Skip to main content

Cyware Threat Intelligence eXchange

Recorded Future

Connector Category: Enrichment Tool

About Integration

CTIX integrates with Recorded Future to enrich IPs, URLs, domains, hashes, and vulnerabilities. This integration adds contextual information to seemingly isolated threat data, gives you visibility into the threats, and makes threat investigation faster.

Use Cases 

  • Get up-to-date information on known threat actors, their tactics, techniques, and procedures (TTPs), and the latest cyber threats.

  • Correlate threat data objects to get insightful threat intelligence.

  • Identify vulnerabilities in your systems and prioritize patching.

Benefits 

  • Import the relationships of indicators and vulnerabilities as threat data objects for investigation.

  • Enrich indicators and vulnerabilities in real time.

  • Get actionable intelligence to improve security strategies.

Configure Recorded Future as Enrichment Tool

Configure Recorded Future to enrich IP addresses, domains, URLs, hashes, and vulnerabilities.

Before you Start 

  • You must have the view, create, and update permissions for Enrichment Management in CTIX.

  • You must have the base URL and access key of your Recorded Future account.

    Note

    Ensure that the access key includes the permissions to retrieve the details of IP addresses, domains, URLs, hashes, and vulnerabilities.

Steps 

To configure Recorded Future as an enrichment tool in CTIX, do the following:

  1. Sign in to CTIX and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search and select the Recorded Future enrichment tool.

  3. Click Add Account.

  4. Enter a unique account name to identify the instance. For example, Prod_RF.

  5. Enter the base URL of your Recorded Future instance. The default base URL is https://api.recordedfuture.com/v2.

  6. Enter the access key of your Recorded Future account to authenticate communication between the CTIX and Recorded Future servers.

  7. Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Recorded Future servers. By default, Verify SSL is selected.

    Note

    Cyware recommends you select Verify SSL. If you disable this option, CTIX may configure an instance for an expired SSL certificate. This may not establish the connection properly and CTIX will not be able to notify you in case of a broken or improper connection.

  8. Click Save.

After successfully adding an account, you can view and enable the Recorded Future feed enrichment types to enable users to enrich IP addresses, domains, hashes, URLs, and vulnerabilities. When you enrich using the Recorded Future enrichment tool, the relationships of an indicator are imported into CTIX as threat data objects.

Important

By default, retrieving relationships using the Recorded Future enrichment tool is disabled. Contact Cyware Support to enable it.

You can also configure quota to define a limit to the number of enrichment requests a Recorded Future account makes. After the quota expires, you can not make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.

To understand the number of API calls and quota units consumed by the Recorded Future enrichment tool per polling, refer to the following table.

Enrichment Tool

Feed Enrichment Type

No. of API calls

Quota Consumed

Recorded Future

Domain

1

1

Vulnerability

1

1

Hash

1

1

IP

1

1

URL

1

1

You can configure an enrichment policy to automatically enrich threat data objects using the Recorded Future enrichment tool. For more information, see Configure Enrichment Policy.Configure Enrichment Policy

Note

Enrichment through policy occurs only if the source is Recorded Future API Feed, not Recorded Future Enrichment.