Recorded Future

Overview

The Security Flow Recorded Future Plugin exposes and automates the enrichment of incidents with threat intelligence using either cached risk list data or up-to-date information from the Recorded Future API. This plugin enriches domain, file hash, IP address, and URL Indicators of Compromise (IoCs).

Functionality

The Recorded Future Plugin provides the functionality to gather threat intelligence on domains, hashes, IP addresses, and URLs.

When risk lists are enabled, changes to a plugin instance’s risk list configuration will trigger a pull. The following rules apply for risk list updates:

  • Changing any setting will not interrupt an existing risk list pull.
  • Enabling the risk list pull will trigger the queuing of a pull request.
  • Changing the risk list name will trigger the queuing of a pull request.
  • The risk list cache entries are updated based on the following refresh cycle.
    • Domains – Two (2) hours
    • Hashes – One day
    • IP Addresses – Hourly
    • URLs – Two (2) hours
  • The risk list cache entries expire, i.e. are removed from the cache, based on aging out according to the refresh cycles.
  • Until cached, a risk list check will fail to find the threat intelligence.
  • The risk list cache is periodically checked once every five (5) minutes.
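The refresh, expiry and fallback rules above, as an added example in JavaScript (not the plugin's own code). The `RiskListCache` class, its `enable`, `completePull`, `tick` and `lookup` methods, the sample risk list contents and the stand-in Connect API lookup are all assumptions of this example; the five-minute periodic check is represented by calling `tick` explicitly with a clock value.

```javascript
// Added example (not Nevelex Labs or Recorded Future code): a small model of the
// risk list cache rules described above, so that refresh, expiry and fallback
// behaviour can be exercised offline. All list contents here are constructed.

const HOUR_MS = 60 * 60 * 1000;

// Refresh cycle per IoC type, as listed in the Functionality section.
const REFRESH_MS = {
  domain: 2 * HOUR_MS,
  hash: 24 * HOUR_MS,
  ip: 1 * HOUR_MS,
  url: 2 * HOUR_MS,
};

// Constructed stand-in for a completed risk list pull: type -> { ioc: riskScore }.
const SAMPLE_PULL = {
  domain: { 'bad.example': 91, 'odd.example': 30 },
  ip: { '192.0.2.10': 70 },
};

class RiskListCache {
  // fallbackToApi mirrors "Fallback to Connect API if not Found in Risk List";
  // apiLookup is a hypothetical function standing in for the Connect API call.
  constructor({ fallbackToApi = false, apiLookup = null } = {}) {
    this.fallbackToApi = fallbackToApi;
    this.apiLookup = apiLookup;
    this.entries = {};        // type -> Map(ioc -> { score, loadedAt })
    this.enabled = new Set(); // IoC types with caching enabled
    this.pullQueue = [];      // IoC types waiting for a pull
  }

  // Enabling a list (or changing its name) queues a pull; nothing is cached yet,
  // so lookups fail until the pull completes.
  enable(type) {
    this.enabled.add(type);
    if (!this.pullQueue.includes(type)) this.pullQueue.push(type);
  }

  // Called when a queued pull completes; replaces the cached list for that type.
  completePull(type, risklist, now) {
    this.pullQueue = this.pullQueue.filter((t) => t !== type);
    const m = new Map();
    for (const [ioc, score] of Object.entries(risklist)) m.set(ioc, { score, loadedAt: now });
    this.entries[type] = m;
  }

  // The periodic (five-minute) check: entries older than their refresh cycle are
  // aged out, and an emptied list gets a fresh pull queued.
  tick(now) {
    for (const type of this.enabled) {
      const m = this.entries[type];
      if (!m) continue;
      for (const [ioc, rec] of m) {
        if (now - rec.loadedAt >= REFRESH_MS[type]) m.delete(ioc);
      }
      if (m.size === 0 && !this.pullQueue.includes(type)) this.pullQueue.push(type);
    }
  }

  // Lookup order: cached risk list first, then the API only if fallback is enabled.
  // Returns null when neither source knows the IoC (the check fails to find intel).
  lookup(type, ioc) {
    const rec = this.entries[type] && this.entries[type].get(ioc);
    if (rec) return { score: rec.score, risklistCache: true };
    if (this.fallbackToApi && this.apiLookup) {
      const score = this.apiLookup(type, ioc);
      if (score !== null) return { score, risklistCache: false };
    }
    return null;
  }
}

// Walks through the rules with the constructed data and returns the observations.
function demo() {
  const apiScores = { 'api-only.example': 65 }; // constructed stand-in for API answers
  const cache = new RiskListCache({
    fallbackToApi: true,
    apiLookup: (type, ioc) => (ioc in apiScores ? apiScores[ioc] : null),
  });
  const t0 = 0;
  cache.enable('domain');
  const beforePull = cache.lookup('domain', 'bad.example');   // null: pull still queued
  cache.completePull('domain', SAMPLE_PULL.domain, t0);
  const fromCache = cache.lookup('domain', 'bad.example');    // served from the risk list
  const fromApi = cache.lookup('domain', 'api-only.example'); // not cached, falls back to API
  cache.tick(t0 + 2 * HOUR_MS);                               // domain cycle has elapsed
  const afterExpiry = cache.lookup('domain', 'bad.example');  // aged out; API has no answer
  return { beforePull, fromCache, fromApi, afterExpiry, queued: cache.pullQueue.slice() };
}
```

With fallback disabled, `fromApi` and `afterExpiry` would both be null, which is the situation the "Until cached, a risk list check will fail" rule describes.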

Instance Configuration Parameters

Instance Name
    Name for the Recorded Future instance.

Unique ID
    A system-wide unique identifier for this plugin instance used to locate the service.

API Key
    API key used to access the Recorded Future services.

Fallback to Connect API if not Found in Risk List
    Boolean value determining whether the Recorded Future API should be queried about a specific Indicator of Compromise (IoC) when it is not found in the risk list cache. This setting determines the behavior of the NL Recorded Future node and the NL Broadcast Gather Threat Intelligence node.

Enable Domain Risk List Caching
    Enables caching a domain risk list. The selected Domain Risk List will be refreshed approximately once every two hours.

Domain Risk List
    The name of the domain risk list to cache. The drop-down is seeded with the available lists.

Enable Hash Risk List Caching
    Enables caching a hash risk list. The selected Hash Risk List will be refreshed approximately once a day.

Hash Risk List
    The name of the hash risk list to cache. The drop-down is seeded with the available lists.

Enable IP Address Risk List Caching
    Enables caching an IP address risk list. The selected IP Address Risk List will be refreshed approximately hourly.

IP Address Risk List
    The name of the IP address risk list to cache. The drop-down is seeded with the available lists.

Enable URL Risk List Caching
    Enables caching a URL risk list. The selected URL Risk List will be refreshed approximately once every two hours.

URL Risk List
    The name of the URL risk list to cache. The drop-down is seeded with the available lists.

Flow Node

Communication node which controls the Nevelex Labs Recorded Future Plugin Instance by directly querying the Recorded Future Connect API or by using the cached risk lists. The risk lists are used by default if they are enabled. If the plugin instance has Fallback to Connect API if not Found in Risk List enabled, the node will make a Recorded Future API request if the IoC is not found in the risk list.

Name
    The display name of the node within the flows.

Unique ID
    System-wide unique ID of the plugin instance.

Report Type
    Configuration option determining the type of Recorded Future API call to make or risk list cache to search:

    • Search Within: dynamically search in the message and perform operations based on the IoC type found
    • Domain Report: Request a report for the specified Domain
    • File Hash Report: Request a report for the specified hash
    • IP Address Report: Request a report for the specified IP Address
    • URL Report: Request a report for the specified URL

Search Within / Domain / File Hash / IP Address / URL
    This field defines the location in the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report. The following contexts are supported:

    • msg: This selects part of the incoming message as the source of the data. This is the typical choice.
    • flow: This selects part of the flow context’s saved data as the source. This information is shared only with the nodes on a given tab.
    • global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
    • J: expression: JSONata expression language to perform query and transform operations on the payload.

Utility node to route a message based on the detection level set for a Recorded Future report. It analyzes the results from the NL Recorded Future node and sets msg.payload.recordedfuture.nl_detections to 1, indicating a detection, or 0, indicating no detection, based on the configured risk score setting. The risk score is found at the msg.payload.recordedfuture.response.data.risk.score field within the report.

Name
    The display name of the node within the flows.

Risk Score Detection
    Defines the comparison used to indicate that a report detection has been made. The following values are supported:

    • Unusual (>= 5)
    • Suspicious (>= 25)
    • Malicious (>= 65)
    • Very Malicious (>= 90)

Audit Missing Report
    If checked, a missing report audit message will be added to the Incident’s timeline.


JSON Message Format

The following samples show the JSON content added to the message payload, which conforms to the Node Messaging Format. The content exists within the recordedfuture object.

Success

The following content is inserted into the message payload upon a successful request from a cached risk list. There is more information in the API request response than is shown here; the response has been trimmed for readability.

"payload": {
  "recordedfuture": {  
    "topic": "/nevelexlabs/event/3ef51ea7.b9c29a/domainreportreply",
    "response": {
      "data": {
        "risk": {
          "rules": 2,
          "score": 91,
          "riskString": "2/34",
          "criticality": 4,
          "riskSummary": "2 of 34 Risk Rules currently observed.",
          "evidenceDetails": [ ... ],
          "criticalityLabel": "Very Malicious"
        },
        "entity": {
          "name": "IOC"
          ...
        },
        "intelCard": "https://app.recordedfuture.com/live/sc/entity/idn%3A..."
      },
      "risklistCache": true
    }
  }
}

Error

The following content is inserted into the message payload upon a failed request.

"payload": {
  "recordedfuture": {
    "error": {
      "error_code": 5,
      "error_message": "Error text"
    }
  }
}
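The risk score comparison performed by the routing node described above, applied to messages in the two documented shapes, as an added JavaScript example (not the plugin's own code). The `RISK_LEVELS` table reflects the four documented levels; `successMessage`, `errorMessage`, `evaluateDetection` and `routeMessages` are names assumed by this example, the node id in the sample topic is a placeholder, a message without a report is treated as no detection (an assumption), and the `timeline` array stands in for the incident timeline that Audit Missing Report writes to.

```javascript
// Added example (not Nevelex Labs or Recorded Future code): the risk score check
// the routing node performs, run over messages in the documented JSON format.
// Both sample messages are constructed here and trimmed like the documented ones.

// Detection levels as listed under "Risk Score Detection".
const RISK_LEVELS = {
  Unusual: 5,
  Suspicious: 25,
  Malicious: 65,
  'Very Malicious': 90,
};

// Constructed success message in the documented shape; the node id in the topic
// is a placeholder, not a real one.
function successMessage(score, label) {
  return {
    payload: {
      recordedfuture: {
        topic: '/nevelexlabs/event/<node-id>/domainreportreply',
        response: {
          data: {
            risk: { score, criticalityLabel: label },
            entity: { name: 'IOC' },
          },
          risklistCache: true,
        },
      },
    },
  };
}

// Constructed error message in the documented shape.
function errorMessage() {
  return {
    payload: { recordedfuture: { error: { error_code: 5, error_message: 'Error text' } } },
  };
}

// Returns the risk score from the report, or null when there is no report to score
// (the recordedfuture object is absent, carries an error, or has no numeric risk.score).
function riskScore(msg) {
  const rf = msg && msg.payload && msg.payload.recordedfuture;
  if (!rf || rf.error || !rf.response) return null;
  const risk = rf.response.data && rf.response.data.risk;
  return risk && typeof risk.score === 'number' ? risk.score : null;
}

// Sets msg.payload.recordedfuture.nl_detections to 1 or 0 for the chosen level and
// returns that value. A message without a report counts as no detection (an
// assumption of this example); when auditMissing is set, a note is pushed to
// `timeline`, a constructed stand-in for the incident timeline.
function evaluateDetection(msg, level, auditMissing = false, timeline = []) {
  const threshold = RISK_LEVELS[level];
  if (threshold === undefined) throw new Error(`unknown detection level: ${level}`);
  const score = riskScore(msg);
  msg.payload = msg.payload || {};
  msg.payload.recordedfuture = msg.payload.recordedfuture || {};
  if (score === null) {
    if (auditMissing) timeline.push('Recorded Future report missing; no risk score to evaluate');
    msg.payload.recordedfuture.nl_detections = 0;
    return 0;
  }
  const detected = score >= threshold ? 1 : 0;
  msg.payload.recordedfuture.nl_detections = detected;
  return detected;
}

// Routes a batch of messages into detections and non-detections.
function routeMessages(msgs, level, auditMissing, timeline) {
  const detected = [];
  const clean = [];
  for (const msg of msgs) {
    (evaluateDetection(msg, level, auditMissing, timeline) ? detected : clean).push(msg);
  }
  return { detected, clean };
}

// Runs three constructed messages through the Malicious (>= 65) level and returns
// what happened so it can be checked.
function demo() {
  const timeline = [];
  const msgs = [successMessage(91, 'Very Malicious'), successMessage(30, 'Suspicious'), errorMessage()];
  const { detected, clean } = routeMessages(msgs, 'Malicious', true, timeline);
  return {
    detected: detected.length,
    clean: clean.length,
    flags: msgs.map((m) => m.payload.recordedfuture.nl_detections),
    audits: timeline.length,
  };
}
```

The error message is deliberately routed as a non-detection rather than silently dropped, so a failed lookup still leaves an `nl_detections` value on the message and, with Audit Missing Report checked, a timeline entry explaining why no score was evaluated.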
©Nevelex Labs, LLC. 2018-2019, All Rights Reserved.