How To Automate Recorded Future With Torq

One of the superpowers of the Torq Hyperautomation platform is the ability to integrate with anything. We team up with leading security vendors to combine forces to create automations that make SOC analysts’ lives easier while also improving their organizations’ security posture.  

In this post, we’ll talk about how to automate Recorded Future using the enterprise-grade Torq Hyperautomation platform to level up how your organization collects, processes, analyzes, and disseminates threat intelligence.

Here are the top four Torq and Recorded Future automations:

Analyze URLs and Files in Recorded Future Sandbox

In three simple steps, this workflow submits URLs to Recorded Future Sandbox for analysis.

  1. URLs in the urls_list are submitted as URLs and are analyzed as a website.
  2. URLs in the files_url_list are downloaded and analyzed as a file in the sandbox.
  3. Both lists are verified to have valid URLs here submitted to analysis, other values are removed

Boom! It’s that simple to use Torq and Recorded Future to analyze URLs and files in the sandbox. 

Enrich Hashes, CVEs and IP Addresses with Recorded Future

The focus of this automation is for users to receive a message with one or more CVEs, SHA256 hashes, or suspicious IP addresses from Slack and enrich the data with Recorded Future.

The first step is receiving a Slack message that extracts all indicators of compromise (IoCs). Then, it confirms the extracted IoCs with the requesting user. If provided in the event, the CVE detail is enriched and the Slack thread is replied to. The same is done for hash details and IP details if they’re provided in the event. 

The results are then sent to the Slack thread where the request originated.

Monitor an Outlook Mailbox for Phishing With Recorded Future

Thwart phishing attempts by cutting them off at the pass!

With this workflow you can automatically scan the messages arriving to a specific folder in Outlook with Recorded Future and Recorded Future Sandbox to look for malicious or suspicious URLs and files. The workflow looks for messages in the folder labeled “Not-Scanned” and uses Microsoft 365 Delegated access for easy setup on a mailbox.

The message headers will also be extracted and the public IP addresses that are not domains will be looked up for a verdict in Recorded Future. 

After that, the workflow will also attempt to look for additional attachments at the top level of the message that are included and scan them – nested file attachments will not be scanned.

When results are found in either Recorded Future or Recorded Future Sandbox, the label on the email will be updated to indicate either Torq Investigated, Suspicious, Malicious, and/or Phishing (this workflow automatically creates the necessary labels in the mailbox if they do not exist). Then an email is sent back to the originator of the message with the findings.

TIP: Setup an Outlook rule that moves messages into the scan folder and sets the Not-Scanned category on the message.

Detect Impossible Travels In Okta Logins

This workflow analyzes users’ successful logins from different locations within a three-hour timeframe. If the end user does not accept ownership of a login, account hijacking is suspected and can be remediated by resetting that user’s password. When the password is reset, the user will receive a link by email to create a new password.

This workflow triggers only on successful logins and maintains the user’s login history using global variables. It obtains the geolocation of the source IP and compares it with the geolocation of the last login to find the distance between the two locations.

It can use VirusTotal and Recorded Future to enrich the source IP reputation. 

Those are just four of the myriad integrations Torq offers with Recorded Future to improve how your organization collects, processes, analyzes, and disseminates threat intelligence.

Ready to see Torq in action? Click here to get a demo.