Table of Contents
Introduction
With the Recorded Future integration for ThreatQuotient, you can ingest threat intelligence data in its entirety or filter it based on thresholds, risk scores, or other customizable parameters. The integration enables data enrichment for IP addresses, FQDNs, CVEs, and hashes (MD5, SHA1, SHA256, SHA384, SHA512). Leveraging the Recorded Future Action Bundle, supported object types from a data collection are sent to the Recorded Future API, which returns risk scores and associated rules for identified Indicators of Compromise, enhancing your threat prioritization and response.
Prerequisites
- Active Recorded Future API token
- The following is required to install and run the integration:
- MITRE ATT&CK attack patterns must have already been ingested by a previous run of the MITRE.
- ATT&CK feeds in order for MITRE ATT&CK attack patterns ingested by the Analyst Note feed to be created. MITRE ATT&CK attack patterns are ingested from the following feeds:
- MITRE Enterprise ATT&CK
- MITRE Mobile ATT&CK
- MITRE PRE-ATT&CK
Installation Steps
- Log into https://marketplace.threatq.com/.
- Locate and download the integration file.
- Navigate to the integrations management page on your ThreatQuotient instance.
- Click on the Add New Integration button.
- Upload the integration yaml file using one of the following methods:
- Drag and drop the yaml file into the dialog box
- Select Click to Browse to locate the yaml file on your local machine
- Select the individual feeds to install, when prompted, and click Install. The feed will be added to the integrations page.
- You will still need to configure and then enable the feed.
- See the configuration guide (attached at bottom of this article) for the full list of configurations for the Recorded Future for ThreatQuotient integration.
Support
For integration support, please go to https://www.threatq.com/company/contact/.