Recorded Future IP List
This document describes how to set up and use the Recorded Future IP List with TruSTAR Station. This intel feed enables licensed Recorded Future users to download IP Lists and then correlate those IP addresses to IOCs and reports in one or more TruSTAR enclaves or export them for external searches.
- Time to Install: 10 minutes
- Type of Feed: Automatic updates
- Update Frequency: Two hours
- Source Type: Closed Feed (requires Recorded Future subscription)
- Certified by Recorded Future: Yes
Recorded Future’s real-time automated threat intelligence integrates with TruSTAR to provide:
- Correlation: Match high-scoring RiskFilter IP addresses to IOCs or reports submitted into your private enclave.
- Integration: Export IP addresses from your enclaves using the API or separate security applications, such as Demisto, ServiceNow, or Splunk.
- Search: Look for IP addresses in your enclave as part of investigations.
- A subscription to Recorded Future Premium
- Recorded Future API Key
- A daily quota of 60 Recorded Future credits. Each list update requires 5 credits, for a total of 60 credits per day (12 list updates per day).
- Sign in to TruSTAR.
- Click the Marketplace icon in the icon list on the left side.
- Choose Closed Source.
- Click Subscribe on the Recorded Future IP List box.
- Enter your Recorded Future API key and click Save Credentials & Request Subscription.
How It Works
The Recorded Future IP List contains IP addresses scored at 90 and above (on a scale of 0-100) by Recorded Future’s internal team. Every two hours, TruSTAR Station uses the Recorded Future API to retrieve an updated list of IP addresses, which is then downloaded into your enclave.
The score RiskFilter provides for that IP address, based on independent evidence collected and analyzed by their automated intelligence.
<definition in progress>
The reason this IP address has been prioritized and includes sighting details, such as where it was spotted, the type of attack involved, and other contextual data.
Q. What data is pulled from Recorded Future?
A. The TruSTAR integration currently pulls reports from Recorded Future that have cyber IOCs, including
- URL (Domains are extracted from URL)
Q. What is the API timeout?
A. 30 seconds
Use THIS LINK to access a PDF file explaining the Recorded Future API.
Use THIS LINK to access documentation for the TruSTAR API.
No reported issues.