Incoming feed - Recorded Future Vulnerability Feed

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

Specifications

Transport types

Recorded Future Vulnerability Feed

Content type

Recorded Future CSV

Ingested data

Ingests Exploit target risk lists from Recorded Future. Exploit target found in these lists have matched one or more risk rules.

Endpoint(s)

https://api.recordedfuture.com/v2/vulnerability/risklist?format=csv%2Fsplunk

Processed data

See Data mapping.

Requirements

  • Email address registered with Recorded Future.

  • Recorded Future API key.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Recorded Future Vulnerability Feed from the drop-down menu.

    Content type*

    Select Recorded Future CSV from the drop-down menu.

    API URL*

    By default, this is set to https://api.recordedfuture.com/v2/vulnerability/risklist?format=csv%2Fsplunk.

    API key*

    Set this to your Recorded Future API key.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Stop feed after x minutes*

    Set to 450 minutes by default.

    Once the feed reaches this time limit, no more packages are requested from the feed source. In-progress downloads and ingestion will continue.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Data mapping

The sections below contain non-exhaustive information about how Recorded Future Vulnerability Feed data is mapped to EclecticIQ Platform entities and observables.

The Recorded Future Vulnerability Feed downloads risk lists from Recorded Future in csv/splunk format. Each record in these lists have matched one or more risk rules on the Recorded Future platform.

Records are ingested by EclecticIQ Platform as Exploit target Indicators.

Map risk list to Exploit target

This table shows how each record from a Recorded Future Vulnerability Feed feed is mapped to Exploit target entities on the platform:

Exploit target field name

Mapped from feed source

Example value

Description

Title

Rule

CVE-2014-2595

Exploit target that matches one or more risk rules.

Analysis

EvidenceDetails

Name: nistHigh

Rule Category: Vulnerablity

X sightings on Y source: Bad Actor Name. More information on sightings here.

Criticality Label: Medium

Criticality: 2.0

Risk rules that match this Exploit target are listed in this field. These risk rules are presented here as:

Name: <Name>
Rule Category: <RuleCategory>
<EvidenceString>
Criticality Label: <CriticalityLabel>
Criticality: <Criticality>

Timestamps for matched risk rules are set as the Indicator’s Estimated time -> Observed field.

Tags

Rule

  • Nist Severity High

Risk rules that match the Exploit target are also added as tags to the Indicator, allowing you to search and filter Exploit target entities using <Rule>.