
Liju John
Mega Guru

You can collect the Recorded Future (RF) threat feeds for Domains, IPs, File Hashes and URLs into ServiceNow Threat Intelligence as follows.

1. Define a REST Message named Recorded Future Taxii, using Basic Auth with Username = rf and Password = *RF API Key*.

2. On that REST Message, create a POST HTTP method named Default Post with the endpoint https://api.recordedfuture.com/taxii/

3. Create the RF TAXII Profile. Under Discovery Service Configuration:

     a. check Use REST Message

     b. REST Message - Recorded Future Taxii

     c. REST Method - Default Post

     d. Save

4. Create a separate TAXII Collection for each feed (domains, IPs, URLs, file hashes):

     a. Name : Recorded Future Domain / [ Urls/Ips/File Hashes ]

     b. Collection Identifier : domain_full / [ url_full / full / hash_full ]

     c. Schedule : On Demand

     d. Source Details - check Use REST Message

          REST Message : Recorded Future Taxii , REST Method : Default Post

          Integration Script : TAXIISourceIntegration

          Report Processor : TAXIICollectionDataProcessor

     e. Save & Execute Now

5. To verify the import, search for IOC in the navigator and open Indicators / Observables.

6. You can customize the STIXParser Script Include so that the Risk Score carried in each indicator's description is written to custom fields on the Indicator table (the snippet below uses u_ioc, u_risk_score, u_ioc_source and u_ioc_type as those custom fields).

```javascript
_processIndicatorNode: function(node) {
    var id = node.getAttribute("id");
    var gr = new GlideRecord(this.INDICATOR_TABLE);
    // Update the existing Indicator with this STIX id, otherwise start a new one
    if (!gr.get("id", id)) {
        gr = new GlideRecord(this.INDICATOR_TABLE);
        gr.setValue("id", node.getAttribute("id"));
    }
    if (node.getAttribute("timestamp") != "")
        gr.setValue("first_seen", node.getAttribute("timestamp"));
    var ttps = [];
    var observables = [];
    var indicatorTypes = [];
    var iter = node.getChildNodeIterator();
    while (iter.hasNext()) {
        var child = iter.next();
        switch (child.getNodeName()) {
            case "indicator:Title":
                gr.setValue("title", child.getTextContent().trim());
                // Custom: keep the raw IOC value in u_ioc
                gr.setValue("u_ioc", child.getTextContent().trim());
                break;
            case "indicator:Description":
                var score = child.getTextContent().trim();
                gr.setValue("notes", score);
                // Custom: Recorded Future places the risk score in the description,
                // e.g. "Recorded Future Intelligence Risk Score: 87"
                var n_score = score.indexOf("Recorded Future Intelligence Risk Score:");
                if (n_score == 0) {
                    gr.setValue("u_risk_score", score.split("Recorded Future Intelligence Risk Score:")[1].trim());
                    gr.setValue("u_ioc_source", 'Recorded Future');
                }
                break;
            case "indicator:Indicated_TTP":
                ttps.push(this._parseIndicatedTTPNode(child));
                break;
            case "indicator:Observable":
                observables = observables.concat(this._parseRelatedObservablesNode(child));
                break;
            case "indicator:Type":
                indicatorTypes.push(this._parseIndicatorType(child));
                // Custom: store the STIX indicator type text in u_ioc_type
                gr.setValue("u_ioc_type", child.getTextContent().trim());
                break;
        }
    }
    // The remainder of the out-of-box _processIndicatorNode (saving the record and
    // linking ttps, observables and indicatorTypes) is not shown in this post.
},
```
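As an added example (not code from this post or from ServiceNow's STIXParser), here is a stand-alone re-implementation of the custom field mapping from step 6 that can be unit-tested outside the instance. It models child nodes as {name, text} pairs instead of XMLDocument2 nodes, assumes the custom field names used above and Recorded Future's 0-99 risk-score scale, and tightens the score parsing so only a well-formed integer ever reaches u_risk_score.

```javascript
const RISK_PREFIX = "Recorded Future Intelligence Risk Score:";

// Returns the integer score or null when the description carries no well-formed
// score. Stricter than the original indexOf/split: the prefix may appear anywhere,
// whitespace around the number is ignored, and only an integer in the assumed
// Recorded Future range 0-99 is accepted, so free text never lands in u_risk_score.
function extractRiskScore(description) {
  if (typeof description !== "string") return null;
  const m = description.match(new RegExp(RISK_PREFIX + "\\s*(\\d{1,3})\\b"));
  if (!m) return null;
  const score = parseInt(m[1], 10);
  return score >= 0 && score <= 99 ? score : null;
}

// Builds the Indicator field values for one STIX 1.x indicator, mirroring the
// switch in the customised _processIndicatorNode (field names are assumptions
// taken from the post). Indicated_TTP and Observable are left to the stock parser.
function mapIndicatorFields(children) {
  const fields = {};
  for (const child of children) {
    const text = (child.text || "").trim();
    switch (child.name) {
      case "indicator:Title":
        fields.title = text;
        fields.u_ioc = text;
        break;
      case "indicator:Description": {
        fields.notes = text;
        const score = extractRiskScore(text);
        if (score !== null) {
          fields.u_risk_score = score;
          fields.u_ioc_source = "Recorded Future";
        }
        break;
      }
      case "indicator:Type":
        fields.u_ioc_type = text;
        break;
    }
  }
  return fields;
}

// Constructed sample shaped like one indicator from the Recorded Future domain feed.
const SAMPLE_INDICATOR = [
  { name: "indicator:Title", text: " example.invalid " },
  { name: "indicator:Type", text: "Domain Watchlist" },
  { name: "indicator:Description", text: "Recorded Future Intelligence Risk Score: 87" },
];
console.log(mapIndicatorFields(SAMPLE_INDICATOR));
```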


* Be careful when pulling the URL, Hash and IP feeds: the Integration Run process downloads a large data file (200+ MB). Per KB0750207 (https://hi.service-now.com/kb_view.do?sysparm_article=KB0750207), the workaround is to "configure TAXII collection so as not to pull all data feed into ServiceNow, the size of the payload needs to be tested via tool outside ServiceNow first.". This issue is expected to be fixed in the upcoming release, New York.


Version history
Last update: 06-21-2019 03:28 PM