Anomali ThreatStream - Recorded Future Analyst Notes: Troubleshooting/FAQ

What Recorded Future note types are included in this integration?

The following Recorded Future Analyst Note topics are supported by the integration: Actor profile, Cyber Threat Analysis, Flash Report, Hunting Package, Indicator, Informational, Malware Tool Profile, Source Profile, Threat Lead, TTP Instance, and Validated Intelligence Event.

What data points from Recorded Future are included in the Analyst Note presentation?

Ingested Analyst Notes contain: the title of the note; a link to the specific note in the Recorded Future portal; Source; Topic; Validation URLs (if available); any attack vector related to the tool or actor described (if available); any vulnerability used or mentioned in the note, along with a description (if available); the full content of the note attachment in the Attachments tab (if available); the Malware Tools Profile (Malware Threat Model); the Malware Types and Execution Platforms fields (if available); the Malware Family field (always set to "Malware Instance"); and Observables.

Are Anomali Observables created from the IOCs included in Recorded Future Analyst Notes?

Yes. Some notes may contain a domain, hash, IP address or URL. These result in the creation of Observables, each carrying its Recorded Future Risk Score (if available). Only Very Malicious and Malicious IOCs are added as Observables. The IType varies based on the most critical Recorded Future Risk Rule associated with the IOC.

Why are there different numbers of observables in the description tab and the associations tab?

In some cases a threat model report may display a certain number of Observables in the Description tab and fewer in the Associations tab. This is because Anomali ThreatStream has a whitelisting mechanism that prevents certain Observables from being ingested. For more information, please contact the Anomali Support team.

What happens when an observable from Recorded Future has a risk score of 0 or does not have any intelligence?

An Analyst Note may reference an IOC that has a risk score of 0 and no information in its associated Intelligence Card in the Recorded Future portal. We decided to still show those IOCs with the note for completeness of information. Such IOCs are expected to be very rare.

How do I view CVE enrichment data from Recorded Future in Anomali?

The Informational topic creates an Analyst Note under the Vulnerability threat model, which does not contain CVSS and CVSSv3 information due to data being unavailable for the Threat and SecOps modules.

What do I do if I believe my Recorded Future API token is not working?

Ensure that you are using the API token specifically assigned for Recorded Future Analyst Notes for Anomali ThreatStream. Other Recorded Future API tokens may not have the necessary permissions for the integration to function properly. If you believe you are using the correct token but are still encountering access errors, please reach out to Recorded Future Support for further assistance.
