Recorded Future Custom Connector updates for ThreatQ
POSTED BY JULIAN DEFRONZO
We have made significant changes to ThreatQ’s Recorded Future Custom Connector to support Recorded Future’s new API changes and additional risk lists. By pulling in additional data from the new risk lists, the ThreatQ threat library becomes more robust and allows for greater context and prioritization.
Additional Risk List Support
In addition to the previously supported High Risk IP list, we’ve now added support for all of the remaining Recorded Future Risk Lists including Domain, Hash and Vulnerability.
Domain Risk List – Imports domains as FQDN indicators, along with risk scores and evidence as associated attributes.
Figure 1: FQDN Indicator from Recorded Future
Hash Risk List – Imports hashes as their specified algorithm type (SHA-256, MD5, etc.), along with risk scores and evidence as associated attributes.
Figure 2: MD5 Indicator from Recorded Future
Vulnerability Risk List – Imports vulnerabilities (CVEs, Microsoft Security Bulletins, Red Hat Security Announcements, etc.) as String indicators, along with risk scores and evidence as associated attributes.
Figure 3: CVE (as String) Indicator from Recorded Future
Once you have the new connector installed, simply navigate to Incoming Feeds » ThreatQ Labs to configure the connector settings:
- Enter your Recorded Future token
- Specify which risk lists you want to poll, as a comma-separated list. Valid values are hash, vulnerability, ip, and domain.
Figure 4: Recorded Future Custom Connector Settings
Then rerun the connector to start pulling in the configured risk list data.
To learn more about how ThreatQ and Recorded Future work together, read about Project Honey Maid.