1. Go to Settings >> Configuration >> Recorded Future.
2. Select Settings.
3. Select the Enable Source option to activate the Recorded Future threat source.

   Figure: Configuring Recorded Future

4. Enter the API Key provided by Recorded Future.
5. Select the required Entities. The application fetches and stores the data of the selected entities only.
6. Select the Enable Proxy option to connect to Recorded Future via a proxy server.
7. In the Proxy Configuration section:
   7.1 Enter the IP address and the Port number of the proxy server.
   7.2 Select the HTTP or HTTPS protocol as required.
8. Click Submit.
Note
The data fetched from Recorded Future is stored in the Threat Intelligence database. Therefore, you must use the Threat Intelligence enrichment source while creating an enrichment policy for the Recorded Future application.
The RecordedFuture application enriches the incoming logs with the threat information fetched from Recorded Future. You can find the enriched logs using the Search tab in LogPoint and drill forward on the enriched fields to access the Intelligence Card. Drill forward works only from mapped fields, so you must map the LogPoint fields to the Recorded Future entity types to use the feature.
The application maps the following fields by default:
| LogPoint Taxonomy Field | Recorded Future Entity Type |
|---|---|
| source_address | IP Address |
| destination_address | IP Address |
| ip_address | IP Address |
| device_ip | IP Address |
| host_address | IP Address |
| hash | Hash |
| hash_sha256 | Hash |
| hash_sha1 | Hash |
| domain | Domain |
| url | URL |
| threat | Vulnerability |
Follow these steps to map LogPoint fields to the Recorded Future entity types:
1. Go to Settings >> Configuration >> Recorded Future.
2. Select Drill Forward Settings.
3. Select the Type of entity from the drop-down menu.
4. Enter the LogPoint Taxonomy Field to map the entity type.

   Figure: Mapping LogPoint Field with the Recorded Future Entity Type

5. Click Add.
6. Click Submit.