- How come there are different numbers of observables in the description tab and the associations tab?
- In some cases a threat model report might display a certain amount of observables in the Description tab and yet contain less in the Associations tab, this is due to the fact that Anomali TS has a whitelisting mechanism that prevents certain Observables from being ingested. For more information please contact the Anomali Support team.
- What happens when an observable from Recorded Future has a risk score of 0 or does not have any intelligence?
- There might be an Analyst Note where an IOC might have a risk score of 0 but no information in the intelligence card associated with it in the Recorded Future Portal. As expected, we decided to still show those IOCs related to the note for completeness of information. The occurrences of such IOC is expected to be very low.
- How come my integration is not fetching specific alerts?
- The integration only fetches alerts with a status of no-action or as shown in the portal New . Verify that the alerts you wish to fetch have this status set.
- What do I do if I believe my Recorded Future API token is not working?
- Ensure that you are using the API token specifically assigned for Recorded Future Analyst Notes for Anomali ThreatStream. Other Recorded Future API tokens may not have the necessary permissions for the integration to function properly. If you believe you are using the correct token but are still encountering access errors, please reach out to Recorded Future Support for further assistance.