Recorded Future

Updated 2 months ago by Elvis Hovor

Introduction

This document describes how paying customers of Recorded Future can correlate reports and indicators produced by Recorded Future with intelligence stored in their TruSTAR enclaves. The integration queries Recorded Future and returns additional enrichment for associated indicators.

Features

  • Integration with Recorded Future can be activated from the TruSTAR Marketplace.
  • Users can enter their Recorded Future API keys in the TruSTAR Marketplace to start ingesting Recorded Future intel.
  • All Recorded Future reports ingested into TruSTAR will have tags corresponding to the criticality label and score of that report in Recorded Future, where available.

Pre-Requisites

Users need a subscription to Recorded Future Premium.

Access to a Recorded Future API key is required to enable the integration.

Configure Integration

After you have retrieved your Recorded Future API key follow these steps:

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on Recorded Future logo and fill in your API key.
  4. Click Submit.
TruSTAR will validate and enable the integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration is enabled, you should see reports from Recorded Future being submitted into an enclave you control on TruSTAR.

Troubleshooting & FAQs

Q: What data do you currently pull from Recorded Future?

A: Our integration currently only pulls reports from Recorded Future that contain cyber IOCs.

These include:

  • IP
  • MALWARE
  • URL (domains are extracted from URLs)
  • CVE
  • MD5
  • SHA1
  • SHA256
Please contact us if you would like to discuss additional indicators that can be queried from Recorded Future.

Q: How often is the data pulled?

A: Please see this page for Recorded Future polling frequency.

Q: What is the data mapping from Recorded Future to TruSTAR?

A:

  • External ID - encoded value of DOMAIN<IOC Value> (e.g. DOMAIN example.org)
  • Report Body - JSON response
  • Time Begun - firstSeen field of the response (e.g. 2010-04-27T12:46:51.000Z)
  • Tags - criticalityLabel and score fields of the response, if available (e.g. 24, Unusual). A score of 0 and a criticalityLabel of None are ignored.
  • Deeplink - intelCard field value of the response, if available
Please reach out to support@trustar.co for any additional questions.
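The mapping above, worked through in code as an added example (not TruSTAR's or Recorded Future's own code). The response payload is constructed; only firstSeen, criticalityLabel, score and intelCard are field names from this article. Base64 is an assumed encoding for the external ID (the article does not name one), and the output keys are illustrative rather than TruSTAR API field names.

```python
import base64
import json
from typing import Any, Dict, List

# Constructed sample of a Recorded Future response. The field names used by the
# mapping come from the article; the values and the intelCard URL are made up.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "firstSeen": "2010-04-27T12:46:51.000Z",
    "criticalityLabel": "Unusual",
    "score": 24,
    "intelCard": "https://example.invalid/intelcard/PLACEHOLDER-ID",
}


def map_rf_to_trustar(ioc_type: str, ioc_value: str,
                      response: Dict[str, Any]) -> Dict[str, Any]:
    """Build one TruSTAR-style report dict from a Recorded Future response.

    External ID: encoded "<TYPE> <value>" (base64 is an assumption here).
    Report body: the raw JSON. Time begun: firstSeen. Tags: score and
    criticalityLabel, skipping a 0 score and a None label. Deeplink: intelCard.
    """
    raw_id = f"{ioc_type.upper()} {ioc_value}"
    external_id = base64.urlsafe_b64encode(raw_id.encode()).decode()

    tags: List[str] = []
    score = response.get("score", 0)
    if score:  # a 0 or missing score produces no tag
        tags.append(str(score))
    label = response.get("criticalityLabel")
    if label is not None:  # a None label produces no tag
        tags.append(str(label))

    report: Dict[str, Any] = {
        "externalId": external_id,
        "reportBody": json.dumps(response, sort_keys=True),
        "timeBegun": response.get("firstSeen"),
        "tags": tags,
    }
    if response.get("intelCard"):  # deeplink only when intelCard is present
        report["deeplink"] = response["intelCard"]
    return report


def decode_external_id(external_id: str) -> str:
    """Reverse the assumed base64 encoding to recover "<TYPE> <value>"."""
    return base64.urlsafe_b64decode(external_id.encode()).decode()
```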
