Collective Insights API

The Collective Insights API is a bidirectional intelligence pipeline designed to bridge the gap between internal security events and external threat intelligence. It transforms siloed detections into a unified, enriched intelligence stream that can be programmatically managed.

By using this API, security teams can move from simply detecting a threat to understanding it within the context of the global threat landscape.

Core Functions and Endpoints

Note: Security events submitted to Collective Insights are subject to a daily volume cap of 100,000 events per day per integration per organization. Learn more about the volume cap in Collective Insights.

  • Prerequisites
    • Recorded Future module license
    • Recorded Future API token for Collective Insights API

The API operates through two primary functional capabilities: Ingestion and Retrieval.

1. Ingest & Enrich (/detections)

Push telemetry from any security tool (SIEM, EDR, Firewall, or SOAR) into the Recorded Future Intelligence Cloud.

  • Standardize Telemetry: The endpoint accepts indicators and metadata and immediately maps them against Recorded Future's global holdings.
  • Enrich Detections: Submitted telemetry is converted into Enriched Events that link to specific Malware families, Threat Actors, and MITRE ATT&CK® techniques.

2. Query & Extract (/search)

Programmatic access to your organization's entire history of enriched detections.

  • Unified Visibility: Aggregate detections from API submissions, built-in Recorded Future integrations, Autonomous Threat Operations, and Sandbox results into a single queryable interface.
  • Granular Intelligence Retrieval: Filter indicator history by malware, actors, or T-codes. Refine results by specific IOCs, integrations, and automations using inclusion or exclusion logic for precise analysis.
  • Automation Foundation: Export enriched events to external platforms like data lakes, custom dashboards, or automated ticketing systems.

Getting Started

To use these endpoints, you must have an active Recorded Future module license and a valid API Token.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.