Incoming feed - Recorded Future IP Feed#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications |
|
|---|---|
Transport types |
Recorded Future IP Feed |
Content type |
Recorded Future CSV |
Ingested data |
Ingests IP address risk lists from Recorded Future. IP address found in these lists have matched one or more risk rules. |
Endpoint(s) |
|
Processed data |
See Data mapping. |
Requirements#
Email address registered with Recorded Future.
Recorded Future API key.
Configure the incoming feed#
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Recorded Future IP Feed from the drop-down menu.
Content type*
Select Recorded Future CSV from the drop-down menu.
API URL*
By default, this is set to
https://api.recordedfuture.com/v2/fusion/files/?path=/public/risklists/default_ip_risklist.csv.API key*
Set this to your Recorded Future API key.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Stop feed after x minutes*
Set to
450minutes by default.Once the feed reaches this time limit, no more packages are requested from the feed source. In-progress downloads and ingestion will continue.
(Recommended) Set the Schedule > Execution schedule to Every 1 hours.
Store your changes by selecting Save.
SSL certificates#
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the
eclecticiquser.Owned by
eclecticiq:eclecticiq.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where
/path/to/cert.pemis the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
Data mapping#
The sections below contain non-exhaustive information about how Recorded Future IP Feed data is mapped to EclecticIQ Platform entities and observables.
The Recorded Future IP Feed downloads risk lists
from Recorded Future in csv format.
Each record in these lists have matched one or more risk rules
on the Recorded Future platform.
Records are ingested by EclecticIQ Platform as IP address Indicators.
Map risk list to Indicator#
This table shows how each record from a Recorded Future IP Feed feed is mapped to Indicators on the platform:
Indicator field name |
Mapped from feed source |
Example value |
Description |
|---|---|---|---|
Title |
|
10.0.0.4 |
IP address that matches one or more risk rules. |
Confidence |
|
Medium |
See Confidence mapping. |
Analysis |
|
Risk Rule: Phishing X sightings on Y source: Bad Actor Name. More information on sightings here. Criticality: 3 |
Risk rules that match this IP address are listed in this field. Risk Rule: <Rule name>
<Evidence string>
Criticality: <Criticality value>
Timestamps for matched risk rules are set as the Indicator’s Estimated time -> Observed field. |
Tags |
|
Positive Malware Verdict - Malicious |
Risk rules that match the IP address
are also added as tags to the Indicator,
allowing you to search and filter
Indicators using a combination of
|
Confidence mapping#
This table shows how Recorded Future risk scores are mapped to Confidence values in ingested Indicators.
Recorded Future |
Confidence value |
|---|---|
1 – 33 |
Low |
34 – 66 |
Medium |
67 – 100 |
High |