Recorded Future Collective Insights for ThreatConnect

Introduction

Recorded Future's Collective Insights is a new type of Recorded Future analytics that gives clients a complete view of which threats matter to their organization. Collective Insights lets Recorded Future's clients analyze detected incidents to build an intelligence resource that is used in two ways:

  • Collective Insights gives clients a comprehensive view of detections across their infrastructure and security controls
  • Anonymized data can be used to build visualizations and analytics that compare your enterprise's threat vectors and overall threat landscape, anonymously, against specific industries and geographies

For more information on Recorded Future's Collective Insights, see the Getting Started with Collective Insights page.


Overview

For ThreatConnect there are two available apps for Collective Insights:

  • Organization App: runs in the background as a scheduled job, queries for Groups and their associated Indicators, and sends them to the Collective Insights API
  • Playbook App: an "Action" used within a playbook to send one or more Indicators to the Collective Insights API


Organization App

The app is designed to run as a scheduled job, which makes it easier to configure and deploy, allows the data to be selected with a TQL query, and writes back detections in bulk.


Requirements


App Inputs

Name | Required | Description
Recorded Future API Token | Yes | Recorded Future API Token used to access the Collective Insights API.
ThreatConnect Owners | Yes* | The Owners to filter Groups and associated Indicators on.
Group Types | Yes* | The Group Types to filter associated Indicators on.
Tag Filter | No | The Tags to filter Groups on.
Last Run | Yes* | Data modified since this date will be included on the first run. Thereafter, the date is updated automatically each time the job completes successfully.
TQL | No* | A custom TQL query for Groups. When using TQL, the other filter fields are ignored. For details on writing TQL see
Debug | No | Collective Insights API debug mode.
Logging Level | No | Logging Level. Default: info.

* When using TQL, the other filter fields are ignored. If not using TQL, all fields marked "Yes*" are required.


Instructions

  1. Install the Recorded Future Collective Insights app from TcExchange.
  2. Once installed, navigate to Settings → Org Settings → Apps.
  3. Select the plus button to add and configure a new job.
  4. Enter a name for the job
  5. Suggested name: “Recorded Future Collective Insights“
  6. Select “Recorded Future Collective Insights (1.0.0)” as the program to run. Click Next.
  7. Configure the job parameters specified in the table above (App Inputs). Click Next.
  8. Configure the schedule for how often to run the job. Click Next.
  9. If needed, configure job output notifications. Click Save.
  10. Click the Active toggle on the Collective Insights App to enable the job.
  11. The job is now scheduled to run based on the schedule supplied as an input.
  12. If needed, manually run the job by clicking the Play button on the Collective Insights App listed in the table.


Usage Acknowledgement

This org app is provided for demonstration purposes only, and should not be used without independent verification. Recorded Future makes no representations or warranties, express, implied, statutory, or otherwise, regarding this org app, and provides it strictly "as-is". Recorded Future shall not be liable for, and you assume all risk of using the foregoing.


Troubleshooting

The Collective Insights Org App logs information at different levels. To access debug log information such as the Collective Insights raw payload or other app variables, set logging level to debug when configuring the App parameters. This setting will include helpful information to troubleshoot any errors causing the app to fail.


Playbook App

The app is designed to integrate seamlessly into existing ThreatConnect playbooks. It uses ThreatConnect's built-in data types (TCEntity and TCEntityArray), so there is no need to format the input before passing it to the app.


Requirements


App Inputs

Name | Data Type | Required | Description
Token | String | Yes | Recorded Future API Key.
Indicators | TCEntityArray | Yes | IOCs to send to Collective Insights.
Incident | TCEntity | No | Associated ThreatConnect Group used to uniquely tie the IOC to a client- or partner-specific incident.
Groups | TCEntityArray | No | Malware, MITRE ATT&CK, and/or CVE associations to send to Recorded Future Collective Insights.
Advanced | String, StringArray | No | Advanced options for writing data to the Collective Insights API. The available parameters are described below in the "Advanced Input" section; further information can be found on the Collective Insights API Support Page.



Instructions

1. Navigate to Playbooks → App Builder and click on Import Project to import the “Recorded Future Collective Insights App 1.0.0” file. You should now see the Recorded Future Collective Insights app.

2. After importing the Playbook App, navigate to the Playbooks tab to import the “Recorded Future Collective Insights Playbook.pbxz” file. From this page, click on the NEW dropdown menu and select Import Playbook to upload the .pbxz file. You should now see the Recorded Future Collective Insights playbook.

3. Open the Recorded Future Collective Insights playbook. Enter your Recorded Future API Key and Indicators and, if applicable, any associated Incident, Groups, or Advanced fields. Once the inputs are ready, click Save.
  a. Advanced inputs enhance the Recorded Future Collective Insights detection and give more context to the submitted indicator, for example debugging parameters and detection details. The available parameters are described below in the “Advanced Input” section.
  b. After filling out the desired configuration, you can run the playbook manually on an indicator via the User Action Trigger or automatically via a Group Trigger. A User Action or Group trigger is recommended for this playbook because their output variables and their ability to query associations make it easier to gather the input parameters for the Collective Insights app.

4. When configuration of the playbook inputs and trigger method is complete, set the playbook to Active.

5. Once active, playbook executions are available from the Playbooks → Activity screen or by viewing the executions directly under Recorded Future Collective Insights Playbook → Executions. The playbook is executing successfully if the execution details show a status of ok (green) and the Logger Utility app displays the summary output information.



Usage Acknowledgement

This playbook is provided for demonstration purposes only, and should not be used without independent verification. Recorded Future makes no representations or warranties, express, implied, statutory, or otherwise, regarding this playbook, and provides it strictly "as-is". Recorded Future shall not be liable for, and you assume all risk of using the foregoing.


Troubleshooting

The Collective Insights Playbook App logs information at different levels. To access debug log information such as the Collective Insights raw payload or other app variables, set either the Playbook App or the Collective Insights Playbook logging level to debug. This setting will include helpful information to troubleshoot any errors causing the app to fail.


Advanced Input

Field Name | Field Type | Description
debug | Boolean | If set to "true", data sent via this API will NOT be saved to the Recorded Future Intelligence Cloud. This is useful when developing and debugging code that uses this API. Once the submission of data is in production, this flag should be changed to "false". If omitted, "debug" defaults to "false".
detection_id | String | Depends on the detection type. When type=correlation, this is the id of the Correlation Use Case, e.g. p_default_ip_risklist (the p_ prefix indicates a public use case available to all; an h_ prefix indicates a client-specific use case). When type=detection_rule, it is the id of the Analyst Note to which the detection rule is attached, e.g. doc:XYZ. When type=playbook, it is the id of the playbook.
detection_name | String | The name of the detection.
detection_subtype | String | Additional data related to the "type" field. Currently it is only required when the type is "detection_rule", in which case the sub_type is one of sigma, yara, or snort.
detection_type | String | Describes how the IOC was detected. Must be one of the enumerated values: correlation, playbook, or detection_rule.
log_field | String | The field in a log where the detection was made.
organization_ids | String, StringArray | Organization IDs associated with the IOC(s).
source_type | String | The type of log source from which the detection was made.
timestamp | String | Timestamp in ISO 8601 format of the day and time when the IOC was observed or detected. If omitted, the timestamp of the API call itself is associated with the IOC.
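The rules in the table above (an enumerated detection_type, a detection_subtype that is mandatory only for detection_rule, a debug flag that defaults to "false", an ISO 8601 timestamp, and organization_ids that may be a single string or an array) are easy to get wrong when the Advanced input is assembled by hand in a playbook. The following is an added example, not code from Recorded Future or from the ThreatConnect apps: it normalises and validates a mapping of those fields before it is handed to the Playbook App. The field names and rules come from the table; the output shape (a flat dict of normalised fields) and the treatment of naive timestamps as UTC are assumptions of this example, and the real request body is documented on the Collective Insights API Support Page.

```python
"""Validate Advanced Input fields for the Collective Insights Playbook App.

Added example; not the vendor's code. Field names and constraints follow the
Advanced Input table. The returned dict layout is an assumption.
"""
from datetime import datetime, timezone

DETECTION_TYPES = ("correlation", "playbook", "detection_rule")
DETECTION_SUBTYPES = ("sigma", "yara", "snort")
# Free-form string fields that need no extra checks
PASS_THROUGH = ("detection_id", "detection_name", "log_field", "source_type")


def _parse_timestamp(value):
    """Parse an ISO 8601 string; a trailing 'Z' is rewritten for older Pythons."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        # Assumption for this example: naive timestamps are treated as UTC.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def validate_advanced(advanced):
    """Return (fields, errors).

    fields: normalised values ready to pass on; errors: list of readable
    problems, empty when the input satisfies the table's rules.
    """
    fields, errors = {}, []

    # debug: Boolean, defaults to "false" when omitted; accept bool or text
    debug_text = str(advanced.get("debug", "false")).lower()
    if debug_text in ("true", "false"):
        fields["debug"] = debug_text == "true"
    else:
        errors.append('debug must be "true" or "false"')

    # detection_type: must be one of the enumerated values
    dtype = advanced.get("detection_type")
    if dtype is not None:
        if dtype in DETECTION_TYPES:
            fields["detection_type"] = dtype
        else:
            errors.append("detection_type must be one of %s" % ", ".join(DETECTION_TYPES))

    # detection_subtype: required (sigma, yara or snort) only for detection_rule
    subtype = advanced.get("detection_subtype")
    if dtype == "detection_rule":
        if subtype in DETECTION_SUBTYPES:
            fields["detection_subtype"] = subtype
        else:
            errors.append("detection_subtype (sigma, yara or snort) is required for detection_rule")
    elif subtype is not None:
        fields["detection_subtype"] = str(subtype)

    # timestamp: ISO 8601; when omitted the API uses the call time, so add nothing
    ts = advanced.get("timestamp")
    if ts is not None:
        try:
            fields["timestamp"] = _parse_timestamp(str(ts)).isoformat()
        except ValueError:
            errors.append("timestamp must be ISO 8601, e.g. 2024-01-02T03:04:05Z")

    # organization_ids: String or StringArray, always normalised to a list
    org_ids = advanced.get("organization_ids")
    if org_ids is not None:
        if isinstance(org_ids, str):
            org_ids = [org_ids]
        fields["organization_ids"] = [str(o) for o in org_ids]

    for name in PASS_THROUGH:
        if advanced.get(name) is not None:
            fields[name] = str(advanced[name])

    return fields, errors


if __name__ == "__main__":
    # Constructed sample input; doc:XYZ mirrors the example id in the table.
    sample = {
        "detection_type": "detection_rule",
        "detection_subtype": "sigma",
        "detection_id": "doc:XYZ",
        "detection_name": "constructed example rule",
        "timestamp": "2024-01-02T03:04:05Z",
        "organization_ids": "org-example-1",
    }
    print(validate_advanced(sample))
```

Running the validator before the Playbook App step means a missing detection_subtype or a misspelled detection_type surfaces as a clear error in the playbook log rather than as a rejected API call, and leaving debug at its default keeps test submissions out of the Intelligence Cloud only when it is explicitly set to "true".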


This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.