Recorded Future IP List

Updated 1 day ago by Elvis Hovor

This document provides a description how to set up and use the Recorded Future IP List with TruSTAR Station. This intel feed enables licensed Recorded Future users to download IP Lists and then correlate those IP addresses to IOCs and reports in a TruSTAR enclave(s) or export them for external searches. 

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: Two hours
  • Source Type: Closed Feed (requires Recorded Future subscription)
  • Certified by Recorded Future: Yes


Recorded Future’s real-time automated threat intelligence integrates with TruSTAR to provide:

  • Correlation: Match high-scoring RiskFilter IP addresses to IOCs or reports submitted into your private enclave.
  • Integration: Export IP addresses from your enclaves using API or separate security applications, such as Demisto, ServiceNow, or Splunk. 
  • Search: Look for IP addresses in your enclave as part of investigations. 


  • A subscription to Recorded Future Premium
  • Recorded Future API Key
  • A daily quota of 60 Recorded Future credits. Each list update requires 5 credits, for a total of 60 credits per day (12 list updates per day).

Getting Started

  1. Sign into TruSTAR.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Closed Source.
  4. Click Subscribe on the Recorded Future IP List box.
  5. Enter your Recorded Future API key and click Save Credentials & Request Subscription.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled. Once the integration has been enabled, you will see reports from Recorded Future being submitted into your TruSTAR enclave every two hours.

How It Works

The Recorded Future IP List contains IP addresses scored at 90 and above (on a scale of 0-100) by Recorded Future’s internal team. Every two hours, TruSTAR Station uses the RecordedFuture API to retrieve an updated list of IP addresses, which is then downloaded into your enclave. 

Report Mapping




IP address 


The score RiskFilter provides for that IP address, based on independent evidence collected and analyzed by their automated intelligence.

Risk String

<definition in progress>

Evidence Details

The reason this IP address has been prioritized and includes sighting details, such as where it was spotted, the type of attack involved, and other contextual data. 


Q. What data is pulled from Recorded Future?

A: The TruSTAR integration currently pulls reports from Recorded Future that have cyber IOC’s, including

  • IP
  • URL (Domains are extracted from URL)
  • CVE
  • MD5
  • SHA1
  • SHA256
Contact TruSTAR to discuss additional indicators that can be queried from Recorded Future.

Q. What is the API timeout?

A. 30 seconds


Use THIS LINK to access a PDF file explaining the Recorded Future API. 

Use THIS LINK to access documentation for the TruSTAR API. 

Known Issues

No reported issues.

Please reach out to if you have issues with this integration.

How Did We Do?