Previous

Next

Recorded Future Dashboard Intro

Recorded Future Playbook Alert Widgets

Recorded Future Threat Intel Widgets

Recorded Future Classic Alert Widgets

Overview

The Recorded Future integration for Datadog enriches your security monitoring with real-time threat intelligence and actionable context. This integration connects Datadog with Recorded Future’s threat intelligence platform to automatically pull and analyze key indicators including IPs, hashes, and domains from Recorded Future Risk Lists.

Datadog ingests the top 100K threats from each category, enabling deeper visibility into potential risks within your environment. You can correlate this data with logs, metrics, and Cloud SIEM alerts to identify and respond to malicious activity faster.

This integration includes:

• Threat Intelligence Feeds: Import IP, hash, and domain risk lists directly into Datadog for continuous enrichment.
• Log Integrations: Capture and analyze Recorded Future Classic and Playbook alerts in Datadog.
• Cloud SIEM Correlation: Combine Recorded Future intelligence with Datadog logs to detect and prioritize threats.

For more details on Recorded Future’s API, see the Recorded Future API documentation.

Setup

Prerequisites

• You must be an Enterprise Admin in Recorded Future to create an API token.
• Datadog collects logs from:
  • Playbook Alert Logs API
  • Classic Alert Logs
• Datadog collects Threat Intelligence data from the following sources:
  • IP Address Risk List
  • Hash Risk List
  • Domain Risk List
• Required API scopes and permissions depend on the modules you enable when creating your API token. Refer to the Entitlements by Modules section in Recorded Future’s documentation to confirm which modules are needed for your use case (e.g., Threat Intelligence, Third-Party Intelligence).

Setup

1. Follow Recorded Future’s Setup Guide to create an API Token.
2. Paste the Recorded Future API Token in the Datadog Configuration Table.

Next Steps

• Classic Alert and Playbook Alert logs are crawled at 15-minute intervals. Upon installation, the integration backfills alerts from the previous hour.
• Threat Intelligence data is crawled daily. We consume the top 100K risks for each category with a Recorded Future risk score of >65.

Uninstallation

To uninstall the Recorded Future integration:

1. In Datadog, navigate to Integrations, select the Recorded Future tile, and click Uninstall Integration.
2. Delete all associated Recorded Future accounts in Datadog.
3. Out-of-the-box (OOTB) assets are automatically removed.
4. If you cloned or customized any assets, delete those manually.

Once this integration has been uninstalled, any previous authorizations are revoked. Additionally, ensure that all API keys associated with this integration have been disabled by searching for “Recorded Future” on the API Keys page.

Support

Need help? For permission issues or licensing requirements, reach out to Recorded Future.

For configuration or integration errors, contact Datadog support.