Devo: Getting Started

Introduction

The Recorded Future integration with Devo helps Devo users make informed verdicts by ingesting Recorded Future Threat Lists into Devo as Lookup Tables. The Threat Lists are CSV files containing enriched lists of entities associated with cyber threats. These Lookup Tables include IP Address, Domain, and File Hash entities.

Partner Website: https://devo.com/resources/solution-brief/devo-and-recorded-future/

Prerequisites

  • Valid Recorded Future API token

Installation Steps

  1. Configure a new collector for Recorded Future in your Devo environment. Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
    • url_value: The endpoint the collector pulls data from (see the full installation guide for the list of valid url_value entries).
    • api_token_value: The access token provided by Recorded Future.
    • list_of_sources: The data sources to pull (see the full installation guide for the list of available data sources).
  2. Run the collector. There are two options for running the newly configured collector for Recorded Future intelligence:
    • Cloud Collector: You can send Devo the required information if you want us to host and manage the collector for you.
    • On-Prem Collector: Deploy and host the collector on your own machine using a Docker image.
    • See the ‘Run the collector’ section of the Recorded Future Devo documentation for more information about each scenario.
  3. For customers running Cloud Connectors, take the following steps to enable the collector:
    1. In the Collector Server GUI, access the domain in which you want this instance to be created.
    2. Click Add Collector and find the one you wish to add.
    3. In the Version field, select the latest value.
    4. In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
    5. In the sending method, select Direct Send. Direct Send configuration is optional for collectors that create Table events, but mandatory for those that create Lookups.
    6. In the Parameters section, set the Collector Parameters as follows:

    {
      "global_overrides": {
        "debug": <debug_status>
      },
      "inputs": {
        "recorded_future": {
          "id": "<short_unique_id>",
          "enabled": <input_status>,
          "requests_per_second": <requests_per_second_value>,
          "base_url": <url_value>,
          "credentials": {
            "api_token": "<api_token_value>"
          },
          "services": {
            "lookup_puller": {
              "types": <list_of_sources>
            }
          }
        }
      }
    }
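A pre-flight check for the filled-in parameters, as an added example (not Recorded Future or Devo code): it confirms the JSON parses, that every key from the template above is present, and that no `<placeholder>` is left, without echoing the API token. The https requirement, the non-empty list for types, and all sample values are assumptions made for this example.

```python
import json

# Key paths taken from the parameter template in step 6.
RF = ("inputs", "recorded_future")
REQUIRED = [
    ("global_overrides", "debug"),
    RF + ("id",), RF + ("enabled",), RF + ("requests_per_second",),
    RF + ("base_url",), RF + ("credentials", "api_token"),
    RF + ("services", "lookup_puller", "types"),
]

def lookup(doc, path):
    """Walk a key path; return None if any level is absent (or null)."""
    for key in path:
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def check_parameters(text):
    """Return a list of problems; an empty list means every check passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Unquoted <placeholders> still in the template end up here.
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    problems = []
    for name, value in ((".".join(p), lookup(doc, p)) for p in REQUIRED):
        if value is None:
            problems.append(f"{name}: missing")
        elif isinstance(value, str) and (not value.strip() or "<" in value):
            # Report the key only, never the value: it may be the API token.
            problems.append(f"{name}: empty or unfilled placeholder")
    base_url = lookup(doc, RF + ("base_url",))
    if isinstance(base_url, str) and not base_url.startswith("https://"):
        problems.append("inputs.recorded_future.base_url: not an https:// URL")
    types = lookup(doc, RF + ("services", "lookup_puller", "types"))
    if types is not None and not (isinstance(types, list) and types):
        problems.append("inputs.recorded_future.services.lookup_puller.types: expected a non-empty list")
    return problems

# Constructed sample values: not a real endpoint, token, or source name.
SAMPLE = """{"global_overrides": {"debug": false}, "inputs": {"recorded_future": {
  "id": "12345", "enabled": true, "requests_per_second": 5,
  "base_url": "https://rf.example.invalid", "credentials": {"api_token": "constructed-token"},
  "services": {"lookup_puller": {"types": ["constructed_source"]}}}}}"""

if __name__ == "__main__":
    print(check_parameters(SAMPLE) or "parameters look complete")
```

Run it against the JSON you intend to paste into the Parameters section; valid values for base_url and types still come from the full installation guide.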

Support

For more information, please contact Devo support at support@devo.com.

 

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.