Collective Insights for Recorded Future for XSOAR

Recorded Future Intelligence Cloud features are only available to clients running Recorded Future Intelligence for XSOAR v2.4 or later.

Collective Insights is enabled when you set up an instance of the Recorded Future for XSOAR integration: the Collective Insights setting on the instance configuration must be turned on. Once it is, any IOC that is enriched with the Recorded Future commands in a playbook becomes part of your organization's Collective Insights data and is used to populate the SecOps Dashboard.

Setup Collective Insights in XSOAR

XSOAR is one of the premier Recorded Future integrations with native support for Collective Insights. The feature is controlled by a flag on the Configuration page of the Recorded Future v2 integration instance, and that flag is turned on by default.


Recorded Future for XSOAR Data Mappings for Collective Insights

As part of Collective Insights, anonymized data is collected from XSOAR enrichments performed in playbooks, whether the playbook was run manually or configured to run automatically for an incident type (set by mapping the incident type to a default playbook in the incident type's properties). The following fields are collected:

  • Incident ID: Unique ID of the Incident
  • Incident Type: Type of the Incident
  • Incident Name: Name of the Incident
  • Playbook Name: Name of the Playbook
  • Instance ID: ID of the integration instance
  • Command: Command used
  • Indicator Name: Name of the Indicator
  • Indicator Type: Type of the Indicator
  • Recurrence: Recurrence of the Playbook
  • Schedule: Schedule of the Playbook

See 'Getting Started with Collective Insights' to learn more about the benefits of Collective Insights.

XSOAR commands with Collective Insights support

Once Collective Insights has been enabled, any observable enriched with the Recorded Future enrichment or intelligence commands appears in Collective Insights. These commands also accept a collective_insights flag that overrides the instance-level setting on a per-command basis, so a single playbook task can opt in or out regardless of the global flag.

There is also a dedicated "recordedfuture-collective-insight" command for sending data directly to Collective Insights. This is useful when no incident is involved: for example, you could use it to send blocked-connection logs from a firewall, or logs from your data lake, into Collective Insights to create detections in SecOps.
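The following Python is an added illustration of the two behaviours described on this page, the instance-level flag with its per-command collective_insights override and the data-mapping fields collected for each enrichment, plus the no-incident path through recordedfuture-collective-insight. It is not Recorded Future's integration code: the dataclasses, function names, the example command names (recordedfuture-ip, recordedfuture-domain, recordedfuture-intelligence), the indicator-type labels and the firewall log lines are all assumptions constructed for the example. How the real integration anonymizes the values is not modelled.

```python
"""Added illustration of the Collective Insights flow on this page.
Not Recorded Future's integration code: names, command strings, field
labels and the sample log are assumptions made for the example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Incident:
    id: str
    type: str
    name: str


@dataclass
class Playbook:
    name: str
    recurrence: Optional[str] = None  # e.g. "daily"; None for a manual run
    schedule: Optional[str] = None    # e.g. "0 2 * * *"; None for a manual run


@dataclass
class EnrichmentCall:
    command: str          # command name as typed in the task (assumed values)
    indicator: str
    collective_insights: Optional[bool] = None  # None = defer to the instance flag


def resolve_collective_insights(instance_enabled: bool, call: EnrichmentCall) -> bool:
    """A per-command flag, when present, overrides the instance setting."""
    if call.collective_insights is None:
        return instance_enabled
    return call.collective_insights


def classify_indicator(value: str) -> str:
    """Rough indicator typing used to fill 'Indicator Type' (assumed labels)."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}", value):
        return "hash"
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value.lower()):
        return "domain"
    return "unknown"


def build_record(instance_id: str, call: EnrichmentCall,
                 incident: Optional[Incident] = None,
                 playbook: Optional[Playbook] = None) -> Dict[str, Optional[str]]:
    """One record with the fields listed in the data mapping. Incident and
    playbook are optional so the same builder serves direct submissions."""
    return {
        "incident_id": incident.id if incident else None,
        "incident_type": incident.type if incident else None,
        "incident_name": incident.name if incident else None,
        "playbook_name": playbook.name if playbook else None,
        "instance_id": instance_id,
        "command": call.command,
        "indicator_name": call.indicator,
        "indicator_type": classify_indicator(call.indicator),
        "recurrence": playbook.recurrence if playbook else None,
        "schedule": playbook.schedule if playbook else None,
    }


def records_from_playbook(instance_enabled: bool, instance_id: str,
                          incident: Incident, playbook: Playbook,
                          calls: List[EnrichmentCall]) -> List[Dict[str, Optional[str]]]:
    """Records for every enrichment task whose effective flag is on."""
    return [build_record(instance_id, c, incident, playbook)
            for c in calls if resolve_collective_insights(instance_enabled, c)]


# Constructed sample firewall lines (not real data) for the no-incident path.
FIREWALL_LOG = (
    "2023-07-28T23:46:20Z action=block src=10.0.0.5 dst=203.0.113.77 proto=tcp dport=445\n"
    "2023-07-28T23:46:21Z action=allow src=10.0.0.6 dst=198.51.100.9 proto=tcp dport=443\n"
    "2023-07-28T23:46:25Z action=block src=10.0.0.7 dst=203.0.113.77 proto=tcp dport=445\n"
)


def records_from_firewall_blocks(instance_id: str, log_text: str) -> List[Dict[str, Optional[str]]]:
    """Direct submissions via recordedfuture-collective-insight: one record per
    distinct blocked destination, with no incident or playbook attached."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = re.search(r"\baction=block\b.*?\bdst=(\S+)", line)
        if not m or m.group(1) in seen:
            continue
        seen.add(m.group(1))
        call = EnrichmentCall("recordedfuture-collective-insight", m.group(1), collective_insights=True)
        out.append(build_record(instance_id, call))
    return out


if __name__ == "__main__":
    inc = Incident("12345", "Phishing", "Suspicious login from new ASN")
    pb = Playbook("Enrich IOCs", recurrence="daily", schedule="0 2 * * *")
    calls = [EnrichmentCall("recordedfuture-ip", "203.0.113.77"),
             EnrichmentCall("recordedfuture-domain", "example.com", collective_insights=False),
             EnrichmentCall("recordedfuture-intelligence", "d41d8cd98f00b204e9800998ecf8427e", collective_insights=True)]
    for r in records_from_playbook(True, "rf-v2-instance-1", inc, pb, calls) + records_from_firewall_blocks("rf-v2-instance-1", FIREWALL_LOG):
        print(r["command"], r["indicator_type"], r["indicator_name"], r["incident_id"])
```

With the instance flag on, the domain task that sets collective_insights to false is the only one skipped; with the instance flag off, only the task that explicitly sets it to true is forwarded. The firewall path shows the record shape when there is no incident or playbook: those fields are simply empty, while instance ID, command, indicator name and indicator type are still populated.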
