Recorded Future Cyber Threat Intelligence Project
Project Overview
The Recorded Future Cyber Threat Intelligence Project focused on designing a threat intelligence-driven security architecture for a simulated multi-site hospitality organization based on a realistic enterprise environment. The project emphasized improving security visibility, investigation efficiency, and operational response workflows through the integration of Microsoft Sentinel, SentinelOne, Entra ID, ServiceNow, Tines SOAR, and Recorded Future threat intelligence capabilities.
The assessment involved analyzing a real-world organization’s existing security posture, identifying operational gaps, documenting current-state and future-state security architectures, recommending intelligence-driven integrations, and developing practical use cases aligned with the organization’s workflows and threat landscape.
In addition to creating detailed security architecture diagrams and operational data flows, I authored a comprehensive technical report and delivered a formal stakeholder presentation outlining the proposed security improvements, threat intelligence integrations, operational workflows, and automation use cases.
Project Scope
The scope of this project focused on evaluating and improving the security operations architecture of a simulated hospitality organization operating across multiple hotel properties and a centralized corporate office. The environment utilized Microsoft Sentinel for SIEM operations, SentinelOne for endpoint detection and response, Microsoft Entra ID for identity management, ServiceNow for ticketing and incident management, and Tines for security automation workflows.
The project centered on identifying operational and intelligence gaps related to phishing, identity compromise, ransomware, malware delivery, suspicious authentication activity, and the misuse of legitimate credentials. Particular attention was placed on how external threat intelligence could be integrated into existing workflows to improve investigation quality, alert prioritization, operational efficiency, and incident response consistency.
To support the assessment, I designed current-state and future-state security architecture diagrams, developed integration recommendations for multiple security platforms, and created intelligence-driven automation use cases utilizing Recorded Future APIs and Tines SOAR workflows.
Objectives
The primary objectives of this project were as follows:
- Assess the Existing Security Environment: Evaluate the organization’s current operational workflows, technologies, and security architecture.
- Identify Operational and Intelligence Gaps: Determine areas where visibility, prioritization, automation, and threat intelligence integration could be improved.
- Design a Future-State Security Architecture: Develop a practical security architecture that strengthens detection, investigation, and response capabilities without disrupting existing workflows.
- Develop Threat Intelligence Integrations: Recommend integrations between Recorded Future and platforms including SentinelOne, ServiceNow, and Microsoft Entra ID.
- Create Practical Security Use Cases: Build intelligence-driven workflows and automation use cases utilizing Tines SOAR and Recorded Future APIs.
- Design Security Data Flow Diagrams: Create visual representations of current-state and future-state operational workflows and security data flows.
- Develop Technical Documentation and Presentation Materials: Produce a comprehensive technical report and stakeholder presentation outlining findings, recommendations, integrations, and operational improvements.
Tools Used
To effectively complete the assessment and design the proposed security architecture, I utilized the following technologies, platforms, and frameworks throughout the project:
- Microsoft Sentinel: Used as the primary SIEM platform for centralized log collection, security monitoring, and alert visibility.
- SentinelOne: Utilized as the organization’s endpoint detection and response (EDR/XDR) platform.
- Microsoft Entra ID: Used for identity and access management, authentication monitoring, and identity-related security workflows.
- Recorded Future: Leveraged for external threat intelligence enrichment, risk scoring, and IOC intelligence capabilities.
- Tines SOAR: Used to develop automated IOC enrichment and ServiceNow ticket creation workflows.
- ServiceNow: Incorporated as the primary ticketing and incident management platform for operational workflows and escalation procedures.
- Recorded Future APIs: Utilized for automated threat intelligence lookups, IOC enrichment, and intelligence-driven workflow automation.
- Security Architecture Diagrams: Created to visualize operational workflows, integrations, data flows, and future-state security improvements.
Conclusion
The Recorded Future Cyber Threat Intelligence Project provided valuable experience designing intelligence-driven security operations within a realistic enterprise hospitality environment. By evaluating operational workflows, identifying intelligence gaps, and developing integration recommendations, the project demonstrated how external threat intelligence can improve visibility, prioritization, and response consistency without introducing unnecessary operational complexity.
Through the development of future-state security architectures, integration recommendations, and automation workflows, I gained practical experience aligning threat intelligence capabilities with existing enterprise security tools and operational processes. The project also reinforced the importance of reducing manual investigative effort while improving context-driven decision-making across security operations.
Overall, this project strengthened my understanding of threat intelligence integration, security architecture design, operational workflows, SIEM/SOAR automation, and enterprise security operations within distributed environments.
Personal Reflection
This project significantly expanded my understanding of how threat intelligence can be operationalized within real-world enterprise environments. Prior to this assessment, I primarily viewed threat intelligence as supporting information used during investigations. Through this project, I developed a much stronger understanding of how intelligence can directly improve operational workflows, investigation quality, prioritization, and proactive security decision-making.
One of the most valuable aspects of the project was designing integrations and workflows that connected multiple enterprise security platforms together, including Microsoft Sentinel, SentinelOne, Entra ID, ServiceNow, Tines SOAR, and Recorded Future. This experience helped me better understand the importance of visibility, workflow integration, and operational efficiency within modern security operations environments.
Additionally, creating the technical report, architecture diagrams, and stakeholder presentation improved my ability to communicate complex cybersecurity concepts in a structured and professional manner to both technical and non-technical audiences. Overall, this project strengthened both my technical and analytical cybersecurity skills while further reinforcing my passion for security operations, threat intelligence, and security architecture.