This article details how to set up and configure XSOAR to run automated threat hunts driven by the Recorded Future threat map. For background, see Automated Threat Hunting with Recorded Future.
The Automated Threat Hunting playbook (Recorded Future - Threat Actor Search) is part of the “Recorded Future Intelligence for XSOAR” content pack, v1.7.0.
Inputs
- threat_actor - the name of the threat actor to hunt for
- create_profile - true/false; when true, the playbook creates a Threat Actor indicator (IOC) for that actor in XSOAR
- Parent playbook - this sub-playbook is designed to be called from a parent playbook in either of two ways:
- within an incident investigation, when a malicious IOC has been found and the analyst wants to determine which threat actor is associated with it
- over a given list of threat actors, e.g. a client’s threat list; the parent playbook then iterates through the list and runs the sub-playbook once per threat actor
The following integration commands are used by the Automated Threat Hunting template playbook.
Threat Map (Threat Actors Only)
The threat map action pulls an enterprise’s threat actor map (the list of threat actors relevant to the organization) so that a proactive threat hunting workflow can be built against those threat actors.
- Action: ‘!recordedfuture-threat-map’
- Description: Get the current threat actor map for an organization.
- Inputs: no arguments are mandatory; run without arguments, the command returns every threat actor in the enterprise’s threat actor map. Optional arguments:
- actor_name: name of the actor(s) for which to get the threat map
- actors: IDs of the actor(s) for which to get the threat map
- include_links: whether to fetch links for each threat actor (true/false)
(Screenshots: command execution, and the command output in the artifact viewer.)
Threat Links Search
The links search action retrieves detailed Recorded Future Links data for one or more threat actor entities passed as input.
- Action: ‘!recordedfuture-threat-links’
- Description: Get Insikt Group Research Links for any threat actor.
- Inputs: no arguments are mandatory. Optional arguments:
- entity_type: The type of entity for which to fetch context. Must be provided together with the entity’s value in the entity_name argument. Can be "domain", "ip", "file", "url", "cve", or "malware".
- entity_name: Entity name
- entity_id: Entity ID
- source_type: Source type
- timeframe: Timeframe
- technical_type: Technical type
Argument descriptions
- entity_id - the ID of the Recorded Future entity (for a threat actor, the ID returned by the threat map)
- entity_name - the actual IOC value itself (e.g. the IP address, domain, hash or URL)
- entity_type - one of an enumerated list of accepted types: ip, domain, hash, vulnerability, url (hash and vulnerability correspond to the file and cve values in the command help above)
(Screenshots: command execution, and the command output in the artifact viewer.)
Note: a Recorded Future Threat Intelligence module license is required to use the Threat Map, and therefore this template playbook, for automated threat hunting.