In August 2024, we announced enhancements to our integration of Recorded Future with Google Security Operations. The enhancements were designed to better integrate Recorded Future Threat Intelligence into the Google Security Operations platform.
Now, we’re excited to introduce updates to our integration with Google Security Operations. This means that you’ll have Recorded Future intelligence more comprehensively integrated throughout the end-to-end experience when using your Google Security Operations platform.
Significant SOAR integration enhancements
We’ve expanded our SOAR updates to track Recorded Future intelligence more completely and to close the feedback loop from Google Security Operations response workflows and capabilities back to Recorded Future.
First, we’ve added a Collective Insights® capability. By running the Recorded Future enrichment action with Collective Insights enabled, you can enrich entities and send Collective Insights to Recorded Future. This will happen for any entity that’s enriched, whether you’re manually executing the action or running it within an enrichment playbook.
Second, we’ve added support for playbook alerts. Google Security Operations can now ingest the following playbook alert types: Domain Abuse, Data Leakage on Code Repository, Identity Novel Exposures, Geopolitical - Facility Risk Event, and Vulnerability. Cases are created for new playbook alerts with supporting evidence, and full alert details are ingested into separate panels. Entities within playbook alerts are added to an Entity Highlights panel. And you can track playbook alert updates via a dedicated connector.
Third, we’ve added support for sandboxing URLs and files. Submissions are sandboxed asynchronously, and the sandbox actions poll Recorded Future for results every minute for half an hour. When results become available, cases are automatically updated with sandbox enrichment from Recorded Future.
Finally, Google Security Operations users can now author analyst notes for entities, and the notes can be viewed in the Recorded Future portal.
All-new SIEM integration
You can deploy our new integration with Google Security Operations from our GitHub repository.
The new functionality:
- Expands IOC types to include file hashes and URLs
- Ages out old IOCs correctly to prevent false positives
- Allows for the use of custom risklists created for Google Security Operations
- Parses indicators efficiently to reduce ingestion size
- Populates UDM fields to more closely align with Google Security Operations best practices
- Includes YARA-L rules that correlate threat intelligence with detection rule matches where the matched entity was sourced from a Recorded Future risklist
- Includes dashboards that provide a global view of Recorded Future threat intelligence in your Google Security Operations environment and track IOC matches for IPs and domains
Powerful integrations that strengthen your security posture
With these updates, Recorded Future data supports every part of the intelligence lifecycle in Google Security Operations — and you can customize the way you view and use the data to fit your workflows.
Our work on these integrations is ongoing, so be on the lookout for more enhancements in the coming months.
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/introducing-extensive-updates-recorded-future-google-security-operations