Introduction
Recorded Future's Collective Insights is a Recorded Future analytics capability that gives clients a complete view of which threats matter to their organization. Collective Insights lets Recorded Future’s clients analyze detected incidents and build an intelligence resource that is used in two ways:
- Collective Insights gives clients a comprehensive view of detections across their infrastructure and security controls
- Anonymized data can be used to create visualizations and analytics that compare your enterprise's threat vectors and overall threat landscape with those of specific industries and geographies
For more information on Recorded Future’s Collective Insights, see the Getting Started with Collective Insights page.
Overview
For ThreatConnect there are two available apps for Collective Insights:
- Organization App: runs in the background as a scheduled job, queries Groups and their associated Indicators, and sends them to the Collective Insights API
- Playbook App: an “Action” app used within a Playbook to send one or more Indicators to the Collective Insights API
Organization App
The app is designed to run as a scheduled job, which makes it easy to configure and deploy, allows the Groups to be selected with a TQL query, and writes detections back to Collective Insights in bulk.
Requirements
App Inputs
| Name | Required | Description |
|---|---|---|
| Recorded Future API Token | Yes | Recorded Future API Token used to access the Collective Insights API. |
| ThreatConnect Owners | Yes* | The Owners to filter Groups and associated Indicators on. |
| Group Types | Yes* | The Group types to filter associated Indicators on. |
| Tag Filter | No | The Tags to filter Groups on. |
| Last Run | Yes* | Data modified since this date is included on the first run. Thereafter the date is updated automatically each time the job completes successfully. |
| TQL | No* | A custom TQL query for Groups. When using TQL, the other filter fields are ignored. For details on writing TQL see |
| Debug | No | Collective Insights API debug mode. |
| Logging Level | No | Logging level. Default: info. |
* When using TQL, other filter fields will be ignored. If not using TQL then all fields marked “Yes*” are required.
Instructions
- Install the Recorded Future Collective Insights app from TcExchange.
- Once installed, navigate to Settings → Org Settings → Apps.
- Select the plus button to add and configure a new job.
- Enter a name for the job
- Suggested name: “Recorded Future Collective Insights”
- Select “Recorded Future Collective Insights (1.0.0)” as the program to run. Click Next.
- Configure the job parameters specified in the table above (App Inputs). Click Next.
- Configure the schedule for how often to run the job. Click Next.
- If needed, configure job output notifications. Click Save.
- Click the Active toggle on the Collective Insights App to enable the job.
- The job is now scheduled to run based on the schedule supplied as an input.
- If needed, run the job manually by clicking the Play button next to the Collective Insights App in the Apps table.
Usage Acknowledgement
This org app is provided for demonstration purposes only, and should not be used without independent verification. Recorded Future makes no representations or warranties, express, implied, statutory, or otherwise, regarding this org app, and provides it strictly "as-is". Recorded Future shall not be liable for, and you assume all risk of using the foregoing.
Troubleshooting
The Collective Insights Org App logs information at several levels. To see debug information such as the raw Collective Insights payload and other app variables, set the logging level to debug when configuring the App parameters. The debug log contains the information needed to troubleshoot any error that causes the app to fail.
Playbook App
The app is designed to integrate seamlessly into existing ThreatConnect Playbooks. It consumes ThreatConnect's built-in data types (TCEntity and TCEntityArray) directly, so there is no need to reformat input before passing it to the app.
Requirements
- Recorded Future API Key for Collective Insights integration
- Recorded Future Collective Insights (.tcx)
- Recorded Future Collective Insights Playbook.pbxz
App Inputs
| Name | Data Type | Required | Description |
|---|---|---|---|
| Token | String | Yes | Recorded Future API Key. |
| Indicators | TCEntityArray | Yes | IOCs to send to Collective Insights. |
| Incident | TCEntity | No | Associated ThreatConnect Group used to uniquely tie the IOC to a client- or partner-specific incident. |
| Groups | TCEntityArray | No | Malware, MITRE ATT&CK, and/or CVE associations to send to Recorded Future Collective Insights. |
| Advanced | String, StringArray | No | Advanced options for writing data to the Collective Insights API. Detailed information on the available parameters can be found below in the “Advanced Input” section. Further information can be found on the Collective Insights API Support Page. |
Instructions
1. Navigate to Playbooks → App Builder and click Import Project to import the “Recorded Future Collective Insights App 1.0.0” file. The Recorded Future Collective Insights app should now be listed.
- A User Action or Group trigger is recommended for the Recorded Future Collective Insights Playbook, because the output variables of those triggers make it possible to query associations when gathering the input parameters for the Collective Insights app.
4. When the Playbook inputs and trigger method are configured, set the Playbook to Active.
5. Once active, Playbook executions are available from the Playbooks → Activity screen or directly through Recorded Future Collective Insights Playbook → Executions. The Playbook is executing successfully if the execution status shows OK (green) in the execution details and the Logger Utility app displays the summary output.
Usage Acknowledgement
This playbook is provided for demonstration purposes only, and should not be used without independent verification. Recorded Future makes no representations or warranties, express, implied, statutory, or otherwise, regarding this playbook, and provides it strictly "as-is". Recorded Future shall not be liable for, and you assume all risk of using the foregoing.
Troubleshooting
The Collective Insights Playbook App logs information at several levels. To see debug information such as the raw Collective Insights payload and other app variables, set the logging level of either the Playbook App or the Collective Insights Playbook to debug. The debug log contains the information needed to troubleshoot any error that causes the app to fail.
Advanced Input
| Field Name | Field Type | Description |
|---|---|---|
| debug | Boolean | If set to "true", data sent via this API will NOT be saved to the Recorded Future Intelligence Cloud. This is useful when developing and debugging code that uses this API. Once the submission of data is in production, this flag should be changed to "false". If omitted, "debug" defaults to "false". |
| detection_id | String | |
| detection_name | String | The name of the detection. |
| detection_subtype | String | Additional data related to the "type" field; currently it is only required for the type "detection_rule", and the allowed sub-types are sigma, yara, or snort. |
| detection_type | String | Value describing how the IOC was detected; must be one of the enumerated values (correlation, playbook, or detection_rule). |
| log_field | String | The field in a log where the detection was made. |
| organization_ids | String, StringArray | Organization IDs associated with the IOC(s). |
| source_type | String | The type of log source from which the detection was made. |
| timestamp | String | Timestamp in ISO 8601 format, corresponding to the day and time when the IOC was observed or detected. If this is not included in the API call, the timestamp of the API call itself will be associated with the IOC. |
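The constraints in the table above (the enumerated detection types, the sub-type that is mandatory only for detection_rule, the boolean debug flag, the single-or-array organization_ids, and the ISO 8601 timestamp) are easy to get wrong when the values are assembled as strings in a Playbook, and a bad payload is only reported after the API call. The following is an added example, not code from the Recorded Future or ThreatConnect apps, that validates and normalises these fields before they are handed to the Advanced input. The function names, the `org-123` organization ID and the sample input are constructed for this example; the rules themselves are the ones stated in the table.

```python
from datetime import datetime, timezone
from typing import Any

# Enumerations exactly as documented in the Advanced Input table.
DETECTION_TYPES = {"correlation", "playbook", "detection_rule"}
DETECTION_RULE_SUBTYPES = {"sigma", "yara", "snort"}
# Free-form string fields; passed through unchanged when non-empty.
STRING_FIELDS = ("detection_id", "detection_name", "log_field", "source_type")


def _to_bool(value: Any) -> bool:
    """Playbook inputs arrive as strings, so accept "true"/"false" as well as bool."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"debug must be true or false, got {value!r}")


def _to_utc_iso8601(value: str) -> str:
    """Accept ISO 8601 with an offset or a trailing 'Z'; reject timestamps without
    a timezone, which the receiver would otherwise interpret in an unknown zone."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp must include a timezone: {value!r}")
    return ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def build_advanced_options(fields: dict) -> dict:
    """Return a normalised copy of the advanced fields, raising ValueError on
    anything the field table does not allow."""
    out: dict = {}

    # debug defaults to false; true means the submission is not persisted.
    out["debug"] = _to_bool(fields.get("debug", False))

    dtype = fields.get("detection_type")
    if dtype is not None:
        if dtype not in DETECTION_TYPES:
            raise ValueError(f"detection_type must be one of {sorted(DETECTION_TYPES)}")
        out["detection_type"] = dtype

    # detection_subtype is mandatory for detection_rule and limited to sigma/yara/snort.
    subtype = fields.get("detection_subtype")
    if dtype == "detection_rule" and subtype is None:
        raise ValueError("detection_rule requires detection_subtype (sigma, yara or snort)")
    if subtype is not None:
        if subtype not in DETECTION_RULE_SUBTYPES:
            raise ValueError(f"detection_subtype must be one of {sorted(DETECTION_RULE_SUBTYPES)}")
        out["detection_subtype"] = subtype

    for name in STRING_FIELDS:
        if fields.get(name) not in (None, ""):
            out[name] = str(fields[name])

    # organization_ids may be a single String or a StringArray; always send a list.
    org_ids = fields.get("organization_ids")
    if org_ids is not None:
        items = [org_ids] if isinstance(org_ids, str) else list(org_ids)
        items = [str(i).strip() for i in items if str(i).strip()]
        if items:
            out["organization_ids"] = items

    # If timestamp is omitted the API stamps the call time itself, so add nothing.
    if fields.get("timestamp"):
        out["timestamp"] = _to_utc_iso8601(fields["timestamp"])

    return out


# Constructed sample input, shaped like values a Playbook would pass as strings.
SAMPLE_ADVANCED = {
    "debug": "true",
    "detection_type": "detection_rule",
    "detection_subtype": "sigma",
    "detection_name": "Outbound DNS to newly registered domain",
    "source_type": "dns",
    "organization_ids": "org-123",  # constructed placeholder, not a real ID
    "timestamp": "2024-03-01T14:00:00+02:00",
}

if __name__ == "__main__":
    print(build_advanced_options(SAMPLE_ADVANCED))
    # A detection_rule with no sub-type is rejected before anything is sent.
    try:
        build_advanced_options({"detection_type": "detection_rule"})
    except ValueError as exc:
        print("rejected:", exc)
```

Running the check client-side means a misconfigured Playbook fails in the Logger Utility output with the offending field named, instead of producing an opaque API error; keeping `debug` set to true until the normalised payload looks right also ensures nothing is written to the Intelligence Cloud during that tuning.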