Recorded Future collector
Overview
This collector ingests Recorded Future Threat Intelligence data into Devo as lookup tables to enable the following use cases:
Alerting - detects and alerts on potential security threats through correlation with other data types ingested into Devo, for example, firewall, proxy, or EDR logs.
Alert enrichment - adds contextual data about each entity and enriches security alerts.
The collector is available to all Devo customers with a valid Recorded Future license and API subscription.
Benefits
Reduce dwell time - through the correlation of Recorded Future Threat Intelligence and machine-generated data from systems in the network, your Security team can uncover threats that they would otherwise not know about and therefore reduce the dwell time of potential cyber-attacks.
Reduce mean-time-to-respond (MTTR) - enriched alerts provide your Security team with additional context about detected threats. This context can help to reduce the time required to complete the triage and/or investigation of the alert and inform a suitable response to mitigate the threat.
Integration architecture
Configuration
Recorded Future configuration
The only source configuration required is generating a Recorded Future API token. Recorded Future clients with Advanced or Core licenses, and one or more Connect API subscriptions, can create and manage their API tokens directly in the Recorded Future portal.
First, log in to your Recorded Future account and click on the menu in the upper right corner. Select the option User Settings from the menu.
On the User Settings page, select the API Access tab. To create a new API token, click on Generate New API Token.
The Name field appears, together with the GENERATE and CANCEL buttons. Enter a name for the token.
Select Devo from the integration list.
After you have entered a Token Name and chosen an integration, click on the GENERATE NEW API TOKEN button. The new API token appears in the table below. Make a note of the token value, as it is required for the ingest configuration. The token is a credential for your Recorded Future subscription, so store it as you would any other secret.
Devo configuration
The integration is hosted by Devo, enabling cloud-to-cloud ingestion of data. To enable the integration in your Devo domain:
Contact Devo support and provide your Recorded Future API token (over a secure channel, not in plain-text e-mail or chat).
Devo support will then enable the integration on your behalf.
Using the integration
View lookup tables
To view the Devo lookup tables created by the integration:
Log in to your Devo domain.
Open the Data Search menu and click the Lookup Management tab.
You will see the new lookup tables in the Lookup List table, where you can view the number of rows included in the lookup and the time that the lookup table was last updated.
Hover over the right-hand side of a row in the Lookup List table to view summary information and manage the lookup table.
Run some sample correlation queries
With the lookup tables installed, you can use the data to run some sample queries. The examples below are designed to give you a starting point with the new data.
Log in to your Devo domain.
Open the Data Search menu.
In the Explore Your Data tab, click the Free Text Query sub-tab.
Copy and paste one of the queries from the table below to view the results:
IPv4 Address Threat List
Browse the data included in the IPv4 Address Threat List:
from my.lookuplist.Recorded_Future_IPv4_Address_Threat_List
View the srcIp address of devices attempting to connect to malicious IP addresses:
from firewall.all.traffic select `lu/Recorded_Future_IPv4_Address_Threat_List/Risk`(dstIp) as RecordedFutureRiskScore select `lu/Recorded_Future_IPv4_Address_Threat_List/RiskString`(dstIp) as RecordedFutureRiskString select `lu/Recorded_Future_IPv4_Address_Threat_List/EvidenceDetails`(dstIp) as RecordedFutureEvidence where isnotnull(RecordedFutureRiskScore) group dstIp, srcIp select count(srcIp) as Count
View the users attempting to connect to malicious IP addresses:
from proxy.all.access select `lu/Recorded_Future_IPv4_Address_Threat_List/Risk`(dstIp) as RecordedFutureRiskScore select `lu/Recorded_Future_IPv4_Address_Threat_List/RiskString`(dstIp) as RecordedFutureRiskString select `lu/Recorded_Future_IPv4_Address_Threat_List/EvidenceDetails`(dstIp) as RecordedFutureEvidence where isnotnull(RecordedFutureRiskScore) group dstIp, dstHost, user select count(user) as Count
Domain Threat List
Browse the data included in the Domain Threat List:
from my.lookuplist.Recorded_Future_Domain_Threat_List
View the users attempting to connect to potentially malicious domains, and how many times:
from proxy.all.access select `lu/Recorded_Future_Domain_Threat_List/Risk`(dstHost) as RecordedFutureRiskScore where isnotnull(RecordedFutureRiskScore) group dstHost, user select count(user) as Count
File Hash Threat List
Browse the data included in the File Hash Threat List:
from my.lookuplist.Recorded_Future_File_Hash_Threat_List
Correlate Recorded Future file hash intelligence with the sha256hash field in the edr.all.threats union table:
from edr.all.threats select `lu/Recorded_Future_File_Hash_Threat_List/Risk`(sha256hash) as RecordedFutureRiskScore select `lu/Recorded_Future_File_Hash_Threat_List/RiskString`(sha256hash) as RecordedFutureRiskString select `lu/Recorded_Future_File_Hash_Threat_List/EvidenceDetails`(sha256hash) as RecordedFutureEvidence where isnotnull(RecordedFutureRiskScore)
Install some sample alerts
A primary use case for ingesting threat intelligence into Devo is to drive alerting to detect potential threats in your environment. The examples below are designed to give you a starting point to create alerts based on Recorded Future Threat Intelligence.
Connection to potentially malicious IPv4 Address (Firewall)
This alert requires the firewall.all.traffic table in your Devo domain.
Log in to your Devo domain.
Open the Data Search menu.
In the Explore Your Data tab, click the Free Text Query sub-tab.
Copy and paste the query below and click the Run button.
from firewall.all.traffic select `lu/Recorded_Future_IPv4_Address_Threat_List/Risk`(dstIp) as RecordedFutureRiskScore select `lu/Recorded_Future_IPv4_Address_Threat_List/RiskString`(dstIp) as RecordedFutureRiskString select `lu/Recorded_Future_IPv4_Address_Threat_List/EvidenceDetails`(dstIp) as RecordedFutureEvidence where isnotnull(RecordedFutureRiskScore) group every 1m by source, fwname, action, srcIp, srcZone, dstIp, dstZone, RecordedFutureRiskScore, RecordedFutureRiskString, RecordedFutureEvidence
From the search window, click the Alert definition button.
Complete the New Alert Definition form using the values in the table below and click Create.
Summary
Connection to potentially malicious IPv4 Address from $srcIp
Description
A connection to a potentially malicious IP address was detected on $eventdate from $srcIp to $dstIp using the $source firewall.
Log Source: $source
Firewall: $fwname
Action: $action
Source: $srcIp ($srcZone)
Destination: $dstIp ($dstZone)
Recorded Future Risk Score: $RecordedFutureRiskScore
Recorded Future Risk Rules: $RecordedFutureRiskString
Recorded Future Evidence: $RecordedFutureEvidence
Alert Name
Connection to potentially malicious IPv4 Address - Firewall
Sub-category
Recorded Future Intel
Recommended Priority
Medium
Alert Type
Each
The new alert is created and can be viewed in the Administration → Alert Configuration menu.
Connection to a potentially malicious domain
This alert requires the proxy.all.access table in your Devo domain.
Log in to your Devo domain.
Open the Data Search menu.
In the Explore Your Data tab, click the Free Text Query sub-tab.
Copy and paste the query below and click the Run button.
from proxy.all.access select `lu/Recorded_Future_Domain_Threat_List/Risk`(dstHost) as RecordedFutureRiskScore select `lu/Recorded_Future_Domain_Threat_List/RiskString`(dstHost) as RecordedFutureRiskString select `lu/Recorded_Future_Domain_Threat_List/EvidenceDetails`(dstHost) as RecordedFutureEvidence where isnotnull(RecordedFutureRiskScore) group every 1m by source, user, location, srcIp, srcHost, dstIp, dstHost, hitMiss_requestStat, RecordedFutureRiskScore, RecordedFutureRiskString, RecordedFutureEvidence
From the search window, click the Alert definition button.
Complete the New Alert Definition form using the values in the table below and click Create.
Summary
A connection to a potentially malicious domain was detected by $user
Description
A connection to a potentially malicious domain ($dstHost) was detected on $eventdate by $user using the $source proxy.
Source: $source
User: $user
Source: $srcIp (Host: $srcHost, Location: $location)
Destination: $dstIp ($dstHost)
Action: $hitMiss_requestStat
Recorded Future Risk Score: $RecordedFutureRiskScore
Recorded Future Risk Rules: $RecordedFutureRiskString
Recorded Future Evidence: $RecordedFutureEvidence
Alert Name
Connection to a potentially malicious domain
Sub-category
Recorded Future Intel
Recommended Priority
Medium
Alert Type
Each
The new alert is created and can be viewed in the Administration → Alert Configuration menu.
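The sample correlation queries and the two alert queries above all follow one pattern: look each event's key (dstIp, dstHost or sha256hash) up in a Recorded Future lookup table, keep only the events where the lookup returned a Risk value, then group the enriched rows (for the alerts, in one-minute buckets) and count them, with every field the alert description references carried in the group-by list. The following is an added example, not Devo's or Recorded Future's own code, that models that pattern offline in Python so the expected output of a query can be checked before the alert is created: the lookup rows, log events, risk scores and evidence strings are all constructed, the `lu()` and `correlate()` functions are stand-ins for Devo's lookup function and query grouping, and the `key_fn` normalisation hook (lower-casing a hash before the lookup) is an assumption added here rather than something the page's queries do.

```python
"""Offline model of the Recorded Future lookup correlations and alert templates on this page.

Added example, not Devo's or Recorded Future's own code. Every lookup row, log event,
risk score and evidence string below is constructed.
"""
from datetime import datetime, timezone
from string import Template

# Constructed stand-ins for my.lookuplist.Recorded_Future_IPv4_Address_Threat_List and
# my.lookuplist.Recorded_Future_File_Hash_Threat_List. Column names follow the page
# (Risk, RiskString, EvidenceDetails); the keys and values are made up.
IPV4_THREAT_LIST = {
    "203.0.113.10": {"Risk": 89, "RiskString": "3/20", "EvidenceDetails": "constructed C2 evidence"},
}
FILE_HASH_THREAT_LIST = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
        {"Risk": 65, "RiskString": "2/12", "EvidenceDetails": "constructed malware evidence"},
}


def lu(table, column, key):
    """Model of `lu/<table>/<column>`(key): the column value when the key exists in the
    lookup, otherwise None (which is what isnotnull() filters on in the queries)."""
    row = table.get(key)
    return None if row is None else row[column]


def correlate(events, table, key_field, group_by, every=None, key_fn=lambda k: k):
    """Model of: select lu(...)(key) as RecordedFuture* where isnotnull(RecordedFutureRiskScore)
    group [every N seconds] by <group_by> select count() as Count.
    Returns {group key: row with the grouped fields plus Count}. Assumptions: each event
    carries an `eventdate` datetime; key_fn is an added normalisation hook (e.g. str.lower
    for hashes) applied before the exact-match lookup."""
    groups = {}
    for ev in events:
        key = key_fn(ev[key_field])
        risk = lu(table, "Risk", key)
        if risk is None:                       # where isnotnull(RecordedFutureRiskScore)
            continue
        row = dict(ev, RecordedFutureRiskScore=risk,
                   RecordedFutureRiskString=lu(table, "RiskString", key),
                   RecordedFutureEvidence=lu(table, "EvidenceDetails", key))
        fields = list(group_by)
        if every:                              # group every 1m: floor eventdate to the bucket
            ts = ev["eventdate"].timestamp()
            row["eventdate"] = datetime.fromtimestamp(ts - ts % every, tz=timezone.utc)
            fields = ["eventdate"] + fields
        g = groups.setdefault(tuple(row[f] for f in fields), {f: row[f] for f in fields})
        g["Count"] = g.get("Count", 0) + 1
    return groups


# The page's firewall alert description, using the same $field placeholders.
FIREWALL_ALERT = Template(
    "A connection to a potentially malicious IP address was detected on $eventdate "
    "from $srcIp to $dstIp using the $source firewall. "
    "Recorded Future Risk Score: $RecordedFutureRiskScore")


def render_alerts(groups, template):
    """One alert per group row (Alert Type: Each). substitute() raises KeyError if the
    description references a field that is missing from the group-by list."""
    return [template.substitute(row) for row in groups.values()]


def _t(minute, second=0):
    return datetime(2024, 1, 1, 12, minute, second, tzinfo=timezone.utc)


# Constructed firewall.all.traffic-like events: two hits on the listed IP within one
# minute from the same host, plus one benign connection the lookup must not match.
FIREWALL_EVENTS = [
    {"eventdate": _t(0, 5), "source": "fw-edge", "fwname": "fw1", "action": "allow",
     "srcIp": "10.0.0.5", "srcZone": "lan", "dstIp": "203.0.113.10", "dstZone": "wan"},
    {"eventdate": _t(0, 40), "source": "fw-edge", "fwname": "fw1", "action": "allow",
     "srcIp": "10.0.0.5", "srcZone": "lan", "dstIp": "203.0.113.10", "dstZone": "wan"},
    {"eventdate": _t(1, 2), "source": "fw-edge", "fwname": "fw1", "action": "allow",
     "srcIp": "10.0.0.7", "srcZone": "lan", "dstIp": "198.51.100.1", "dstZone": "wan"},
]
FIREWALL_GROUP_BY = ["source", "fwname", "action", "srcIp", "srcZone", "dstIp", "dstZone",
                     "RecordedFutureRiskScore", "RecordedFutureRiskString", "RecordedFutureEvidence"]

# Constructed edr.all.threats-like events; the second hash is upper-case to show why the
# key should be normalised before the exact-match lookup.
EDR_EVENTS = [
    {"eventdate": _t(2), "sha256hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"eventdate": _t(3), "sha256hash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
]


def firewall_alert_groups():
    return correlate(FIREWALL_EVENTS, IPV4_THREAT_LIST, "dstIp", FIREWALL_GROUP_BY, every=60)


def edr_hits(normalise):
    groups = correlate(EDR_EVENTS, FILE_HASH_THREAT_LIST, "sha256hash", ["sha256hash"],
                       key_fn=str.lower if normalise else (lambda k: k))
    return sum(g["Count"] for g in groups.values())


if __name__ == "__main__":
    for alert in render_alerts(firewall_alert_groups(), FIREWALL_ALERT):
        print(alert)
    print("EDR hits without/with hash normalisation:", edr_hits(False), edr_hits(True))
```

Running the block yields one firewall alert for the 12:00 bucket with Count 2 (the benign 198.51.100.1 connection is dropped by the isnotnull filter), and the EDR check matches one hash without normalisation and two with it. The second figure is the caveat worth carrying into the real queries: the `lu/.../Risk`(sha256hash) lookup matches the string exactly, so if an EDR source reports hashes in a different case from the lookup, apply the same normalisation on both sides before trusting a zero-hit result.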
Install the Activeboard
Name - Recorded Future - Threat Intelligence
Description - Provides an overview of active Recorded Future Threat Intelligence and sample correlations with Devo Union tables.
Source data - The Activeboard requires data to be ingested into the following tables:
The Activeboard also leverages the following Devo union tables:
To install the Activeboard:
Copy the Activeboard config from here.
Open the config in your favorite text editor.
Using find and replace, replace the string <--INSERT CUSTOMER DOMAIN NAME HERE--> with the name of your Devo domain. This can be found at the top of the menu in the Devo web application.
Save the file.
Log in to your Devo domain.
Open the Activeboards menu and create a new Activeboard.
Provide a name and a description for the new Activeboard and click Apply.
From the Activeboard menu, click Edit raw configuration. The JSON editor appears at the bottom of the screen.
Paste the edited Activeboard config into the JSON editor and click Save Changes.
The Activeboard has been successfully installed.