- How are Recorded Future Risk Rules mapped to Anomali iTypes?
- Recorded Future Risk Rules are mapped to Anomali iTypes; however, only one iType may be associated with an indicator. For an indicator that triggers multiple risk rules, this means only one of those rules, chosen at random, is represented by the indicator's Anomali iType.
- How can I see the full list of triggered Recorded Future Risk Rules for an IOC in Anomali?
- At the detail level, it is possible to recover the complete set of triggered risk rules, since they are mapped to "Tags".
- How long are indicators from Recorded Future stored in Anomali?
- The indicators ingested into Anomali are stored for historical purposes indefinitely.
- What do the ‘inactive’ and ‘active’ statuses in Anomali indicate about a Recorded Future IOC?
- If an indicator is re-reported after becoming inactive, it will revert to an active status. In Anomali, the "active" status indicates that the indicator is available for downstream integrations, but it is not tied to the Risk Score. By default, the age-out period for indicators is 30 days, though it can be manually configured to be as short as 3 days.