Recorded Future
App Vendor: Recorded Future
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.1.0
API Version: 2.0.0
About App
Recorded Future is a global real-time cyber threat intelligence provider, to dynamically categorize, link, and analyze intelligence in real-time and deliver easy-to-consume insights for proactively reducing risk. The Recorded Future app allows security teams to integrate with the Recorded Future enterprise application to search for threats and lookup endpoints.
The Recorded Future app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
|---|---|
Domain Lookup | This action looks up threat intel information for a domain. |
Hash Lookup | This action looks up threat intel for a hash. |
IP Address Lookup | This action looks up threat intel for an IP address. |
URL Lookup | This action looks up threat intel for a URL. |
IOC Lookup - SOAR | This action looks up multiple IOCs including IP addresses, URLs, domains, hashes, and vulnerabilities. |
Search Alert Rules | This action searches alert rules using free text. |
Search Alert Notification | This action searches alert notifications to get details such as assignee, note author, status, and so on. |
Search Alert by ID | This action searches an alert by unique ID. |
Search entity lists | This action searches the entity list with free text. |
Search entity list by ID | This action searches the entity list with the unique ID. |
Search Malware | This action searches for malware. |
Triage IOCs | This action is used to triage multiple IOCs and set the threshold value. |
Lookup risk context | This action looks up the risk context and retrieves a list of all context names. |
Search Vulnerability | This action searches for a vulnerability. |
Credentials Lookup | This action looks up credential data for a set of subjects. |
Credentials Search | This action searches credential data for a set of domains. |
Entity Match | This action finds the entity ID based on the entity name. |
Generic Action | This is a generic action to perform any additional use case on Recorded Future. |
Get Malware Statistics | This action returns malware family statistics. |
Incident Report | This action provides an exposure incident report for a single malware log. |
Password Lookup | This action looks up passwords for exposure. |
Search Dump Metadata | This action searches dump metadata for given names. |
Configuration Parameters
The following configuration parameters are required for the Recorded Future app to communicate with the Recorded Future enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
API Token | Enter the API token. | Password | Required |
Action: Domain Lookup
This action looks up threat intel information for a domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Domain | Enter the domain. | Text | Required | |
Metadata | Optional preference to add metadata to the response. | Boolean | Optional | Allowed values:
Default value: false |
Action: IP Address Lookup
This action looks up threat intel for an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP Address | Enter the IP address. | Text | Required | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Action: URL Lookup
This action looks up threat intel for a URL.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
URL | Enter the URL. | Text | Required | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Action: IOC Lookup - SOAR
This action looks up multiple IOCs including IP addresses, URLs, domains, hashes, and vulnerabilities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP Address | Enter the IP addresses in a list. | List | Optional | |
URL | Enter the URLs in a list. | List | Optional | |
Domain | Enter the domains in a list. | List | Optional | |
Hash | Enter the hashes in a list. | List | Optional | |
Vulnerability | Enter the vulnerabilities in a list. | List | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Action: Search Alert Rules
This action searches alert rules using free text.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Free Text | Enter the free text. | Text | Optional | |
Limit | Enter the limit of results to return. | Integer | Optional |
Action: Search Alert Notification
This action searches alert notifications to get details such as assignee, note author, status, and so on.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Free Text | Enter the free text. | Text | Optional | |
Limit | Enter the limit of results to return. | Integer | Optional | |
Additional Parameters | Enter the additional parameters. | Key Value | Optional |
Action: Search Alert by ID
This action searches an alert by unique ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Unique ID | Enter the unique ID. | Text | Required |
Action: Search Entity Lists
This action searches the entity list with free text.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Free Text | Enter the free text. | Text | Optional | |
Limit | Enter the limit. | Integer | Optional | Default value: 10 |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Action: Search Entity List by ID
This action searches the entity list with the unique ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Unique ID | Enter the unique ID for the entity list. | Text | Required |
Action: Search Malware
This action searches for malware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Free Text | Enter the free text to search the malware information. | Text | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Action: Triage IOCs
This action is used to triage multiple IOCs and set the threshold value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Context Name | Enter the context name to determine a verdict. | Text | Required | |
Threshold Value | Enter the threshold value to determinate the verdict. | Integer | Optional | |
IP Address | Enter the IP addresses in a list. | List | Optional | |
URL | Enter the URLs in a list. | List | Optional | |
Domain | Enter the domains in a list. | List | Optional | |
Hash | Enter the hashes in a list. | List | Optional | Allowed values:
|
Vulnerability | Enter the vulnerabilities in a list. | List | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Additional Parameters | Enter the additional parameters. | Key Value | Optional |
Action: Lookup Risk Context
This action looks up the risk context and retrieves a list of all context names.
Action Input Parameters
This action does not require any input parameter.
Action: Search Vulnerability
This action searches for a vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Free Text | Enter the free text value. | Text | Optional | |
Meta data | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Limit | Enter the limit for the number of results. | Integer | Optional | Default value: 10 |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed values:
|
Action: Credentials Lookup
This action is used to lookup credential data for a set of subjects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Subjects | Enter the list of subjects. | List | Optional | |
Filter | Enter the filters in json format. available keys: malware_families, authorization_protocols, username_properties | Any | Optional | |
Organization id | Enter the organization id. | Text | Optional | |
Extra data | Enter additional data to be added in the payload json. | Any | Optional |
Example Request
Action: Credentials Search
This action is used to search credential data for a set of domains.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Domains | Enter the list of domains. | List | Optional | |
Filter | Enter the filters in json format. available keys: malware_families, authorization_protocols, username_properties | Any | Optional | |
Offset | Enter the offset. | Text | Optional | |
Limit | Specify the maximum number of results to return. | Integer | Optional | |
Organization id | Enter the organization id. | Text | Optional |
Example Request
Action: Entity Match
This action is used to find the entity id based on the entity name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Name | Enter the entity name. | Text | Required | |
Type | Enter the entity type. | List | Optional | |
Limit | Enter the limit. default 10. | Integer | Optional |
Example Request
Action: Generic Action
This is a generic action to perform any additional use case that you want on recorded future.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Version | Enter the version. available: v1,v2 | Text | Required | |
Endpoint | Enter the endpoint. example: /identity/metadata/dump/search | Text | Required | |
Method | Enter the method. example: get, post, patch, delete | Text | Required | |
Payload json | Enter the payload json. example: {'format': 'json'} | Key Value | Optional | |
Query params | Enter the query params. example: {'format': 'json'} | Key Value | Optional | |
Headers | Enter the header. ex: {'content-type':'application/json'} | Key Value | Optional |
Example Request
Action: Get Malware Statistics
This action is used to return malware family statistics.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Limit | Specify the maximum number of results to return. default: 10 | Integer | Optional |
Example Request
Action: Hash lookup
This action looks up threat intel for a hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Hash | Enter the hash value. | Text | Required | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Allowed values:
Default value: false |
Action: Incident Report
This action provides an exposure incident report for a single malware log.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Source Malware Log | Enter the malware log to retrieve the data. | Text | Required |
Action: Search Dump Metadata
This action searches dump metadata for given names.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Names | Enter the list of names. | List | Required |
|
Limit | Specify the maximum number of results to return. | Integer | Optional | Default value: 10 |
Action: Password Lookup
This action looks up passwords for exposure.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Hash Type | Enter the hash type. Example:
| Text | Required |
|
Hash Value | Enter the hash value. Example: "7c33e832cb0eb2610c8d3bf603bde1e986c6ea7d" | Text | Required |
|