Recorded Future collector

Overview

This collector ingests Recorded Future Threat Intelligence data into Devo as lookup tables to enable the following use cases:

  • Alerting - detects and alerts on potential security threats through correlation with other data types ingested into Devo, for example, firewall, proxy, or EDR logs.

  • Alert enrichment - adds contextual data about each entity and enriches security alerts.

The collector is available to all Devo customers with a valid Recorded Future license and API subscription.

Benefits

  • Reduce dwell time - through the correlation of Recorded Future Threat Intelligence and machine-generated data from systems in the network, your Security team can uncover threats that they would otherwise not know about and therefore reduce the dwell time of potential cyber-attacks.

  • Reduce mean-time-to-respond (MTTR) - enriched alerts provide your Security team with additional context about detected threats. This context can help to reduce the time required to complete the triage and/or investigation of the alert and inform a suitable response to mitigate the threat.

Integration architecture

Configuration

Recorded Future configuration

The only source configuration required is generating a Recorded Future API key. Recorded Future clients with Advanced or Core licenses, and one or more Connect API subscriptions can create and manage their API tokens directly in the Recorded Future portal.

  1. First, log in to your Recorded Future account and click on the menu in the upper right corner. Select the option User Settings from the menu.

  2. On the User Settings page, select the API Access tab. To create a new API token, click on Generate New API Token.

  3. Once you do, you will see the field for Name. The two buttons GENERATE and CANCEL will also appear. Enter a name for the token.

  4. Select Devo from the integration list.

  5. After you have entered a Token Name and chosen an integration, click on the GENERATE NEW API TOKEN button. The new API token appears in the table below. Make a note of the token value as this is required for the ingest configuration.

Devo configuration

The integration is hosted by Devo, enabling cloud-to-cloud ingestion of data. To enable the integration in your Devo domain:

  1. Contact Devo support and provide your Recorded Future API token.

  2. Devo support will then enable the integration on your behalf.

Using the integration

View lookup tables

To view the Devo lookup tables created by the integration:

  1. Log in to your Devo domain.

  2. Open the Data Search menu and click the Lookup Management tab.

  3. You will see the new lookup tables in the Lookup List table, where you can view the number of rows included in the lookup and the time that the lookup table was last updated.

  4. Hover over the right-hand side of a row in the Lookup List table to view summary information and manage the lookup table.

Run some sample correlation queries

With the lookup tables installed, you can use the data to run some sample queries. The examples below are designed to give you a starting point with the new data.

  1. Log in to your Devo domain.

  2. Open the Data Search menu.

  3. In the Explore Your Data tab, click the Free Text Query sub-tab.

  4. Copy and paste one of the queries from the table below to view the results:

    Lookup: IPv4 Address Threat List

    Query description: Browse the data included in the IPv4 Threat List

    Query:

    from my.lookuplist.Recorded_Future_IPv4_Address_Threat_List

    Query description: View the srcIp address of devices attempting to connect to malicious IP addresses

    Query:

    from firewall.all.traffic
    select `lu/Recorded_Future_IPv4_Address_Threat_List/Risk`(dstIp)
    as RecordedFutureRiskScore
    select `lu/Recorded_Future_IPv4_Address_Threat_List/RiskString`(dstIp)
    as RecordedFutureRiskString
    select `lu/Recorded_Future_IPv4_Address_Threat_List/EvidenceDetails`(dstIp)
    as RecordedFutureEvidence
    where isnotnull(RecordedFutureRiskScore)
    group dstIp, srcIp
    select count(srcIp) as Count

    Query description: View the users attempting to connect to malicious IP addresses

    Query:

    from proxy.all.access
    select `lu/Recorded_Future_IPv4_Address_Threat_List/Risk`(dstIp)
    as RecordedFutureRiskScore
    select `lu/Recorded_Future_IPv4_Address_Threat_List/RiskString`(dstIp)
    as RecordedFutureRiskString
    select `lu/Recorded_Future_IPv4_Address_Threat_List/EvidenceDetails`(dstIp)
    as RecordedFutureEvidence
    where isnotnull(RecordedFutureRiskScore)
    group dstIp, dstHost, user
    select count(user) as Count

    Lookup: Domain Threat List

    Query description: Browse the data included in the domain threat list

    Query:

    from my.lookuplist.Recorded_Future_Domain_Threat_List

    Query description: View the users attempting to connect to potentially malicious domains and how many times

    Query:

    from proxy.all.access
    select `lu/Recorded_Future_Domain_Threat_List/Risk`(dstHost)
    as RecordedFutureRiskScore
    where isnotnull(RecordedFutureRiskScore)
    group dstHost, user
    select count(user) as Count

    Lookup: File Hash Threat List

    Query description: Browse the data included in the file hash threat list

    Query:

    from my.lookuplist.Recorded_Future_File_Hash_Threat_List

    Query description: Correlates Recorded Future File Hash intelligence with the sha256hash field in the edr.all.threats union table

    Query:

    from edr.all.threats
    select `lu/Recorded_Future_File_Hash_Threat_List/Risk`(sha256hash)
    as RecordedFutureRiskScore
    select `lu/Recorded_Future_File_Hash_Threat_List/RiskString`(sha256hash)
    as RecordedFutureRiskString
    select `lu/Recorded_Future_File_Hash_Threat_List/EvidenceDetails`(sha256hash)
    as RecordedFutureEvidence
    where isnotnull(RecordedFutureRiskScore)

Install some sample alerts

A primary use case for ingesting threat intelligence into Devo is to drive alerting to detect potential threats in your environment. The examples below are designed to give you a starting point to create alerts based on Recorded Future Threat Intelligence.

Connection to potentially malicious IPv4 Address (Firewall)

This alert requires the firewall.all.traffic table in your Devo domain.

  1. Log in to your Devo domain.

  2. Open the Data Search menu.

  3. In the Explore Your Data tab, click the Free Text Query sub-tab.

  4. Copy and paste the query below and click the Run button.

    from firewall.all.traffic
    select `lu/Recorded_Future_IPv4_Address_Threat_List/Risk`(dstIp) as RecordedFutureRiskScore
    select `lu/Recorded_Future_IPv4_Address_Threat_List/RiskString`(dstIp) as RecordedFutureRiskString
    select `lu/Recorded_Future_IPv4_Address_Threat_List/EvidenceDetails`(dstIp) as RecordedFutureEvidence
    where isnotnull(RecordedFutureRiskScore)
    group every 1m by source, fwname, action, srcIp, srcZone, dstIp, dstZone, RecordedFutureRiskScore, RecordedFutureRiskString, RecordedFutureEvidence

  5. From the search window, click the Alert definition button.

  6. Complete the New Alert Definition form using the values in the table below and click Create.

    Summary

    Connection to potentially malicious IPv4 Address from $srcIp

    Description

    A connection to a potentially malicious IP address was detected on $eventdate from $srcIp to $dstIp using the $source firewall.

    Log Source: $source

    Firewall: $fwname

    Action: $action

    Source: $srcIp ($srcZone)

    Destination: $dstIp ($dstZone)

    Recorded Future Risk Score: $RecordedFutureRiskScore

    Recorded Future Risk Rules: $RecordedFutureRiskString

    Recorded Future Evidence: $RecordedFutureEvidence

    Alert Name

    Connection to potentially malicious IPv4 Address - Firewall

    Sub-category

    Recorded Future Intel

    Recommended Priority

    Medium

    Alert Type

    Each

The new alert is created and can be viewed in the Administration → Alert Configuration menu.

Connection to a potentially malicious domain

This alert requires the proxy.all.access table in your Devo domain.

  1. Log in to your Devo domain.

  2. Open the Data Search menu.

  3. In the Explore Your Data tab, click the Free Text Query sub-tab.

  4. Copy and paste the query below and click the Run button.

    from proxy.all.access
    select `lu/Recorded_Future_Domain_Threat_List/Risk`(dstHost) as RecordedFutureRiskScore
    select `lu/Recorded_Future_Domain_Threat_List/RiskString`(dstHost) as RecordedFutureRiskString
    select `lu/Recorded_Future_Domain_Threat_List/EvidenceDetails`(dstHost) as RecordedFutureEvidence
    where isnotnull(RecordedFutureRiskScore)
    group every 1m by source, user, location, srcIp, srcHost, dstIp, dstHost, hitMiss_requestStat, RecordedFutureRiskScore, RecordedFutureRiskString, RecordedFutureEvidence

  5. From the search window, click the Alert definition button.

  6. Complete the New Alert Definition form using the values in the table below and click Create.

    Summary

    A connection to a potentially malicious domain was detected by $user

    Description

    A connection to a potentially malicious domain ($dstHost) was detected on $eventdate by $user using the $source proxy.

    Source: $source

    User: $user

    Source: $srcIp (Host: $srcHost, Location: $location)

    Destination: $dstIp ($dstHost)

    Action: $hitMiss_requestStat

    Recorded Future Risk Score: $RecordedFutureRiskScore

    Recorded Future Risk Rules: $RecordedFutureRiskString

    Recorded Future Evidence: $RecordedFutureEvidence

    Alert Name

    Connection to a potentially malicious domain

    Sub-category

    Recorded Future Intel

    Recommended Priority

    Medium

    Alert Type

    Each

The new alert is created and can be viewed in the Administration → Alert Configuration menu.
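The sample correlation queries and the two alert queries above all do the same thing: look each event's destination up in a Recorded Future lookup table, attach Risk, RiskString and EvidenceDetails, keep only the rows where the lookup hit, then count per group (and, for the alerts, per one-minute bucket). The Python below is an added illustration of that logic outside Devo, not Devo's or Recorded Future's code. It assumes the lookup has the three columns named on this page and that EvidenceDetails is a JSON string with a list of rules; the threat-list rows and firewall events are constructed sample data, and the same enrich() call works for the domain list by keying on dstHost instead of dstIp.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed lookup table in the shape the page's `lu/.../<column>` functions read:
# keyed by IPv4 address, with Risk, RiskString and EvidenceDetails columns.
# Every value here is invented for this example; the EvidenceDetails layout is an assumption.
IPV4_THREAT_LIST = {
    "203.0.113.10": {
        "Risk": 89,
        "RiskString": "3/52",
        "EvidenceDetails": json.dumps({"EvidenceDetails": [
            {"Rule": "constructed rule A", "Criticality": 4},
            {"Rule": "constructed rule B", "Criticality": 2},
        ]}),
    },
    "198.51.100.7": {
        "Risk": 25,
        "RiskString": "1/52",
        "EvidenceDetails": json.dumps({"EvidenceDetails": [
            {"Rule": "constructed rule C", "Criticality": 1},
        ]}),
    },
}

# Constructed firewall.all.traffic-style events using the fields the alert groups on.
FIREWALL_EVENTS = [
    {"eventdate": "2024-05-01T10:00:05Z", "source": "fw-a", "fwname": "edge-1", "action": "allow",
     "srcIp": "10.0.0.5", "srcZone": "lan", "dstIp": "203.0.113.10", "dstZone": "wan"},
    {"eventdate": "2024-05-01T10:00:40Z", "source": "fw-a", "fwname": "edge-1", "action": "allow",
     "srcIp": "10.0.0.5", "srcZone": "lan", "dstIp": "203.0.113.10", "dstZone": "wan"},
    {"eventdate": "2024-05-01T10:01:10Z", "source": "fw-a", "fwname": "edge-1", "action": "deny",
     "srcIp": "10.0.0.9", "srcZone": "lan", "dstIp": "203.0.113.10", "dstZone": "wan"},
    {"eventdate": "2024-05-01T10:01:30Z", "source": "fw-a", "fwname": "edge-1", "action": "allow",
     "srcIp": "10.0.0.9", "srcZone": "lan", "dstIp": "198.51.100.7", "dstZone": "wan"},
    # Destination not in the threat list: dropped by the isnotnull filter below.
    {"eventdate": "2024-05-01T10:02:00Z", "source": "fw-a", "fwname": "edge-1", "action": "allow",
     "srcIp": "10.0.0.5", "srcZone": "lan", "dstIp": "192.0.2.44", "dstZone": "wan"},
]

# Alias -> lookup column, matching the `select ... as RecordedFuture*` lines on the page.
ENRICH_COLUMNS = {
    "RecordedFutureRiskScore": "Risk",
    "RecordedFutureRiskString": "RiskString",
    "RecordedFutureEvidence": "EvidenceDetails",
}


def lookup(table, key, column):
    """Model of `lu/<table>/<column>`(key): the column value, or None when the key is absent."""
    row = table.get(key)
    return None if row is None else row.get(column)


def enrich(events, table, key_field):
    """Attach the three Recorded Future columns and keep only rows where the lookup hit,
    i.e. the `where isnotnull(RecordedFutureRiskScore)` filter."""
    out = []
    for ev in events:
        enriched = dict(ev)
        for alias, column in ENRICH_COLUMNS.items():
            enriched[alias] = lookup(table, ev[key_field], column)
        if enriched["RecordedFutureRiskScore"] is not None:
            out.append(enriched)
    return out


def count_by(rows, fields):
    """`group <fields> select count(...)`: hits per distinct field tuple."""
    return Counter(tuple(r[f] for f in fields) for r in rows)


def count_every_minute(rows, fields):
    """`group every 1m by <fields>`: like count_by, but keyed on the event's UTC minute too,
    which is what makes the alert query yield one candidate per minute per tuple."""
    def bucket(ts):
        t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        return t.replace(second=0, microsecond=0).isoformat()
    return Counter((bucket(r["eventdate"]),) + tuple(r[f] for f in fields) for r in rows)


def evidence_rules(enriched_row):
    """Rule names from the (assumed) EvidenceDetails JSON, for the alert description text."""
    details = json.loads(enriched_row["RecordedFutureEvidence"])
    return [e["Rule"] for e in details["EvidenceDetails"]]


if __name__ == "__main__":
    hits = enrich(FIREWALL_EVENTS, IPV4_THREAT_LIST, "dstIp")
    for key, n in count_by(hits, ["dstIp", "srcIp"]).items():
        print("per (dstIp, srcIp):", key, n)
    for key, n in count_every_minute(hits, ["srcIp", "dstIp", "RecordedFutureRiskScore"]).items():
        print("per minute:", key, n, evidence_rules(hits[0]))
```

Running it shows why the alerts use `group every 1m`: the two 10:00 connections from 10.0.0.5 collapse into one candidate while the 10:01 connection is a separate one, whereas the plain `group dstIp, srcIp` query counts all three hits to 203.0.113.10 across the whole search window.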

Install the Activeboard

Name - Recorded Future - Threat Intelligence

Description - Provides an overview of active Recorded Future Threat Intelligence and sample correlations with Devo Union tables.

Source data - The Activeboard requires data to be ingested into the following tables:

  • my.lookuplist.Recorded_Future_IPv4_Address_Threat_List

  • my.lookuplist.Recorded_Future_IPv6_Address_Threat_List

  • my.lookuplist.Recorded_Future_File_Hash_Threat_List

  • my.lookuplist.Recorded_Future_Domain_Threat_List

The Activeboard also leverages the following Devo union tables:

  • firewall.all.traffic

  • proxy.all.access

  • edr.all.threats

To install the Activeboard:

  1. Copy the Activeboard config from here.

  2. Open the config in your favorite text editor.

  3. Using find and replace, replace the string <--INSERT CUSTOMER DOMAIN NAME HERE--> with the name of your Devo domain. This can be found at the top of the menu in the Devo web application.

  4. Save the file.

  5. Log in to your Devo domain.

  6. Open the Activeboards menu and create a new Activeboard.

  7. Provide a name and a description for the new Activeboard and click Apply.

  8. From the Activeboard menu, click Edit raw configuration. The JSON editor appears at the bottom of the screen.

  9. Copy and paste the Activeboard config and click Save Changes.

  10. The Activeboard has been successfully installed.