
Recorded Future
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Recorded Future Connector integrates with the Recorded Future Threat Intelligence platform to synchronize vulnerability risk data and threat intelligence indicators. It connects to the Recorded Future V2 API to fetch vulnerability risk lists and associated evidence details.
Official documentation can be found at https://api.recordedfuture.com.
Data retrieved from Recorded Future
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Vulnerability Risk | Yes | Cve Record |
| Vulnerability Risk Indicator | Yes | Threat Intel |
Model relationships
For detailed steps on how to view the data retrieved from Recorded Future in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Recorded Future from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://api.recordedfuture.com | Recorded Future API URL |
| API Key | No | — | Recorded Future API Key |
| Request timeout (secs) | No | 120 | The maximum seconds allotted before a request will time out. Maximum allowed value 300 |
Authentication
The connector uses API key authentication. The API key is provided in the X-RFToken request header to authenticate and authorize access to the endpoints.
Endpoint
The connectivity/authentication check calls the risk-rules endpoint; the vulnerability risk data itself is synced from the risk list endpoint.
| Method | URL | Purpose |
|---|---|---|
GET | https://api.recordedfuture.com/v2/vulnerability/riskrules | Connectivity / auth check |
GET | https://api.recordedfuture.com/v2/vulnerability/risklist | Vulnerability risk data sync |
Request Headers
| Header | Value |
|---|---|
X-RFToken | your-api-key |
X-RF-User-Agent | brinqa |
Accept | application/json |
Sample Response
The risk-rules connectivity check returns the available risk rules:
{
"data": {
"results": [
{
"name": "exploitedInTheWild",
"description": "Exploited in the Wild by Recently Active Malware",
"count": 142,
"criticality": 4
}
]
}
}
Response Fields
| Field | Description |
|---|---|
data.results[].name | Risk rule identifier |
data.results[].description | Human-readable rule description |
data.results[].count | Number of entities currently matching the rule |
data.results[].criticality | Rule criticality level |
Usage
The API key is sent on every request in the X-RFToken request header to authenticate and authorize access to the risk-rules and risk-list endpoints:
X-RFToken: <your-api-key>
How to obtain Recorded Future credentials
Generate a Recorded Future API key
For the Recorded Future connector to use the Recorded Future API, you must provide an API key. Recorded Future does not allow retrieval of an active token, therefore, you must generate a new key instead. To do so, follow these steps:
-
Log in to your organization's Recorded Future portal as an administrator.
-
Click the menu on the upper-right corner, and then click User Settings.
-
Under API Access, click Generate New API Token.
-
Give the new API key a name and description.
-
Click Create.
Copy the new Recorded Future API key and store it in a secure location.
Note: Consult Recorded Future documentation for accuracy. If you do not have the permissions to create an API key, contact your Recorded Future administrator.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Vulnerability Risk
| Source Field Name | SDM Attribute |
|---|---|
EvidenceDetail.rule | EXPLOITED_IN_THE_WILD |
EvidenceDetail.rule | RECENTLY_LINKED_TO_EXPLOIT_KIT |
EvidenceDetail.rule | RECENTLY_LINKED_TO_RAT |
EvidenceDetail.rule | RECENTLY_LINKED_TO_RANSOMWARE |
EvidenceDetail.rule | RECENTLY_LINKED_TO_MALWARE |
EvidenceDetail.rule | RECENTLY_LINKED_TO_PEN_TESTING |
EvidenceDetail.rule | RECENTLY_LINKED_TO_CYBER_EXPLOIT |
EvidenceDetail.rule | HISTORICALLY_LINKED_TO_EXPLOIT_KIT |
EvidenceDetail.rule | HISTORICALLY_LINKED_TO_RAT |
EvidenceDetail.rule | HISTORICALLY_LINKED_TO_RANSOMWARE |
EvidenceDetail.rule | HISTORICALLY_LINKED_TO_MALWARE |
EvidenceDetail.rule | HISTORICALLY_LINKED_TO_PEN_TESTING |
EvidenceDetail.rule | HISTORICALLY_LINKED_TO_CYBER_EXPLOIT |
EvidenceDetail.rule | RECENT_VERIFIED_POC_RCE |
EvidenceDetail.rule | HISTORICAL_VERIFIED_POC_RCE |
EvidenceDetail.rule | RECENT_VERIFIED_POC |
EvidenceDetail.rule | HISTORICAL_VERIFIED_POC |
EvidenceDetail.rule | RECENT_UNVERIFIED_POC |
EvidenceDetail.rule | HISTORICAL_UNVERIFIED_POC |
EvidenceDetail.rule | CYBER_EXPLOIT_SIGNAL |
EvidenceDetail.timestamp | LAST_REFERENCED |
Risk.name | UID |
Risk.risk | SCORE |
| — | LAST_CAPTURED |
Vulnerability Risk Indicator
| Source Field Name | SDM Attribute |
|---|---|
EvidenceDetail.category | CATEGORIES |
EvidenceDetail.criticality | SOURCE_SEVERITY |
EvidenceDetail.evidenceString | DESCRIPTION |
EvidenceDetail.mitigation | RECOMMENDATION |
EvidenceDetail.rule | NAME |
EvidenceDetail.timestamp | SOURCE_CREATED_DATE |
getFindingSeverityScore(severity) | SEVERITY_SCORE |
MD5(Risk.name, EvidenceDetail.rule, evidenceString, timestamp) | UID |
normalizeFindingSeverity(criticality) | SEVERITY |
Risk.cpes | AFFECTED |
Risk.name | CVE_IDS |
Risk.name | CVE_RECORDS |
| — | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Vulnerability Risk
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
GET /v2/vulnerability/risklist - Default filters:
format=csv/splunk+cpe,list=large
Vulnerability Risk Indicator
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST · Endpoint:
GET /v2/vulnerability/risklist - Default filters:
format=csv/splunk+cpe,list=large
Changelog
The Recorded Future connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.3 | Bug Fixes - Vulnerability Risk Indicator source severity type mismatch — Source severity was reported with an inconsistent type, producing data-warehouse type errors. The Vulnerability Risk Indicator model now declares Source severity as a numeric attribute, preserving Recorded Future's raw criticality value (1–4) exactly as returned by the API. - Timestamp attributes stored as raw numbers — Source created date (Vulnerability Risk Indicator) and Last referenced (Vulnerability Risk) were written as raw epoch-millisecond numbers instead of date/time values. They are now stored as proper timestamps. Improvements - Attribute consolidation precedence — Custom attributes reported by this connector now consolidate at the standard precedence, so connector-sourced values take precedence over non-connector data channels (UI edits, manual imports) instead of ranking last. | • Vulnerability Risk Indicator and Vulnerability Risk: records ingested before this release carry the previous, inconsistent types for Source severity, Source created date, and Last referenced. Action: re-sync both models so these attributes are rewritten with their corrected types. |
| 3.2.2 | New Features - Last captured timestamp — A new Last captured attribute is now reported on both the Vulnerability Risk and Vulnerability Risk Indicator models, recording when each record was most recently retrieved from Recorded Future. Improvements Dependency Upgrades - Updated underlying platform and data-model libraries to current versions. | N/A |
| 3.2.1 | New Features - Configurable request timeout — A new Request Timeout setting lets you control how long the connector waits for a response from the Recorded Future API (default 2 minutes, up to a 5-minute maximum), reducing failures on slow or large responses. | N/A |
| 3.2.0 | Improvements Dependency Upgrades - Updated underlying platform and data-model libraries to current versions. | N/A |
| 3.0.0 | Overview The Recorded Future connector integrates with Recorded Future to synchronize vulnerability risk intelligence, including per-CVE risk signals and vulnerability risk indicators. Category: Threat Intelligence Models | N/A |