Connectors Reference

Recorded Future

The Recorded Future Connector enables access to Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and Related Entities), Vulnerabilities, and Recorded Future Alerts, and enables access to the Recorded Future SOAR API and Fusion Files.

 

Status: Preview

Tier: Premium

Version: 1.0

 

Actions:

| Name | Summary |
| --- | --- |
| IP_E (string ip, [internal]string fields) | IP Enrichment |
| IP_E_E (string ip, string extension) | IP Extension Enrichment |
| R_List_D (string path) | Recorded Future RiskLists and SCF Download |
| D_E (string domain, [internal]string fields) | Domain Enrichment |
| D_E_E (string domain, string extension) | Domain Extension Enrichment |
| U_E (string url, [internal]string fields) | URL Enrichment |
| U_E_E (string url, string extension) | URL Extension Enrichment |
| H_E (string hash, [internal]string fields) | Hash Enrichment |
| H_E_E (string hash, string extension) | Hash Extension Enrichment |
| Vuln_E (string id, [internal]string fields) | Vulnerability Enrichment |
| Vuln_E_E (string id, string extension) | Vulnerability Extension Enrichment |
| Alert_Rules_Search ([advanced][Optional]string freetext, [advanced][Optional]integer limit) | Search Alert Rules |
| Alert_Not_Search ([advanced][Optional]string triggered, string alertRule, [advanced][Optional]integer limit, [advanced][Optional]integer from) | Search Alert Notifications |
| Alert_Not_Lookup (string id) | Lookup Alert Notification |
| Soar_Bulk_Lookup ([Optional]Soar_Bulk_LookupParameterBody body) | SOAR API - Look up multiple entities |

 

Triggers:

| Name | Summary |
| --- | --- |

 

Objects:

| Name | Summary |
| --- | --- |
| Alert_Not_LookupResponse | |
| Alert_Rules_SearchResponse | |
| D_EResponse | |
| D_E_EResponse | |
| H_EResponse | |
| H_E_EResponse | |
| IP_EResponse | |
| IP_E_EResponse | |
| R_List_DResponse | |
| Soar_Bulk_LookupParameterBody | |
| U_EResponse | |
| U_E_EResponse | |
| Vuln_EResponse | |
| Vuln_E_EResponse | |

 

 

Actions:

IP_E

Summary: IP Enrichment

Description: IP Enrichment with Recorded Future data

 

Syntax:

RecordedFuture.IP_E (string ip, [internal]string fields)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| ip | string | (IP input) The IP address to look up. Must be a single IP address | True | |
| fields | string | | True | |

 

Returns:

          Type:IP_EResponse

 

IP_E_E

Summary: IP Extension Enrichment

Description: IP Enrichment with Recorded Future Extension Partner data

 

Syntax:

RecordedFuture.IP_E_E (string ip, string extension)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| ip | string | (Input IP) The IP address to look up. Must be a single IP address | True | |
| extension | string | (Extension to call) Values: [Censys, GreyNoiseIntelligence, SentinelOne, alienvault, cisco_umbrella, deepsight_extension, domaintools_iris, dragos, dt, facebookte, farsight, isight, multirbl, nucleon, panw, phishme, reversinglabs, riskiq, servicenow_poc, shodan, virustotal, xforce] Extension to call | True | |

 

Returns:

          Type:IP_E_EResponse

 

R_List_D

Summary: Recorded Future RiskLists and SCF Download

Description: Recorded Future RiskList & Security Control Feeds Download

 

Syntax:

RecordedFuture.R_List_D (string path)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| path | string | (Path to file) Values: [/public/MicrosoftAzure/ip_default.json, /public/MicrosoftAzure/ip_gt_90.json, /public/MicrosoftAzure/ip_active_c2.json, /public/MicrosoftAzure/ip_current_c2.json, /public/MicrosoftAzure/ip_botnet.json, /public/MicrosoftAzure/ip_insikt.json, /public/MicrosoftAzure/ip_phishing.json, /public/MicrosoftAzure/domain_default.json, /public/MicrosoftAzure/domain_gt_90.json, /public/MicrosoftAzure/domain_c2_dns.json, /public/MicrosoftAzure/domain_ransomware_payment.json, /public/MicrosoftAzure/domain_recent_weaponized.json, /public/MicrosoftAzure/domain_insikt.json, /public/MicrosoftAzure/domain_covid_lure.json, /public/MicrosoftAzure/domain_phishing.json, /public/MicrosoftAzure/url_gt_90.json, /public/MicrosoftAzure/url_c2.json, /public/MicrosoftAzure/url_ransomware_distribution.json, /public/MicrosoftAzure/url_compromised.json, /public/MicrosoftAzure/url_insikt.json, /public/MicrosoftAzure/url_malware_verdict.json, /public/MicrosoftAzure/hash_targeting_vulns.json, /public/MicrosoftAzure/hash_observed_testing.json, /public/MicrosoftAzure/hash_malware_ssl.json, /public/MicrosoftAzure/vuln_default.json, /public/MicrosoftAzure/vuln_gt_90.json, /public/MicrosoftAzure/vuln_recent_active_malware.json, /public/MicrosoftAzure/vuln_recent_exploit_kit.json, /public/MicrosoftAzure/vuln_recent_ransomware.json, /public/MicrosoftAzure/vuln_recent_rat.json, /public/MicrosoftAzure/vuln_recent_poc_remote.json, /public/MicrosoftAzure/vuln_recent_exploit_dev_itw.json, /public/MicrosoftAzure/vuln_exploited_itw_malware.json, /public/MicrosoftAzure/vuln_critical_cyber_signal.json, /public/prevent/c2_communicating_ips.json, /public/prevent/weaponized_domains.json, /public/prevent/weaponized_urls.json] Path to file | True | |

 

Returns:

          Type:R_List_DResponse

 

D_E

Summary: Domain Enrichment

Description: Domain Enrichment with Recorded Future data

 

Syntax:

RecordedFuture.D_E (string domain, [internal]string fields)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| domain | string | (Domain input) The domain to look up. Must be a single domain | True | |
| fields | string | | True | |

 

Returns:

          Type:D_EResponse

 

D_E_E

Summary: Domain Extension Enrichment

Description: Domain Enrichment with Recorded Future Extension Partner data

 

Syntax:

RecordedFuture.D_E_E (string domain, string extension)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| domain | string | (Domain input) The domain to look up. Must be a single domain | True | |
| extension | string | (Extension to call) Values: [Censys, alienvault, cisco_umbrella, deepsight_extension, domaintools_iris, dragos, dt, facebookte, farsight, isight, phishme, report_website, reversinglabs, riskiq, servicenow_poc, shodan, virustotal, xforce] Extension to call | True | |

 

Returns:

          Type:D_E_EResponse

 

U_E

Summary: URL Enrichment

Description: URL Enrichment with Recorded Future data

 

Syntax:

RecordedFuture.U_E (string url, [internal]string fields)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| url | string | (URL input) The URL to look up. Must be a single URL | True | |
| fields | string | | True | |

 

Returns:

          Type:U_EResponse

 

U_E_E

Summary: URL Extension Enrichment

Description: URL Enrichment with Recorded Future Extension Partner data

 

Syntax:

RecordedFuture.U_E_E (string url, string extension)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| url | string | (URL input) The URL to look up. Must be a single URL | True | |
| extension | string | (Extension to call) Values: [alienvault, deepsight_extension, facebookte, phishme, report_website, servicenow_poc, shodan] Extension to call | True | |

 

Returns:

          Type:U_E_EResponse

 

H_E

Summary: Hash Enrichment

Description: Hash Enrichment with Recorded Future data

 

Syntax:

RecordedFuture.H_E (string hash, [internal]string fields)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| hash | string | (HASH input) The HASH to look up. Must be a single HASH | True | |
| fields | string | | True | |

 

Returns:

          Type:H_EResponse

 

H_E_E

Summary: Hash Extension Enrichment

Description: Hash Enrichment with Recorded Future Extension Partner data

 

Syntax:

RecordedFuture.H_E_E (string hash, string extension)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| hash | string | (HASH input) The HASH to look up. Must be a single HASH | True | |
| extension | string | (Extension to call) Values: [Censys, SentinelOne, active_reversinglabs, alienvault, cisco_umbrella, deepsight_extension, dragos, facebookte, pan_autofocus, phishme, reversinglabs, servicenow_poc, virustotal, xforce] Extension to call | True | |

 

Returns:

          Type:H_E_EResponse

 

Vuln_E

Summary: Vulnerability Enrichment

Description: Vulnerability Enrichment with Recorded Future data

 

Syntax:

RecordedFuture.Vuln_E (string id, [internal]string fields)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| id | string | (Vulnerability ID (CVE, name) input) The Vulnerability ID (CVE, name) to look up. Must be a single Vulnerability ID (CVE, name) | True | |
| fields | string | | True | |

 

Returns:

          Type:Vuln_EResponse

 

Vuln_E_E

Summary: Vulnerability Extension Enrichment

Description: Vulnerability Enrichment with Recorded Future Extension Partner data

 

Syntax:

RecordedFuture.Vuln_E_E (string id, string extension)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| id | string | (Vulnerability ID (CVE, name) input) The Vulnerability ID (CVE, name) to look up. Must be a single Vulnerability ID (CVE, name) | True | |
| extension | string | (Extension to call) Values: [RBS, alienvault, bit_sight, facebookte, reversinglabs, shodan, xforce] Extension to call | True | |

 

Returns:

          Type:Vuln_E_EResponse

 

Alert_Rules_Search

Summary: Search Alert Rules

Description: Search Recorded Future UI Alert Rules

 

Syntax:

RecordedFuture.Alert_Rules_Search ([advanced][Optional]string freetext, [advanced][Optional]integer limit)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| freetext | string | (Freetext search) Freetext search for Alert Rule Name | False | |
| limit | integer | (Maximum number of records) Maximum number of records | False | |

 

Returns:

          Type:Alert_Rules_SearchResponse

 

Alert_Not_Search

Summary: Search Alert Notifications

Description: Search Alert Notifications

 

Syntax:

RecordedFuture.Alert_Not_Search ([advanced][Optional]string triggered, string alertRule, [advanced][Optional]integer limit, [advanced][Optional]integer from)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| triggered | string | (Triggered) All Elasticsearch compatible date formats are valid. | False | |
| alertRule | string | (Alert Rule ID) Alert Rule ID | True | |
| limit | integer | (Maximum number of records) Maximum number of records | False | |
| from | integer | (Records from offset) Records from offset | False | |

 

Returns:

          Type:string

 

Alert_Not_Lookup

Summary: Lookup Alert Notification

Description: Lookup Alert Notification

 

Syntax:

RecordedFuture.Alert_Not_Lookup (string id)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| id | string | (Alert Notification ID) Alert Notification ID | True | |

 

Returns:

          Type:Alert_Not_LookupResponse

 

Soar_Bulk_Lookup

Summary: SOAR API - Look up multiple entities

Description: SOAR API - Look up multiple entities (Specific Access is Required)

 

Syntax:

RecordedFuture.Soar_Bulk_Lookup ([Optional]Soar_Bulk_LookupParameterBody body)

 

Parameters:

| Name | Type | Summary | Required | Related Action |
| --- | --- | --- | --- | --- |
| body | Soar_Bulk_LookupParameterBody | | False | |

 

Returns:

          Type:string

 


 

Alert_Not_LookupResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |


 

Alert_Rules_SearchResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| data | Data | data |
| counts | Counts | counts |

 

Data

Summary:

Description: data

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| results | array of (ResultsItem) | results |

 

ResultsItem

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| title | string | title |
| id | string | id |

 

Counts

Summary:

Description: counts

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| returned | integer(int32) | returned |
| total | integer(int32) | total |

 


 

D_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| data | Data | data |

 

Data

Summary:

Description: data

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| intelCard | string | Recorded Future Intelligence Card Link |
| risk | Risk | risk |

 

Risk

Summary:

Description: risk

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | integer(int32) | Recorded Future Indicator Risk Score |
| evidenceDetails | array of (EvidenceDetailsItem) | evidenceDetails |
| riskString | string | riskString |
| rules | integer(int32) | rules |
| criticality | integer(int32) | criticality |
| riskSummary | string | Recorded Future Risk Rules Summary |

 

EvidenceDetailsItem

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| mitigationString | string | mitigationString |
| timestamp | string | timestamp |
| criticalityLabel | string | criticalityLabel |
| evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | string | Recorded Future Indicator Risk Rules |
| criticality | integer(int32) | criticality |

 


 

D_E_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |


 

H_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| data | Data | data |

 

Data

Summary:

Description: data

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| intelCard | string | Recorded Future Intelligence Card Link |
| risk | Risk | risk |

 

Risk

Summary:

Description: risk

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | integer(int32) | Recorded Future Indicator Risk Score |
| evidenceDetails | array of (EvidenceDetailsItem) | evidenceDetails |
| riskString | string | riskString |
| rules | integer(int32) | rules |
| criticality | integer(int32) | criticality |
| riskSummary | string | Recorded Future Risk Rules Summary |

 

EvidenceDetailsItem

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| mitigationString | string | mitigationString |
| timestamp | string | timestamp |
| criticalityLabel | string | criticalityLabel |
| evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | string | Recorded Future Indicator Risk Rules |
| criticality | integer(int32) | criticality |

 


 

H_E_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |


 

IP_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| data | Data | data |

 

Data

Summary:

Description: data

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| intelCard | string | Recorded Future Intelligence Card Link |
| risk | Risk | risk |

 

Risk

Summary:

Description: risk

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | integer(int32) | Recorded Future Indicator Risk Score |
| evidenceDetails | array of (EvidenceDetailsItem) | evidenceDetails |
| riskString | string | riskString |
| rules | integer(int32) | rules |
| criticality | integer(int32) | criticality |
| riskSummary | string | Recorded Future Risk Rules Summary |

 

EvidenceDetailsItem

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| mitigationString | string | mitigationString |
| timestamp | string | timestamp |
| criticalityLabel | string | criticalityLabel |
| evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | string | Recorded Future Indicator Risk Rules |
| criticality | integer(int32) | criticality |

 


 

IP_E_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |


 

R_List_DResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |


 

Soar_Bulk_LookupParameterBody

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| ip | array of (string) | ip |
| url | array of (string) | url |
| domain | array of (string) | domain |
| hash | array of (string) | hash |
| vulnerability | array of (string) | vulnerability |


 

U_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| data | Data | data |

 

Data

Summary:

Description: data

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| risk | Risk | risk |

 

Risk

Summary:

Description: risk

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | integer(int32) | Recorded Future Indicator Risk Score |
| evidenceDetails | array of (EvidenceDetailsItem) | evidenceDetails |
| riskString | string | riskString |
| rules | integer(int32) | rules |
| criticality | integer(int32) | criticality |
| riskSummary | string | Recorded Future Risk Rules Summary |

 

EvidenceDetailsItem

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| mitigationString | string | mitigationString |
| timestamp | string | timestamp |
| criticalityLabel | string | criticalityLabel |
| evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | string | Recorded Future Indicator Risk Rules |
| criticality | integer(int32) | criticality |

 


 

U_E_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |


 

Vuln_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| data | Data | data |

 

Data

Summary:

Description: data

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| intelCard | string | Recorded Future Intelligence Card Link |
| risk | Risk | risk |

 

Risk

Summary:

Description: risk

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| criticalityLabel | string | Recorded Future Vulnerability Criticality Level |
| score | integer(int32) | Recorded Future Vulnerability Risk Score |
| evidenceDetails | array of (EvidenceDetailsItem) | evidenceDetails |
| riskString | string | riskString |
| rules | integer(int32) | rules |
| criticality | integer(int32) | criticality |
| riskSummary | string | Recorded Future Risk Rules Summary |

 

EvidenceDetailsItem

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |
| mitigationString | string | mitigationString |
| timestamp | string | timestamp |
| criticalityLabel | string | criticalityLabel |
| evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | string | Recorded Future Vulnerability Risk Rules |
| criticality | integer(int32) | criticality |

 


 

Vuln_E_EResponse

Summary:

Description:

 

          Properties:

| Name | Type | Summary |
| --- | --- | --- |