Introduction
Recorded Future for Google Security Operations integrates Recorded Future intelligence across the Google Security Operations platform. On the SIEM side it ingests Recorded Future indicators and their risk context for enrichment and correlation, so that security incidents can be triaged faster. On the SOAR side it ingests Recorded Future Alerts and automates their enrichment and response, giving a more efficient security operations workflow.
Mutual Use Cases
The combination of Recorded Future intelligence with Google SecOps enables customers to address critical security use cases across the SIEM and SOAR components:
- Automated Alert Triage & Enrichment: Automatically enrich high-volume alerts in SOAR with real-time threat context (Risk Score, Risk Rules, Insikt Notes), enabling analysts to quickly prioritize and focus on the most dangerous threats.
- Vulnerability Prioritization: Enrich CVEs and vulnerability data with real-time threat context to prioritize patching and mitigation efforts based on evidence of active exploitation or discussion in the underground.
- Proactive Threat Hunting & Detection: Leverage continuously updated Recorded Future Indicators of Compromise (IoCs) to search and hunt for threats that may have already bypassed perimeter defenses, reducing dwell time.
- Third-Party Risk Management: Automate the monitoring and triage of alerts related to compromised third-party companies, ensuring rapid response to supply chain risks.
- Identity Exposure Mitigation: Automate the investigation and remediation process for exposed credentials and compromised hosts found on the dark web.
- Digital Asset Protection: Automatically detect and respond to threats like domain abuse or code repository leakage that put your external assets at risk.
Integration Components & Available Content
Our content pack provides all the necessary components for a seamless integration with Google SecOps:
SIEM (Threat Intelligence Detection) Assets
| Asset Type | Asset Name(s) | Description |
|---|---|---|
| IoC Types | IP Addresses, Domains, URLs, File Hashes | Continuously delivered indicators with associated risk scores. |
| Parser | standard_risklist.conf | A custom parser that maps Recorded Future IoC data to Google's Unified Data Model (UDM) so that ingested indicators can be correlated immediately. |
| Dashboards | Recorded Future Ingestion | Monitors the health and operational status of the threat intelligence feed: total indicator count, ingestion over time, and a breakdown by entity type. |
| Dashboards | Recorded Future IOC Matches | Tracks matches against your security log data: total match counts, matches by risk score distribution, and the top malicious IPs and domains found in your environment. |
| Detection Rules (YARA-L) | rf_domain_correlation | Correlates malicious domains from Recorded Future Risk Lists with internal network traffic logs. |
| Detection Rules (YARA-L) | rf_hash_correlation | Correlates malicious file hashes (SHA256) from Risk Lists with log sources such as endpoint logs, Windows events, and vulnerability scan logs. |
| Detection Rules (YARA-L) | rf_ip_correlation | Correlates malicious IPs from Recorded Future Risk Lists with internal network connection logs. |
| Detection Rules (YARA-L) | rf_url_correlation | Correlates malicious URLs from Recorded Future Risk Lists with network HTTP logs. |
SOAR (Automation and Response) Assets
| Asset Type | Asset Name(s) | Focus |
|---|---|---|
| Actions | Enrich IOC, Enrich CVE, Add Analyst Note | Over a dozen actions for on-demand enrichment of observables and management of security cases directly from a playbook or the SOAR workbench. |
| Connector | Recorded Future - Security Alerts Connector | Ingests Playbook Alerts directly from the Recorded Future platform into SOAR cases; it is the trigger for all the custom playbooks below. |
| Playbooks | Refresh RF Code Repo Leakage | Automates enrichment and assessment of alerts about company code, credentials, and configuration files exposed on public code repositories. |
| Playbooks | Refresh RF Cyber Vulnerability | Automates enrichment and triage of alerts about actively discussed vulnerabilities (CVEs), with details on the affected products and related Insikt Notes. |
| Playbooks | Refresh RF Domain Abuse | Automates enrichment, DNS lookup, and WHOIS retrieval for alerts about abusive domains targeting the company brand or assets. |
| Playbooks | Refresh RF Identity Exposures | Automates enrichment and investigation of novel identity exposures and compromised credentials, with context on the malware, host, and dump involved. |
| Playbooks | Refresh RF Third Party Risk | Automates enrichment and triage of alerts about third-party supply chain risk, including the company involved and its risk score. |
Integration and Ingestion Best Practices
The integration process involves setting up both the SIEM component (for continuous data ingestion) and the SOAR component (for automated enrichment and response).
1. SIEM Integration (Threat Intelligence Ingestion)
The goal is to deliver and manage fresh, actionable threat intelligence into the Google SecOps SIEM.
- Best Practices:
  - Schedule the ingestion job to run at least daily so that IoC data stays fresh; a stale risk list produces stale matches and misses newly observed infrastructure.
  - Install the provided custom parser (standard_risklist.conf) in the Google SecOps console so that the ingested data is correctly interpreted and mapped to UDM fields.
- High-Level Installation Steps: Deploy the Google Cloud Run and Cloud Scheduler resources for the ingestion script, then install the custom parser and the YARA-L rules in the Google SecOps console.
- For full deployment details, please refer to the GitHub repository: RecordedFuture GSecOps SIEM Integration
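As an added example, not code from the Recorded Future content pack or its GitHub repository, the following Python sketches what the standard_risklist.conf parser and the four rf_*_correlation rules listed above do, together with the freshness gate the "at least daily" best practice implies: it reads constructed risk list CSVs into indicator records, matches UDM-like events against them by event type, and refuses a list that is too old. The risk list column layout, the UDM field paths, the event type names and the 65 risk-score threshold are assumptions made for the example; the shipped YARA-L rules and parser are the authoritative versions.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample risk lists, one per IoC type, built from reserved test
# values (RFC 5737 addresses, .test/.example names, a synthetic hash). The
# column layout (Name, Risk, RiskString, EvidenceDetails) is assumed to match
# the default Recorded Future risk list CSV; check it against the real header.
HEADER = '"Name","Risk","RiskString","EvidenceDetails"\n'
SAMPLE_RISKLISTS = {
    "IP_ADDRESS": HEADER
    + '"203.0.113.10","89","2/60","{""EvidenceDetails"": [{""Rule"": ""Recent C&C Server"", ""Criticality"": 4}, {""Rule"": ""Historical Threat Researcher"", ""Criticality"": 1}]}"\n'
    + '"198.51.100.7","25","1/60","{""EvidenceDetails"": [{""Rule"": ""Historical Spam Source"", ""Criticality"": 1}]}"\n',
    "DOMAIN": HEADER
    + '"example-bad.test","72","1/60","{""EvidenceDetails"": [{""Rule"": ""Recent Phishing Host"", ""Criticality"": 3}]}"\n',
    "URL": HEADER
    + '"http://evil.example/Login","91","1/60","{""EvidenceDetails"": [{""Rule"": ""Recent Malware Distribution"", ""Criticality"": 4}]}"\n',
    "HASH": HEADER
    + '"' + "deadbeef" * 8 + '","80","1/60","{""EvidenceDetails"": [{""Rule"": ""Linked to Malware"", ""Criticality"": 3}]}"\n',
}

# UDM-like field each correlation rule inspects, keyed by event type. The paths
# are illustrative (assumed), not the exact UDM names the shipped rules use.
EVENT_FIELDS = {
    "NETWORK_CONNECTION": ("IP_ADDRESS", ("target", "ip")),                # rf_ip_correlation
    "NETWORK_DNS": ("DOMAIN", ("network", "dns", "question_name")),        # rf_domain_correlation
    "NETWORK_HTTP": ("URL", ("target", "url")),                            # rf_url_correlation
    "PROCESS_LAUNCH": ("HASH", ("target", "process", "file", "sha256")),   # rf_hash_correlation
}

def normalize(entity_type, value):
    """Match key: IPs, domains and hex hashes are case-insensitive; URL paths are not."""
    value = value.strip()
    return value if entity_type == "URL" else value.lower()

def parse_risklist(csv_text, entity_type):
    """Parser step: one indicator record per CSV row, with the numeric risk
    score and the names of the risk rules that fired (from EvidenceDetails)."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        evidence = json.loads(row["EvidenceDetails"]).get("EvidenceDetails", [])
        records[normalize(entity_type, row["Name"])] = {
            "entity_type": entity_type,
            "value": row["Name"],
            "risk_score": int(row["Risk"]),
            "risk_rules": [e["Rule"] for e in evidence],
        }
    return records

def load_risklists(risklists):
    return {etype: parse_risklist(text, etype) for etype, text in risklists.items()}

def _get(obj, path):
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def correlate(events, iocs, min_risk=65):
    """Rule step: one match per event whose inspected field equals an indicator
    scored at or above min_risk (65 is an assumed cut-off; low scores are noise)."""
    matches = []
    for event in events:
        spec = EVENT_FIELDS.get(event.get("event_type"))
        if spec is None:
            continue  # event type none of the rules look at
        entity_type, path = spec
        observed = _get(event, path)
        if not observed:
            continue
        hit = iocs.get(entity_type, {}).get(normalize(entity_type, str(observed)))
        if hit is None or hit["risk_score"] < min_risk:
            continue
        matches.append({"event_id": event.get("id"), "entity_type": entity_type,
                        "indicator": hit["value"], "risk_score": hit["risk_score"],
                        "risk_rules": hit["risk_rules"]})
    return matches

def risklist_is_fresh(generated_at, now=None, max_age_hours=24):
    """Ingestion gate: a list older than max_age_hours is not current.
    Timestamps are ISO 8601 strings with a UTC offset."""
    generated = datetime.fromisoformat(generated_at)
    current = datetime.fromisoformat(now) if now else datetime.now(timezone.utc)
    return current - generated <= timedelta(hours=max_age_hours)

# Constructed UDM-like events: e2 is a low-risk hit, e4 and e7 are clean.
SAMPLE_EVENTS = [
    {"id": "e1", "event_type": "NETWORK_CONNECTION", "target": {"ip": "203.0.113.10"}},
    {"id": "e2", "event_type": "NETWORK_CONNECTION", "target": {"ip": "198.51.100.7"}},
    {"id": "e3", "event_type": "NETWORK_DNS", "network": {"dns": {"question_name": "Example-Bad.TEST"}}},
    {"id": "e4", "event_type": "NETWORK_HTTP", "target": {"url": "http://benign.example/"}},
    {"id": "e5", "event_type": "NETWORK_HTTP", "target": {"url": "http://evil.example/Login"}},
    {"id": "e6", "event_type": "PROCESS_LAUNCH", "target": {"process": {"file": {"sha256": "DEADBEEF" * 8}}}},
    {"id": "e7", "event_type": "USER_LOGIN", "principal": {"user": {"userid": "alice"}}},
]
```

Running `correlate(SAMPLE_EVENTS, load_risklists(SAMPLE_RISKLISTS))` returns hits for e1, e3, e5 and e6 only: e2 is suppressed by the risk threshold, and the domain and hash hits show why the match key is normalised (DNS answers and hex digests arrive in mixed case) while URLs are not.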
2. SOAR Integration (Automation and Enrichment)
The goal is to enable analysts to enrich alerts and automate response workflows directly within the SOAR platform.
- Best Practices: The SOAR playbooks automatically update cases with the latest information from the Recorded Future platform, which reduces manual investigation time and keeps triage procedures consistent.
- High-Level Installation Steps: Install the integration from the Google SecOps Marketplace. Authentication uses a user-specific API Key generated in the Recorded Future console; because the key is tied to a user account, keep it in the integration configuration rather than in playbook scripts, and rotate it when that account changes hands.
- For full configuration details, please refer to the Google Cloud documentation: Recorded Future SOAR Integration
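To show the kind of logic the enrichment actions and the Refresh playbooks apply to a case, here is an added Python example that is not the Marketplace integration's own code: it takes enrichment responses in the shape of the Recorded Future Connect API (assumed, with constructed sample data), maps each risk score to a case priority, and composes the text an Add Analyst Note step would write. The API base URL, the X-RFToken header, the score bands and the 65 escalation cut-off are assumptions to verify against your tenant's documentation.

```python
import json
import os
import urllib.parse
import urllib.request

# Connect API base used by the on-demand enrichment actions (assumed for the
# example). The key is read from the environment here; in Google SecOps it
# belongs in the integration configuration, never in a playbook script.
RF_API = "https://api.recordedfuture.com/v2"

# Risk score bands -> case priority. These follow Recorded Future's published
# levels (Very Malicious 90+, Malicious 65-89, Suspicious 25-64, Unusual 5-24);
# confirm them against your tenant before using them for routing.
PRIORITY_BANDS = ((90, "Critical"), (65, "High"), (25, "Medium"), (5, "Low"))
PRIORITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational", "Unknown"]
ESCALATE_AT = 65  # assumed cut-off: Malicious and above escalate the case

def score_to_priority(score):
    for threshold, label in PRIORITY_BANDS:
        if score >= threshold:
            return label
    return "Informational"

def fetch_risk(entity_type, value, token=None):
    """Live 'Enrich IOC' / 'Enrich CVE' style call (not exercised offline).
    entity_type is ip, domain, url, hash or vulnerability; the value is
    percent-encoded because a URL IoC carries slashes and query strings."""
    token = token or os.environ["RF_API_KEY"]
    url = f"{RF_API}/{entity_type}/{urllib.parse.quote(value, safe='')}?fields=risk"
    req = urllib.request.Request(url, headers={"X-RFToken": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def triage(entity_type, value, enrichment):
    """Reduce one enrichment response to what the playbook writes back to the
    case. An empty response (indicator unknown to Recorded Future) yields an
    'Unknown' result instead of an exception that would stall the playbook."""
    risk = ((enrichment or {}).get("data") or {}).get("risk")
    if not risk:
        return {"entity_type": entity_type, "value": value, "score": None,
                "priority": "Unknown", "rules": [], "escalate": False}
    score = int(risk.get("score", 0))
    rules = [f'{e["rule"]} ({e.get("criticalityLabel", "n/a")})'
             for e in risk.get("evidenceDetails", [])]
    return {"entity_type": entity_type, "value": value, "score": score,
            "priority": score_to_priority(score), "rules": rules,
            "escalate": score >= ESCALATE_AT}

def case_priority(results):
    """Case priority is the most severe priority among its indicators."""
    return min((r["priority"] for r in results), key=PRIORITY_ORDER.index, default="Unknown")

def analyst_note(results):
    """Text for an 'Add Analyst Note' step: one line per indicator, worst first."""
    ranked = sorted(results, key=lambda r: PRIORITY_ORDER.index(r["priority"]))
    lines = [f"Recorded Future triage: case priority {case_priority(results)}"]
    for r in ranked:
        score = "no score" if r["score"] is None else f"score {r['score']}"
        line = f"- {r['entity_type']} {r['value']}: {score}, {r['priority']}"
        if r["rules"]:
            line += "; rules: " + ", ".join(r["rules"])
        lines.append(line)
    return "\n".join(lines)

# Constructed responses in the assumed Connect API v2 shape: one malicious IP
# (RFC 5737 address), one clean domain, one hash Recorded Future has no data for.
SAMPLE_RESPONSES = {
    ("ip", "203.0.113.10"): {"data": {"risk": {
        "score": 89, "level": 3, "criticalityLabel": "Malicious",
        "evidenceDetails": [
            {"rule": "Recent C&C Server", "criticality": 4, "criticalityLabel": "Very Malicious"},
            {"rule": "Historical Threat Researcher", "criticality": 1, "criticalityLabel": "Unusual"}]}}},
    ("domain", "benign.example"): {"data": {"risk": {
        "score": 0, "level": 0, "criticalityLabel": "None", "evidenceDetails": []}}},
    ("hash", "deadbeef" * 8): {"data": {}},
}

def triage_case(responses=SAMPLE_RESPONSES):
    """Triage every indicator on a case from already-fetched enrichment data."""
    return [triage(etype, value, resp) for (etype, value), resp in responses.items()]
```

The design point is that the playbook never hard-fails on a missing risk block: an indicator Recorded Future has not seen is a legitimate outcome, so it is recorded as Unknown and the case priority is driven by the indicators that do have evidence.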
Support
Please reach out to Recorded Future Support at support@recordedfuture.com for further queries and additional assistance needed during the installation process.