Fusion Use Case: Operationalizing Threat Indicators

April 26, 2018 • Karen Kiffney

In our last blog post, we talked about a strategic use case for the new analyst notes feature in Recorded Future Fusion. In this post, we are going to describe an operational use case for the exact same feature. Analyst notes are a new feature in Recorded Future Fusion that enables customers to add their own internal notes and analysis directly in the Recorded Future solution.

In this operational use case, the notes feature is used to capture the verdict and reasoning from research and investigations. Once the analyst has included all of the details in Recorded Future, the system automatically “reads” the notes and identifies the related entities, including indicators of compromise and artifacts. Once the note is indexed, it is integrated into the Recorded Future solution and appears in the corresponding Intel Cards for any of the identified indicators. Lastly, the indicators can be tagged directly in the system to be added to risk lists (a block list, for example). This way, when the block list is exported from Recorded Future, the newly validated indicators will be included automatically.

Operationalizing Indicators

In this example, analyst notes are used to streamline the process from research, to verdict, to integration in customized risk lists. This single process works to ensure that nothing gets “lost,” and that the full value of the research and investigation is realized and integrated into security processes.

In this blog series, we’ve covered four main use cases for Recorded Future Fusion, but the possibilities are nearly endless. From time to time, we’ll come back with new use cases from our customers.