Introduction
The Recorded Future for Darktrace integration polls Recorded Future risk lists (IPs and domains) over TAXII for malicious indicators, which Darktrace can then use in correlation use cases.
Partner Website: https://darktrace.com/
Prerequisites
- A valid Recorded Future API key. The integration service receives it in the X-RFToken header; in the Darktrace TAXII configuration below the same token is entered as the password.
- The Threat Indicator Module (Darktrace) must be turned on. This is controlled by Darktrace engineers.
- The module runs under Docker Compose on Python 3.5 with the taxii2client, cybox and STIX libraries.
- A parser exists for each XML tag in the feed.
- Parsed data is stored in SQLite.
- Relevant data is sent to the user interface and to other backend APIs, where it is visualized and modeled for potential alerting needs.
- No binary content from STIX is ingested; only the indicator values are kept.
- Recorded Future STIX data is presented to Darktrace as if it were Darktrace's own Inoculation feed.
Installation Steps
- In the Darktrace UI, navigate to Intel → Taxii Config.
- Confirm that "Taxii polling" is enabled.
- Click "Add new Taxii service".
- For the "Collection" name, two collections cover the two entity types (IP and domain). Each must be added as a separate TAXII service:
  - ip_full
  - domain_full
The following settings are required to enable Recorded Future's integration with Darktrace (one service entry per collection; the poll interval is in seconds, i.e. hourly for IPs and every two hours for domains):

| Setting | IPs | Domains |
| --- | --- | --- |
| Hostname | https://api.recordedfuture.com | https://api.recordedfuture.com |
| Username | RF_DarkTrace | RF_DarkTrace |
| Password | Recorded Future API token | Recorded Future API token |
| Collection | ip_full | domain_full |
| Discovery | /taxii | /taxii |
| Version | 1.1 | 1.1 |
| Poll | 3600 | 7200 |
- A successful entry and poll is shown in green. Feeds can be checked by navigating to Intel → Taxii Config → Taxii Exchange Service.
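The following script is an added example and is not Recorded Future's or Darktrace's own code. It shows, end to end, what the configuration above makes Darktrace do: build the TAXII 1.1 Poll_Request for one collection (ip_full or domain_full), send it with HTTP Basic auth (username RF_DarkTrace, password = API token), and parse the Poll_Response into plain IP and domain indicators while dropping any STIX object that is not an Address or DomainName observable, which is the "no binary from STIX is ingested" rule from the Prerequisites. The Poll_Response embedded below is constructed for this example; `send_poll`, `build_poll_request`, `extract_indicators` and the poll URL are this example's own names and assumptions, and the script needs only the Python standard library.

```python
"""Added example (not Recorded Future's or Darktrace's code): TAXII 1.1 poll
pre-flight for the ip_full / domain_full collections. Sample response is
constructed, not real feed data."""
import base64
import urllib.request
import uuid
import xml.etree.ElementTree as ET

TAXII_11 = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
ET.register_namespace("taxii_11", TAXII_11)
NS = {
    "taxii_11": TAXII_11,
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
# HTTP headers a TAXII 1.1 client sends with an XML message over HTTPS.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def build_poll_request(collection_name, message_id=None):
    """XML body of a TAXII 1.1 Poll_Request for one collection (ip_full / domain_full)."""
    message_id = message_id or uuid.uuid4().hex
    req = ET.Element("{%s}Poll_Request" % TAXII_11,
                     {"message_id": message_id, "collection_name": collection_name})
    params = ET.SubElement(req, "{%s}Poll_Parameters" % TAXII_11, {"allow_asynch": "false"})
    ET.SubElement(params, "{%s}Response_Type" % TAXII_11).text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def send_poll(url, username, api_token, body):
    """POST a Poll_Request with Basic auth (RF_DarkTrace / API token), as Darktrace does.
    Assumption: `url` is the poll service URL learned from Discovery at /taxii. The token
    is also sent as X-RFToken, the header named under Prerequisites."""
    cred = base64.b64encode(f"{username}:{api_token}".encode()).decode()
    headers = dict(TAXII_HEADERS, Authorization="Basic " + cred)
    headers["X-RFToken"] = api_token
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def extract_indicators(poll_response_xml):
    """Parse a Poll_Response into [{"type": "ip"|"domain", "value": ...}], feed order.
    Only STIX 1.1.x content blocks are read, and only Address / DomainName observables
    are kept; anything else (e.g. an Artifact carrying base64 binary) is dropped."""
    root = ET.fromstring(poll_response_xml)
    if root.tag != "{%s}Poll_Response" % TAXII_11:
        raise ValueError("not a TAXII 1.1 Poll_Response: " + root.tag)
    found = []
    for block in root.findall("taxii_11:Content_Block", NS):
        binding = block.find("taxii_11:Content_Binding", NS)
        if binding is None or not binding.get("binding_id", "").startswith("urn:stix.mitre.org:xml:1.1"):
            continue  # skip non-STIX payloads
        for props in block.iterfind(".//cybox:Object/cybox:Properties", NS):
            xsi_type = props.get("{%s}type" % NS["xsi"], "")
            if xsi_type == "AddressObj:AddressObjectType":
                kind, value = "ip", props.findtext("AddressObj:Address_Value", "", NS).strip()
            elif xsi_type == "DomainNameObj:DomainNameObjectType":
                kind, value = "domain", props.findtext("DomainNameObj:Value", "", NS).strip()
            else:
                continue  # Artifact, File, ...: not ingested
            if value:
                found.append({"type": kind, "value": value})
    return found


# Constructed Poll_Response: one IP, one domain, one Artifact (the Artifact must be dropped).
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1" collection_name="ip_full" more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
          xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
          xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
          xmlns:ArtifactObj="http://cybox.mitre.org/objects#ArtifactObject-2"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:package-1" version="1.1.1">
        <stix:Indicators>
          <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-1"><indicator:Observable><cybox:Object>
            <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
              <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value></cybox:Properties>
          </cybox:Object></indicator:Observable></stix:Indicator>
          <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-2"><indicator:Observable><cybox:Object>
            <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
              <DomainNameObj:Value>bad.example.net</DomainNameObj:Value></cybox:Properties>
          </cybox:Object></indicator:Observable></stix:Indicator>
          <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-3"><indicator:Observable><cybox:Object>
            <cybox:Properties xsi:type="ArtifactObj:ArtifactObjectType">
              <ArtifactObj:Raw_Artifact>QUJDRA==</ArtifactObj:Raw_Artifact></cybox:Properties>
          </cybox:Object></indicator:Observable></stix:Indicator>
        </stix:Indicators>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

if __name__ == "__main__":
    print(build_poll_request("ip_full").decode())
    print(extract_indicators(SAMPLE_POLL_RESPONSE))
```

Run it as-is to see the request Darktrace will send and the two indicators the constructed response yields. To test real credentials before touching the Darktrace UI, call `send_poll(poll_url, "RF_DarkTrace", api_token, build_poll_request("ip_full"))` and pass the returned bytes to `extract_indicators`; an HTTP 401 at that step means the token or username is wrong, and a `ValueError` means the server answered with something other than a Poll_Response (typically a TAXII Status_Message naming the problem, for example an unknown collection).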
Support
For more information, please contact support@darktrace.com.