
Recorded Future collector

Overview

This collector ingests Recorded Future Threat Intelligence data into Devo as lookup tables to enable the following use cases:

  • Alerting - detects and alerts on potential security threats through correlation with other data types ingested into Devo, for example, firewall, proxy, or EDR logs.

  • Alert enrichment - adds contextual data about each entity and enriches security alerts.

The collector is available to all Devo customers with a valid Recorded Future license and API subscription.

Benefits

  • Reduce dwell time - through the correlation of Recorded Future Threat Intelligence and machine-generated data from systems in the network, your Security team can uncover threats that they would otherwise not know about and therefore reduce the dwell time of potential cyber-attacks.

  • Reduce mean-time-to-respond (MTTR) - enriched alerts provide your Security team with additional context about detected threats. This context can help to reduce the time required to complete the triage and/or investigation of the alert and inform a suitable response to mitigate the threat.

Integration architecture

Configuration

Recorded Future configuration

The only source configuration required is generating a Recorded Future API key. Recorded Future clients with Advanced or Core licenses, and one or more Connect API subscriptions can create and manage their API tokens directly in the Recorded Future portal.

  1. First, log in to your Recorded Future account and click on the menu in the upper right corner. Select the option User Settings from the menu.

  2. On the User Settings page, select the API Access tab. To create a new API token, click on Generate New API Token.

  3. Once you do, you will see the field for Name. The two buttons GENERATE and CANCEL will also appear. Enter a name for the token.

  4. Select Devo from the integration list.

  5. After you have entered a Token Name and chosen an integration, click on the GENERATE NEW API TOKEN button. The new API token appears in the table below. Make a note of the token value as this is required for the ingest configuration.

Devo configuration

The integration is hosted by Devo, enabling cloud-to-cloud ingestion of data. To enable the integration in your Devo domain:

  1. Contact Devo support and provide your Recorded Future API token.

  2. Devo support will then enable the integration on your behalf.

Using the integration

View lookup tables

To view the Devo lookup tables created by the integration:

  1. Log in to your Devo domain.

  2. Open the Data Search menu and click the Lookup Management tab.

  3. You will see the new lookup tables in the Lookup List table, where you can view the number of rows included in the lookup and the time that the lookup table was last updated.

  4. Hover over the right-hand side of a row in the Lookup List table to view summary information and manage the lookup table.

Run some sample correlation queries

With the lookup tables installed, you can use the data to run some sample queries. The examples below are designed to give you a starting point with the new data.

Install some sample alerts

A primary use case for ingesting threat intelligence into Devo is to drive alerting to detect potential threats in your environment. The examples below are designed to give you a starting point to create alerts based on Recorded Future Threat Intelligence.

Connection to potentially malicious IPv4 Address (Firewall)

This alert requires the firewall.all.traffic table in your Devo domain.

The new alert is created and can be viewed in the Administration → Alert Configuration menu.

Connection to a potentially malicious domain

This alert requires the proxy.all.access table in your Devo domain.

The new alert is created and can be viewed in the Administration → Alert Configuration menu.
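The correlation behind both sample alerts (firewall destination IPs and proxy hostnames matched against the Recorded Future lookups, then enriched with the risk score), written out as an added Python example that is not part of this page or of the Devo collector. It assumes the lookups carry Recorded Future's risk-list columns Name, Risk and RiskString, that the event fields are named dstIp and host, and that a risk score of 65 or more is treated as malicious; the lookup rows and events are constructed sample data.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed sample lookup rows in the shape of a Recorded Future risk list
# (columns Name, Risk, RiskString). This schema is an assumption, not taken
# from the page; the IPs and domain are documentation/reserved values.
RF_IP_LOOKUP_CSV = """Name,Risk,RiskString
203.0.113.45,89,5/58
198.51.100.7,25,1/58
"""
RF_DOMAIN_LOOKUP_CSV = """Name,Risk,RiskString
bad-example.invalid,72,3/40
"""

# Constructed firewall and proxy events; field names (dstIp, host) are an
# assumption standing in for the firewall.all.traffic / proxy.all.access columns.
FIREWALL_EVENTS = [
    {"srcIp": "10.0.0.5", "dstIp": "203.0.113.45", "dstPort": 443},
    {"srcIp": "10.0.0.6", "dstIp": "198.51.100.7", "dstPort": 80},
    {"srcIp": "10.0.0.7", "dstIp": "192.0.2.9", "dstPort": 22},
]
PROXY_EVENTS = [
    {"srcIp": "10.0.0.5", "host": "BAD-EXAMPLE.invalid", "url": "/login"},
    {"srcIp": "10.0.0.8", "host": "www.example.com", "url": "/"},
]

def load_lookup(csv_text: str, is_ip: bool) -> Dict[str, dict]:
    """Index a risk list by entity so that correlation is a single keyed lookup."""
    table: Dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["Name"].strip().lower()          # domains are case-insensitive
        if is_ip:
            key = str(ipaddress.ip_address(key))    # reject malformed IP text early
        table[key] = {"risk": int(row["Risk"]), "risk_string": row["RiskString"]}
    return table

def correlate(events: List[dict], field: str, lookup: Dict[str, dict], min_risk: int) -> List[dict]:
    """Return a copy of each event whose indicator is in the lookup at or above min_risk,
    enriched with the Recorded Future risk score (the alert-enrichment use case)."""
    alerts = []
    for ev in events:
        hit = lookup.get(ev[field].strip().lower())
        if hit and hit["risk"] >= min_risk:
            alerts.append({**ev, "rf_risk": hit["risk"], "rf_risk_string": hit["risk_string"]})
    return alerts

def run_sample_alerts(min_risk: int = 65) -> Dict[str, List[dict]]:
    """Run both sample alerts over the constructed events and return the matches."""
    ip_alerts = correlate(FIREWALL_EVENTS, "dstIp", load_lookup(RF_IP_LOOKUP_CSV, True), min_risk)
    domain_alerts = correlate(PROXY_EVENTS, "host", load_lookup(RF_DOMAIN_LOOKUP_CSV, False), min_risk)
    return {"ipv4": ip_alerts, "domain": domain_alerts}
```

Lowering min_risk raises the match count (198.51.100.7 at risk 25 is only flagged below that threshold), which is the knob to tune against false positives before wiring the query into an alert.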