--- title: "Threat Intelligence Engine for Recorded Future Integration User Guide" slug: "threat-intelligence-engine-for-recorded-future-integration-user-guide" description: "This article is a user guide for the Threat Intelligence Engine for Recorded Future app in ThreatConnect." updated: 2026-05-08T17:36:06Z published: 2026-05-08T17:36:06Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # Threat Intelligence Engine for Recorded Future Integration User Guide NoteThis guide applies to the **Threat Intelligence Engine for Recorded Future** app version 2.0.12. Click [here](https://knowledge.threatconnect.com/docs/recorded-future-intelligence-engine-integration-user-guide-version-1) to view *Recorded Future Intelligence Engine Integration Guide* for version 1.0.*x*. ## Overview The **Threat Intelligence Engine for Recorded Future** [feed API service](https://knowledge.threatconnect.com/docs/feed-api-services) app ingests Recorded Future® Risk List entities (Domain, Hash, IP, URL, and Vulnerability), Threat Map entities (Malware and Actor), Alert (Standard and Playbook) entities, and Analyst Notes and creates corresponding objects in ThreatConnect® with select Recorded Future metadata: - Domains are created as Host Indicators in ThreatConnect. - Hashes are created as File Indicators in ThreatConnect. - IPs are created as Address Indicators in ThreatConnect. - URLs are created as URL Indicators in ThreatConnect. - Vulnerabilities are created as Vulnerability Groups in ThreatConnect. - Malware is created as Malware Groups in ThreatConnect. - Actors are created as Intrusion Set Groups in ThreatConnect. - Standards Alerts are created as Event Groups in ThreatConnect. - Playbook Alerts are created as Event Groups in ThreatConnect. - Analyst Notes added to Risk List entities are created as Report Groups in ThreatConnect and associated to the ThreatConnect object corresponding to the Risk List entity. Daily Analyst Notes are created as Report Groups in ThreatConnect and associated to existing Indicators and Groups in ThreatConnect that were ingested from Recorded Future. Note Entities for Analyst Notes are created as attributes and other data for the corresponding Report Group created for the Analyst Note in ThreatConnect. - Note Entities are created as Report Groups in ThreatConnect. ## Dependencies ### ThreatConnect Dependencies - Active ThreatConnect API key - ThreatConnect instance with version 7.6.2 or newer installedNoteAll ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the **Account Settings** screen within their ThreatConnect instance. ### Recorded Future Dependencies - Active Recorded Future API tokenImportantFollow the instructions in [*Recorded Future API Overview*](https://docs.recordedfuture.com/reference/get-started) to generate a Recorded Future API token. You must be an Enterprise Admin in Recorded Future to generate a Recorded Future API token. Refer to [*API Entitlements*](https://docs.recordedfuture.com/reference/api-entitlements) for information on the entitlements assigned to the API token, based on the modules included in your Recorded Future subscription. - Active Recorded Future [module subscriptions](https://docs.recordedfuture.com/reference/api-entitlements): - **Risk List**: **SecOps Intelligence**, **Threat Intelligence**, and/or **Vulnerability Intelligence** (see the “Risk List Types” row in Table 1 for more information) - **Threat Map**: Threat Intelligence module - **Standard Alerts**: The required subscription varies by module. Please refer to the Recorded Future support documentation for more information. - **Playbook Alerts**: The required subscription varies by module. Please refer to the Recorded Future support documentation for more information. ## Application Setup and Configuration Follow these steps to install the **ThreatConnect Intelligence Engine for Recorded Future** app: 1. [Identify the version of the ThreatConnect feed API service app for Recorded Future you have deployed to a service on your ThreatConnect instance.](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-1-identify-deployed-app-version) 2. [If version 1 is deployed to a service, turn off and delete that service.](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-2-turn-off-and-delete-the-service-for-version-1) 3. [Install and deploy version 2.](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-3-install-and-deploy-version-2) ### Step 1: Identify Deployed App Version There are two versions of the ThreatConnect feed API service app for Recorded Future: - **Version 1**: **Recorded Future Intelligence Engine** 1.0.*x* (deprecated) - **Version 2**: **Threat Intelligence Engine for Recorded Future** 2.0.*x* (formerly **Recorded Future Intelligence Engine** 2.0.*x*) Follow these steps to identify the version of the app deployed to a service on your ThreatConnect instance: ImportantThe service’s name does not always correspond to the version number. Services whose name starts with **Threat Intelligence Engine for Recorded Future** are always deployed from version 2 of the app, but services whose name starts with **Recorded Future Intelligence Engine** may be deployed from version 1 or the first release of version 2. Use the procedure that follows to determine the version of the app deployed to a given service. 1. Log into ThreatConnect with a System Administrator account. 2. From the **Automation & Feeds** menu on the top navigation bar, select **Services**. 3. Enter `recorded future` in the search bar at the top of the **Services** screen. In the **Name** column for a returned result, the first number after `| V ` shows the app’s version number.HintSelect **Feed Service** from the **Service Type** dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the app, you can identify the one configured for a particular Organization by clicking the row for a service to view its **Details** drawer, which includes an **Organization** field showing the Organization that owns the Source for that service. Also, if the **Name** column in the table on the **Services** screen is not wide enough to display the version number, the service’s **Details** drawer displays the version number at the upper left, under the service’s name. ### Step 2: Turn Off and Delete the Service for Version 1 ImportantPerform this step only if version 1 of the app is [deployed to a service on your ThreatConnect instance](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-1-identify-deployed-app-version). Otherwise, proceed to [Step 3](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-3-install-and-deploy-version-2). Follow these steps to turn off and delete a service for version 1 of the app: 1. Log into ThreatConnect with a System Administrator account. 2. From the **Automation & Feeds** dropdown on the top navigation bar, select **Services**. 3. Locate the row for the service.HintSelect **Feed Service** from the **Service Type** dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the app, you can identify the one configured for your Organization by clicking the row for a service to view its **Details** drawer, which includes an **Organization** field showing the Organization that owns the Source for that service. 4. Turn off the toggle in the **Enable** column. 5. Select **Delete** from the **Options** **⋯** menu for the service. 6. Click **Delete** in the **Delete Service?** window. ### Step 3: Install and Deploy Version 2 The **Threat Intelligence Engine for Recorded Future** (version 2) app leverages the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) to create a [Source](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) for data ingestion from Recorded Future in an Organization and to configure the corresponding [service](https://knowledge.threatconnect.com/docs/playbook-services)’s ingestion and authentication parameters. After you install the **Threat Intelligence Engine for Recorded Future** app on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding service. #### Install the Threat Intelligence Engine for Recorded Future App Follow these steps to install the **Threat Intelligence Engine for Recorded Future** app on your ThreatConnect instance: 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)menu on the top navigation bar, select **TC Exchange Settings**. 3. Select the **Catalog** tab on the **TC Exchange™ Settings** screen. 4. Locate the **Threat Intelligence Engine for Recorded Future** app on the **Catalog** tab. 5. Click **Install**![Plus icon_Dark blue](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Plus%20icon_Dark%20blue.png)in the **Options** column for the app. 6. Click **INSTALL** in the app’s **Release Notes** window. 7. After you install the **Threat Intelligence Engine for Recorded Future** app, the [Feed Deployer](https://knowledge.threatconnect.com/docs/the-feed-deployer) opens automatically. Follow the procedure in the [“Deploy the Threat Intelligence Engine for Recorded Future App to an Organization”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#deploy-the-threat-intelligence-engine-for-recorded-future-app-to-an-organization) section to deploy the **Threat Intelligence Engine for Recorded Future** app to a Source in an Organization and configure the corresponding service. #### Deploy the Threat Intelligence Engine for Recorded Future App to an Organization Follow these steps to deploy the **Threat Intelligence Engine for Recorded Future** app to an Organization: WarningFollow the steps in this section only if you do not have, or [you have deleted](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-2-turn-off-and-delete-the-service-for-version-1), an existing service for version 1 of the app deployed to the Organization.NoteSkip to the fourth step in the procedure if you just [installed the **Threat Intelligence Engine for Recorded Future** app](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#install-the-threat-intelligence-engine-for-recorded-future-app) and are already viewing the **Feed Deployer** window. 1. Log into ThreatConnect with a System Administrator account. 2. From the **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)menu on the top navigation bar, select **TC Exchange Settings**. 3. Locate the **Threat Intelligence Engine for Recorded Future** app on the **Installed** tab. Then select **Deploy** from the **Options** **⋮** dropdown. 4. Follow the instructions in Table 1 to fill out the fields in the **Feed Deployer** window for a deployment of the **Threat Intelligence Engine for Recorded Future**app. | Name | Description | Required? | | --- | --- | --- | | **Source** Tab | | Sources to Create | Enter the name of the Source for the feed.ImportantIf you [turned off and deleted an existing service for version 1 of the app](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-2-turn-off-and-delete-the-service-for-version-1) and want version 2 to ingest data into the Source version 1 was using, enter the name of that Source. If you enter a different name, a new Source will be created for data ingestion from version 2. If you are not redeploying the feed to the existing Source, then the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., **Threat Intelligence Engine for Recorded Future - Demo Organization**) for easy identification of the Source’s owner. | Required | | Owner | Select the Organization in which the Source will be created. | Required | | Activate Deprecation | Select this checkbox to allow [confidence deprecation](https://knowledge.threatconnect.com/docs/indicator-confidence-deprecation) rules to be created and applied to Indicators in the Source. | Optional | | Create Attributes | Select this checkbox to allow [custom attribute types](https://knowledge.threatconnect.com/docs/creating-custom-attribute-types) for the **Threat Intelligence Engine for Recorded Future**app to be created on the System level of your ThreatConnect instance.ImportantIt is recommended that you keep this checkbox selected. If you deselect it, data from the **Threat Intelligence Engine for Recorded Future** app mapped to those attribute types will not be ingested. | Optional | | **Parameters** Tab | | Launch Server | Select **tc-job** as the launch server for the feed API service. | Required | | Minimum Risk Score for items being collected.* | Select the minimum risk score that Risk List entities must have to be ingested into ThreatConnect. For example, if you select **80** from the dropdown, the App will ignore all Risk List entities with a risk score less than 80. The default value is **65**. | Required | | Risk List Types | Select one or more Recorded Future Risk List entity types to ingest.NoteThe Domain, Hash, IP, and URL Risk List types are included in the **SecOps Intelligence** and **Threat Intelligence** modules available in the Recorded Future subscription. Because these modules are the most common, these Risk List types are selected by default. The Vulnerability Risk List type is not selected by default because it is included in the **Vulnerability Intelligence** module, which must be purchased separately from your Recorded Future subscription. For assistance with managing your Recorded Future module subscriptions, please contact your Recorded Future Customer Success Representative.NoteEach option available for the **Risk List Types** parameter (Domain, Hash, IP, URL, and Vulnerability) determines how links are followed during the app’s operational processes, as the app will attempt to follow links for only the selected types. For example, if you select only **IP** and **Hash** from the **Risk List Types** dropdown and the app sees an Address Indicator with links to an IP, a Hash, and a URL, the app will follow only the IP and Hash links for the Address Indicator. | Optional | | Collect Indicators Linked in Recorded Future Less Than the Minimum Risk Score | Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the **Minimum Risk Score** parameter) for entities linked to Risk List types. If this checkbox is cleared, the app will ignore all associated objects whose risk score is less than the minimum risk score. | Optional | | Threat Map Types | Select one or more Recorded Future Threat Map entity types to ingest. | Optional | | Collect Threat Map Links in Recorded Future Less Than the Minimum Risk Score | Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the **Minimum Risk Score** parameter) for entities linked to Threat Map types. If this checkbox is cleared, the app will ignore all associated objects whose risk score is less than the minimum risk score. | Optional | | Alert Types | Select one or more Recorded Future Alert entity types to ingest. | Optional | | Playbook Alert Priority Levels | Select one or more Recorded Future Playbook Alert priority levels. Only Playbook Alerts with the selected priority levels will be ingested. | Optional | | Collect Standard Alert Entities in Recorded Future Less Than the Minimum Risk Score | Select this checkbox to ingest associated Indicators with a risk score less than the minimum risk score (i.e., the value for the **Minimum Risk Score** parameter) for entities linked to Standard Alert types. If this checkbox is cleared, the App will ignore all associated objects whose risk score is less than the minimum risk score. | Optional | | Standard Alert Assignee (one email address only) | Enter the assignee’s email address to use for filtering Standard Alerts. If you enter an email address in this field, only Standard Alerts assigned to that email address will be ingested.NoteYou can enter only one email address in this field. If you enter an email address in this field *and* a Standard Alert Rule ID in the **Standard Alert Rule (ID)** field, then only Standard Alerts for that Alert Rule that are assigned to the email address will be ingested. | Optional | | Standard Alert Rule (ID) | Enter the Alert Rule ID to use for filtering Standard Alerts. If you enter an Alert Rule ID in this field, only Standard Alerts for that Alert Rule will be ingested.NoteYou can enter only one Alert Rule ID in this field. If you enter an Alert Rule ID in this field *and* an email address in the **Standard Alert Assignee (one email address only)** field, then only Standard Alerts for that Alert Rule that are assigned to the email address will be ingested. | Optional | | Playbook Alert Assignees (one or more uhash) | Enter one or more uhash values for assignees to use for filtering Playbook Alerts. If you enter uhash values in this field, only Playbook Alerts assigned to those uhash values will be ingested. | Optional | | Advanced Settings | WarningConfigure this field with caution and only when necessary. In ThreatConnect, an Indicator’s [confidence rating](https://knowledge.threatconnect.com/docs/setting-indicator-threat-and-confidence-ratings) is one of the factors used to calculate the Indicator’s [ThreatAssess score](https://knowledge.threatconnect.com/docs/threatassess-and-cal). If you are an existing user of any version of this app and you have never configured this field—which was introduced in version 2.0.7—before, then all Indicators in the Source configured for the app were ingested with a confidence rating of 0 (Unassessed). Configuring newly ingested Indicators to have a different confidence rating will cause discrepancies in the way the ThreatAssess score is calculated for new Indicators versus the way it is calculated for existing Indicators. It is recommended that existing users assign confidence rating to Indicators individually after examination rather than configure a default confidence rating in the **Advanced Settings** field. If you have not previously ingested data from either version of the app, then it is recommended to set the default confidence rating to `risk_score`.The **Advanced Settings** field allows you to specify a default [confidence rating](https://knowledge.threatconnect.com/docs/best-practices-indicator-threat-and-confidence-ratings)for all Indicators ingested from Recorded Future. Configure this field in one of the following three ways: - **(Recommended for existing app installations)** Leave the field blank. All ingested Indicators will have a confidence rating of 0 (Unassessed). - **(Recommended for new app installations)** Enter `default_confidence=risk_score`. Each ingested Indicator will have a confidence rating that matches its [risk score in Recorded Future](https://support.recordedfuture.com/hc/en-us/articles/115000897208-Risk-Scoring-in-Recorded-Future). - Enter `default_confidence=<number>`, where `<number> `is a whole number from 0 to 100. All ingested Indicators will have a confidence rating of the provided number.Example`default_confidence=37` NoteThe value entered in the **Advanced Settings** field will also be used in ad hoc job requests. | Optional | | **Variables** Tab | | Recorded Future API Token | Enter the Recorded Future API token. | Required | | **Confirm** Tab | | Run Feeds after deployment | Select this checkbox to run the **Threat Intelligence Engine for Recorded Future** service immediately after you click **DEPLOY** on the **Feed Deployer** window. | Optional | | Confirm Deployment Over Existing Source | This checkbox and a warning message are displayed on the **Confirm** tab if the Source name entered on the **Source** tab is already used by a Source owned by the selected Organization. To confirm redeploying the app to the existing Source, select the checkbox. This will activate the **DEPLOY** button. Otherwise, you must return to the **Source**tab and either change the Source name or select a different Organization.WarningWhen you redeploy a feed API service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new service for the feed API service app. It is recommended that you delete the previous service for the feed API service app after the new one is created. | Optional | 5. Click **DEPLOY** on the **Confirm** tab of the **Feed Deployer** window to deploy the **Threat Intelligence Engine for Recorded Future** app in the Organization, which will create a Source for the feed in the Organization and a corresponding feed API service. ## Threat Intelligence Engine for Recorded Future UI After [installing](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#install-the-threat-intelligence-engine-for-recorded-future-app) the **Threat Intelligence Engine for Recorded Future** app and [deploying it to an Organization](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#deploy-the-threat-intelligence-engine-for-recorded-future-app-to-an-organization), you can access the **Threat Intelligence Engine for Recorded Future** UI, where you can manage data ingestion from Recorded Future into the Source created in the Organization. Follow these steps to access the **Threat Intelligence Engine for Recorded Future** UI: 1. Log into ThreatConnect with a System Administrator account or a user account in the Organization with an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Organization Administrator. 2. From the **Automation & Feeds** dropdown on the top navigation bar, select **Services**. 3. Locate the row for the **Threat Intelligence Engine for Recorded Future**feed API service.HintSelect **Feed Service** from the **Service Type** dropdown at the upper right to filter the screen to show only feed API services. If there are multiple services for the **Threat Intelligence Engine for Recorded Future** app, you can identify the one configured for your Organization by clicking the row for a service to view its **Details** drawer, which includes an **Organization** field showing the Organization that owns the Source for that service. 4. Turn on the toggle in the **Enable** column if the service is not already enabled. 5. Click the link in the service’s **API Path** field to open the **Threat Intelligence Engine for Recorded Future** UI. The following screens are available in the **Threat Intelligence Engine for Recorded Future** UI: - [**Dashboard**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#dashboard) - [**Jobs**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#jobs) - [**Tasks**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#tasks) - [**Download**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#download) - [**Batch Errors**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#batch-errors) - [**Notifications**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#notifications) - [**Attachment Status**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#attachment-status) ### Dashboard The **Dashboard** screen provides an overview of the total number of Risk List entities (Domain, Hash, IP, URL, and Vulnerability), Threat Map entities (Malware and Intrusion Set), Alert entities (Event and Document) and Analyst Notes (Report, Email Address, Domain, Hash, IP, URL, Vulnerability, Malware, and Intrusion Set) retrieved from Recorded Future. Depending on the available data, cards representing all or a subset of these object types will be displayed on the **Dashboard** screen. Note**Address** on the **Dashboard** screen corresponds to the **IP** Risk List entity type, and **Intrusion Set** corresponds to the **Actor** Threat Map entity type. ### Jobs The **Jobs** screen breaks down the ingestion of Recorded Future data into manageable job-like tasks, displaying all processes that are pending, in progress, complete, and failed. The **⋯** menu in a job’s row provides the following options: - **Details**: View details for the job, such as counts of downloaded and batched Groups and start and end times for Alert monitoring, download, and upload. - **Download Files**: Download metadata files for all jobs and data (convert, download, and upload) files for completed Jobs. - **Batch Errors**: View errors that have occurred for the job on the [**Batch Errors**](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#batch-errors) screen. You can filter **Threat Intelligence Engine for Recorded Future** service jobs by the following elements: - **Job ID:** Enter text into this box to search for a job by its job ID. - **Job Type:** Select job types to display on the **Jobs** screen. - **Status:** Select job statuses to display on the **Jobs** screen. - **Pipeline**: Select the pipeline types to display on the **Jobs**screen: - **alerts**: Alert entities - **analyst_note**: Analyst Note entities - **threat_intel**: Risk List and Threat Map entities #### Add a Job You can add ad hoc Jobs on the **Jobs** screen. Follow these steps to create a request for an ad hoc job for the **Threat Intelligence Engine for Recorded Future** service: 1. Click **Add Job**. 2. Fill out the fields on the **Add Job**drawer as follows: - **Risklist Types**: (Optional) Select the Risk List entity types to include. - **Threat Map Types**: (Optional) Select the Threat Map entity types to include. - **Alert Types**: (Optional) Select the Alert entity types to include. - **Alert Start Time**: (Optional) Enter the time at which monitoring for triggered Alerts should start.Note**Alert Start Time** applies only to Alert entities. If no value is specified, the 1000 most recent Alerts will be downloaded. - **Alert End Time**: (Optional) Enter the time at which monitoring for triggered Alerts should end.Note**Alert End Time** applies only to Alert entities. If no value is specified, the 1000 most recent Alerts will be downloaded. - **Download Analyst Notes**: (Optional) Select **Yes** to download Analyst Notes for the selected **Risklist Types**. - **Analyst Note Timeframe**: (Optional) Enter the timeframe for which Analyst Notes should be downloaded, using one of the following formats:NoteIf you do not enter a value, then the default value of `-1d` will be used. - **Absolute date**: Enter a date in **YYYYMMDD**format. Analyst Notes published on or after that date will be downloaded.ExampleThe following format variations provide valid input: - `20250908` - `2025-09-08` - `2025-9-8` - **Relative date**: Enter a lookback time window. Analyst Notes published on or after the date and time at which the lookback window begins will be downloaded. The lookback window must start with a minus sign (`-`) to indicate that the window is historic.ExampleThe following format variations provide valid input: - `-3d` - `-2d 50m` - `-0d 50m 30s` 3. Click **Submit**. ### Tasks The **Tasks** screen displays all tasks that may be part of a job, including each step of the download, convert, and upload processes, as well as tasks for the **Threat Intelligence Engine for Recorded Future** service, such as monitor, scheduler, and cleaner. The current status (**Idle**, **Paused**, or **Running**), name, description, and heartbeat timeout length, in minutes, are displayed for each task. The **⋯** menu in a task’s row provides the following options, depending on the task’s status: - **Run** (idle and paused tasks only) - **Pause** (idle and running tasks only) - **Resume** (paused tasks only) - **Kill** (running tasks only) Under the table is a dashboard where you can view runtime analytics. ### Download The **Download** screen lets you download JavaScript® Object Notation (JSON) data for Recorded Future entities and then upload the data into ThreatConnect. Follow these steps to download JSON data for a Recorded Future entity on the **Download** screen and then upload the data into ThreatConnect: 1. **Recorded Future Type**: Select a Recorded Future entity type from the following options: **IPAddress** (IP), **URL**, **Hash**, **InternetDomainName** (Domain), **CyberVulnerability** (Vulnerability), **Analyst Note**, **Malware**, **Actor**, **StandardAlert**, **Playbook Alert: Domain Abuse**, **Playbook Alert: Vulnerability**, **Playbook Alert: Third Party Risk**, **Playbook Alert: Data Leak On Code Repo**, **Playbook Alert: Malware Report**, **Playbook Alert: Geopolitics Facility**, and **Playbook Alert: Identity Novel Exposures**. 2. **External ID**: Enter the ID for the Recorded Future entity of the selected type. For IP, URL, Hash, and Domain Risk List entities, prepend `ip:`, `url:`, `hash:`, and `idn:`, respectively, to the entity’s ID. For Vulnerability Risk List entities, use the CVE ID or Recorded Future ID. The following examples demonstrate the ID format for each Recorded Future entity type: - **IPAddress**: `ip:124.71.84.65` - **URL**: `url:https://send.exploit.in/` - **Hash**: `hash:092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875` - **InternetDomainName**: `idn:efavengh.com` - **CyberVulnerability**: `CVE-2019-0841` *or* `ZgFn9x` - **Analyst Note**: `4gSsx8` - **Malware**: `l3moPJ` - **Actor**: `eTMnra` - **StandardAlert**: `-QfHWt` - **Playbook Alerts**: `task:09e6c192-0f88-4f3e-813c-f6b73bbc95a4`NoteAll Playbook Alert types have the same ID format. 3. Click **Download**. The JSON data will be displayed in two columns: **Results** (raw JSON data) and **Converted** (JSON data in ThreatConnect batch format). 4. Click **Upload** to submit the converted threat intelligence data via the [ThreatConnect Batch API](https://docs.threatconnect.com/en/latest/rest_api/v2/batch_api/batch_api.html). ### Batch Errors The **Batch Errors** screen displays an overview of the batch error types that have occurred for Job requests. You can enter keywords to filter by Job ID. Select an error type to open a drawer with details on all batch errors of that type. ### Notifications The **Notifications** screen displays a table with details on notifications regarding app functionality and job failure outcomes for the **Threat Intelligence Engine for Recorded Future** service. ### Attachment Status The **Attachment Status** screen displays a table with details on ThreatConnect’s attempts to download Report attachments from Recorded Future. You can enter keywords to filter the table by the Recorded Future Group ID, which can be useful if you do not see a Recorded Future attachment in ThreatConnect as expected, or by status. ## Data Mappings The data mappings in Table 2 through Table 18 illustrate how data are mapped from Recorded Future Intelligence API endpoints into the [ThreatConnect data model](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model). ### Domain ThreatConnect object type: Host Indicator | Recorded Future API Field | ThreatConnect Field | | --- | --- | | entity/id | Attribute: "External ID" | | entity/name | Name/Summary | | entity/note_entities | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | analystNotes/attributes/validated_on | Host-to-Report association (see the [“Analyst Note”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#analyst-note) section for more information on how data are mapped to the associated Report Group) | | analystNotes/attributes/published | | analystNotes/attributes/text | | analystNotes/attributes/topic/name | | analystNotes/attributes/validation_urls/name | | analystNotes/attributes/title | | analystNotes/attributes/note_entities/name | | analystNotes/source/name | | analystNotes/id | | links/hits/sections/lists/entities/id | Tag | | links/hits/sections/lists/entities/type | [ATT&CK® Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | timestamps/firstSeen | Attribute: "First Seen" | | timestamps/lastSeen | Attribute: "Last Seen" | | intelCard | Source | | risk/score | - Threat Rating - Attribute: "Risk Score" See the [“Frequently Asked Questions (FAQ)”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#frequently-asked-questions-faq) section for more information on how Recorded Future risk score is mapped to ThreatConnect threat rating. | | risk/evidenceDetails/rule | Attribute: "Evidence"NoteEach risk rule serves as evidence that explains the Indicator’s level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability. | | risk/evidenceDetails/evidenceString | | risk/evidenceDetails/criticality | | risk/evidenceDetails/timestamp | ### Hash ThreatConnect object type: File Indicator | Recorded Future API Field | ThreatConnect Field | | --- | --- | | entity/id | Attribute: "External ID" | | entity/name | Name/Summary | | entity/note_entities | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | analystNotes/attributes/validated_on | File-to-Report association (see the [“Analyst Note”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#analyst-note) section for more information on how data are mapped to the associated Report Group) | | analystNotes/attributes/published | | analystNotes/attributes/text | | analystNotes/attributes/topic/name | | analystNotes/attributes/validation_urls/name | | analystNotes/attributes/title | | analystNotes/attributes/note_entities/name | | analystNotes/source/name | | analystNotes/id | | links/hits/sections/lists/entities/id | Tag | | links/hits/sections/lists/entities/type | [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | timestamps/firstSeen | Attribute: "First Seen" | | timestamps/lastSeen | Attribute: "Last Seen" | | intelCard | Source | | risk/score | - Threat Rating - Attribute: "Risk Score" See the [“Frequently Asked Questions (FAQ)”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#frequently-asked-questions-faq) section for more information on how Recorded Future risk score is mapped to ThreatConnect threat rating. | | risk/evidenceDetails/rule | Attribute: "Evidence"NoteEach risk rule serves as evidence that explains the Indicator’s level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability. | | risk/evidenceDetails/evidenceString | | risk/evidenceDetails/criticality | | risk/evidenceDetails/timestamp | ### IP ThreatConnect object type: Address Indicator | Recorded Future API Field | ThreatConnect Field | | --- | --- | | entity/id | Attribute: "External ID" | | entity/name | Name/Summary | | entity/note_entities | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | analystNotes/attributes/validated_on | Address-to-Report association (see the [“Analyst Note”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#analyst-note) section for more information on how data are mapped to the associated Report Group) | | analystNotes/attributes/published | | analystNotes/attributes/text | | analystNotes/attributes/topic/name | | analystNotes/attributes/validation_urls/name | | analystNotes/attributes/title | | analystNotes/attributes/note_entities/name | | analystNotes/source/name | | analystNotes/id | | links/hits/sections/lists/entities/id | Tag | | location/asn | | location/cidr/name | | links/hits/sections/lists/entities/type | [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | timestamps/firstSeen | Attribute: "First Seen" | | timestamps/lastSeen | Attribute: "Last Seen" | | intelCard | Source | | risk/score | - Threat Rating - Attribute: "Risk Score" See the [“Frequently Asked Questions (FAQ)”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#frequently-asked-questions-faq) section for more information on how Recorded Future risk score is mapped to ThreatConnect threat rating. | | risk/evidenceDetails/rule | Attribute: "Evidence"NoteEach risk rule serves as evidence that explains the Indicator’s level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability. | | risk/evidenceDetails/evidenceString | | risk/evidenceDetails/criticality | | risk/evidenceDetails/timestamp | | location/location/country | Attribute: "IP Geo Country" | | location/location/city | Attribute: "IP Geo City" | ### URL ThreatConnect object type: URL Indicator | Recorded Future API Field | ThreatConnect Field | | --- | --- | | entity/id | Attribute: "External ID" | | entity/name | Name/Summary | | entity/note_entities | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | analystNotes/attributes/validated_on | URL-to-Report association (see the [“Analyst Note”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#analyst-note) section for more information on how data are mapped to the associated Report Group) | | analystNotes/attributes/published | | analystNotes/attributes/text | | analystNotes/attributes/topic/name | | analystNotes/attributes/validation_urls/name | | analystNotes/attributes/title | | analystNotes/attributes/note_entities/name | | analystNotes/source/name | | analystNotes/id | | links/hits/sections/lists/entities/id | Tag | | links/hits/sections/lists/entities/type | [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | timestamps/firstSeen | Attribute: "First Seen" | | timestamps/lastSeen | Attribute: "Last Seen" | | intelCard | Source | | risk/score | - Threat Rating - Attribute: "Risk Score" See the [“Frequently Asked Questions (FAQ)”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#frequently-asked-questions-faq) section for more information on how Recorded Future risk score is mapped to ThreatConnect threat rating. | | risk/evidenceDetails/rule | Attribute: "Evidence"NoteEach risk rule serves as evidence that explains the Indicator’s level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability. | | risk/evidenceDetails/evidenceString | | risk/evidenceDetails/criticality | | risk/evidenceDetails/timestamp | ### Vulnerability ThreatConnect object type: Vulnerability Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | entity/id | Attribute: "External ID" | | entity/name | Name/Summary | | entity/note_entities | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | analystNotes/attributes/validated_on | Vulnerability-to-Report association (see the [“Analyst Note”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#analyst-note) section for more information on how data are mapped to the associated Report Group) | | analystNotes/attributes/published | | analystNotes/attributes/text | | analystNotes/attributes/topic/name | | analystNotes/attributes/validation_urls/name | | analystNotes/attributes/title | | analystNotes/attributes/note_entities/name | | analystNotes/source/name | | analystNotes/id | | links/hits/sections/lists/entities/id | Tag | | links/hits/sections/lists/entities/type | [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | timestamps/firstSeen | Attribute: "First Seen" | | timestamps/lastSeen | Attribute: "Last Seen" | | intelCard | Source | | risk/score | Attribute: "Risk Score" | | risk/criticalityLabel | Attribute: "Criticality" | | risk/evidenceDetails/rule | Attribute: "Evidence"NoteEach risk rule serves as evidence that explains the Group’s level of risk. Because there are often many risk rules associated with a Recorded Future Risk List entity, the risk rules are presented in a tabular format for better readability. | | risk/evidenceDetails/evidenceString | | risk/evidenceDetails/criticality | | risk/evidenceDetails/timestamp | | cvssv3/scope | Attribute: "CVSS v3 Scope" | | cvssv3/exploitabilityScore | Attribute: "CVSS v3 Exploitability Score" | | cvssv3/modified | Attribute: "CVSS v3 Modified" | | cvssv3/baseSeverity | Attribute: "CVSS v3 Base Severity" | | cvssv3/baseScore | Attribute: "CVSS v3 Score" | | cvssv3/privilegesRequired | Attribute: "CVSS v3 Privileges Required" | | cvssv3/userInteraction | Attribute: "CVSS v3 User Interaction" | | cvssv3/impactScore | Attribute: "CVSS v3 Impact Score" | | cvssv3/attackVector | Attribute: "CVSS v3 Attack Vector" | | cvssv3/integrityImpact | Attribute: "CVSS v3 Integrity Impact" | | cvssv3/confidentialityImpact | Attribute: "CVSS v3 Confidentiality Impact" | | cvssv3/vectorString | Attribute: "CVSS v3 Vector String" | | cvssv3/attackComplexity | Attribute: "CVSS v3 Attack Complexity" | | cvssv3/created | Attribute: "CVSS v3 Created" | | cvssv3/availabilityImpact | Attribute: "CVSS v3 Availability Impact" | | cvss/accessVector | Attribute: "CVSS v2 Access Vector" | | cvss/lastModified | Attribute: "CVSS v2 Last Modified" | | cvss/published | Attribute: "CVSS v2 Published" | | cvss/score | Attribute: "CVSS v2 CVSS Score" | | cvss/availability | Attribute: "CVSS v2 Availability" | | cvss/authentication | Attribute: "CVSS v2 Authentication" | | cvss/accessComplexity | Attribute: "CVSS v2 Access Complexity" | | cvss/integrity | Attribute: "CVSS v2 Integrity" | | cvss/confidentiality | Attribute: "CVSS v2 Confidentiality" | | cpe | Attribute: "CPE" | ### Analyst Note NoteFor each Analyst Note added to a Risk List entity, a Report Group will be created and [associated](https://knowledge.threatconnect.com/docs/associations) to the ThreatConnect object that corresponds to the Risk List entity. For daily Analyst Notes, Report Groups will be created and associated to existing Indicators and Groups in ThreatConnect that were ingested from Recorded Future. ThreatConnect object type: Report Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | analystNotes/attributes/validated_on | - Last Modified - Attribute: "External Date Last Modified" | | analystNotes/attributes/published | Attribute: "Publish Date" | | analystNotes/attributes/text | Attribute: "Report Text" | | analystNotes/attributes/topic/name | Attribute: "Report Type" | | analystNotes/attributes/validation_urls/name | Attribute: "External References" | | analystNotes/attributes/title | Name/Summary | | analystNotes/attributes/note_entities/name | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | analystNotes/source/name | Source | | analystNotes/id | Attribute: "External ID" | ### Note Entity ThreatConnect object type: Report Group | Recorded Future Note Entity Type | ThreatConnect Field | | --- | --- | | ASNumber | Attribute: "Autonomous System Number" | | AWSAccessKey | Attribute: "AWS Access Key" | | Aircraft | Attribute: "Aircraft" | | Airport | Attribute: "Airport" | | AnalystNote | Association to Report Group | | Anniversary | Attribute: "Anniversary" | | AttackVector | Attribute: "Attack Vector" | | BankIdentificationNumber | Attribute: "Bank Identification Number" | | BitcoinAddress | Attribute: "Bitcoin Address" | | BusinessIdentifierCode | Attribute: "Business Identifier Code" | | Case | Attribute: "Case" | | Category | Attribute: "Category" | | City | Attribute: "City" | | CodeIdentifier | Attribute: "Code Identifier" | | Commodity | Attribute: "Commodity" | | Company | Attribute: "Company" | | ContentType | Attribute: "Content Type" | | Continent | Attribute: "Continent" | | Country | Attribute: "Country" | | Currency | Attribute: "Currency" | | CurrencyPair | Attribute: "Currency Pair" | | CyberExploitTargetCategory | Attribute: "Cyber Exploit Target Category" | | CyberSecurityCategory | Attribute: "Cyber Security Category" | | CyberThreatActorCategory | Attribute: "Cyber Threat Actor Category" | | CyberVulnerability | Association to Vulnerability Group | | DEANumber | Attribute: "DEA Number" | | Dataset | Attribute: "Dataset" | | DetectionRule | Attribute: "Detection Rule" | | Document | Attribute: "Document" | | EconomicIndicator | Attribute: "Economic Indicator" | | EmailAddress | Association to Email Address Indicator | | Embassy | Attribute: "Embassy" | | Emoji | Attribute: "Emoji" | | EntertainmentAwardEvent | Attribute: "Entertainment Award Event" | | Entity | Attribute: "Entity" | | EntityAlias | Attribute: "Alias" | | EntityList | Attribute: "Entity List" | | EntityRange | Attribute: "Entity Range" | | EntityRelation | Attribute: "Entity Relation" | | ExternalIdentifier | Attribute: "External ID" | | Facility | Attribute: "Facility" | | FaxNumber | Attribute: "Fax Number" | | Feature | Attribute: "Feature" | | FileContent | Attribute: "File Content" | | FileName | Attribute: "File Name" | | FileNameExtension | Attribute: "File Extension" | | FileType | Attribute: "File Type" | | GeoBoundingBox | Attribute: "Geo Bounding Box" | | GeoEntity | Attribute: "Geo Entity" | | Hash | Association to File Indicator | | HashAlgorithm | One of the following algorithms: - MD5 - SHA1 - SHA256 | | Hashtag | Attribute: "Hashtag" | | Holiday | Attribute: "Holiday" | | IRCNetwork | Attribute: "IRC Network" | | Identifier | Attribute: "Identifier" | | Image | Attribute: "Image" | | IncidentImpactCategory | Attribute: "Incident Impact Category" | | Industry | Attribute: "Industry" | | IndustryTerm | Attribute: "Industry Term" | | IntegrationApplication | Attribute: "Integration Application" | | IntegrationUser | Attribute: "Integration User" | | InternetDomainName | Association to Host Indicator | | IpAddress | Association to Address Indicator | | Keyword | Attribute: "Keyword" | | Language | Attribute: "Language" | | LinkReport | Attribute: "Link Report" | | Logotype | Attribute: "Logotype" | | MICR | Attribute: "Magnetic Ink Character Recognition" | | Malware | Attribute: "Malware" | | MalwareCategory | Attribute: "Malware Family" | | MalwareMutex | Attribute: "Mutex" | | MalwareSignature | Attribute: "Malware Signature" | | MarketIndex | Attribute: "Market Index" | | MedicalCondition | Attribute: "Medical Condition" | | MedicalTreatment | Attribute: "Medical Treatment" | | MetaAttribute | Attribute: "Meta Attribute" | | MetaType | Attribute: "Meta Type" | | MilitaryBase | Attribute: "Military Base" | | MilitaryExercise | Attribute: "Military Exercise" | | MitreAttackIdentifier | [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) | | Movie | Attribute: "Movie" | | MusicAlbum | Attribute: "Music Album" | | MusicGroup | Attribute: "Music Group" | | Nationality | Attribute: "Nationality" | | NaturalFeature | Attribute: "Natural Feature" | | Neighborhood | Attribute: "Neighborhood" | | NetworkPort | Attribute: "Network Port" | | NetworkProtocol | Attribute: "Network Protocol" | | NumericIdentifier | Attribute: "Numeric Identifier" | | OperatingSystem | Attribute: "Operating System" | | Operation | Attribute: "Operation" | | OrgEntity | Attribute: "Org Entity" | | Organization | Attribute: "Organization" | | PaymentCardNumber | Attribute: "Payment Card Number" | | Person | Attribute: "Person" | | PhoneNumber | Attribute: "Phone" | | Port | Attribute: "Port" | | Position | Attribute: "Position" | | Identifier | Attribute: "Product Identifier" | | Module | Attribute: "Product Module" | | ModuleAddon | Attribute: "Product Module Addon" | | Version | Attribute: "Product Version" | | ProgrammingLanguage | Attribute: "Programming Language" | | ProvinceOrState | Attribute: "Province or State" | | PublishedMedium | Attribute: "Published Medium" | | RadioProgram | Attribute: "Radio Program" | | RadioStation | Attribute: "Radio Station" | | Region | Attribute: "Region" | | Religion | Attribute: "Religion" | | ReportEntity | Attribute: "Report Entity" | | ReportingEntity | Attribute: "Reporting Entity" | | RiskContext | Attribute: "Risk Context" | | RiskRule | Attribute: "Risk Rule" | | Sector | Attribute: "Sector" | | SnortDetectionRule | Attribute: "Snort Detection Rule" | | SocialSecurityNumber | Attribute: "Social Security Number" | | Source | Attribute: "Source" | | SourceMediaType | Attribute: "Source Media Type" | | SportsEvent | Attribute: "Sports Event" | | SportsGame | Attribute: "Sports Game" | | SportsLeague | Attribute: "Sports League" | | TVShow | Attribute: "TV Show" | | TVStation | Attribute: "TV Station" | | Task | Attribute: "Task" | | Technology | Attribute: "Technology" | | TechnologyArea | Attribute: "Technology Area" | | Thread | Attribute: "Thread" | | Threat Actor | Attribute: "Threat Actor" | | Topic | Attribute: "Report Type" | | UPSTrackingNumber | Attribute: "UPS Tracking Number" | | URL | Association to URL Indicator | | USPSTrackingNumber | Attribute: "USPS Tracking Number" | | UUID | Attribute: "UUID" | | UseCaseConfiguration | Attribute: "Use Case Configuration" | | UseCaseReport | Attribute: "Use Case Report" | | User | Attribute: "User" | | UserEnterprise | Attribute: "User Enterprise" | | UserEntity | Attribute: "User Entity" | | UserGroup | Attribute: "User Group" | | UserLabel | Attribute: "User Label" | | UserModuleGroup | Attribute: "User Module Group" | | UserModuleRoleGroup | Attribute: "User Module Role Group" | | UserOrganization | Attribute: "User Organization" | | UserRole | Attribute: "User Role" | | Username | Attribute: "Username" | | Vessel | Attribute: "Vessel" | | WebMoneyID | Attribute: "WebMoney ID" | | WinRegKey | Attribute: "Registry Key" | | YaraDetectionRule | Attribute: "Yara Detection Rule" | ### Actor ThreatConnect object type: Intrusion Set Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | threat_map/id | xid | | threat_map/name | Name/Summary | | threat_map/alias | Tag: "Intrusion Set: " | | threat_map/intent | Attribute: "Threat Map Intent" | | threat_map/opportunity | Attribute: "Threat Map Opportunity" | | threat_map/categories | Tag: "Category: " | ### Malware ThreatConnect object type: Malware Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | threat_map/id | xid | | threat_map/name | Name/Summary | | threat_map/alias | Tag: "Intrusion Set: " | | threat_map/prevalence | Attribute: "Threat Map Prevalence" | | threat_map/opportunity | Attribute: "Threat Map Opportunity" | | threat_map/categories | Tag: "Category: " | | relatedEntities/entities/name | See the [“Note Entity”](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#note-entity) section for more information. | | timestamps/firstSeen | Attribute: "First Seen" | | timestamps/lastSeen | Attribute: "Last Seen" | ### Standard Alerts ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | hits/entities/name | - Tag: "Vulnerability: " (if type = CyberVulnerability) - Tag: "Malware: " (if type = Malware) - [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | hits/document/title | Attribute: "Reference" | | hits/document/source/name | | hits/document/url | | fragment | | entities | | id | xid | | hits/entities/type | Attribute: "Entity List" | | review/status | Status | | rule/id | - Attribute: "Alert Rule ID" - Tag | | rule/name | Attribute: "Alert Rule" | | title | Name/Summary | | triggered_by/entity_path/entity | Attribute: "Triggered By" | | triggered_by/entity_paths/entity/name | - Tag: "Vulnerability: " (if type = CyberVulnerability) - Tag: "Malware: " (if type = Malware) - [ATT&CK Tag](https://knowledge.threatconnect.com/docs/attack-tags) (if type = MitreAttackIdentifier) | | url/api | Attribute: "Source" | | owner_organisation_details.organisations/organisation_name | Attribute: "Description" | | id | | title | | review/status_in_portal | | review/assignee | | review/note | | url/portal | | ai_insights/text | | review/status_in_portal | - Tag - Attribute: "Portal Status" | ### Playbook Alerts: Domain Abuse ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_dns.ip_list[] | Attribute: "DNS Record" | | panel_evidence_dns.mx_list[] | | panel_evidence_dns.ns_list[] | | panel_evidence_summary.phishing_malicious_behavior.threatTypes[] | Attribute: "Threat Type" | | panel_evidence_summary.reregistration.expiration | Attribute: "Registration Expiration Date" | | panel_evidence_summary.reregistration.registrar_name | Attribute: "Registration Name" | | panel_evidence_summary.resolved_record_list[] | Attribute: "Risk Rule" | | panel_evidence_summary.screenshot_mentions[].mentioned_custom_keywords[] | Attribute: "Reference" | | panel_evidence_summary.screenshot_mentions[] | | panel_evidence_summary.screenshots[] | | panel_evidence_summary.screenshots[].tag | Tag | | tags[] | | panel_evidence_whois.body | Attribute: "Whois Record" | | panel_status.actions_taken[] | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | ### Playbook Alerts: Vulnerability ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_summary | Attribute: "Vulnerable Products" | | panel_evidence_summary.summary.lifecycle_stage | Tag | | panel_evidence_summary.summary.targets[].name | | panel_status.entity_name | | tags[] | | panel_evidence_summary.summary.risk_rules[].rule | - Description - Attribute: "Risk Rule" | | panel_status.actions_taken[] | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | ### Playbook Alerts: Third Party Risk ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_summary.assessments[] | Attribute: "Risk Rule" | | panel_status.actions_taken | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.entity_criticality | Attribute: "Criticality" | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | | tags[] | Tag | ### Playbook Alerts: Data Leak on Code Repo ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_summary.assessments[] | Attribute: "Risk Rule" | | panel_status.actions_taken | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.entity_criticality | Attribute: "Criticality" | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | | tags[] | Tag | ### Playbook Alerts: Malware Report ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_summary.assessments[] | Attribute: "Risk Rule" | | panel_status.actions_taken | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.entity_criticality | Attribute: "Criticality" | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | | tags[] | Tag | ### Playbook Alerts: Geopolitics Facility ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_summary.assessments[] | Attribute: "Risk Rule" | | panel_status.actions_taken | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.entity_criticality | Attribute: "Criticality" | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | | tags[] | Tag | ### Playbook Alerts: Identity Novel Exposures ThreatConnect object type: Event Group | Recorded Future API Field | ThreatConnect Field | | --- | --- | | playbook_alert_id | - Attribute: "Description" - Attribute: "External ID" - Attribute: "Source" - xid | | panel_status.case_rule_label | Name/Summary | | panel_status.entity_name | | panel_status.case_rule_label | Attribute: "Alert Rule" | | panel_evidence_summary.assessments[] | Attribute: "Risk Rule" | | panel_status.actions_taken | Attribute: "Course of Action Taken" | | panel_status.created | - Event Date - External Date Added | | panel_status.entity_criticality | Attribute: "Criticality" | | panel_status.priority | Attribute: "Priority" | | panel_status.risk_score | Attribute: "Risk Score" | | panel_status.status | - Status - Attribute: "Portal Status" | | panel_status.updated | External Last Modified | | tags[] | Tag | ## Risk Score Mappings ThreatConnect follows the [Criticality mapping in Recorded Future](https://support.recordedfuture.com/hc/en-us/articles/115000897208-Risk-Scoring-in-Recorded-Future) when assigning a [threat rating](https://knowledge.threatconnect.com/docs/setting-indicator-threat-and-confidence-ratings) to data ingested from Recorded Future; however, because the Recorded Future Criticality rating goes only from 0–4, it has been augmented by 1 in ThreatConnect to fit the 0–5 scale for threat rating. Table 19 shows how the Recorded Future risk scores are mapped to threat rating in ThreatConnect. | Recorded Future Risk Score | ThreatConnect Threat Rating | | --- | --- | | 90–99 | 5 | | 65–89 | 4 | | 25–64 | 3 | | 5–24 | 2 | | 1–4 | 1 | | 0 or Unknown | 0 or Unknown | ## Frequently Asked Questions (FAQ) **Why are there several URL errors in the batch errors report? (e.g., `[xyz.com] could not be processed as a valid URL due to missing or invalid data (summary is invalid for the given type)`)** URL errors occur when URL objects coming from Recorded Future use an invalid URL format. Some examples of this behavior include the following: - `ww3.xyz.com`: This URL is missing the protocol, such as `http://`. - `http:ww2.xyz.com/page#`: This URL is terminated with a special character. URL objects with an invalid URL format will not be imported into ThreatConnect. Note that this issue occurs rarely. --- **Why are Indicators with a risk score less than the minimum risk score being ingested into ThreatConnect?** Indicators with a risk score less than the minimum risk score are ingested because they exist as links from other Risk List entities. To prevent Indicators with a risk score less than the minimum risk score (i.e., the value for the app’s **Minimum Risk Score** parameter) from being ingested, clear the **Collect Indicators Linked in Recorded Future Less Than the Minimum Risk Score** checkbox in the Feed Deployer when [configuring and deploying the App](/v1/docs/threat-intelligence-engine-for-recorded-future-integration-user-guide#step-3-install-and-deploy-version-2). --- **How does the**Threat Intelligence Engine for Recorded Future**app differ from the**Recorded Future Risk List**app?** The **Recorded Future Risk List** app is a job app. It does the following: - collects data from Risk List entities - creates Indicators with evidence details - maps evidence details to a Description attribute and risk rules to Tags The **Threat Intelligence Engine for Recorded Future** app is a [feed API service](https://knowledge.threatconnect.com/docs/feed-api-services) app. It collects data in the following ways: - ingests Risk List entities with several of their Attributes - ingests all of the Analyst Notes and attached PDFs associated with Risk List entities - ingests associated Risk List entities and allows you to view the first-level associations created between the entities and Analyst Notes (i.e., the actual link) - obtains a link to each Risk List entity’s Recorded Future Intelligence Card - ingests Analyst Notes that have been published in the last 24 hours daily --- **How long does a**Threat Intelligence Engine for Recorded Future**service take to ingest a complete set of data on its initial run?** In most cases, a **Threat Intelligence Engine for Recorded Future** service takes 2–4 days to complete the initial data ingestion, depending on how you configure risk score and which Risk List entity types you select to ingest in the Feed Deployer. --- **In which order are Risk List entities ingested on the initial run?** On the initial run of a **Threat Intelligence Engine for Recorded Future** service, Risk List entities are ingested in the following order: 1. Domain 2. Hash 3. IP 4. URL 5. Vulnerability You will likely see Risk List entities ingested in chunks along with the associated or linked entities. Note that there may be delays between the creation of the Risk List source entities and the Risk List link entities in ThreatConnect. --- **How often does a**Threat Intelligence Engine for Recorded Future**service ingest each Risk List entity type after the initial run?** See Table 20 for each Risk List entity type’s download frequency. Analyst Notes are downloaded daily. | Recorded Future Risk List | Download Frequency (Hours) | | --- | --- | | Domain | 2 | | Hash | 24 | | IP | 1 | | URL | 2 | | Vulnerability | 24 | --- **How can I identify the Recorded Future source from which a**Threat Intelligence Engine for Recorded Future**service collected Indicators and Groups?** The following “**Source:**” Tags, which are applied to Indicators and Groups in ThreatConnect that were ingested from Recorded Future, indicate where the integration collected them from in Recorded Future: - **Source: Risk List**: The entity was ingested from a Risk List. - **Source: Risk List Link**: The entity was ingested as a linked entity from a Risk List entity. - **Source: Analyst Note**: The entity was ingested from an Analyst Note. - **Source: Analyst Note Link**: The entity was ingested as a linked entity from an Analyst Note. - **Source: RF Alert**: The entity was ingested from a Standard Alert. - **Source: RF Alert Link**: The entity was ingested as a linked entity from a Standard Alert. - **Source: RF Threat Map**: The entity was ingested from a Threat Map entity. - **Source: RF Threat Map Link**: The entity was ingested as a linked entity from a Threat Map entity. - **Source: RF PB Alert**: The entity was ingested from a Playbook Alert. - **Source: RF PB Alert Link**: The entity was ingested as a linked entity from Playbook Alert. Note that an Indicator or Group may have more than one of these Tags applied to them, as the corresponding entities could be associated to one another. --- *ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. JavaScript® is a registered trademark of Oracle Corporation. Recorded Future® is a registered trademark of Recorded Future, Inc. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.* 30083-05 EN Rev. A