{
  "name": "ti_recordedfuture",
  "title": "Recorded Future",
  "version": "2.4.2",
  "release": "ga",
  "description": "Ingest threat intelligence and alert data from Recorded Future with Elastic Agent.",
  "type": "integration",
  "download": "/epr/ti_recordedfuture/ti_recordedfuture-2.4.2.zip",
  "path": "/package/ti_recordedfuture/2.4.2",
  "icons": [
    {
      "src": "/img/logo.svg",
      "path": "/package/ti_recordedfuture/2.4.2/img/logo.svg",
      "title": "Recorded Future",
      "size": "216x216",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.18.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security",
    "threat_intel"
  ],
  "signature_path": "/epr/ti_recordedfuture/ti_recordedfuture-2.4.2.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/ti_recordedfuture/2.4.2/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/rf-overview.png",
      "path": "/package/ti_recordedfuture/2.4.2/img/rf-overview.png",
      "title": "Dashboard: RecordedFuture Overview",
      "size": "1280x1329",
      "type": "image/png"
    },
    {
      "src": "/img/rf-files.png",
      "path": "/package/ti_recordedfuture/2.4.2/img/rf-files.png",
      "title": "Dashboard: RecordedFuture Files",
      "size": "1280x1329",
      "type": "image/png"
    },
    {
      "src": "/img/rf-urls.png",
      "path": "/package/ti_recordedfuture/2.4.2/img/rf-urls.png",
      "title": "Dashboard: RecordedFuture URLs",
      "size": "1280x1329",
      "type": "image/png"
    },
    {
      "src": "/img/rf-triggered.png",
      "path": "/package/ti_recordedfuture/2.4.2/img/rf-triggered.png",
      "title": "Dashboard: RecordedFuture Triggered Alerts",
      "size": "1280x1329",
      "type": "image/png"
    },
    {
      "src": "/img/rf-playbook.png",
      "path": "/package/ti_recordedfuture/2.4.2/img/rf-playbook.png",
      "title": "Dashboard: RecordedFuture Playbook Alerts",
      "size": "1280x1329",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/ti_recordedfuture/2.4.2/LICENSE.txt",
    "/package/ti_recordedfuture/2.4.2/changelog.yml",
    "/package/ti_recordedfuture/2.4.2/manifest.yml",
    "/package/ti_recordedfuture/2.4.2/validation.yml",
    "/package/ti_recordedfuture/2.4.2/docs/README.md",
    "/package/ti_recordedfuture/2.4.2/img/logo.svg",
    "/package/ti_recordedfuture/2.4.2/img/rf-files.png",
    "/package/ti_recordedfuture/2.4.2/img/rf-overview.png",
    "/package/ti_recordedfuture/2.4.2/img/rf-playbook.png",
    "/package/ti_recordedfuture/2.4.2/img/rf-triggered.png",
    "/package/ti_recordedfuture/2.4.2/img/rf-urls.png",
    "/package/ti_recordedfuture/2.4.2/kibana/tags.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/manifest.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/sample_event.json",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/lifecycle.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/manifest.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/sample_event.json",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/manifest.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/sample_event.json",
    "/package/ti_recordedfuture/2.4.2/kibana/dashboard/ti_recordedfuture-50e440e7-edab-496d-b9b0-f5ee64b16aa3.json",
    "/package/ti_recordedfuture/2.4.2/kibana/dashboard/ti_recordedfuture-554321f4-a649-49da-a5ce-b3dfef1a179b.json",
    "/package/ti_recordedfuture/2.4.2/kibana/dashboard/ti_recordedfuture-57ab05de-cd7e-4779-9201-1e099f7ab23b.json",
    "/package/ti_recordedfuture/2.4.2/kibana/dashboard/ti_recordedfuture-da0e8301-3c0b-4ba4-9389-85976e73d6ca.json",
    "/package/ti_recordedfuture/2.4.2/kibana/dashboard/ti_recordedfuture-ea3dd012-69d8-423d-81b1-2ad9174c75d3.json",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/fields/base-fields.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/fields/beats.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/fields/fields.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/fields/agent.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/fields/base-fields.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/fields/beats.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/fields/ecs.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/fields/fields.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/fields/is-ioc-transform-source-true.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/fields/base-fields.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/fields/beats.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/fields/fields.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/manifest.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/transform.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/agent/stream/cel.yml.hbs",
    "/package/ti_recordedfuture/2.4.2/data_stream/playbook_alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/agent/stream/cel.yml.hbs",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/agent/stream/logfile.yml.hbs",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/elasticsearch/ilm/default_policy.json",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/elasticsearch/ingest_pipeline/decode_csv.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/threat/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/agent/stream/cel.yml.hbs",
    "/package/ti_recordedfuture/2.4.2/data_stream/triggered_alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/fields/agent.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/fields/base-fields.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/fields/beats.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/fields/ecs.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/fields/fields.yml",
    "/package/ti_recordedfuture/2.4.2/elasticsearch/transform/latest_ioc/fields/is-ioc-transform-source-false.yml"
  ],
  "policy_templates": [
    {
      "name": "ti_recordedfuture",
      "title": "Recorded Future",
      "description": "Ingest threat intelligence and alert data from Recorded Future with Elastic Agent.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "api_key",
              "type": "password",
              "title": "API Key",
              "description": "API Key of the Recorded Future API.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "Base URL of the Recorded Future API.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.recordedfuture.com"
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections through, in the form http[s]://<user>:<password>@<server name/ip>:<port>. Ensure the username and password are URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "e.g. certificate_authorities, supported_protocols, verification_mode, etc.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Recorded Future data via API",
          "description": "Collect Recorded Future data via API."
        },
        {
          "type": "logfile",
          "title": "Collect Recorded Future threat intelligence via CSV files",
          "description": "Collect Recorded Future threat intelligence via CSV files."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "ti_recordedfuture.playbook_alert",
      "title": "Playbook Alert",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Recorded Future Playbook Alert logs from the API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the Recorded Future API. The maximum batch size is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration of the time limit on HTTP requests. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "120s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "recordedfuture-playbook_alert"
              ]
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve recordedfuture.playbook_alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Playbook alerts",
          "description": "Collect data from Recorded Future's [API for Playbook Alerts](https://api.recordedfuture.com/playbook-alert).",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_recordedfuture",
      "path": "playbook_alert"
    },
    {
      "type": "logs",
      "dataset": "ti_recordedfuture.threat",
      "ilm_policy": "logs-ti_recordedfuture.threat-default_policy",
      "title": "Recorded Future",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "logfile",
          "vars": [
            {
              "name": "paths",
              "type": "text",
              "title": "Paths",
              "multi": true,
              "required": true,
              "show_user": true
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "recordedfuture"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "logfile.yml.hbs",
          "title": "Threat intelligence",
          "description": "Collect indicators from CSV files in the format served by the [risklist endpoints](https://api.recordedfuture.com/v2/#!/Domain/Domain_Risk_Lists).",
          "enabled": false,
          "ingestion_method": "File"
        },
        {
          "input": "cel",
          "vars": [
            {
              "name": "entity",
              "type": "text",
              "title": "Entity",
              "description": "The type of entity to fetch. One of domain, hash, ip or url.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "domain"
            },
            {
              "name": "list",
              "type": "text",
              "title": "List",
              "description": "List to fetch for the given entity.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "default"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval between risklist downloads",
              "description": "Use Go duration syntax (e.g. 1h).",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "timeout",
              "type": "text",
              "title": "Request timeout for the risklist download",
              "description": "Must provide enough time for downloading and processing the risklist. Valid time units are ns, us, ms, s, m, h.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-cel#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "custom_url",
              "type": "url",
              "title": "Custom URL",
              "description": "URL to download a custom Fusion File.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "recordedfuture"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Threat intelligence",
          "description": "Collect indicators from the Recorded Future Connect API's [risklist endpoints](https://api.recordedfuture.com/v2/#!/Domain/Domain_Risk_Lists).",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_recordedfuture",
      "path": "threat"
    },
    {
      "type": "logs",
      "dataset": "ti_recordedfuture.triggered_alert",
      "title": "Triggered Alert",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Recorded Future triggered alert logs from the API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the API. NOTE: Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the Recorded Future API. The maximum batch size is 1000. A smaller batch size is recommended to avoid HTTP timeouts.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 100
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration of the time limit on HTTP requests. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "120s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "description": "Tags for the data-stream.",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "recordedfuture-triggered_alert"
              ]
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve recordedfuture.triggered_alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Triggered alerts",
          "description": "Collect triggered alerts data from the Recorded Future Connect API's [alerts endpoint](https://api.recordedfuture.com/v2/#!/Alerts/Alert_Notification_Search).",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_recordedfuture",
      "path": "triggered_alert"
    }
  ]
}
