The correlation use case involves scheduled downloads of Recorded Future Risk List data for comparison with other client data, such as log files from a network appliance or results from a vulnerability scanner. A data analysis tool or SIEM is often used to generate alerts and dashboards from the matches. There is also increasing interest in feeding risk list data directly into security controls such as firewalls and DNS servers. As a general rule of thumb, Recorded Future risk list data is largely "detect" quality: using it to block network traffic without careful consideration may block legitimate traffic.
Note: Risk Lists do not populate automatically. See this article for more information on Recorded Future risk lists.
Above: example correlation dashboard from Recorded Future's Splunk Enterprise integration application. The IP address in the left column is pulled from a log file; the remaining columns are information from the Recorded Future risk list.
More on risk lists: Similar to "threat feeds," Recorded Future risk lists consist of risky indicators identified through our unique collection and analysis methods. The risk lists are much richer than standard threat feeds in that a great deal of context is also included in the data file, and we encourage developers using our risk lists to make as much use of this additional context as possible. Much more information about risk lists is available on this support page, and Recorded Future's Risk Scoring approach is described here.
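The correlation described above (a log IP joined against the risk list, with the list's score and evidence carried into the alert) as an added example; this is illustrative code, not Recorded Future's integration. The CSV column layout, the rule names and the log lines are all constructed for the example, and the alert threshold is an assumed value that keeps low-scored matches as enrichment rather than alerts, in line with the "detect" quality caveat.

```python
import csv
import io
import json
import re

# Constructed risk list rows (not real indicators). The column layout
# Name,Risk,RiskString,EvidenceDetails is assumed for illustration.
RISK_LIST_CSV = """Name,Risk,RiskString,EvidenceDetails
198.51.100.23,89,3/50,"{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server""}]}"
203.0.113.7,25,1/50,"{""EvidenceDetails"": [{""Rule"": ""Historical Spam Source""}]}"
"""

# Constructed firewall log lines (syslog-like, made up for this example).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:02Z fw01 ALLOW src=10.0.0.8 dst=192.0.2.44 dport=80",
    "2024-05-01T10:00:03Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.9 dport=22",
]

IP_RE = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")


def load_risk_list(text):
    """Index risk list rows by indicator; parse the JSON evidence column."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        evidence = json.loads(row["EvidenceDetails"])["EvidenceDetails"]
        index[row["Name"]] = {"risk": int(row["Risk"]),
                              "rules": [e["Rule"] for e in evidence]}
    return index


def correlate(log_lines, risk_index, alert_threshold=65):
    """One hit per (log line, matched IP), with the risk list's context attached.

    Matches below alert_threshold are kept for enrichment only (alert=False):
    the data is 'detect' quality, so the score drives the alert decision
    rather than any automatic block."""
    hits = []
    for line in log_lines:
        for ip in IP_RE.findall(line):
            entry = risk_index.get(ip)
            if entry is None:
                continue  # IP not on the risk list; nothing to add
            hits.append({"ip": ip, "line": line, "risk": entry["risk"],
                         "rules": entry["rules"],
                         "alert": entry["risk"] >= alert_threshold})
    return hits
```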
Note that Recorded Future risk lists can be downloaded via the Connect API. They are also available via a STIX/TAXII server, as described on this support page.
See this support page for recommendations on risk list download frequencies.