Recorded Future Intelligence Engine Integration User Guide
  • 01 May 2024
  • 15 Minutes to read
  • Dark
    Light

Recorded Future Intelligence Engine Integration User Guide

  • Dark
    Light

Article summary

Software Version
This guide applies to the Recorded Future Intelligence Engine App version 1.0.x.

Overview

The ThreatConnect® integration with Recorded Future® ingests Domain, Hash, IP, URL, and Vulnerability Risk List entities, as well as Analyst Notes, from Recorded Future. After ingesting these data, the integration creates corresponding objects with select Recorded Future metadata in ThreatConnect.

Dependencies

ThreatConnect Dependencies

  • Active ThreatConnect Application Programming Interface (API) key
  • ThreatConnect instance with version 7.4.0 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Recorded Future Dependencies

  • Active Recorded Future API token
  • Active Recorded Future module subscriptions: SecOps Intelligence, Threat Intelligence, and/or Vulnerability Intelligence (see Table 1 for more information)

Application Setup and Configuration

  1. Log into ThreatConnect with a System Administrator account.
  2. Install the Recorded Future Intelligence Engine App via TC Exchange™.
  3. Use the ThreatConnect Feed Deployer to set up and configure the Recorded Future IntelligenceEngine App.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters available when using the Feed Deployer to configure the App.

 

NameDescriptionRequired?
Sources Tab
Sources to CreateThe name of the Source to be created.Yes
OwnerThe Organization in which the Source will be created.Yes
Parameters Tab
Launch ServerSelect tc-job as the launch server for the Service corresponding to the Feed API Service App.Yes
Risk List TypesSelect one or more Recorded Future Risk List entity types that will be ingested. Available choices include the following:
  • Domain
  • Hash
  • IP
  • URL
  • Vulnerability
Note

The Domain, Hash, IP, and URL Risk Lists are included in the SecOps Intelligence and Threat Intelligence modules available in the Recorded Future subscription. Because these modules are the most common, these Risk List types are selected by default. The Vulnerability Risk List is not selected by default because it is included in the Vulnerability Intelligence module, which must be purchased separately from your Recorded Future subscription.

For assistance with managing your Recorded Future module subscriptions, please contact your Recorded Future Customer Success Representative.

Note

Each option available for the Risk List Types parameter (Domain, Hash, IP, URL, and Vulnerability) determines how links are followed during the integration's operational processes, as the integration will attempt to follow links for only the selected types.

For example, if you selected only IP and Hash from the Risk List Types dropdown and the integration sees an Address Indicator with links to an IP, a Hash, and a URL, the integration will follow only the IP and Hash links for the Address Indicator.
Yes
Minimum Risk ScoreSelect the minimum risk score that Risk List entities must have in order to be ingested into ThreatConnect. For example, if you 80 from the dropdown, then the App will ignore all Risk List entities with a risk score less than 80. The default value is 65, which is the default risk score for Risk List entities collected by ThreatConnect.Yes
Collect Indicators Linked in Recorded Future Less Than the Minimum Risk ScoreSelect this checkbox to ingest associated Indicators with a risk score that is less than the minimum risk score (i.e., the value for the Minimum Risk Score parameter). If this checkbox is cleared, the App will ignore all associated Indicators whose risk score is less than the minimum risk score.

By default, this checkbox is not selected.
No
Variables Tab
Recorded Future API TokenThe Recorded Future API token.Yes

Recorded Future Intelligence Engine

After successfully configuring and activating the Feed API Service, you can access the Recorded Future Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Recorded Future integration.

Follow these steps to access the UI:

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed. 
  3. Locate the Recorded Future Intelligence Engine Feed API Service and then click the link in the Service’s API Path field. The DASHBOARD screen of the Recorded Future Intelligence Engine UI will open in a new browser tab.

The following screens are available in the Recorded Future Intelligence Engine UI:

  • DASHBOARD
  • JOBS
  • TASKS
  • DOWNLOAD
  • REPORT

DASHBOARD

The DASHBOARD screen (Figure 1) provides an overview of the total number of Risk List entities (Domain, Hash, IP, URL, and Vulnerability) and Analyst Notes retrieved from Recorded Future. Depending on the data available to you, cards representing all or a subset of these object types will be displayed on the DASHBOARD screen.

 

JOBS

The JOBS screen breaks down the ingestion of Recorded Future data into manageable Job-like tasks. There are two views available for the JOBS screen: Risk Lists and Analyst Notes.

Risk Lists

Hover over the JOBS tab and select Risk Lists to display the Download Risk Lists Jobs screen (Figure 2). This screen breaks down the ingestion of Risk List entities into manageable Job-like tasks.

 

  • Job Type: If desired, select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled
  • Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
    1. Convert Risk Lists Complete
    2. Convert Risk Lists In Progress
    3. Download Risk Lists Complete
    4. Download Risk Lists In Progress
    5. Enrich Risk Lists Complete
    6. Enrich Risk Lists In Progress
    7. Failed
    8. Pending
    9. Upload Risk Lists Complete
    10. Upload Risk Lists In Progress
  • Request ID: If desired, enter text into this box to search for a specific Job by its request ID.
  • + Add Request: Click this button to display the ADD REQUEST window (Figure 3). On this window, you can specify the object types for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 2), and its Job type will be listed as ad-hoc.
    Note
    Recorded Future provides a single Risk List file for each entity type that contains the most current data available. Using the + Add Request feature will always download the most recent Risk List data.

     

Analyst Notes

Hover over the JOBS tab and select Analyst Notes to display the Download Analyst Notes Jobs screen (Figure 4). This screen breaks down the ingestion of Analyst Notes into manageable Job-like tasks.

 

  • Status:If desired, select a Job status by which to filter Jobs. Available statuses include the following:
    1. Convert Analyst Notes Complete
    2. Convert Analyst Notes In Progress
    3. Download Analyst Notes Complete
    4. Download Analyst Notes In Progress
    5. Failed
    6. Pending
    7. Upload Analyst Notes Complete
    8. Upload Analyst Notes In Progress
  • Request ID: If desired, enter text into this box to search for a specific Job by its request ID.

TASKS

The TASKS screen (Figure 5) is where you can view and manage the Tasks for each Job. Tasks are divided into separate Analyst Notes and Risk Lists workstreams for the Recorded Future integration.

 

DOWNLOAD

The DOWNLOAD RISK LIST ITEMS screen (Figure 6) is where you can download data for Risk List entities. Data for Analyst Notes cannot be downloaded.

 

  • ID(s): Enter the Recorded Future Risk List ID(s) for the object(s) to download. Data will be retrieved in JavaScript® Object Notation (JSON) format. When entering the IDs for Domain, Hash, IP, and URL Risk List entities, prepend idn:, hash:, ip:, and url:, respectively, to the entity's ID. For Vulnerability Risk List entities, use the CVE ID or Recorded Future ID. The following examples demonstrate the ID format that should be used for each Risk List entity type:
    • Domain: idn:efavengh.com
    • Hash: hash:092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
    • IP: ip:124.71.84.65
    • URL: url:https://send.exploit.in/
    • Vulnerability: CVE-2019-0841 or ZgFn9x
  • Convert: Select this checkbox to convert the threat intelligence data to ThreatConnect batch format.
  • Enrich: Select this checkbox to submit the threat intelligence data to the ThreatConnect Batch API.

REPORTS

The REPORTS screen provides two views: BATCH ERRORS and REPORT UPLOAD TRACKER. The BATCH ERRORS screen (Figure 7) displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.

 

The PDF TRACKER screen (Figure 8) is where you can view ThreatConnect's attempts to download PDFs from Recorded Future. The table on this screen displays the most recent date on which ThreatConnect attempted to download a PDF, the number of times an attempt to download the PDF was made, and whether the PDF was downloaded successfully. You can also search for PDFs by ID on this screen, which can be useful if you do not see a Recorded Future PDF in ThreatConnect as expected.

 

Data Mappings

The data mappings in Table 2 through Table 8 illustrate how data are mapped from Recorded Future Intelligence API endpoints into the ThreatConnect data model.

Domain

ThreatConnect object type: Host Indicator

 

Recorded Future API FieldThreatConnect Field
entity/idAttribute: "External ID"
entity/nameHost Name
entity/note_entitiesSee the “Note Entity” section for more information.
analystNotes/attributes/validated_onHost-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/idTag
links/hits/sections/lists/entities/typeATT&CK® Tag (if type = MitreAttackIdentifier)
timestamps/lastSeenAttribute: "Last Seen"
timestamps/firstSeenAttribute: "First Seen"
intelCardSource
risk/score
  • Threat Rating
  • Attribute: "Risk Score"
See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/ruleAttribute: "Evidence"
Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

Hash

ThreatConnect object type: File Indicator

 

Recorded Future API FieldThreatConnect Field
entity/idAttribute: "External ID"
entity/nameHash Value
entity/note_entitiesSee the “Note Entity” section for more information.
analystNotes/attributes/validated_onFile-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/idTag
links/hits/sections/lists/entities/typeATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeenAttribute: "Last Seen"
timestamps/firstSeenAttribute: "First Seen"
intelCardSource
risk/score
  • Threat Rating
  • Attribute: "Risk Score"
See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/ruleAttribute: "Evidence"
Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

IP

ThreatConnect object type: Address Indicator

 

Recorded Future API FieldThreatConnect Field
entity/idAttribute: "External ID"
entity/nameIP Address
entity/note_entitiesSee the “Note Entity” section for more information.
analystNotes/attributes/validated_onAddress-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/idTag
links/hits/sections/lists/entities/typeATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeenAttribute: "Last Seen"
timestamps/firstSeenAttribute: "First Seen"
intelCardSource
risk/score
  • Threat Rating
  • Attribute: "Risk Score"
See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/ruleAttribute: "Evidence"
Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp
location/cidr/name
Tag
location/location/country
Attribute: "IP Geo Country"
location/location/city
Attribute: "IP Geo City"
location/asn
Tag

URL

ThreatConnect object type: URL Indicator

 

Recorded Future API FieldThreatConnect Field
entity/idAttribute: "External ID"
entity/nameURL
entity/note_entitiesSee the “Note Entity” section for more information.
analystNotes/attributes/validated_onURL-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/idTag
links/hits/sections/lists/entities/typeATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeenAttribute: "Last Seen"
timestamps/firstSeenAttribute: "First Seen"
intelCardSource
risk/score
  • Threat Rating
  • Attribute: "Risk Score"
See the “Frequently Asked Questions (FAQ)” section for more information on how Recorded Future risk score is mapped to ThreatConnect Threat Rating.
risk/evidenceDetails/ruleAttribute: "Evidence"
Note
Each risk rule serves as evidence that explains the Indicator's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp

Vulnerability

ThreatConnect object type: Vulnerability Group

 

Recorded Future API FieldThreatConnect Field
entity/idAttribute: "External ID"
entity/nameName/Summary
entity/note_entitiesSee the “Note Entity” section for more information.
analystNotes/attributes/validated_onVulnerability-to-Report Association (see the “Analyst Note” section for more information on how data are mapped to the associated Report Group)
analystNotes/attributes/published
analystNotes/attributes/text
analystNotes/attributes/topic/name
analystNotes/attributes/validation_urls/name
analystNotes/attributes/title
analystNotes/attributes/note_entities/name
analystNotes/source/name
analystNotes/id
links/hits/sections/lists/entities/idTag
links/hits/sections/lists/entities/typeATT&CK Tag (if type = MitreAttackIdentifier)
timestamps/lastSeenAttribute: "Last Seen"
timestamps/firstSeenAttribute: "First Seen"
intelCardSource
risk/scoreAttribute: "Risk Score" 
risk/criticalityLabelAttribute: “Criticality"
risk/evidenceDetails/ruleAttribute: "Evidence"
Note
Each risk rule serves as evidence that explains the Group's level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability.
risk/evidenceDetails/evidenceString
risk/evidenceDetails/criticality
risk/evidenceDetails/timestamp
cvssv3/scopeAttribute: "CVSS v3 Scope"
cvssv3/exploitabilityScoreAttribute: "CVSS v3 Exploitability Score"
cvssv3/modifiedAttribute: "CVSS v3 Modified"
cvssv3/baseSeverityAttribute: "CVSS v3 Base Severity"
cvssv3/baseScoreAttribute: "CVSS v3 Score"
cvssv3/privilegesRequiredAttribute: "CVSS v3 Privileges Required"
cvssv3/userInteractionAttribute: "CVSS v3 User Interaction"
cvssv3/impactScoreAttribute: "CVSS v3 Impact Score"
cvssv3/attackVectorAttribute: "CVSS v3 Attack Vector"
cvssv3/integrityImpactAttribute: "CVSS v3 Integrity Impact"
cvssv3/confidentialityImpactAttribute: "CVSS v3 Confidentiality Impact"
cvssv3/vectorStringAttribute: "CVSS v3 Vector String"
cvssv3/attackComplexityAttribute: "CVSS v3 Attack Complexity"
cvssv3/createdAttribute: "CVSS v3 Created"
cvssv3/availabilityImpactAttribute: "CVSS v3 Availability Impact"
cvss/accessVectorAttribute: "CVSS v2 Access Vector"
cvss/lastModifiedAttribute: "CVSS v2 Last Modified"
cvss/publishedAttribute: "CVSS v2 Published"
cvss/scoreAttribute: "CVSS v2 CVSS Score"
cvss/availabilityAttribute: "CVSS v2 Availability"
cvss/authenticationAttribute: "CVSS v2 Authentication"
cvss/accessComplexityAttribute: "CVSS v2 Access Complexity"
cvss/integrityAttribute: "CVSS v2 Integrity"
cvss/confidentialityAttribute: "CVSS v2 Confidentiality"
cpeAttribute: "CPE"

Analyst Note

Note
For each Analyst Note added to a Risk List entity, a Report Group will be created and associated to the ThreatConnect object that corresponds to the Risk List entity. For daily Analyst Notes, Report Groups will be created and associated to existing Indicators and Groups in ThreatConnect that were ingested from Recorded Future.

ThreatConnect object type: Report Group

 

Recorded Future API FieldThreatConnect Field
analystNotes/attributes/validated_on
  • Last Modified Date
  • Attribute: "External Date Last Modified"
analystNotes/attributes/publishedAttribute: "Publish Date"
analystNotes/attributes/textAttribute: "Report Text"
analystNotes/attributes/topic/nameAttribute: "Report Type"
analystNotes/attributes/validation_urls/nameAttribute: "External References"
analystNotes/attributes/titleName/Summary
analystNotes/attributes/note_entities/nameSee the “Note Entity” section for more information.
analystNotes/source/nameSource
analystNotes/idAttribute: "External ID"

Note Entity

 

Recorded Future API FieldThreatConnect Field
ASNumberAttribute: "Autonomous System Number"
AWSAccessKeyAttribute: "AWS Access Key"
AircraftAttribute: "Aircraft"
AirportAttribute: "Airport"
AnalystNoteReport Group
AnniversaryAttribute: "Anniversary"
AttackVectorAttribute: "Attack Vector"
BankIdentificationNumberAttribute: "Bank Identification Number"
BitcoinAddressAttribute: "Bitcoin Address"
BusinessIdentifierCodeAttribute: "Business Identifier Code"
CaseAttribute: "Case"
CategoryAttribute: "Category"
CityAttribute: "City"
CodeIdentifierAttribute: "Code Identifier"
CommodityAttribute: "Commodity"
CompanyAttribute: "Company"
ContentTypeAttribute: "Content Type"
ContinentAttribute: "Continent"
CountryAttribute: "Country"
CurrencyAttribute: "Currency"
CurrencyPairAttribute: "Currency Pair"
CyberExploitTargetCategoryAttribute: "Cyber Exploit Target Category"
CyberSecurityCategoryAttribute: "Cyber Security Category"
CyberThreatActorCategoryAttribute: "Cyber Threat Actor Category"
CyberVulnerabilityVulnerability Group
DEANumberAttribute: "DEA Number"
DatasetAttribute: "Dataset"
DetectionRuleAttribute: "Detection Rule"
DocumentAttribute: "Document"
EconomicIndicatorAttribute: "Economic Indicator"
EmailAddressAttribute: "Email Address"
EmbassyAttribute: "Embassy"
EmojiAttribute: "Emoji"
EntertainmentAwardEventAttribute: "Entertainment Award Event"
EntityAttribute: "Entity"
EntityAliasAttribute: "Alias"
EntityListAttribute: "Entity List"
EntityRangeAttribute: "Entity Range"
EntityRelationAttribute: "Entity Relation"
ExternalIdentifierAttribute: "External ID"
FacilityAttribute: "Facility"
FaxNumberAttribute: "Fax Number"
FeatureAttribute: "Feature"
FileContentAttribute: "File Content"
FileNameAttribute: "File Name"
FileNameExtensionAttribute: "File Extension"
FileTypeAttribute: "File Type"
GeoBoundingBoxAttribute: "Geo Bounding Box"
GeoEntityAttribute: "Geo Entity"
HashFile Indicator
HashAlgorithmEvaluated with File Indicator
HashtagAttribute: "Hashtag"
HolidayAttribute: "Holiday"
IRCNetworkAttribute: "IRC Network"
IdentifierAttribute: "Identifier"
ImageAttribute: "Image"
IncidentImpactCategoryAttribute: "Incident Impact Category"
IndustryAttribute: "Industry"
IndustryTermAttribute: "Industry Term"
IntegrationApplicationAttribute: "Integration Application"
IntegrationUserAttribute: "Integration User"
InternetDomainNameHost Indicator
IpAddressAddress Indicator
KeywordAttribute: "Keyword"
LanguageAttribute: "Language"
LinkReportAttribute: "Link Report"
LogotypeAttribute: "Logotype"
MICRAttribute: "Magnetic Ink Character Recognition"
MalwareAttribute: "Malware"
MalwareCategoryAttribute: "Malware Family"
MalwareMutexAttribute: "Mutex"
MalwareSignatureAttribute: "Malware Signature"
MarketIndexAttribute: "Market Index"
MedicalConditionAttribute: "Medical Condition"
MedicalTreatmentAttribute: "Medical Treatment"
MetaAttributeAttribute: "Meta Attribute"
MetaTypeAttribute: "Meta Type"
MilitaryBaseAttribute: "Military Base"
MilitaryExerciseAttribute: "Military Exercise"
MitreAttackIdentifierATT&CK Tag
MovieAttribute: "Movie"
MusicAlbumAttribute: "Music Album"
MusicGroupAttribute: "Music Group"
NationalityAttribute: "Nationality"
NaturalFeatureAttribute: "Natural Feature"
NeighborhoodAttribute: "Neighborhood"
NetworkPortAttribute: "Network Port"
NetworkProtocolAttribute: "Network Protocol"
NumericIdentifierAttribute: "Numeric Identifier"
OperatingSystemAttribute: "Operating System"
OperationAttribute: "Operation"
OrgEntityAttribute: "Org Entity"
OrganizationAttribute: "Organization"
PaymentCardNumberAttribute: "Payment Card Number"
PersonAttribute: "Person"
PhoneNumberAttribute: "Phone"
PortAttribute: "Port"
PositionAttribute: "Position"
IdentifierAttribute: "Product Identifier"
ModuleAttribute: "Product Module"
ModuleAddonAttribute: "Product Module Addon"
VersionAttribute: "Product Version"
ProgrammingLanguageAttribute: "Programming Language"
ProvinceOrStateAttribute: "Province or State"
PublishedMediumAttribute: "Published Medium"
RadioProgramAttribute: "Radio Program"
RadioStationAttribute: "Radio Station"
RegionAttribute: "Region"
ReligionAttribute: "Religion"
ReportEntityAttribute: "Report Entity"
ReportingEntityAttribute: "Reporting Entity"
RiskContextAttribute: "Risk Context"
RiskRuleAttribute: "Risk Rule"
SectorAttribute: "Sector"
SnortDetectionRuleAttribute: "Snort Detection Rule"
SocialSecurityNumberAttribute: "Social Security Number"
SourceAttribute: "Source"
SourceMediaTypeAttribute: "Source Media Type"
SportsEventAttribute: "Sports Event"
SportsGameAttribute: "Sports Game"
SportsLeagueAttribute: "Sports League"
TVShowAttribute: "TV Show"
TVStationAttribute: "TV Station"
TaskAttribute: "Task"
TechnologyAttribute: "Technology"
TechnologyAreaAttribute: "Technology Area"
ThreadAttribute: "Thread"
Threat ActorAttribute: "Threat Actor"
TopicAttribute: "Report Type"
UPSTrackingNumberAttribute: "UPS Tracking Number"
URLURL Indicator
USPSTrackingNumberAttribute: "USPS Tracking Number"
UUIDAttribute: "UUID"
UseCaseConfigurationAttribute: "Use Case Configuration"
UseCaseReportAttribute: "Use Case Report"
UserAttribute: "User"
UserEnterpriseAttribute: "User Enterprise"
UserEntityAttribute: "User Entity"
UserGroupAttribute: "User Group"
UserLabelAttribute: "User Label"
UserModuleGroupAttribute: "User Module Group"
UserModuleRoleGroupAttribute: "User Module Role Group"
UserOrganizationAttribute: "User Organization"
UserRoleAttribute: "User Role"
UsernameAttribute: "Username"
VesselAttribute: "Vessel"
WebMoneyIDAttribute: "WebMoney ID"
WinRegKeyAttribute: "Registry Key"
YaraDetectionRuleAttribute: "Yara Detection Rule"

Risk Score Mappings

ThreatConnect follows the Criticality mapping in Recorded Future when assigning a Threat Rating to data ingested from Recorded Future; however, because the Recorded Future Criticality rating only goes from 0–4, it has been augmented by 1 in ThreatConnect to fit the 0–5 scale for Threat Rating.

 

Recorded Future Risk ScoreThreatConnect Threat Rating
90-995
85-894
25-643
5-242
1-41
0 or Unknown0 or Unknown

Frequently Asked Questions (FAQ)

When configuring the Recorded Future Intelligence Engine App, I do not see Analyst Notes offered as a downloadable data type. How do I ensure my Recorded Future Analyst Notes are imported into ThreatConnect?

Analyst Notes added to the selected Risk List entity type(s), as well as those created in your Recorded Future modules within the last 24 hours, will be imported into ThreatConnect. See the “Analyst Note” section for more information on how Analyst Notes are mapped to the ThreatConnect data model.


Why are there several URL errors in the batch errors report? (e.g., [xyz.com] could not be processed as a valid URL due to missing or invalid data (summary is invalid for the given type))

The ThreatConnect Recorded Future Intelligence Engine App may run into instances where URLs coming from Recorded Future use an invalid URL format. Some examples of this behavior include the following:

  • ww3.xyz.com: This URL is missing the protocol, such as http://.
  • http:ww2.xyz.com/page#: This URL is terminated with a special character.

URL objects with an invalid URL format will not be imported into ThreatConnect. Note that this issue occurs rarely.


Why are Indicators with risk scores that are less than the Minimum Risk Score being ingested into ThreatConnect?

These Indicators are ingested because they exist as links from other Risk List entities. To prevent Indicators with a risk score less than the minimum risk score (i.e., the value for the App's Minimum Risk Score parameter) from being ingested, clear the Collect Indicators Linked in Recorded Future Below the Minimum Risk Score checkbox in the Feed Deployer when configuring and deploying the App.


How does the Recorded Future Intelligence Engine Feed API Service App differ from the Recorded Future Risk List Job App?

The Recorded Future Risk List Job App allows users to do the following:

  • collect data from Risk List entities
  • create Indicators with evidence details
  • map evidence details to a Description Attribute and risk rules to Tags

The Recorded Future Intelligence Engine Feed API Service App collects data in the following ways:

  • ingests Risk List entities with several of their Attributes
  • ingests all of the Analyst Notes and attached PDFs associated with Risk List entities
  • ingests associated Risk List entities and allows users to view the first-level associations created between the entities and Analyst Notes (i.e., the actual link)
  • obtains a link to each Risk List entity's Recorded Future Intelligence Card
  • ingests Analyst Notes that have been published in the last 24 hours on a daily basis

For more information on how Feed API Service Apps function in ThreatConnect, see Feed API Services.


How long does the Recorded Future Intelligence Engine Feed API Service App take to ingest a complete set of data on its initial run?

In most cases, the Recorded Future Intelligence Engine App takes 2–4 days to complete the initial data ingestion, depending on how the customer configured risk score and which Risk List entity types they selected to ingest in the Feed Deployer.


In which order are Risk List entities ingested on the initial run?

On the initial run of the Recorded Future Intelligence Engine App, Risk List entities will be ingested in the following order:

  1. Domain
  2. Hash
  3. IP
  4. URL
  5. Vulnerability

Users will likely see clusters of the Risk List entities ingested in chunks along with the associated or linked entities. Note that there may be delays between the creation of the Risk List source entities and the Risk List link entities in ThreatConnect.


How often does the integration ingest each Risk List entity type after the initial run?

See the following table for each Risk List entity type's download frequency. Analyst Notes are downloaded daily.

Recorded Future Risk ListDownload Frequency (Hours)
Domain2
Hash24
IP1
URL2
Vulnerability24

How can I identify where the integration collected Indicators and Groups from in Recorded Future?

The following Source: Tags, which are applied to Indicators and Groups in ThreatConnect that were ingested from Recorded Future, indicate where the integration collected them from in Recorded Future:

  • Source: Risk List: The entity was ingested from a Risk List.
  • Source: Risk List Link: The entity was ingested as a linked entity from a Risk List entity.
  • Source: Analyst Note: The entity was ingested from an Analyst Note.
  • Source: Analyst Note Link: The entity was ingested as a linked entity from an Analyst Note.

Note that an Indicator or Group may have more than one of these Tags applied to them, as the entities could be associated to one another.


Why are associations to Malware and Adversaries in Recorded Future missing from Indicators and Groups in ThreatConnect?

Currently, Indicators and Groups created by the Recorded Future Intelligence Engine App will have Tags representing associated Malware and Adversaries applied to them, allowing users to pivot on and explore these relationships in ThreatConnect. Support for direct associations to Malware and Adversaries will be available in a future version of the Recorded Future Intelligence Engine App.


ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
JavaScript® is a registered trademark of Oracle Corporation.
Recorded Future® is a registered trademark of Recorded Future, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

30083-01 EN Rev. B


Was this article helpful?