Recorded Future Intelligence Cloud features are only available to clients running Recorded Future Intelligence for XSOAR v2.4+
Collective Insights can be enabled when setting up an instance of the Recorded Future for XSOAR integration: the Collective Insights setting in the instance configuration must be set to 'on'. Any IOC that is enriched using the Recorded Future commands in a playbook then becomes part of the client's Collective Insights and is used to populate the SecOps Dashboard.
Setup Collective Insights in XSOAR
XSOAR is one of the premier Recorded Future integrations with native support for Collective Insights. This support is controlled by a flag on the Configuration page of the Recorded Future v2 instance, which is turned on by default.
Recorded Future for XSOAR Data Mappings for Collective Insights
As part of Collective Insights, anonymized data is collected from XSOAR enrichments in playbooks that are either run manually or configured to run automatically for an incident type (configured by mapping the incident type to a default playbook in its properties):
- Incident ID: Unique ID of the Incident
- Incident Type: Type of the Incident
- Incident Name: Name of the Incident
- Playbook Name: Name of the Playbook
- Instance ID: ID of the integration instance
- Command: Command used
- Indicator Name: Name of the Indicator
- Indicator Type: Type of the Indicator
- Recurrence: Recurrence of the Playbook
- Schedule: Schedule of the Playbook
See 'Getting Started with Collective Insights' to learn more about the benefits of Collective Insights.
XSOAR commands with Collective Insights support
Once Collective Insights has been enabled, any observable that is enriched using the Recorded Future enrichment or intelligence commands will appear in Collective Insights. For these commands, the collective_insights flag can also be specified per command to override the global setting.
There is also a "recordedfuture-collective-insight" command for sending data directly to Collective Insights. This is useful when no incident is necessarily involved: for example, you could use it to send blocked-connection logs from a firewall, or logs from your data lake, into Collective Insights to create detections in SecOps.
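The firewall use case above, as an added example that is not part of this page or of the Recorded Future integration: an XSOAR-style automation that extracts blocked destinations from constructed firewall log lines, classifies each as an IP or domain, and dispatches one "recordedfuture-collective-insight" call per indicator. `demisto.executeCommand` is the real XSOAR API for running a command; the argument names passed to the command are assumptions, so check the command's help in your instance before use.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample log lines in a simple key=value format (not real firewall data).
SAMPLE_FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z action=deny src=10.0.0.5 dst=203.0.113.45 dpt=443 proto=tcp",
    "2024-05-01T10:00:02Z action=allow src=10.0.0.7 dst=198.51.100.9 dpt=80 proto=tcp",
    "2024-05-01T10:00:03Z action=deny src=10.0.0.5 dst=203.0.113.45 dpt=443 proto=tcp",
    "2024-05-01T10:00:04Z action=deny src=10.0.0.9 dst=bad.example.net dpt=53 proto=udp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
COMMAND = "recordedfuture-collective-insight"  # command name as documented on this page


def indicator_type(value: str) -> str:
    """Classify a destination as 'ip' or 'domain' (good enough for firewall dst fields)."""
    return "ip" if IPV4_RE.match(value) else "domain"


def blocked_destinations(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return unique (indicator, type) pairs from 'deny' events, in first-seen order."""
    seen: Dict[Tuple[str, str], None] = {}
    for line in log_lines:
        fields = dict(KV_RE.findall(line))
        if fields.get("action") != "deny" or "dst" not in fields:
            continue  # only blocked traffic is a useful detection signal here
        dst = fields["dst"]
        seen.setdefault((dst, indicator_type(dst)), None)
    return list(seen)


def build_command_args(indicator: str, ioc_type: str, source: str) -> Dict[str, str]:
    """Argument names are ASSUMED placeholders; verify against the command's help."""
    return {"indicator": indicator, "indicator_type": ioc_type, "detection_source": source}


def submit_blocked(log_lines: List[str],
                   execute: Callable[[str, Dict[str, str]], object]) -> List[object]:
    """Send each blocked destination to Collective Insights through the injected executor.
    Inside an XSOAR automation, pass demisto.executeCommand as `execute`."""
    results = []
    for indicator, ioc_type in blocked_destinations(log_lines):
        results.append(execute(COMMAND, build_command_args(indicator, ioc_type, "firewall")))
    return results
```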