Introduction
Ingest Recorded Future threat lists with Elastic Agent in order to set correlation searches to identify malicious indicators and enrich IOCs with Recorded Future context.
Partner Website: https://www.elastic.co/
Prerequisites
- Python 3.8+
- Requires Elastic version 8 or greater
- Elasticsearch and Kibana credentials
- Recorded Future Connect API Token
- Recorded Future platform account for accessing content when pivoting outside of ELK to the Recorded Future platform
Installation Steps
The Recorded Future integration fetches risklists from the Recorded Future API. It supports domain, hash, IP, and URLentities. Ingest threat intelligence indicators from Recorded Future risk lists with Elastic Agent.
To use Recorded Future risklists, you need to define the entity and list to fetch. Find machine names for risk rules on the following Recorded Future support pages:
Image below is an example rule configuration. You would set this up to monitor the desired indexes:
Update Lists Pulled by the Integration
The integration policies for this integration can take lists available on the Connect API/risklist endpoint
The ingested IOCs expire after certain duration. An Elastic Transform is created to facilitate only active IOCs being available to the end users. This transform creates a destination index named logs-ti_recordedfuture_latest.threat-1 that only contains active and unexpired IOCs.
The destination index also has an alias logs-ti_recordedfuture_latest.threat. When setting up indicator match rules, use this latest destination index to avoid false positives from expired IOCs. Please read the ILM Policy, which is added to avoid unbounded growth on source .ds-logs-ti_recordedfuture.threat-* indices.
Support
Please reach out to your Elastic Support team at support@elastic.com for further queries and assistance needed during the installation.
To include Recorded Future Alerts in your Elastic integration, please submit your request to support@recodedfuture.com.