threat_map/alias | Tag: "Intrusion Set: "
threat_map/intent | Attribute: "Threat Map Intent"
threat_map/opportunity | Attribute: "Threat Map Opportunity"
threat_map/categories | Tag: "Category: "

Malware

ThreatConnect object type: Malware Group

 

Recorded Future API Field | ThreatConnect Field
--- | ---
threat_map/id | External ID
threat_map/name | Summary
threat_map/alias | Tag: "Intrusion Set: "
threat_map/prevalence | Attribute: "Threat Map Prevalence"
threat_map/opportunity | Attribute: "Threat Map Opportunity"
threat_map/categories | Tag: "Category: "
relatedEntities/entities/name | See the “Note Entity” section for more information.
timestamps/firstSeen | Attribute: "First Seen"
timestamps/lastSeen | Attribute: "Last Seen"

Standard Alerts

ThreatConnect object type: Event Group

 

Recorded Future API Field | ThreatConnect Field
hits/entities/name | Tag: "Vulnerability: " (if type = CyberVulnerability); Tag: "Malware: " (if type = Malware); ATT&CK Tag (if type = MitreAttackIdentifier)
hits/document/title, hits/document/source/name, hits/document/url, fragment, entities | Attribute: "Reference"
id | External ID
hits/entities/type | Attribute: "Entity List"
review/status | Status
rule/id | Attribute: "Alert Rule ID"; Tag
rule/name | Attribute: "Alert Rule"
title | Summary
triggered_by/entity_path/entity | Attribute: "Triggered By"
triggered_by/entity_paths/entity/name | Tag: "Vulnerability: " (if type = CyberVulnerability); Tag: "Malware: " (if type = Malware); ATT&CK Tag (if type = MitreAttackIdentifier)
url/api | Attribute: "Source"
owner_organisation_details.organisations/organisation_name, id, title, review/status_in_portal, review/assignee, review/note, url/portal, ai_insights/text | Attribute: "Description"

Risk Score Mappings

ThreatConnect follows the Criticality mapping in Recorded Future when assigning a Threat Rating to data ingested from Recorded Future; however, because the Recorded Future Criticality rating goes only from 0–4, it has been augmented by 1 in ThreatConnect to fit the 0–5 scale for Threat Rating. Table 12 shows how the Recorded Future risk scores are mapped to Threat Rating in ThreatConnect.

 

Recorded Future Risk Score | ThreatConnect Threat Rating
90–99 | 5
85–89 | 4
25–64 | 3
5–24 | 2
1–4 | 1
0 or Unknown | 0 or Unknown

Frequently Asked Questions (FAQ)

When configuring the Recorded Future Intelligence Engine App, I do not see Analyst Notes offered as a downloadable data type. How do I ensure my Recorded Future Analyst Notes are imported into ThreatConnect?

Analyst Notes added to the selected Risk List entity type(s), as well as those created in your Recorded Future modules within the last 24 hours, will be imported into ThreatConnect. See the “Analyst Note” section for more information on how Analyst Notes are mapped to the ThreatConnect data model.


Why are there several URL errors in the batch errors report? (e.g., [xyz.com] could not be processed as a valid URL due to missing or invalid data (summary is invalid for the given type))

URL errors occur when URL objects coming from Recorded Future use an invalid URL format. Some examples of this behavior include the following:

  • ww3.xyz.com: This URL is missing the protocol, such as http://.
  • http:ww2.xyz.com/page#: This URL is terminated with a special character.

URL objects with an invalid URL format will not be imported into ThreatConnect. Note that this issue occurs rarely.


Why are Indicators with risk scores that are less than the minimum risk score being ingested into ThreatConnect?

Indicators with risk scores that are less than the minimum risk score are ingested because they exist as links from other Risk List entities. To prevent Indicators with a risk score less than the minimum risk score (i.e., the value for the App's Minimum Risk Score parameter) from being ingested, clear the Collect Indicators Linked in Recorded Future Below the Minimum Risk Score checkbox in the Feed Deployer when configuring and deploying the App.


How does the Recorded Future Intelligence Engine Feed API Service App differ from the Recorded Future Risk List Job App?

The Recorded Future Risk List Job App allows users to do the following:

  • collect data from Risk List entities
  • create Indicators with evidence details
  • map evidence details to a Description Attribute and risk rules to Tags

The Recorded Future Intelligence Engine Feed API Service App collects data in the following ways:

  • ingests Risk List entities with several of their Attributes
  • ingests all of the Analyst Notes and attached PDFs associated with Risk List entities
  • ingests associated Risk List entities and allows users to view the first-level associations created between the entities and Analyst Notes (i.e., the actual link)
  • obtains a link to each Risk List entity's Recorded Future Intelligence Card
  • ingests, once a day, Analyst Notes that have been published in the last 24 hours

For more information on how Feed API Service Apps function in ThreatConnect, see Feed API Services.


How long does the Recorded Future Intelligence Engine Feed API Service App take to ingest a complete set of data on its initial run?

In most cases, the Recorded Future Intelligence Engine App takes 2–4 days to complete the initial data ingestion, depending on how you configure risk score and which Risk List entity types you select to ingest in the Feed Deployer.


In which order are Risk List entities ingested on the initial run?

On the initial run of the Recorded Future Intelligence Engine App, Risk List entities will be ingested in the following order:

  1. Domain
  2. Hash
  3. IP
  4. URL
  5. Vulnerability

You will likely see Risk List entities ingested in chunks along with the associated or linked entities. Note that there may be delays between the creation of the Risk List source entities and the Risk List link entities in ThreatConnect.


How often does the Recorded Future Intelligence Engine App ingest each Risk List entity type after the initial run?

See the following table for each Risk List entity type's download frequency. Analyst Notes are downloaded daily.

Recorded Future Risk List | Download Frequency (Hours)
Domain | 2
Hash | 24
IP | 1
URL | 2
Vulnerability | 24

How can I identify where the Recorded Future Intelligence Engine App collected Indicators and Groups from in Recorded Future?

The following Source: Tags, which are applied to Indicators and Groups in ThreatConnect that were ingested from Recorded Future, indicate where the integration collected them from in Recorded Future:

  • Source: Risk List: The entity was ingested from a Risk List.
  • Source: Risk List Link: The entity was ingested as a linked entity from a Risk List entity.
  • Source: Analyst Note: The entity was ingested from an Analyst Note.
  • Source: Analyst Note Link: The entity was ingested as a linked entity from an Analyst Note.
  • Source: RF Alert: The entity was ingested from an Alert.
  • Source: RF Alert Link: The entity was ingested as a linked entity from an Alert.
  • Source: RF Threat Map: The entity was ingested from a Threat Map entity.
  • Source: RF Threat Map Link: The entity was ingested as a linked entity from a Threat Map entity.

Note that an Indicator or Group may have more than one of these Tags applied to it, as the corresponding entities could be associated with one another.
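One way to use the Source: Tags to triage Indicators that sit below the Minimum Risk Score, as discussed in the FAQ entry on below-minimum Indicators. This is an added example, not code from ThreatConnect or Recorded Future; the record fields (summary, risk_score, tags), the minimum of 65, and the sample records are hypothetical and constructed for illustration.

```python
# Added example. Field names and SAMPLE records are constructed, not real data.
DIRECT_RISK_LIST = "Source: Risk List"
RISK_LIST_LINK = "Source: Risk List Link"

SAMPLE = [
    {"summary": "192.0.2.10", "risk_score": 91, "tags": ["Source: Risk List"]},
    {"summary": "198.51.100.7", "risk_score": 12, "tags": ["Source: Risk List Link"]},
    {"summary": "example.net", "risk_score": 30,
     "tags": ["Source: Analyst Note", "Category: Sample"]},
    {"summary": "203.0.113.5", "risk_score": 40,
     "tags": ["Source: Risk List", "Source: Risk List Link"]},
    {"summary": "example.org", "risk_score": 20, "tags": []},
]


def source_tags(tags):
    """Return only the 'Source: ...' provenance Tags of a record."""
    return {t for t in tags if t.startswith("Source: ")}


def triage_below_minimum(indicators, minimum_risk_score):
    """Classify every Indicator whose risk score is under the minimum.

    linked   - present only as a Risk List link (the case the FAQ describes)
    direct   - carries the direct Risk List Tag despite the low score
    other    - collected via Analyst Notes, Alerts, or the Threat Map
    untagged - no Source: Tag, so the collection path cannot be established
    """
    findings = {}
    for ind in indicators:
        if ind["risk_score"] >= minimum_risk_score:
            continue
        sources = source_tags(ind["tags"])
        if not sources:
            verdict = "untagged"
        elif DIRECT_RISK_LIST in sources:
            verdict = "direct"
        elif RISK_LIST_LINK in sources:
            verdict = "linked"
        else:
            verdict = "other"
        findings[ind["summary"]] = (verdict, sorted(sources))
    return findings


if __name__ == "__main__":
    for summary, (verdict, sources) in triage_below_minimum(SAMPLE, 65).items():
        print(f"{summary:15} {verdict:9} {', '.join(sources) or '-'}")
```

Records reported as linked are the ones that stop arriving once the Collect Indicators Linked in Recorded Future Below the Minimum Risk Score checkbox is cleared.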


ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
JavaScript® is a registered trademark of Oracle Corporation.
Recorded Future® is a registered trademark of Recorded Future, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

30083-02 EN Rev. A

