Using the API to upload Recorded Future IOCs to an IDR Custom Threat Feed

Hola everyone!

If you are a Recorded Future user, you can bring their threat feed into IDR to further increase your detection capabilities.

I will share with you a PowerShell script that allows you to download Recorded Future IOCs for the 4 categories supported in IDR (domains, hashes, IPs and URLs) and upload them to IDR. This script is based on the awesome blogs that my colleague Teresa Copple has written on this subject, which I highly recommend!!!
https://blog.rapid7.com/2019/10/16/import-external-threat-intelligence-with-the-insightidr-threats-api/
https://blog.rapid7.com/2019/11/05/unlocking-the-power-of-the-insightidr-threat-api-part-2/

Things you will need:

  1. A Recorded Future license to get your Recorded Future API key.
    (You can get your API key by going to your User Settings > API Access)
  2. An IDR license and your Insight Platform API key.
    https://docs.rapid7.com/insight/managing-platform-api-keys/#api-keys-based-on-your-insight-account-role
  3. A custom threat feed in IDR, along with the feed’s key.
    https://docs.rapid7.com/insightidr/threats/#threat-apis
  4. A Windows computer to run the PowerShell script.

The script will download the IOC CSV lists to the hard drive, format them, extract the IOCs only and upload them to the target threat feed in IDR.

Anyhow, here’s the script:
https://gist.github.com/flegorreta-r7/07c2885de5d2f5738b266dcefaa86788

Once you have it, simply open the script (I recommend PowerShell ISE) and edit the following lines:

  1. Line 37 - Set your Recorded Future API key
  2. Line 46 - Set your IDR Threat Feed key
  3. Line 51 - Set your Insight Platform API key

Done! Now you can run the script and watch your IDR getting empowered by IOCs from Recorded Future.
NOTE: The script is configured with URLs to download ALL IOCs from Recorded Future, but you can actually customize it for specific lists. The script also uses the “replace” API call for IDR, which will replace all IOCs in the IDR threat feed every time you run it.
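Because "replace" overwrites the whole feed, a failed or empty download would silently empty it. The following is an added illustration (not the gist's code) of the download, extract and replace steps with a guard against that case; it assumes the Recorded Future risklist CSV carries the indicator in a "Name" column and a numeric "Risk" column, that Recorded Future authenticates with an X-RFToken header, and that the IDR endpoint, X-Api-Key header and body field names match the replaceIndicators documentation linked below. The optional minimum-risk filter goes beyond the "download ALL IOCs" setup described above.

```powershell
# Added example, not the script from the gist. Endpoint shapes, header names and
# CSV column names are assumptions to be checked against the linked API docs.
$RfApiKey      = '<RECORDED-FUTURE-API-KEY>'
$IdrThreatKey  = '<IDR-THREAT-FEED-KEY>'
$InsightApiKey = '<INSIGHT-PLATFORM-API-KEY>'
$IdrRegion     = 'us'   # region prefix of your Insight Platform account

# Recorded Future entity type -> field name in the IDR replace request body
$Categories = @{ ip = 'ips'; domain = 'domain_names'; hash = 'hashes'; url = 'urls' }

function Get-RiskListIndicators {
    param([string]$Type, [int]$MinRisk = 0)
    # Download the default risklist for one entity type as CSV (Splunk-style header row).
    $uri  = "https://api.recordedfuture.com/v2/$Type/risklist?format=csv/splunk"
    $resp = Invoke-WebRequest -Uri $uri -Headers @{ 'X-RFToken' = $RfApiKey } -UseBasicParsing
    # Keep only the indicator value; drop entries below the risk threshold and duplicates.
    $resp.Content | ConvertFrom-Csv |
        Where-Object { [int]$_.Risk -ge $MinRisk } |
        Select-Object -ExpandProperty Name |
        Sort-Object -Unique
}

# Build the replace body only after every category downloaded successfully.
$body = @{}
foreach ($type in $Categories.Keys) {
    $list = @(Get-RiskListIndicators -Type $type -MinRisk 65)
    if ($list.Count -eq 0) {
        # "replace" wipes the feed: never push an empty category over a download problem.
        throw "Recorded Future returned no $type indicators; aborting replace."
    }
    $body[$Categories[$type]] = $list
    Write-Host ("{0}: {1} indicators" -f $type, $list.Count)
}

$replaceUri = "https://$IdrRegion.api.insight.rapid7.com/idr/v1/customthreats/key/$IdrThreatKey/indicators/replace?format=json"
Invoke-RestMethod -Method Post -Uri $replaceUri `
    -Headers @{ 'X-Api-Key' = $InsightApiKey; 'Content-Type' = 'application/json' } `
    -Body ($body | ConvertTo-Json -Depth 3)
```

Lower or remove the -MinRisk value to mirror the "ALL IOCs" behaviour of the original script.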

Additional resources:
https://api.recordedfuture.com/v2/
https://help.rapid7.com/insightidr/en-us/api/v1/docs.html#operation/replaceIndicators

Happy scripting!
