Recorded Future Vulnerability Enrichment

The integration with Archer & Recorded Future (RF) will allow customers the ability to automatically download a feed of cyber vulnerability enrichment data. The information in this data feed can be used to help identify trends and patterns in emerging and disclosed vulnerabilities as well as to drive proactive workflows for resolving known vulnerabilities in the customer’s enterprise. Combined with the asset criticality information in Archer, the intelligence gained from Recorded Future enables users to better prioritize vulnerability management activities.

On this page

Release history

Last updated: May 2018

Solution summary

Partner Integration Overview
Archer Solution	IT & Security Risk Management
Archer Use Case	IT Security Vulnerabilities Program
Archer Applications	Vulnerability
Uses Custom Application	No
Requires On-Demand License	No

Benefits

Faster awareness of emerging threats that affect your key assets

Enrich the context around disclosed vulnerabilities

Better prioritize remediation with external intelligence

Partner product configuration

Before you begin

This section provides instructions for configuring Recorded Future’s (RF) vulnerability enrichment data with the Archer Platform. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

Two things are required before you begin configuration of this data feed.

A Recorded Future API token. This support article provides information on how Recorded Future users can create and access their API tokens.
Access to the Recorded Future Fusion API product feature & a configured Fusion Flow providing a feed of vulnerability enrichment data. If you would like to customize the feed of vulnerability data you are receiving & have questions, please contact the Recorded Future Professional Services team for additional assistance.

Archer configuration

Sub-form configuration

Risk rule details sub-form

Navigate to the Application Builder & create a new sub-form named ‘Recorded Future: Risk Rule Details’
Configure the sub-form by adding the following custom fields. Modify the ‘Options’ for each of the fields with the provided formulas.

Field Name	Field Type	Formula
DataString	Text (Calculated)
Risk Criticality	Numeric (Calculated)	"substring([DataString],14,1)"
Risk Details	Text (Calculated)	"substring([DataString],(FIND("evidenceString=",[DataString])+15),(l en([DataString])-(FIND("evidenceString=",[DataString])+15)))"
Risk Rule	Text (Calculated)	"substring([DataString],(FIND("rule=",[DataString])+5),((FIND("evide nceString=",[DataString])-2)-(FIND("rule=",[DataString])+5)))"
Timestamp	Date (Calculated)	"substring([DataString],(FIND("timestamp=",[DataString])+10),10)"

Configure the layout of the sub-form as follows:

Application configuration

Navigate to the Application Builder & modify the Vulnerabilities application
Create the following new custom fields:

Field	Type	Setup Options
Related Product	Values List	Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 6
Related Attack Vector	Values List	Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 7
Related Malware	Values List	Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 8
Related Malware Category	Values List	Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 9
Risk Rules	Values List	Control: Listbox, Maximum Selections: No Maximum, Minimum Selections: No Minimum, Field Height: 10
Intelligence Card	Text	N/A
Intelligence Card Link	Text	N/A

Last Seen Date	Date	N/A
Risk Score	Numeric	N/A
Seven Day Hits	Numeric	N/A
One Day Hits	Numeric	N/A
Analyst Notes	Text	N/A
Related Links	Sub-Form	See Sub-Form Details
Triggered Risk Rules	Sub-Form	See Sub-Form Details
Recorded Future	Tab	Added to current tab set, moved to front, selected as Default. Triggered Risk Rules and Related Links Sub- Forms added to this tab
Recorded Future Summary	Section	Contains custom fields: Risk Score, Intelligence Card Link, Analysis Notes, Last Seen Date, Risk Rules, Related Malware Category, Related Malware, Related Attack Vector, Related Product

For the following calculated fields, modify the formulas for each in ‘Options’ of the field:

Field	Formula
Intelligence Card Link	"substring([Column04],9,(len([Column04])+9))"
CVSS Score	"IF(or(CONTAINS(EXACT,[Source],VALUEOF([Source],"NVD")),CONTAINS(EXACT,[Source], VALUEOF([Source],"Recorded Future"))),[Base Score],IF( OR( ISEMPTY( [Environmental Score]), [Environmental Score] <= 0), [Temporal Score], [Environmental Score]))"
Intelligence Card Link	"IF(NOT(ISEMPTY([Intelligence Card])),"<a target='_new' href='https://" & [Intelligence Card] & "'> Click Here </a>", NOVALUE())"

Field

Formula

Intelligence

Card Link

"substring([Column04],9,(len([Column04])+9))"

CVSS Score

"IF(or(CONTAINS(EXACT,[Source],VALUEOF([Source],"NVD")),CONTAINS(EXACT,[Source],

VALUEOF([Source],"Recorded Future"))),[Base Score],IF( OR( ISEMPTY( [Environmental Score]), [Environmental Score] <= 0), [Temporal Score], [Environmental Score]))"

Intelligence Card Link

"IF(NOT(ISEMPTY([Intelligence Card])),"<a target='_new' href='https://" & [Intelligence

Card] & "'> Click Here </a>", NOVALUE())"

Configure the Layout of the Vulnerabilities Application as follows:

Data Feed configuration

After configuring the custom fields & sub-forms, you are ready to configure the data feed import and data mapping options.

Browse to Administration > Integration > Data Feeds
Click Import and browse to the data feed file: Recorded_Future_Vulnerability_Enrichment_Feed.dx5
In the ‘Transport’ section, ensure that the ‘Data Request URI’ points to the output path for your RF Fusion Feed file and modify the value for the ‘X-RF-Token’ header property with your Recorded Future API token.

Configure the Data Map as follows:

Source Field	Destination Field	Field Type
Title	Title	Text
CVE(s)	CVE(s)	Text
Description	Description	Text
Intelligence Card_Calc	Intelligence Card	Text
Intelligence Card	DO NOT MAP	DO NOT MAP
Risk Score	Risk Score	Numeric
Severity	Severity	Value List
Risk Rules	Risk Rules	Value List
Triggered Risk Rules	SubForm: Triggered Risk Rules, Field: DataString	SubForm
Access Vector	Access Vector	Value List
Access Complexity	Access Complexity	Value List
Authentication	Authentication	Value List
Integrity Impact	Integrity Impact	Value List
Confidentiality Impact	Confidentiality Impact	Value List
Availability Impact	Availability Impact	Value List
Base Score	Base Score	Numeric
Last Seen Date	Last Seen Date	Date
Related Links	SubForm: Related Links, Field: URL	SubForm
Related Malware	Related Malware	Value List
Related Malware Category	Related Malware Category	Value List
Related Attack Vector	Related Attack Vector	Value List
Related Product	Related Product	Value List
One Day Hits	One Day Hits	Numeric
Seven Day Hits	Seven Day Hits	Numeric

Dashboard configuration

A number of custom reports can be configured to provide additional contextual information about specific or trending vulnerabilities using your own custom definitions. Provided below are some sample report configurations which use the Recorded Future Vulnerabilities enrichment data.