Recorded Future Collective Insights for Cortex XSIAM

Introduction

Recorded Future's Collective Insights is a new type of Recorded Future analytics that provides clients with a complete view of which threats matter to their organization. Collective Insights enables Recorded Future's clients to analyze detected incidents and build an intelligence resource that is used in two ways:

  • Collective Insights provides clients with a comprehensive view of detections across their infrastructure and controls.
  • Anonymized data can be used to create visualizations and analytics that compare your enterprise's threat vectors and overall threat landscape, without identifying your organization, against specific industries and geographies.

For more information on Recorded Future's Collective Insights, see the Getting Started with Collective Insights page.

Set up Collective Insights in Cortex XSIAM

Cortex XSIAM has native support for Collective Insights. It is controlled by a flag on the Configuration page of the Recorded Future v2 instance, which is turned on by default. With this flag turned on, anonymized data is automatically ingested from any playbook that uses one of these commands: 'intelligence', 'reputation', 'links', 'recordedfuture-collective-insight'.

As part of Collective Insights, the following data is collected from each playbook run, whether the playbook was started manually or configured to run automatically for an incident type (this is configured by mapping the incident type to a default playbook in its properties).

  • Incident - ID, Type, Name
  • Playbook Name
  • Instance ID
  • Command
  • Indicator - Type, Name
  • Recurrence
  • Schedule

FAQ:

1. I have enabled the auto-enrichment feature for indicators in my instance of XSIAM. Will I be able to see those enrichments in the Collective Insights dashboard?

No. The indicators need to be enriched from within a playbook in order to be reflected in the detections explorer of Collective Insights.

2. Which commands need to be used to enrich indicators within a playbook so that they are ingested into Collective Insights?

The following commands have been tested to work with Collective Insights in XSIAM:

  • reputation (ip, domain, hash, url, cve)
  • intelligence (ip, domain, hash, url, cve)
  • links
  • recordedfuture-collective-insight
  • recordedfuture-threat (map, links)
  • alerts (search, update, single)