Recorded Future
App Vendor: Recorded Future
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.2.1
API Version: 2.0.0
About App
Recorded Future is a global real-time cyber threat intelligence provider that dynamically categorizes, links, and analyzes intelligence in real time and delivers easy-to-consume insights for proactively reducing risk. The Recorded Future app allows security teams to integrate with the Recorded Future enterprise application to search for threats and look up endpoints.
The Recorded Future app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Credentials Lookup | This action looks up credential data for a set of subjects. |
Credentials Search | This action searches credential data for a set of domains. |
Domain Lookup | This action looks up threat intel information for a domain. |
Entity Match | This action finds the entity ID based on the entity name. |
Get Malware Statistics | This action returns malware family statistics. |
Hash Lookup | This action looks up threat intel for a hash. |
Incident Report | This action provides an exposure incident report for a single malware log. |
IOC Lookup - SOAR | This action looks up multiple IOCs including IP addresses, URLs, domains, hashes, and vulnerabilities. |
IP Address Lookup | This action looks up threat intel for an IP address. |
Lookup risk context | This action looks up the risk context and retrieves a list of all context names. |
Password Lookup | This action looks up passwords for exposure. |
Search Alert by ID | This action searches an alert by unique ID. |
Search Alert Notification | This action searches alert notifications to get details such as assignee, note author, status, and so on. |
Search Alert Rules | This action searches alert rules using free text. |
Search Dump Metadata | This action searches dump metadata for given names. |
Search entity list by ID | This action searches the entity list with the unique ID. |
Search entity lists | This action searches the entity list with free text. |
Search Malware | This action searches for malware. |
Search Vulnerability | This action searches for a vulnerability. |
Triage IOCs | This action is used to triage multiple IOCs and set the threshold value. |
URL Lookup | This action looks up threat intel for a URL. |
Generic Action | This is a generic action to perform any additional use case on Recorded Future. |
Configuration Parameters
The following configuration parameters are required for the Recorded Future app to communicate with the Recorded Future enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Token | Enter the API token. | Password | Required | |
Verify | Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in incorrectly establishing the connection. | Boolean | Optional | By default, verification is not enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Recorded Future. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
Domain | Enter the domain value. | Text | Optional | |
Action: Credentials Lookup
This action is used to look up credential data for a set of subjects.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subjects | Enter the list of subjects. | List | Optional | |
Filter | Enter the filters in JSON format. | Any | Optional | Available keys: malware_families, authorization_protocols, username_properties |
Organization ID | Enter the organization ID. | Text | Optional | |
Extra Data | Enter additional data to be added in the payload JSON. | Any | Optional | |
Action: Credentials Search
This action is used to search credential data for a set of domains.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domains | Enter the list of domains. | List | Optional | |
Filter | Enter the filters in JSON format. | Any | Optional | Allowed keys: malware_families, authorization_protocols, username_properties |
Offset | Enter the offset value. | Text | Optional | |
Limit | Specify the maximum number of results to return. | Integer | Optional | |
Organization ID | Enter the organization ID. | Text | Optional | |
Action: Domain Lookup
This action looks up threat intel information for a domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain | Enter the domain. | Text | Required | |
Metadata | Optional preference to add metadata to the response. | Boolean | Optional | Default value: false |
Action: Entity Match
This action is used to find the entity ID based on the entity name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the entity name. | Text | Required | |
Type | Enter the entity type. | List | Optional | |
Limit | Enter the limit. | Integer | Optional | Default value: 10 |
Action: Get Malware Statistics
This action is used to return malware family statistics.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Specify the maximum number of results to return. | Integer | Optional | Default value: 10 |
Action: Hash lookup
This action looks up threat intel for a hash.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash | Enter the hash value. | Text | Required | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Action: Incident Report
This action provides an exposure incident report for a single malware log.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source Malware Log | Enter the malware log to retrieve the data. | Text | Required | |
Action: IOC Lookup - SOAR
This action looks up multiple IOCs including IP addresses, URLs, domains, hashes, and vulnerabilities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP addresses in a list. | List | Optional | |
URL | Enter the URLs in a list. | List | Optional | |
Domain | Enter the domains in a list. | List | Optional | |
Hash | Enter the hashes in a list. | List | Optional | |
Vulnerability | Enter the vulnerabilities in a list. | List | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Action: IP Address Lookup
This action looks up threat intel for an IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address. | Text | Required | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Action: Lookup Risk Context
This action looks up the risk context and retrieves a list of all context names.
Action Input Parameters
This action does not require any input parameter.
Action: Password Lookup
This action looks up passwords for exposure.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash Type | Enter the hash type. | Text | Required | |
Hash Value | Enter the hash value. Example: "7c33e832cb0eb2610c8d3bf603bde1e986c6ea7d" | Text | Required | |
Action: Search Alert by ID
This action searches an alert by unique ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Unique ID | Enter the unique ID. | Text | Required | |
Action: Search Alert Notification
This action searches alert notifications to get details such as assignee, note author, status, and so on.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Free Text | Enter the free text. | Text | Optional | |
Limit | Enter the limit of results to return. | Integer | Optional | |
Additional Parameters | Enter the additional parameters. | Key Value | Optional | |
Action: Search Alert Rules
This action searches alert rules using free text.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Free Text | Enter the free text. | Text | Optional | |
Limit | Enter the limit of results to return. | Integer | Optional | |
Action: Search Dump Metadata
This action searches dump metadata for given names.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Names | Enter the list of names. | List | Required | |
Limit | Specify the maximum number of results to return. | Integer | Optional | Default value: 10 |
Action: Search Entity List by ID
This action searches the entity list with the unique ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Unique ID | Enter the unique ID for the entity list. | Text | Required | |
Action: Search Entity Lists
This action searches the entity list with free text.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Free Text | Enter the free text. | Text | Optional | |
Limit | Enter the limit. | Integer | Optional | Default value: 10 |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Action: Search Malware
This action searches for malware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Free Text | Enter the free text to search the malware information. | Text | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Action: Search Vulnerability
This action searches for a vulnerability.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Free Text | Enter the free text value. | Text | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Limit | Enter the limit for the number of results. | Integer | Optional | Default value: 10 |
Extra Params | Enter the extra parameters. | Key Value | Optional | |
Action: Triage IOCs
This action is used to triage multiple IOCs and set the threshold value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Context Name | Enter the context name to determine a verdict. | Text | Required | |
Threshold Value | Enter the threshold value to determine the verdict. | Integer | Optional | |
IP Address | Enter the IP addresses in a list. | List | Optional | |
URL | Enter the URLs in a list. | List | Optional | |
Domain | Enter the domains in a list. | List | Optional | |
Hash | Enter the hashes in a list. | List | Optional | |
Vulnerability | Enter the vulnerabilities in a list. | List | Optional | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Additional Parameters | Enter the additional parameters. | Key Value | Optional | |
Action: URL Lookup
This action looks up threat intel for a URL.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL. | Text | Required | |
Metadata | Optional preference to either include or exclude metadata. | Boolean | Optional | Default value: false |
Action: Generic Action
This is a generic action used to make requests to any Recorded Future endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Version | Enter the version. | Text | Required | Allowed values: v1,v2 |
Endpoint | Enter the endpoint. Example: /identity/metadata/dump/search | Text | Required | |
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Payload JSON | Enter the payload JSON. Example: {'format': 'json'} | Key Value | Optional | |
Query Params | Enter the query params. Example: {'format': 'json'} | Key Value | Optional | |
Headers | Enter the header. Example: {'content-type':'application/json'} | Key Value | Optional | |