Collect Recorded Future IOC logs
This document explains how to collect Recorded Future IOC logs by setting up a Google Security Operations feed using the Third Party API.
Recorded Future, a Mastercard company, is a threat intelligence platform that delivers real-time intelligence on indicators of compromise (IOCs) including malicious IP addresses, domains, URLs, and file hashes. Recorded Future aggregates and analyzes data from open, dark, and technical sources using machine learning to assign risk scores, enabling security teams to prioritize and respond to threats effectively.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- Privileged access to the Recorded Future portal (app.recordedfuture.com).
- A Recorded Future Enterprise account with API access enabled.
Configure Recorded Future API access
To enable Google SecOps to retrieve IOC data, you need to generate an API token from the Recorded Future portal.
Generate an API token
- Sign in to the Recorded Future portal at app.recordedfuture.com.
- Click your avatar in the top-right corner and select User Settings.
- In the left navigation pane, click API Access.
- Click Generate New API Token.
- Copy the API token (for example, RF-1234567890abcdef) and store it securely; it is the only credential the feed uses to authenticate to Recorded Future.
Configure a feed in Google SecOps to ingest Recorded Future IOC logs
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Recorded Future IOC).
- Select Third Party API as the Source type.
- Select Recorded Future as the Log type.
- Click Next.
- Specify values for the following input parameters:
  - Authentication HTTP header: Enter the authentication credentials in the following format:
    X-RFToken:your-api-token-value
    Replace your-api-token-value with the API token generated in the Recorded Future portal.
  - Asset namespace: The namespace to assign to assets from this feed.
  - Ingestion labels: The label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
After setup, the feed begins to retrieve IOC data from the Recorded Future platform in chronological order.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| Risk | confidence_score | Directly mapped |
| Value | domain_and_ports.domain | Directly mapped |
| Value | entity.file.sha256 | Directly mapped |
| Value | entity.hostname | Directly mapped |
| ip | entity.ip | Merged |
| Value | entity.url | Directly mapped |
| ip | ip_and_ports.ip_address | Directly mapped |
| Value | metadata.entity_type | Mapped: `[a-f0-9]{64}` → FILE |
| timestamp | metadata.event_timestamp | Parsed as ISO8601 |
| threat_det | metadata.threat | Merged |
| N/A | feed_name | Constant: Recorded Future IOC |
| N/A | metadata.entity_type | Constant: FILE |
| N/A | metadata.vendor_name | Constant: RECORDED_FUTURE_IOC |
| detail.FirstSeen | event.idm.entity.metadata.threat.first_discovered_time | Mapped from changelog |
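The following is an added worked example, not Google SecOps's parser, that applies the mapping table above to a few constructed Recorded Future IOC records so you can see which source field lands in which UDM field and how the `[a-f0-9]{64}` rule selects the FILE entity type. The table does not say how the parser distinguishes an IP, a URL and a hostname in `Value`, nor what `threat_det` looks like; the IPv4 and URL-scheme checks, the treatment of `threat_det` as a dictionary, and the `IP_ADDRESS`, `URL` and `DOMAIN_NAME` entity types are assumptions made here for illustration.

```python
"""Worked example: apply the UDM mapping table to Recorded Future IOC records.
Added for illustration; not Google SecOps's parser. Rules marked as
assumptions are ours, not taken from the page."""
import re
from datetime import datetime, timezone

# Constants stated in the mapping table.
FEED_NAME = "Recorded Future IOC"
VENDOR_NAME = "RECORDED_FUTURE_IOC"

# The table derives metadata.entity_type = FILE when Value is 64 hex characters.
SHA256_RE = re.compile(r"^[a-f0-9]{64}$")
# Assumption: the page does not say how the parser tells an IP, a URL and a
# hostname apart in Value; this IPv4 check and the URL-scheme check are ours.
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp ('Z' or explicit offset) and return it as UTC text."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc).isoformat()


def map_to_udm(record):
    """Map one IOC record (keys: Risk, Value, ip, timestamp, threat_det,
    detail.FirstSeen) to a dict shaped like the UDM fields named in the table."""
    value = record["Value"]

    # threat_det -> metadata.threat (merged); Risk -> confidence_score;
    # detail.FirstSeen -> threat.first_discovered_time.
    # Assumption: threat_det is treated as a dictionary of threat attributes.
    threat = dict(record.get("threat_det") or {})
    if record.get("Risk") is not None:
        threat["confidence_score"] = int(record["Risk"])
    first_seen = (record.get("detail") or {}).get("FirstSeen")
    if first_seen:
        threat["first_discovered_time"] = parse_iso8601(first_seen)

    entity, extras = {}, {}
    if SHA256_RE.match(value):
        entity_type = "FILE"                      # Mapped: [a-f0-9]{64} -> FILE
        entity["file"] = {"sha256": value}        # Value -> entity.file.sha256
    elif IPV4_RE.match(value):
        entity_type = "IP_ADDRESS"                # assumption: UDM type for an IP
        entity["ip"] = [value]
    elif value.lower().startswith(("http://", "https://")):
        entity_type = "URL"                       # assumption
        entity["url"] = value                     # Value -> entity.url
    else:
        entity_type = "DOMAIN_NAME"               # assumption
        entity["hostname"] = value                # Value -> entity.hostname
        extras["domain_and_ports"] = {"domain": value}  # Value -> domain_and_ports.domain

    # ip -> entity.ip (merged, so the same address is not listed twice)
    # and ip -> ip_and_ports.ip_address.
    ip_field = record.get("ip")
    if ip_field:
        ips = entity.setdefault("ip", [])
        if ip_field not in ips:
            ips.append(ip_field)
        extras["ip_and_ports"] = {"ip_address": ip_field}

    return {
        "feed_name": FEED_NAME,
        "metadata": {
            "vendor_name": VENDOR_NAME,
            "entity_type": entity_type,
            "event_timestamp": parse_iso8601(record["timestamp"]),
            "threat": threat,
        },
        "entity": entity,
        **extras,
    }


# Constructed sample records (documentation-reserved address, .test domain).
SAMPLE_RECORDS = [
    {"Value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "Risk": "87", "timestamp": "2024-05-01T12:00:00Z",
     "threat_det": {"summary": "Sample rule: reported as malware"},
     "detail": {"FirstSeen": "2024-03-15T08:30:00Z"}},
    {"Value": "198.51.100.7", "ip": "198.51.100.7", "Risk": 65,
     "timestamp": "2024-05-01T12:05:00+00:00"},
    {"Value": "bad-host.test", "Risk": "40", "timestamp": "2024-05-01T12:10:00Z"},
]


def map_samples():
    """Map every constructed sample record."""
    return [map_to_udm(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    import json
    print(json.dumps(map_samples(), indent=2))
```

Run it and compare the output with the table: the hash record gets `entity_type` FILE and `entity.file.sha256`, the IP record gets a single `entity.ip` entry even though both `Value` and `ip` carry the address, and every record carries the constant `feed_name` and `metadata.vendor_name`. Timestamps with an explicit offset are normalised to UTC before they reach `metadata.event_timestamp`.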