Overview
About Recorded Future
Recorded Future uses patented machine learning and natural language processing methods to continuously collect and organize data from open web, dark web, and technical sources. The resulting information is displayed within a software-as-a-service portal.
Why integrate Recorded Future into the Vulcan platform?
The Recorded Future Connector by Vulcan integrates with the Recorded Future platform to enrich vulnerability data based on CVE. Once the integration is complete, the Vulcan Platform scans the TI findings to correlate, consolidate, and contextualize the ingested data so that it informs risk and remediation priority.
Recorded Future Connector Details
Supported products | Vulnerability Intelligence |
Category | Threat Intelligence |
Ingested asset type(s) | - |
Integration type | Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction) |
Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Generate an API Token: Ensure that you have generated an API token from Recorded Future.
Acquire the Vulnerability Module: Confirm that you have acquired the Vulnerability Module from Recorded Future. This module is necessary for enabling the token to access the vulnerability API.
Generating API Token
Log in to the Recorded Future Portal.
Click on the menu in the upper right corner and select "User Settings."
In the User Settings menu, navigate to the "API Access" section.
Click on "Generate New API Token."
Enter a name and description for your token.
Click the "Create" button.
Save the generated API token securely.
Configuring the Recorded Future Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Recorded Future icon.
Set up the Connector as follows:
Enter the API Token you generated earlier.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Recorded Future instance, then click Create (or Save Changes).
The Advanced Configuration drop-down allows you to set the Connector's sync time. By default, all days are selected.
Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Recorded Future icon shows Connected, the sync is complete.
Recorded Future TI in the Vulcan Platform
Viewing vulnerabilities with Recorded Future TI tag in the Vulcan Platform
To view vulnerabilities by Connector:
Go to the Vulnerabilities page.
Click on Filter and set the condition to Vulnerability > Threat Tag is Recorded Future.
You can add more filters to narrow down your search further.
See the complete list of available vulnerability filters.
Click on a vulnerability for more vulnerability details.
Taking Action on vulnerabilities
To take remediation action on vulnerabilities:
Go to the Vulnerabilities or Assets page.
Use the Filter to filter vulnerabilities by the Threat Tag Recorded Future connector and display all vulnerabilities with their associated threat tags.
Select the relevant vulnerabilities from the results list.
Click on Take Action to proceed with remediation or further actions.
Automating remediation actions on vulnerabilities
Use Vulcan Playbooks to create automation and remediate vulnerabilities at scale.
From Recorded Future to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Recorded Future through API to pull relevant vulnerability TI data and map it into the Vulcan Platform pages and fields.
TI Card mapping
Recorded Future field | Vulcan field | API Field | Value Example |
CVE | Unique TI uniqueness criteria | Name | |
CVE + date | Card title | Name + FirstSeenDate | |
CVE description | Description | Description | |
Last seen date | Last seen | LastSeenDate | |
Score | Risk score | RiskScore | |
Risk summary | Risk summary | RiskSummary | |
Analyst Notes | Analyst Notes | AnalystNotes | |
Observed risk rules | Observed risk rules | RiskEvidenceDetails | |
Latest reference | Latest reference | Sightings | |
Total references | Total references | Metrics.[*].totalHits | |
Total references in the last 60 days | Total references in the last 60 days | Metrics.[*].sixtyDaysHits | |
Total references in the last 7 days | Total references in the last 7 days | Metrics.[*].sevenDaysHits | |
Total references today | Total references today | Metrics.[*].oneDayHits | |
Recorded Future URL | Recorded Future URL | IntelligenceCard | URL to card |
Threat Intelligence mapping
Recorded Future Risk Score | Vulcan TI Tag |
RiskScore > 89 | 'Recorded Future risk: CRITICAL' |
65 <= RiskScore <= 89 | 'Recorded Future risk: HIGH' |
25 <= RiskScore <= 64 | 'Recorded Future risk: MEDIUM' |
Support and Expected Behaviour
Remarks on support and expected behavior for ingested vs. un-ingested Recorded Future data:
During each data fetch, only CVEs with a severity greater than 25 will be retrieved.
If a CVE's severity later decreases to below 25, it will remain in Vulcan, retaining its previous severity level.
API Endpoints in Use
API version: Custom API for the Vulcan ExposureOS Platform
API | Use in Vulcan | Permissions required |
| Check connection | Acquired the vulnerability module |
| Fetch all CVE data | Acquired the vulnerability module |
Data Validation
This section shows how to ensure the threat intelligence (TI) count and data are aligned between the Vulcan Cyber Platform and Recorded Future.
Matching TI Count
From Vulcan Side
Search Vulnerabilities with Threat Tags:
Navigate to the Vulcan platform.
Go to the "Vulnerabilities" page.
Use the search feature and filter by:
Vulnerability > Threat Tags > Recorded Future <TI-Tag>
This filter will show vulnerabilities tagged with Recorded Future threat intelligence.
View Threat Intelligence Data:
Select a vulnerability from the filtered list.
Click on the "Threat Intelligence" tab within the vulnerability details.
Note the details and data provided under this tab.
Compare with Recorded Future:
Log in to the Recorded Future platform.
Search for the same CVE you have in Vulcan.
Verify that the threat intelligence data for the CVE in Recorded Future matches the data in the Vulcan platform under the "Threat Intelligence" tab.
From Recorded Future Side
Search for CVE in Recorded Future:
Log in to the Recorded Future platform.
Use the search feature to find a CVE that is relevant to your organization.
Cross-Check in Vulcan:
Go to the Vulcan platform.
Search for the same CVE in the "Vulnerabilities" page.
Ensure that all vulnerabilities related to the CVE have Recorded Future data under the "Threat Intelligence" tab.
Validating Absence of TI from Recorded Future in Vulcan:
If a CVE's severity is below 25, it will not be retrieved.
Filter Vulnerabilities in Vulcan:
In the Vulcan platform, navigate to the "Vulnerabilities" page.
Use the filter/magic search to set the following criteria:
Vulnerabilities > CVE RiskScore > less than 25
Confirm that no vulnerabilities with a CVE risk score below 25 are retrieved from Recorded Future.
Verify that the CVEs displayed in Recorded Future with a score less than 25 are not associated with any vulnerabilities in your Vulcan environment.
Ensure that these CVEs do not have Recorded Future threat intelligence data under the "Threat Intelligence" tab in Vulcan.
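The manual comparison above can be run in bulk against the Threat Intelligence mapping table. The following is an added example, not Vulcan or Recorded Future code: the `Name` and `RiskScore` keys follow the API Field column, while the Vulcan CVE-to-tag dictionary, the function names, and the sample data are assumptions constructed for illustration.

```python
# Thresholds come from the "Threat Intelligence mapping" table on this page.
# Both input shapes are constructed for illustration, not a real export format.

def expected_tag(score):
    """Return the Vulcan TI tag the mapping table assigns to a risk score."""
    if score > 89:
        return "Recorded Future risk: CRITICAL"
    if score >= 65:
        return "Recorded Future risk: HIGH"
    if score >= 25:  # assumption: 25 itself is ingested (the table's lower bound)
        return "Recorded Future risk: MEDIUM"
    return None  # below the fetch threshold: never retrieved

def reconcile(rf_records, vulcan_tags):
    """Compare RF records (Name, RiskScore) with Vulcan's CVE -> tag view."""
    findings, seen = [], set()
    for rec in rf_records:
        cve, score = rec["Name"], rec["RiskScore"]
        seen.add(cve)
        want, have = expected_tag(score), vulcan_tags.get(cve)
        if want == have:
            continue
        if want is None:
            # Documented behaviour: a CVE that drops below 25 keeps its old tag.
            findings.append((cve, "stale", f"score now {score}, Vulcan keeps '{have}'"))
        elif have is None:
            findings.append((cve, "missing", f"expected '{want}', no tag in Vulcan"))
        else:
            findings.append((cve, "mismatch", f"expected '{want}', Vulcan has '{have}'"))
    for cve in sorted(set(vulcan_tags) - seen):
        findings.append((cve, "orphan", "tagged in Vulcan, absent from Recorded Future data"))
    return findings

# Constructed sample data (placeholder CVE ids, not real findings).
RF_SAMPLE = [
    {"Name": "CVE-0000-0001", "RiskScore": 93},
    {"Name": "CVE-0000-0002", "RiskScore": 70},
    {"Name": "CVE-0000-0003", "RiskScore": 18},
    {"Name": "CVE-0000-0004", "RiskScore": 40},
    {"Name": "CVE-0000-0005", "RiskScore": 10},
]
VULCAN_SAMPLE = {
    "CVE-0000-0001": "Recorded Future risk: CRITICAL",
    "CVE-0000-0002": "Recorded Future risk: MEDIUM",
    "CVE-0000-0003": "Recorded Future risk: MEDIUM",
    "CVE-0000-0006": "Recorded Future risk: HIGH",
}

if __name__ == "__main__":
    print(*reconcile(RF_SAMPLE, VULCAN_SAMPLE), sep="\n")
```

A "stale" finding matches the expected behavior described under Support and Expected Behaviour; "missing", "mismatch" and "orphan" findings are the ones to investigate, bearing in mind that a recent score change may not be reflected until the next sync.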