Overview
The Recorded Future Analyst Notes integration for Anomali ThreatStream enables:
- Delivery of Recorded Future Analyst Note details into Anomali TS as threat models via an Anomali TS feed
- Delivery of critical detection rules (YARA/Sigma/Snort) together with the Analyst Notes
- Easier triage of each report, with full context and automatic observable extraction
This integration is available for Recorded Future SecOps and Threat Intelligence users who have purchased the Recorded Future Analyst Notes for Anomali ThreatStream integration.
Application Functionality
The Recorded Future Analyst Notes application is underpinned by the Recorded Future API, the repository from which Anomali TS retrieves Recorded Future data. The integration fetches Analyst Note details and feeds them into Anomali TS, so the Analyst Note context is ready for triage within Anomali TS.
Analyst Note Topics
The table below lists the Analyst Note topics supported by the integration and the Threat Model type each becomes once ingested into Anomali ThreatStream:
Analyst Note Topic | Anomali Threatstream Threat Model |
Actor Profile | Actor |
Cyber Threat Analysis | Threat Bulletin |
Flash Report | Threat Bulletin |
Hunting Package | Signature and Threat Bulletin Report |
Indicator | Threat Bulletin |
Informational | Vulnerability |
Malware Tool Profile | Malware |
Source Profile | Threat Bulletin |
Ransomware Actor Profile | Actor |
Ransomware Tool Profile | Malware |
Threat Lead | Threat Bulletin |
TTP Instance | Threat Bulletin |
Validated Intelligence Event | Incident |
Analyst Note Details
Ingested Analyst Notes contain:
- Title of the note
- Link to the Recorded Future portal to the specific note
- Source
- Topic
- Validation URLs (if available)
- Any attack vector related to the tool or actor described (if available)
- Any vulnerability used or mentioned in the note along with a description (if available)
- The full content of the note as an attachment in the Attachments tab (if available)
- Malware Tool Profile (Malware Threat Model)
  - The Malware Types and Execution Platforms fields are included if available. The Malware Family field is always set to “Malware Instance”.
- Observables, if available (see the Observables section for more information)
Observables
Some notes might contain a domain, hash, IP address or URL. Each of these results in the creation of an observable, carrying the Recorded Future Risk Score (if available). Only Very Malicious and Malicious IOCs are added as observables. The IType of each observable is chosen from the most critical Recorded Future Risk Rule associated with that IOC.
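The triage rule above (keep only Malicious and Very Malicious IOCs, pick the IType from the most critical risk rule) can be worked through on a constructed note. The following is an added example and is not code from Recorded Future, Anomali or the integration itself. It assumes the risk score bands of 65 to 89 for Malicious and 90 to 99 for Very Malicious, assumes each entity carries its triggered risk rules with a numeric criticality, and uses an illustrative rule-name to IType table (the `c2_`, `phish_` and `mal_` prefixes); none of these assumptions are stated on this page.

```python
"""Observable extraction from a Recorded Future Analyst Note (added example).

Not the integration's own code. Assumptions, none of which come from the page:
  * risk score bands: 65-89 Malicious, 90-99 Very Malicious;
  * each entity lists its triggered risk rules with a criticality level,
    higher meaning more critical;
  * the rule-name to IType table below is illustrative only.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MALICIOUS_MIN = 65        # assumed lower bound of the Malicious band
VERY_MALICIOUS_MIN = 90   # assumed lower bound of the Very Malicious band


@dataclass
class RiskRule:
    name: str
    criticality: int      # assumed scale: 1 (low) .. 4 (very malicious)


@dataclass
class Entity:
    kind: str             # "ip", "domain", "hash" or "url"
    value: str
    risk_score: Optional[int]
    rules: List[RiskRule] = field(default_factory=list)


# Illustrative: substring of the most critical rule name -> IType family.
RULE_FAMILY = {"C2": "c2", "Phishing": "phish"}
DEFAULT_FAMILY = "mal"

# Illustrative: observable kind -> IType suffix.
KIND_SUFFIX = {"ip": "ip", "domain": "domain", "url": "url", "hash": "md5"}


def risk_band(score: Optional[int]) -> str:
    """Map a Recorded Future Risk Score to the band names used in the text."""
    if score is None:
        return "Unknown"
    if score >= VERY_MALICIOUS_MIN:
        return "Very Malicious"
    if score >= MALICIOUS_MIN:
        return "Malicious"
    return "Below Malicious"


def most_critical_rule(entity: Entity) -> Optional[RiskRule]:
    """The rule that decides the IType: highest criticality wins."""
    if not entity.rules:
        return None
    return max(entity.rules, key=lambda r: r.criticality)


def itype_for(entity: Entity) -> str:
    """Derive the IType from the most critical rule and the observable kind."""
    rule = most_critical_rule(entity)
    family = DEFAULT_FAMILY
    if rule is not None:
        for needle, fam in RULE_FAMILY.items():
            if needle.lower() in rule.name.lower():
                family = fam
                break
    return f"{family}_{KIND_SUFFIX[entity.kind]}"


def extract_observables(note: dict) -> List[dict]:
    """Keep only Malicious / Very Malicious IOCs and build observable records."""
    observables = []
    for ent in note["entities"]:
        band = risk_band(ent.risk_score)
        if band not in ("Malicious", "Very Malicious"):
            continue  # Suspicious, unscored or lower-risk entities are dropped
        top = most_critical_rule(ent)
        observables.append({
            "value": ent.value,
            "itype": itype_for(ent),
            "risk_score": ent.risk_score,
            "risk_band": band,
            "top_rule": top.name if top else None,
            "source_note": note["title"],
        })
    return observables


# Constructed sample note; the values are placeholders, not real IOCs.
SAMPLE_NOTE = {
    "title": "Example Hunting Package",
    "entities": [
        Entity("ip", "198.51.100.23", 92,
               [RiskRule("Recent C2 Server", 4), RiskRule("Historical Spam Source", 1)]),
        Entity("domain", "login-example.invalid", 71,
               [RiskRule("Recent Phishing Host", 3)]),
        Entity("hash", "d41d8cd98f00b204e9800998ecf8427e", 40,
               [RiskRule("Linked to Malware", 2)]),
        Entity("url", "http://198.51.100.23/payload", None, []),
    ],
}

if __name__ == "__main__":
    for obs in extract_observables(SAMPLE_NOTE):
        print(obs)
```

On the sample note only the IP (Very Malicious, IType from its C2 rule) and the domain (Malicious, IType from its phishing rule) survive the filter; the hash scores below the Malicious band and the unscored URL is dropped, which is the behaviour an analyst should expect when comparing the note in the portal with what appears in ThreatStream.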
Installation
The preferred installation method is through the Anomali TS App Store.
Configuration
Once the application is installed, set the Recorded Future token and click Activate.