Introduction
Recorded Future's Collective Insights is a new type of Recorded Future analytics that provides a complete view of the threats that matter to your organization. Collective Insights allows you to analyze detected incidents and create an intelligence resource for use in two ways:
- Gain a comprehensive view of detections across your infrastructure and controls
- Use anonymized data to create visualizations and analytics that compare the entire threat landscape for your enterprise with specific industries and geographies
For more information on Recorded Future's Collective Insights, see the Getting Started with Collective Insights page.
The Collective Insights Connector for Sumo Logic Cloud SIEM forwards the following data fields to Recorded Future:
- Id: Unique ID of the signal
- Name: Name of the signal
- Timestamp: Timestamp of first log record for this signal
- ContentType: Type of content in the signal
- Target: Destination of the signal
- Value: Value of indicator associated with the signal
- ObjectType: Type of object related to value in the signal
- ListId: Unique identifier for list within Cloud SIEM
Prerequisites
The user creating the Access ID and Access Key should have the following permissions:
1. Security
a. Manage Access Keys
b. Create Access Keys
2. Cloud SIEM Enterprise
a. View Cloud SIEM Enterprise
Getting Started
Click the Sumo Logic tile.
You will see additional details and resources for the integration. Click the blue Set up button.
Note: You must be an administrator to see the Set up button.
Enter the requested information in the setup modal that displays and click the Activate button.
- Connector Name: Collective Insights Connector For Sumologic
- Access ID and Access Key: One of the supported authentication mechanisms in Sumologic. Please refer to this article for steps to generate them.
- Region: Region of your Sumologic Cloud SIEM instance. Please refer to this article to learn more about supported regions.
Detection Parameters
- Minimum Severity: Severity levels to be applied to the events before being sent to Collective Insights.
- Pull limit: Number of events to pull from Sumologic Cloud SIEM
- Connector Update Frequency: The frequency with which you want to update the Connector (default: 30 minutes)
Custom Parameters
- Custom Filter String: Use the filter string to narrow down the events to be sent to Collective Insights
Initial Import
- Detections Created Last: The duration of historical information that Recorded Future will pull based on the initial setup. The default range is 1 day; ranges longer than the previous 24 hours may cause delays in the setup process.
FAQ
1. How do we manage event volume if we hit the volume cap on Collective Insights?
The following are some of the recommended steps to manage the event volume from Sumologic:
a. Use a longer polling frequency
A longer polling frequency lets you control the number of events ingested into Collective Insights, since at most 10,000 events can be fetched from Sumologic at any point in time.
Action: In the connector settings page, under "Connector Update Frequency" choose 3 hours or more.
b. Tighten the severity
Change Minimum Severity from 0 to a higher threshold, such as 3 (for medium and above).
Action: In the connector settings page, under "Minimum Severity", choose 3 or above.
c. Pull limit
Cap the number of events pulled per execution of the connector.
Action: In the connector settings page, under "Pull limit", choose 10,000 or below.
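The three volume controls from the FAQ worked through on constructed sample signals, as an added example rather than the connector's own code: the "severity" key, its 0-10 scale and the oldest-first ordering are assumptions made for illustration, while the forwarded field names and the 10,000-event ceiling come from this page.

```python
# Field names the page lists as forwarded to Recorded Future.
FORWARDED_FIELDS = ("Id", "Name", "Timestamp", "ContentType",
                    "Target", "Value", "ObjectType", "ListId")
MAX_PULL_LIMIT = 10_000  # per-fetch ceiling stated in the FAQ

# Constructed sample signals (not real data). The "severity" key, its
# 0-10 scale and the extra "raw" key are assumptions for this example.
SAMPLE_SIGNALS = [
    {"Id": "sig-1", "Name": "Beaconing to suspicious host", "severity": 7,
     "Timestamp": "2024-01-01T00:10:00Z", "ContentType": "rule",
     "Target": "10.0.0.5", "Value": "203.0.113.9", "ObjectType": "ip",
     "ListId": "list-a", "raw": "full log record"},
    {"Id": "sig-2", "Name": "Port scan", "severity": 2,
     "Timestamp": "2024-01-01T00:05:00Z", "ContentType": "rule",
     "Target": "10.0.0.6", "Value": "198.51.100.4", "ObjectType": "ip",
     "ListId": "list-a", "raw": "full log record"},
    {"Id": "sig-3", "Name": "Malicious hash seen", "severity": 5,
     "Timestamp": "2024-01-01T00:02:00Z", "ContentType": "threat-intel",
     "Target": "host-17", "Value": "sha256-placeholder", "ObjectType": "hash",
     "ListId": "list-b", "raw": "full log record"},
    {"Id": "sig-4", "Name": "Credential dumping", "severity": 9,
     "Timestamp": "2024-01-01T00:20:00Z", "ContentType": "rule",
     "Target": "host-22", "Value": "lsass.exe", "ObjectType": "process",
     "ListId": "list-b", "raw": "full log record"},
]

def select_for_forwarding(signals, min_severity, pull_limit):
    """Apply one polling cycle's volume controls.

    Returns (records, truncated): records hold only the forwarded fields;
    truncated is True when more signals passed the severity filter than
    the pull limit allows, so the remainder is not fetched this cycle.
    """
    limit = min(pull_limit, MAX_PULL_LIMIT)
    eligible = [s for s in signals if s["severity"] >= min_severity]
    eligible.sort(key=lambda s: s["Timestamp"])  # oldest first (assumption)
    records = [{k: s[k] for k in FORWARDED_FIELDS} for s in eligible[:limit]]
    return records, len(eligible) > limit

def max_daily_volume(pull_limit, update_minutes):
    """Upper bound on events/day: one fetch per cycle, each at most the limit."""
    cycles_per_day = (24 * 60) // update_minutes
    return min(pull_limit, MAX_PULL_LIMIT) * cycles_per_day
```

A True `truncated` flag on a cycle means the pull limit is dropping eligible signals, which is the signal to raise the severity threshold or tighten the Custom Filter String rather than to shorten the update frequency.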