Anomali Threatstream Feeds

There are two different ways Recorded Future threat intelligence can be integrated and used within the Anomali ThreatStream platform:

  1. Recorded Future Enrichment Application
    • The enrichment app is shown on the detail page of any IP address, domain, URL, or file hash. Inside the Anomali ThreatStream application it presents the same information that the Recorded Future intelligence card shows for that entity.
    • The app is available under Settings --> "Integrations" and can be configured directly by a client user. A valid Recorded Future API Token is required.
  2. Recorded Future Data Feeds
    • This integration allows the bulk upload of indicators into Anomali ThreatStream.
    • Recorded Future appears as a feed option in the ThreatStream App Store.
    • Joint customers can configure this integration directly by clicking "Request a Trial". They are asked whether they are an existing client; answering yes takes them to the configuration screen.
    • Once enabled, indicators flow in with "Recorded Future" as the source.
    • Recorded Future Risk Rules are mapped to Anomali iTypes; however, only one iType may be associated with an indicator. For an indicator that triggers multiple risk rules, only one of them (chosen at random) is represented by the Anomali iType association.
    • At the detail level, however, the complete set of triggered risk rules can be recovered, because the rules are mapped to "Tags" (along with the source URLs).
    • Indicators ingested into Anomali are stored indefinitely for historical purposes. Each indicator is given a static time to live on ingestion into Anomali's ThreatStream. If an indicator is re-reported after it has gone inactive, it flips back to active status. Active status in Anomali, which corresponds to being available to downstream integrations, is not related to the Risk Score. The default age-out period is 30 days, although it can be manually configured to be as short as 3 days.
    • The default polling intervals for the default Risk Lists are as follows:
      • Hashes - 24h
      • IP - 2h
      • Domain - 2h
      • URL - 2h

    • If you need to change the polling frequency or the default age-out period, please reach out to support@anomali.com detailing the changes you would like to make.
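As an added illustration (not code from Anomali or Recorded Future), the following Python script models the two behaviours described above: recovering the full set of risk rules from the "Tags" when only one iType is stored, and the static age-out with re-activation on re-report. The record shape, field names and tag values are constructed assumptions, not the ThreatStream API schema.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed record in the shape the article describes: a single iType,
# with every triggered risk rule and the source URLs flattened into tags.
# Field names are an assumption, not the real ThreatStream schema.
SAMPLE_RECORD = {
    "value": "203.0.113.10",          # RFC 5737 documentation address
    "itype": "mal_ip",                # only ONE rule survives as the iType
    "source": "Recorded Future",
    "tags": [
        "Recent C&C Server",
        "Historical Botnet Traffic",
        "https://example.com/report-1",
        "Recent Threat Researcher",
        "https://example.org/blog/post",
    ],
}

def split_tags(tags):
    """Separate risk-rule names from source URLs in a tag list.

    Anything that parses as an http(s) URL is treated as a source link;
    everything else is taken to be a Recorded Future risk rule name.
    """
    rules, sources = [], []
    for tag in tags:
        parsed = urlparse(tag)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            sources.append(tag)
        else:
            rules.append(tag)
    return sorted(rules), sources

def summarize(record):
    """Build a view that exposes all rules, not just the one behind the iType."""
    rules, sources = split_tags(record["tags"])
    return {"value": record["value"], "itype": record["itype"],
            "risk_rules": rules, "sources": sources}

def is_active(last_reported, now, age_out_days=30):
    """Mirror the age-out rule: an indicator is active for age_out_days after
    its most recent (re-)report, independent of its Risk Score. Anomali allows
    the period to be shortened to no less than 3 days."""
    if age_out_days < 3:
        raise ValueError("age-out period cannot be shorter than 3 days")
    return now - last_reported < timedelta(days=age_out_days)
```

Because the iType carries only one rule, downstream filtering on iType alone under-counts; `summarize()` shows what a consumer should key on instead.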

Note that both of these integrations are written and maintained by Anomali, and Recorded Future can only offer limited support for issues that may arise.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.