We have made significant changes to ThreatQ’s Recorded Future Custom Connector to support Recorded Future’s new API changes and additional risk lists. By pulling in additional data from the new risk lists, the ThreatQ threat library becomes more robust and allows for greater context and prioritization.

Additional Risk List Support

In addition to the previously supported High Risk IP list, we’ve now added support for all of the remaining Recorded Future Risk Lists including Domain, Hash and Vulnerability.

Domain Risk List – Imports domains as FQDN indicators, along with risk scores and evidence as associated attributes.

Figure 1: FQDN Indicator from Recorded Future

Hash Risk List – Imports hashes as their specified algorithm type (SHA-256, MD-5, etc.), along with risk scores and evidence as associated attributes.

Figure 2: MD5 Indicator from Recorded Future

Vulnerability Risk List – Imports vulnerabilities (CVEs, Microsoft Security Bulletins, Red Hat Security Announcements, etc.) as String indicators, along with risk scores and evidence as associated attributes

Figure 3: CVE (as String) Indicator from Recorded Future

Setup

Once you have the new connector installed, simply navigate to Incoming Feeds » ThreatQ Labs to configure the connector settings:

1. Enter your Recorded Future token
2. Specify what risk lists you want to poll in comma-separated format. Valid values are hash, vulnerability, ip, and domain.

Figure 4: Recorded Future Custom Connector Settings

Then rerun the connector to start pulling in the configured risk list data, as shown below:

To learn more about how ThreatQ’s threat intelligence platform and Recorded Future work together, read about Project Honey Maid.