Collect Recorded Future IOC logs
This document explains how to ingest Recorded Future IOC logs into Google Security Operations using the Recorded Future API. The parser transforms the JSON data into the Unified Data Model (UDM): it extracts IOC details, maps them to UDM fields, categorizes threats based on criticality, and enriches the data with timestamps and vendor information.
Before you begin
Make sure you have the following prerequisites:
- Google SecOps instance
- Privileged access to a Recorded Future Enterprise account
Acquire the Recorded Future API token
- Sign in to Recorded Future.
- Click your avatar in the top-right corner and select User Settings.
- In the navigation menu, click API Access.
- Click Generate New API Token.
- Copy the long string that appears (for example, RF-1234567890abcdef...).
- You can create more than one key; provide a descriptive name such as Google SecOps.
- Copy and save the token in a secure location. The API token is not displayed again.
Set up feeds
- Go to SIEM Settings > Feeds.
- Click + Add New Feed.
- In the Feed name field, enter a name for the feed (for example, Recorded Future IOC).
- Select Third Party API as the Source type.
- Select the Recorded Future log type.
- Click Next.
- Specify values for the following input parameters:
  - Authentication HTTP Header: X-RFToken:<your-api_key>. Make sure to replace <your-api_key> with the actual key copied in the previous step.
  - Asset namespace: The asset namespace.
  - Ingestion labels: The label applied to the events from this feed.
- Click Next.
- Review the feed configuration in the Finalize screen, and then click Submit.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
Details.EvidenceDetails.Criticality | | |
Details.EvidenceDetails.CriticalityLabel | | |
Details.EvidenceDetails.EvidenceString | ioc.description | The value of the "EvidenceString" field is mapped to this field. |
Details.EvidenceDetails.EvidenceString | entity.metadata.threat.description | The value of the "EvidenceString" field is mapped to this field. |
Details.EvidenceDetails.MitigationString | | |
Details.EvidenceDetails.Rule | ioc.categorization | The value of the "Rule" field is mapped to this field. |
Details.EvidenceDetails.Rule | entity.metadata.threat.rule_name | The value of the "Rule" field is mapped to this field. |
Details.EvidenceDetails.Timestamp | | |
Risk | ioc.confidence_score | The value of the "Risk" field is converted to a string and mapped to this field. |
Risk | entity.metadata.threat.severity_details | The value of the "Risk" field is concatenated with the string "Risk - " and mapped to this field. |
Value | entity.entity.hostname | If the "Value" field is a domain name, it is mapped to this field. |
Value | ioc.domain_and_ports.domain | If the "Value" field is a domain name, it is mapped to this field. |
Value | ioc.ip_and_ports.ip_address | If the "Value" field is an IP address, it is mapped to this field. |
| entity.entity.ip | The value of the "Value" field is parsed as an IP address and mapped to this field. |
| ioc.feed_name | The value "Recorded Future IOC" is assigned to this field. |
| ioc.raw_severity | The value is generated by concatenating the "Risk" field with the "CriticalityLabel" field, separated by a colon. |
| entity.metadata.collected_timestamp | The value of the "Details.EvidenceDetails.Timestamp" field is parsed as an ISO8601 timestamp and mapped to this field. |
| entity.metadata.entity_type | The value is set to "DOMAIN_NAME" if the "Value" field is a domain name, and "IP_ADDRESS" if it is an IP address. |
| entity.metadata.interval.end_time | The value "253402300799" (representing the maximum timestamp value) is assigned to this field. |
| entity.metadata.interval.start_time | The value of the "Details.EvidenceDetails.Timestamp" field is parsed as an ISO8601 timestamp and mapped to this field. |
| entity.metadata.threat.category | The value is determined based on the "CriticalityLabel" field: "Malicious" maps to "SOFTWARE_MALICIOUS", "Suspicious" maps to "SOFTWARE_SUSPICIOUS", and any other value maps to "UNKNOWN_CATEGORY". |
| entity.metadata.threat.category_details | The value is generated by concatenating the strings "Criticality - ", "Criticality", ":", and "CriticalityLabel", with the corresponding values from the input data. |
| entity.metadata.threat.severity | The value is determined based on the "CriticalityLabel" field: "Malicious" maps to "HIGH", "Suspicious" maps to "MEDIUM", and any other value maps to "LOW". |
| entity.metadata.threat.threat_feed_name | The value "Recorded Future IOC" is assigned to this field. |
| entity.metadata.vendor_name | The value "RECORDED_FUTURE_IOC" is assigned to this field. |
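The following added example (not part of the Google SecOps parser or this page) applies the mapping rules in the table above to a constructed Recorded Future IOC record, so you can check what the UDM entity and IOC fields should look like for a given input. The record layout, field names and values are assumptions based on the table's Log Field column.

```python
import ipaddress
from datetime import datetime

# Constructed sample record in the shape the mapping table describes (not real Recorded Future data).
SAMPLE_RECORD = {
    "Value": "203.0.113.7",
    "Risk": 89,
    "Details": {
        "EvidenceDetails": {
            "Criticality": 3,
            "CriticalityLabel": "Malicious",
            "EvidenceString": "Constructed evidence text for the example.",
            "Rule": "Constructed Rule Name",
            "Timestamp": "2024-05-01T12:34:56.000Z",
        }
    },
}

MAX_END_TIME = 253402300799  # sentinel the table assigns to interval.end_time
CATEGORY_BY_LABEL = {"Malicious": "SOFTWARE_MALICIOUS", "Suspicious": "SOFTWARE_SUSPICIOUS"}
SEVERITY_BY_LABEL = {"Malicious": "HIGH", "Suspicious": "MEDIUM"}


def map_to_udm(record: dict) -> dict:
    """Apply the table's rules to one IOC record; returns a flat dict keyed by UDM path."""
    ev = record["Details"]["EvidenceDetails"]
    value, risk, label = record["Value"], record["Risk"], ev.get("CriticalityLabel", "")
    # ISO8601 timestamp -> epoch seconds (used for both collected_timestamp and interval.start_time)
    ts = int(datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00")).timestamp())
    udm = {
        "ioc.feed_name": "Recorded Future IOC",
        "ioc.description": ev.get("EvidenceString"),
        "ioc.categorization": ev.get("Rule"),
        "ioc.confidence_score": str(risk),
        "ioc.raw_severity": f"{risk}:{label}",
        "entity.metadata.vendor_name": "RECORDED_FUTURE_IOC",
        "entity.metadata.threat.threat_feed_name": "Recorded Future IOC",
        "entity.metadata.threat.description": ev.get("EvidenceString"),
        "entity.metadata.threat.rule_name": ev.get("Rule"),
        "entity.metadata.threat.severity_details": f"Risk - {risk}",
        "entity.metadata.threat.category": CATEGORY_BY_LABEL.get(label, "UNKNOWN_CATEGORY"),
        "entity.metadata.threat.severity": SEVERITY_BY_LABEL.get(label, "LOW"),
        "entity.metadata.threat.category_details": f"Criticality - {ev.get('Criticality')}:{label}",
        "entity.metadata.collected_timestamp": ts,
        "entity.metadata.interval.start_time": ts,
        "entity.metadata.interval.end_time": MAX_END_TIME,
    }
    try:  # "Value" is an IP address -> IP_ADDRESS entity; otherwise treat it as a domain name
        ip = str(ipaddress.ip_address(value))
        udm.update({"entity.metadata.entity_type": "IP_ADDRESS", "entity.entity.ip": ip, "ioc.ip_and_ports.ip_address": ip})
    except ValueError:
        udm.update({"entity.metadata.entity_type": "DOMAIN_NAME", "entity.entity.hostname": value, "ioc.domain_and_ports.domain": value})
    return udm
```

Values that the table leaves unmapped (MitigationString, the raw Criticality fields) are only used where the table says they are, in category_details and raw_severity.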