Introduction
This document describes the setup procedures to integrate Recorded Future threat intelligence with EclecticIQ.
The integration covers two primary use cases:
- Bulk download of risky indicators from Recorded Future's STIX/TAXII server, and
- On-demand enrichment of observables through the Recorded Future enricher
Each of these is described in further detail below.
Before you begin, make sure your Recorded Future subscription includes Connect API access. You will also need a valid API Token to enable the integrations; treat it as a credential, since it grants access to your Recorded Future subscription. If you are using the bulk download of risky indicators, you may wish to look at the support pages on Recorded Future's risk scoring and TAXII server.
Bulk download of risky indicators
- Log in to the EclecticIQ platform
- Go to “Data Configuration”, “Incoming Feeds”
- Click on the + icon to add a new incoming feed
- Fill in the feed fields: Feed name, Organization, Source reliability, Transport type, Content type
- Under Transport Configuration, fill in: Polling service URL, Collection name, Ingest messages starting from
- Configure authentication according to the method the TAXII server expects (basic authentication, SSL client certificate, etc.)
- A schedule can also be set for the feed within the feed configuration; other options are available but not mandatory
- When the configuration is complete, save and run the feed; intelligence should start flowing in.
Setting up the Recorded Future Enricher
Full documentation on how to configure the Recorded Future enricher within the EclecticIQ Platform is available at:
https://[IP]/help/_ug/enrichers_recorded_future.html
where [IP] should be replaced with the correct IP address of your EclecticIQ instance; the same instructions, reproduced from the EclecticIQ help page, follow below:

| Field | Value |
| --- | --- |
| Enricher name | Recorded Future |
| API endpoint | https://app.recordedfuture.com/live/sc/entity/{} |
| Input | domain, hash-md5, hash-sha1, hash-sha256, ipv4, ipv6 |
| Output | Enriches supported observable types with pattern matching search results produced by the Recorded Future Temporal Analytics Engine. |
| Description | The enricher returns additional data such as IPs, domains, email addresses, and hashes related to the submitted observables in the specified types, as well as maliciousness confidence levels based on the retrieved risk scores. |
To configure the Recorded Future enricher, browse to https://[IP]/main/configuration/enrichment/, click on the “Recorded Future” box, and you will be presented with an “Edit” button on the right-hand side.
Configure the Recorded Future enricher parameters
Input fields marked with an asterisk are required.
- Observable types: select one or more observable types you want to enrich with data retrieved through the Recorded Future enricher.
- Supported observable types:
- domain
- hash-md5
- hash-sha1
- hash-sha256
- ipv4
- ipv6
Under Parameters, define the specific configuration options for the Recorded Future enricher:
- API key: contact Recorded Future to receive an API key, and then enter it in the corresponding input field. The key is a credential for your Recorded Future subscription; do not share it outside the platform configuration.
Maliciousness confidence rating is based on the Recorded Future risk score, where 0 means no current evidence of risk and 99 means very malicious. A retrieved score is compared against three thresholds, which must be ascending (low < medium < high); the rule is "higher than", so a score equal to a threshold is not above it, and a score at or below the low threshold is not flagged as malicious:
- Low maliciousness threshold: enriched observables with a Recorded Future risk score higher than this value, but not higher than the medium threshold, are flagged as Malicious - Low confidence.
- Enter a value between 0 and 99.
- Default value: 5.
- Medium maliciousness threshold: enriched observables with a risk score higher than this value, but not higher than the high threshold, are flagged as Malicious - Medium confidence.
- Enter a value between 0 and 99.
- Default value: 24.
- High maliciousness threshold: enriched observables with a risk score higher than this value are flagged as Malicious - High confidence.
- Enter a value between 0 and 99.
- Default value: 65.
- Click Save to store your changes, or Cancel to discard them.
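The following is an added example, not EclecticIQ or Recorded Future code, showing how the three threshold parameters turn a risk score into the confidence level an enriched observable is flagged with. It uses the default values stated above (5 / 24 / 65), applies the strict "higher than" rule at the boundaries, and rejects threshold sets that are out of range or not ascending. The function names and the sample observables are assumptions made for illustration; the risk scores attached to them are constructed and carry no real intelligence.

```python
# Added example: map Recorded Future risk scores to EclecticIQ maliciousness
# confidence levels using the enricher's three thresholds. Function names and
# sample data are assumptions for illustration, not product code.
from typing import Dict, Optional

DEFAULT_THRESHOLDS = {"low": 5, "medium": 24, "high": 65}  # defaults from the help page


def thresholds_are_valid(low: int, medium: int, high: int) -> bool:
    """True if each threshold is an integer in 0..99 and low < medium < high.

    Ascending order matters: with low >= medium there is no score that is above
    the low threshold yet not above the medium one, so 'Low confidence' could
    never be assigned and the setting would silently do nothing.
    """
    for value in (low, medium, high):
        if not isinstance(value, int) or not 0 <= value <= 99:
            return False
    return low < medium < high


def classify_risk_score(score: int, low: int = 5, medium: int = 24, high: int = 65) -> Optional[str]:
    """Return 'high', 'medium', 'low', or None (not flagged) for one risk score.

    The rule is strictly 'higher than the threshold', so a score equal to a
    threshold stays in the band below it: score 5 with the default low
    threshold is not flagged, score 65 with the default high threshold is
    'medium', not 'high'.
    """
    if not thresholds_are_valid(low, medium, high):
        raise ValueError(f"invalid thresholds: low={low} medium={medium} high={high}")
    if not isinstance(score, int) or not 0 <= score <= 99:
        raise ValueError(f"risk score must be an integer between 0 and 99, got {score!r}")
    if score > high:
        return "high"
    if score > medium:
        return "medium"
    if score > low:
        return "low"
    return None


def classify_batch(scores: Dict[str, int], thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> Dict[str, Optional[str]]:
    """Classify a mapping of observable -> risk score with one threshold set."""
    return {
        observable: classify_risk_score(score, thresholds["low"], thresholds["medium"], thresholds["high"])
        for observable, score in scores.items()
    }


# Constructed sample input (documentation-range IP, reserved domain, MD5 of the
# empty string); the scores are made up to exercise each band and its boundary.
SAMPLE_SCORES = {
    "198.51.100.7": 71,                                  # above high -> 'high'
    "203.0.113.20": 65,                                  # equal to high -> 'medium'
    "example.invalid": 30,                               # between medium and high -> 'medium'
    "d41d8cd98f00b204e9800998ecf8427e": 5,               # equal to low -> not flagged
    "2001:db8::1": 6,                                    # just above low -> 'low'
}

if __name__ == "__main__":
    for observable, label in classify_batch(SAMPLE_SCORES).items():
        print(f"{observable:40} -> {label or 'not flagged'}")
```

Raising the low threshold (for example to 25) is a common way to cut noise from observables that merely appear in some risk-relevant context; the validation above would then also force the medium threshold up, which is the point: the three settings only make sense as an ordered set.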