Recorded Future Connector (new revision)

Guide is in the making

Updated over 4 months ago

Am I reading the correct user guide?

Some connectors on the Vulcan help center offer multiple user guides tailored to different setups and versions.

Click on 'How to connect' on the Connector's setup page to open the right guide for your setup and version, ensuring accuracy and relevance.


Overview

About Recorded Future

Recorded Future uses patented machine learning and natural language processing methods to continuously collect and organize data from open web, dark web, and technical sources. The resulting information is displayed within a software-as-a-service portal.

Why integrate Recorded Future into the Vulcan platform?

The Recorded Future Connector by Vulcan integrates with the Recorded Future platform to enrich vulnerability data based on each vulnerability's CVE. Once the integration is complete, the Vulcan Platform scans the TI findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Recorded Future Connector Details

| Detail | Value |
| --- | --- |
| Supported products | Vulnerability Intelligence |
| Category | Threat Intelligence |
| Ingested asset type(s) | - |
| Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

  • Generate an API Token: Ensure that you have generated an API token from Recorded Future.

  • Acquire the Vulnerability Module: Confirm that you have acquired the Vulnerability Module from Recorded Future. This module is necessary for enabling the token to access the vulnerability API.

Generating API Token

  1. Log in to the Recorded Future Portal.

  2. Click on the menu in the upper right corner and select "User Settings."

  3. In the User Settings menu, navigate to the "API Access" section.

  4. Click on "Generate New API Token."

  5. Enter a name and description for your token.

  6. Click the "Create" button.

  7. Save the generated API token securely.

Configuring the Recorded Future Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Recorded Future icon.

  4. Set up the Connector as follows:

  5. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Recorded Future instance, then click Create (or Save Changes).

  6. The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the Recorded Future icon shows Connected, the sync is complete.


Recorded Future TI in the Vulcan Platform

Viewing vulnerabilities with Recorded Future TI tag in the Vulcan Platform

To view vulnerabilities by Connector:

  1. Go to the Vulnerabilities page.

  2. Click on Filter and set the condition to Vulnerability > Threat Tag is Recorded Future.

Taking Action on vulnerabilities

To take remediation action on vulnerabilities:

  1. Go to the Vulnerabilities or Assets page.

  2. Use the Filter to select vulnerabilities by the Recorded Future Threat Tag and display all matching vulnerabilities with their associated threat tags.

  3. Select the relevant vulnerabilities from the results list.

  4. Click on Take Action to proceed with remediation or further actions.

Automating remediation actions on vulnerabilities

Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.


From Recorded Future to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Recorded Future through the API to pull relevant vulnerability TI data and map it into the Vulcan Platform pages and fields.

TI Card mapping

| Recorded Future field | Vulcan field | API Field | Value Example |
| --- | --- | --- | --- |
| CVE | Unique TI uniqueness criteria | Name | |
| CVE + date | Card title | Name + FirstSeenDate | |
| cve description | Description | Description | |
| last seen date | Last seen | LastSeenDate | |
| score | Risk score | RiskScore | |
| Risk summary | Risk summary | RiskSummary | |
| Analyst Notes | Analyst Notes | AnalystNotes | |
| Observed risk rules | Observed risk rules | RiskEvidenceDetails | |
| Latest reference | Latest reference | Sightings | |
| Total references | Total references | Metrics.[*].totalHits | |
| Total references in the last 60 days | Total references in the last 60 days | Metrics.[*].sixtyDaysHits | |
| Total references in the last 7 days | Total references in the last 7 days | Metrics.[*].sevenDaysHits | |
| Total references today | Total references today | Metrics.[*].oneDayHits | |
| Recorded Future URL | Recorded Future URL | IntelligenceCard | URL to card |

Threat Intelligence mapping

| Recorded Future Risk Score | Vulcan TI Tag |
| --- | --- |
| RiskScore > 89 | 'Recorded Future risk: CRITICAL' |
| 65 <= RiskScore <= 89 | 'Recorded Future risk: HIGH' |
| 25 <= RiskScore <= 64 | 'Recorded Future risk: MEDIUM' |

Support and Expected Behaviour

Notes on supported and expected behavior for data that is, and is not, ingested from Recorded Future:

  • During each data fetch, only CVEs with a severity greater than 25 will be retrieved.

  • If a CVE's severity later decreases to below 25, it will remain in Vulcan, retaining its previous severity level.

API Endpoints in Use

API version: Custom API for the Vulcan ExposureOS Platform

| API | Use in Vulcan | Permissions required |
| --- | --- | --- |
| | check connection | Acquired the vulnerability module |
| | Fetch all CVE data | Acquired the vulnerability module |


Data Validation

This section shows how to ensure the threat intelligence (TI) count and data are aligned between the Vulcan Cyber Platform and Recorded Future.

Matching TI Count

From Vulcan Side

Search Vulnerabilities with Threat Tags:

  1. Navigate to the Vulcan platform.

  2. Go to the "Vulnerabilities" page.

  3. Use the search feature and filter by:

    • Vulnerability > Threat Tags > Recorded Future <TI-Tag>

  4. This filter will show vulnerabilities tagged with Recorded Future threat intelligence.

View Threat Intelligence Data:

  1. Select a vulnerability from the filtered list.

  2. Click on the "Threat Intelligence" tab within the vulnerability details.

  3. Note the details and data provided under this tab.

Compare with Recorded Future:

  1. Log in to the Recorded Future platform.

  2. Search for the same CVE you have in Vulcan.

  3. Verify that the threat intelligence data for the CVE in Recorded Future matches the data in the Vulcan platform under the "Threat Intelligence" tab.

From Recorded Future Side

Search for CVE in Recorded Future:

  1. Log in to the Recorded Future platform.

  2. Use the search feature to find a CVE that is relevant to your organization.

Cross-Check in Vulcan:

  1. Go to the Vulcan platform.

  2. Search for the same CVE in the "Vulnerabilities" page.

  3. Ensure that all vulnerabilities related to the CVE have Recorded Future data under the "Threat Intelligence" tab.

Validating Absence of TI from Recorded Future in Vulcan:

  • If a CVE's severity is below 25, it will not be retrieved.

Filter Vulnerabilities in Vulcan:

  1. In the Vulcan platform, navigate to the "Vulnerabilities" page.

  2. Use the filter/magic search to set the following criteria:

    Vulnerabilities > CVE RiskScore > less than 25

    • Confirm that no vulnerabilities with a CVE risk score below 25 are retrieved from Recorded Future.

    • Verify that the CVEs displayed in Recorded Future with a score less than 25 are not associated with any vulnerabilities in your Vulcan environment.

    • Ensure that these CVEs do not have Recorded Future threat intelligence data under the "Threat Intelligence" tab in Vulcan.
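The comparison described in this section can be scripted once both sides' data is in hand. The following is an added example, not Vulcan or Recorded Future code: the input dictionaries, the report bucket names and the placeholder CVE ids are assumptions, and `rf_scores` is assumed to hold only CVEs that exist in your Vulcan environment. A score of exactly 25 is treated as MEDIUM, following the mapping table.

```python
# Added example: reconcile Recorded Future risk scores with Vulcan threat tags.
# Input shapes are assumptions (plain dicts keyed by CVE), not an export
# format defined by Vulcan or Recorded Future.

def expected_tag(score):
    """Tag per the page's mapping table; None means below the fetch threshold."""
    if score > 89:
        return "Recorded Future risk: CRITICAL"
    if score >= 65:
        return "Recorded Future risk: HIGH"
    if score >= 25:  # the table maps 25..64 to MEDIUM
        return "Recorded Future risk: MEDIUM"
    return None

def reconcile(rf_scores, vulcan_tags):
    """Classify every CVE seen on either side.

    rf_scores:   {cve: current Recorded Future RiskScore}
    vulcan_tags: {cve: Recorded Future threat tag shown in Vulcan}
    """
    report = {"aligned": [], "missing_in_vulcan": [], "retained": [],
              "tag_mismatch": [], "unknown_in_rf": []}
    for cve in sorted(set(rf_scores) | set(vulcan_tags)):
        tag = vulcan_tags.get(cve)
        if cve not in rf_scores:
            report["unknown_in_rf"].append(cve)   # tagged in Vulcan, no score supplied
            continue
        want = expected_tag(rf_scores[cve])
        if want is None and tag is None:
            continue                              # below threshold and correctly absent
        if want is None:
            report["retained"].append(cve)        # score fell below 25 after ingestion
        elif tag is None:
            report["missing_in_vulcan"].append(cve)
        elif tag == want:
            report["aligned"].append(cve)
        else:
            report["tag_mismatch"].append(cve)    # tag does not match the current score
    return report

# Constructed sample data (placeholder CVE ids, not real findings).
RF_SCORES = {"CVE-0000-0001": 93, "CVE-0000-0002": 70, "CVE-0000-0003": 25,
             "CVE-0000-0004": 12, "CVE-0000-0005": 18, "CVE-0000-0006": 66}
VULCAN_TAGS = {"CVE-0000-0001": "Recorded Future risk: CRITICAL",
               "CVE-0000-0002": "Recorded Future risk: MEDIUM",
               "CVE-0000-0003": "Recorded Future risk: MEDIUM",
               "CVE-0000-0005": "Recorded Future risk: HIGH"}

if __name__ == "__main__":
    for bucket, cves in reconcile(RF_SCORES, VULCAN_TAGS).items():
        print(f"{bucket}: {cves}")
```

Entries in `retained` match the behavior noted under Support and Expected Behaviour; entries in `missing_in_vulcan` and `tag_mismatch` are the ones to investigate, starting with the sync status under Log on the Connector's setup page.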

