Publisher: Recorded Future, Inc
Connector Version: 3.0.0
Product Vendor: Recorded Future, Inc
Product Name: Recorded Future App for Phantom
Product Version Supported (regex): ".*"
Minimum Product Version: 4.6.19142
This app implements investigative actions to perform lookups for quick reputation information, contextual threat intelligence and external threat alerts
Recorded Future App for Phantom allows clients to work smarter, respond faster, and strengthen their defenses through automation and orchestration. The Recorded Future App provides a number of actions that enable the creation of Playbooks to do automated enrichment, correlation, threat hunting, and alert handling.
Together with the Recorded Future App for Phantom 2.1, a new demo playbook was created and uploaded to the community site. The new playbook incorporates the new assessment functionality.
Four demo playbooks were released with the Recorded Future App for Phantom 2.0 to show how the actions in the app can be used. The playbooks are designed to operate on a Recorded Future App asset named "recorded-future" and Phantom SMTP asset named "smtp". If the assets are named differently, the playbooks will be adjusted. The email address used for the alert emails is specified in the linked SMTP asset.
Correlation Playbook
This playbook shows how to obtain IP reputation and, if its risk score is 90 or more, add the IP
address to a bad IP address list maintained by Phantom plus forward the information to Splunk and in
an email.
Enrichment Playbook
This playbook shows how to obtain intelligence of an IP address and, if its risk score is 90 or
more, to forward this in an email as well as adding the IP to a bad IP address list maintained by
Phantom.
Threat Hunting Playbook
The purpose of this playbook is to find out the IP reputation and when its risk score is 90 or
above, to find related entities - IP addresses, domains, files, vulnerabilities, and/or URLs - and
to search for them in Splunk. The results are summarised in an email and the IP address is added to
the bad IP address list maintained by Phantom.
Handling of Leaked Credentials
The purpose of this playbook is to demonstrate how Recorded Future Alerts can be used to monitor
various threats such as leaked credentials. The playbook is designed to be scheduled, polling for
new alerts each time it is run. If an alert is found the information is forwarded via an email.
The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Recorded Future App for Phantom asset in SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| recordedfuture_base_url | required | string | Recorded Future API Basename |
| recordedfuture_api_token | required | password | Recorded Future API Token |
| recordedfuture_verify_ssl | optional | boolean | Verify SSL Certificates |
test connectivity - Validate the asset configuration for connectivity
alert data lookup - Get details on alerts configured and generated by Recorded Future by alert rule ID and/or time range
alert rule lookup - Search for alert rule IDs by name
url intelligence - Get threat intelligence for a URL
url reputation - Get a quick indicator of the risk associated with a URL
vulnerability intelligence - Get threat intelligence for a vulnerability
vulnerability reputation - Get a quick indicator of the risk associated with a vulnerability
file intelligence - Get threat intelligence for a file identified by its hash
file reputation - Get a quick indicator of the risk associated with a file identified by its hash
domain intelligence - Get threat intelligence for a domain
domain reputation - Get a quick indicator of the risk associated with a domain
ip intelligence - Get threat intelligence for an IP address
ip reputation - Get a quick indicator of the risk associated with an IP address
threat assessment - Get an indicator of the risk based on context
list contexts - Get a list of possible contexts to use in threat triage
Validate the asset configuration for connectivity
Type: test
Read only: True
No parameters are required for this action
No Output
Get details on alerts configured and generated by Recorded Future by alert rule ID and/or time range
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| required | Alert Rule ID to look up alert data for | string | recordedfuture alert rule id |
|
| timeframe | required | Time range for when rules were triggered | string | recordedfuture alert timerange |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.rule_id | string | recordedfuture alert rule id |
| action_result.parameter.timeframe | string | recordedfuture alert timerange |
| action_result.data.*.alerts.*.alert.alertTitle | string | recordedfuture alert title |
| action_result.data.*.alerts.*.alert.alertUrl | string | recordedfuture alert url |
| action_result.data.*.alerts.*.alert.content.counts.documents | numeric | recordedfuture alert content count documents |
| action_result.data.*.alerts.*.alert.content.counts.entities | numeric | recordedfuture alert content count entities |
| action_result.data.*.alerts.*.alert.content.counts.references | numeric | recordedfuture alert content count references |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.references.*.entities.*.id | string | recordedfuture alert content entities references id |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.references.*.entities.*.name | string | email recordedfuture alert content entities references name |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.references.*.entities.*.type | string | recordedfuture alert content entities references type |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.references.*.fragment | string | recordedfuture alert content entities references fragment |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.references.*.language | string | recordedfuture alert content entities references language |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.source.id | string | recordedfuture alert content entities source id |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.source.name | string | recordedfuture alert content entities source name |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.source.type | string | recordedfuture alert content entities source type |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.title | string | recordedfuture alert content entities type |
| action_result.data.*.alerts.*.alert.content.entities.*.documents.*.url | string | recordedfuture alert content entities url |
| action_result.data.*.alerts.*.alert.content.entities.*.entity | string | recordedfuture alert content entities entity |
| action_result.data.*.alerts.*.alert.content.id | string | recordedfuture alert content id |
| action_result.data.*.alerts.*.alert.content.review.assignee | string | recordedfuture alert content review assignee |
| action_result.data.*.alerts.*.alert.content.review.note | string | recordedfuture alert content review note |
| action_result.data.*.alerts.*.alert.content.review.noteAuthor | string | recordedfuture alert content review note author |
| action_result.data.*.alerts.*.alert.content.review.noteDate | string | recordedfuture alert content review note data |
| action_result.data.*.alerts.*.alert.content.review.status | string | recordedfuture alert content review note status |
| action_result.data.*.alerts.*.alert.content.rule.id | string | recordedfuture alert content rule id |
| action_result.data.*.alerts.*.alert.content.rule.name | string | recordedfuture alert content rule name |
| action_result.data.*.alerts.*.alert.content.rule.url | string | recordedfuture alert content rule url |
| action_result.data.*.alerts.*.alert.content.title | string | recordedfuture alert content rule title |
| action_result.data.*.alerts.*.alert.content.triggered | string | recordedfuture alert content triggered |
| action_result.data.*.alerts.*.alert.content.type | string | recordedfuture alert content type |
| action_result.data.*.alerts.*.alert.content.url | string | recordedfuture alert content url |
| action_result.data.*.alerts.*.alert.entities.Document | string | recordedfuture alert content entities document |
| action_result.data.*.alerts.*.alert.entities.EmailAddress | string | email recordedfuture alert content entities email address |
| action_result.data.*.alerts.*.alert.triggered | string | recordedfuture alert triggered |
| action_result.data.*.rule.id | string | recordedfuture alert rule id |
| action_result.data.*.rule.name | string | recordedfuture alert rule id |
| action_result.data.*.rule.url | string | recordedfuture alert rule url |
| action_result.summary.returned_number_of_alerts | numeric | recordedfuture alert number of alerts |
| action_result.summary.rule_id | string | recordedfuture alert rule id |
| action_result.summary.rule_name | string | recordedfuture rule name |
| action_result.summary.total_number_of_alerts | numeric | recordedfuture alert number of alerts |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Search for alert rule IDs by name
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| rule_name | required | Alert rule name | string | recordedfuture alert rule name |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.rule_name | string | recordedfuture alert rule name |
| action_result.data.*.rule.id | string | recordedfuture alert rule id |
| action_result.data.*.rule.title | string | recordedfuture alert rule title |
| action_result.summary.returned_number_of_rules | numeric | recordedfuture alerts number of rules |
| action_result.summary.rule_id_list | string | recordedfuture alerts rule ids |
| action_result.summary.total_number_of_rules | numeric | recordedfuture rules count total |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get threat intelligence for a URL
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | URL to query | string | url |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.url | string | url |
| action_result.data.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.entity.name | string | url |
| action_result.data.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.metrics.*.type | string | recordedfuture metrics type |
| action_result.data.*.metrics.*.value | numeric | recordedfuture metrics value |
| action_result.data.*.risk.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.evidenceDetails.*.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.evidenceString | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.mitigationString | string | recordedfuture mitigation string |
| action_result.data.*.risk.evidenceDetails.*.rule | string | recordedfuture evidence rule |
| action_result.data.*.risk.evidenceDetails.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.risk.riskString | string | recordedfuture risk string |
| action_result.data.*.risk.riskSummary | string | recordedfuture risk summary |
| action_result.data.*.risk.rules | numeric | recordedfuture risk rules |
| action_result.data.*.risk.score | numeric | recordedfuture risk score |
| action_result.data.*.timestamps.firstSeen | string | recordedfuture evidence firstseen |
| action_result.data.*.timestamps.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.summary.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.riskSummary | string | recordedfuture risk summary |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get a quick indicator of the risk associated with a URL
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| url | required | URL to query | string | url |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.url | string | url |
| action_result.data.*.name | string | url |
| action_result.data.*.id | string | recordedfuture entity id |
| action_result.data.*.type | string | recordedfuture entity type |
| action_result.data.*.riskscore | numeric | recordedfuture risk score |
| action_result.data.*.risklevel | numeric | recordedfuture risk level |
| action_result.data.*.rulecount | numeric | recordedfuture rule count |
| action_result.data.*.maxrules | numeric | recordedfuture max rules |
| action_result.data.*.evidence.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.evidence.*.mitigation | string | recordedfuture evidence mitigation |
| action_result.data.*.evidence.*.description | string | recordedfuture evidence description |
| action_result.data.*.evidence.*.rule | string | recordedfuture risk rule |
| action_result.data.*.evidence.*.level | numeric | recordedfuture evidence level |
| action_result.message | string | recordedfuture result message |
| action_result.summary.riskscore | numeric | recordedfuture risk score |
| action_result.summary.type | string | recordedfuture entity type |
| action_result.summary.risklevel | numeric | recordedfuture risk level |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get threat intelligence for a vulnerability
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| vulnerability | required | CVE vulnerability identifier to look up | string | cve recordedfuture vulnerability id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.vulnerability | string | cve recordedfuture vulnerability id |
| action_result.data.*.cvss.accessComplexity | string | cvss access complexity |
| action_result.data.*.cvss.accessVector | string | cvss access vector |
| action_result.data.*.cvss.authentication | string | cvss authentication |
| action_result.data.*.cvss.availability | string | cvss availability |
| action_result.data.*.cvss.confidentiality | string | recordedfuture cvss confidentiality |
| action_result.data.*.cvss.integrity | string | cvss integrity |
| action_result.data.*.cvss.lastModified | string | cvss last modified |
| action_result.data.*.cvss.published | string | cvss published |
| action_result.data.*.cvss.score | numeric | cvss score |
| action_result.data.*.entity.description | string | recordedfuture entity description |
| action_result.data.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.entity.name | string | cve recordedfuture vulnerability id |
| action_result.data.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.intelCard | string | recordedfuture intelligence card url |
| action_result.data.*.metrics.*.type | string | recordedfuture metrics type |
| action_result.data.*.metrics.*.value | numeric | recordedfuture metrics value |
| action_result.data.*.nvdDescription | string | nvd description |
| action_result.data.*.relatedEntities.*.entities.*.count | numeric | recordedfuture related entities count |
| action_result.data.*.relatedEntities.*.entities.*.entity.description | string | recordedfuture entity description |
| action_result.data.*.relatedEntities.*.entities.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.relatedEntities.*.entities.*.entity.name | string | recordedfuture entity name |
| action_result.data.*.relatedEntities.*.entities.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.relatedEntities.*.type | string | recordedfuture related entity type |
| action_result.data.*.risk.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.evidenceDetails.*.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.evidenceString | string | recordedfuture evidence string |
| action_result.data.*.risk.evidenceDetails.*.mitigationString | string | recordedfuture mitigation string |
| action_result.data.*.risk.evidenceDetails.*.rule | string | recordedfuture evidence rule |
| action_result.data.*.risk.evidenceDetails.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.risk.riskString | string | recordedfuture risk string |
| action_result.data.*.risk.riskSummary | string | recordedfuture risk summary |
| action_result.data.*.risk.rules | numeric | recordedfuture risk rules |
| action_result.data.*.risk.score | numeric | recordedfuture risk score |
| action_result.data.*.timestamps.firstSeen | string | recordedfuture evidence firstseen |
| action_result.data.*.timestamps.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.summary.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.riskSummary | string | recordedfuture risk summary |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get a quick indicator of the risk associated with a vulnerability
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| vulnerability | required | CVE vulnerability identifier to look up | string | cve recordedfuture vulnerability id |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.data.*.name | string | cve recordedfuture vulnerability id |
| action_result.data.*.id | string | recordedfuture entity id |
| action_result.data.*.type | string | recordedfuture entity type |
| action_result.data.*.description | string | recordedfuture evidence description |
| action_result.data.*.riskscore | numeric | recordedfuture risk score |
| action_result.data.*.risklevel | numeric | recordedfuture risk level |
| action_result.data.*.rulecount | numeric | recordedfuture rule count |
| action_result.data.*.maxrules | numeric | recordedfuture max rules |
| action_result.data.*.evidence.*.description | string | recordedfuture evidence description |
| action_result.data.*.evidence.*.level | numeric | recordedfuture evidence level |
| action_result.data.*.evidence.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.evidence.*.ruleid | string | recordedfuture risk rule id |
| action_result.data.*.evidence.*.rule | string | recordedfuture risk rule |
| action_result.data.*.evidence.*.mitigation | string | recordedfuture evidence mitigation |
| action_result.message | string | recordedfuture result message |
| action_result.parameter.vulnerability | string | cve recordedfuture vulnerability id |
| action_result.summary.riskscore | numeric | recordedfuture risk score |
| action_result.summary.type | stri F438 ng | recordedfuture entity type |
| action_result.summary.risklevel | numeric | recordedfuture risk level |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get threat intelligence for a file identified by its hash
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hash | required | File hash to query | string | hash sha256 sha1 md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.hash | string | hash sha256 sha1 md5 |
| action_result.data.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.entity.name | string | hash sha256 sha1 md5 |
| action_result.data.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.hashAlgorithm | string | recordedfuture hash algorithm |
| action_result.data.*.intelCard | string | recordedfuture intelligence card url |
| action_result.data.*.metrics.*.type | string | recordedfuture metrics type |
| action_result.data.*.metrics.*.value | numeric | recordedfuture metrics value |
| action_result.data.*.relatedEntities.*.entities.*.count | numeric | recordedfuture related entities count |
| action_result.data.*.relatedEntities.*.entities.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.relatedEntities.*.entities.*.entity.name | string | recordedfuture entity name |
| action_result.data.*.relatedEntities.*.entities.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.relatedEntities.*.type | string | recordedfuture related entity type |
| action_result.data.*.risk.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.evidenceDetails.*.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.evidenceString | string | recordedfuture evidence string |
| action_result.data.*.risk.evidenceDetails.*.mitigationString | string | recordedfuture mitigation string |
| action_result.data.*.risk.evidenceDetails.*.rule | string | recordedfuture evidence rule |
| action_result.data.*.risk.evidenceDetails.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.risk.riskString | string | recordedfuture risk string |
| action_result.data.*.risk.riskSummary | string | recordedfuture risk summary |
| action_result.data.*.risk.rules | numeric | recordedfuture risk rules |
| action_result.data.*.risk.score | numeric | recordedfuture risk score |
| action_result.data.*.timestamps.firstSeen | string | recordedfuture evidence firstseen |
| action_result.data.*.timestamps.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.summary.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.riskSummary | string | recordedfuture risk summary |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get a quick indicator of the risk associated with a file identified by its hash
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| hash | required | File hash to query | string | hash sha256 sha1 md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.data.*.name | string | hash sha1 sha256 md5 |
| action_result.data.*.id | string | recordedfuture entity id |
| action_result.data.*.type | string | recordedfuture entity type |
| action_result.data.*.riskscore | numeric | recordedfuture risk score |
| action_result.data.*.risklevel | numeric | recordedfuture risk level |
| action_result.data.*.rulecount | numeric | recordedfuture rule count |
| action_result.data.*.maxrules | numeric | recordedfuture max rules |
| action_result.data.*.evidence.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.evidence.*.mitigation | string | recordedfuture evidence mitigation |
| action_result.data.*.evidence.*.description | string | recordedfuture evidence description |
| action_result.data.*.evidence.*.rule | string | recorded future risk rule |
| action_result.data.*.evidence.*.level | numeric | recordedfuture risk rule level |
| action_result.message | string | action result message |
| action_result.parameter.hash | string | hash sha256 sha1 md5 |
| action_result.summary.riskscore | numeric | recordedfuture risk score |
| action_result.summary.type | string | recordedfuture entity type |
| action_result.summary.risklevel | numeric | recordedfuture risk level |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get threat intelligence for a domain
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| domain | required | Domain to query | string | domain |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.domain | string | domain |
| action_result.data.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.entity.name | string | domain |
| action_result.data.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.intelCard | string | recordedfuture intelligence card url |
| action_result.data.*.metrics.*.type | string | recordedfuture metrics type |
| action_result.data.*.metrics.*.value | numeric | recordedfuture metrics value |
| action_result.data.*.relatedEntities.*.entities.*.count | numeric | recordedfuture related entities count |
| action_result.data.*.relatedEntities.*.entities.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.relatedEntities.*.entities.*.entity.name | string | recordedfuture entity name |
| action_result.data.*.relatedEntities.*.entities.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.relatedEntities.*.type | string | recordedfuture related entity type |
| action_result.data.*.risk.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.evidenceDetails.*.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.evidenceString | string | recordedfuture evidence string |
| action_result.data.*.risk.evidenceDetails.*.mitigationString | string | recordedfuture mitigation string |
| action_result.data.*.risk.evidenceDetails.*.rule | string | recordedfuture evidence rule |
| action_result.data.*.risk.evidenceDetails.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.risk.riskString | string | recordedfuture risk string |
| action_result.data.*.risk.riskSummary | string | recordedfuture risk summary |
| action_result.data.*.risk.rules | numeric | recordedfuture risk rules |
| action_result.data.*.risk.score | numeric | recordedfuture risk score |
| action_result.data.*.threatLists.*.description | string | recordedfuture threatlist description |
| action_result.data.*.threatLists.*.id | string | recordedfuture threatlist id |
| action_result.data.*.threatLists.*.name | string | recordedfuture threatlist name |
| action_result.data.*.threatLists.*.type | string | recordedfuture threatlist type |
| action_result.data.*.timestamps.firstSeen | string | recordedfuture evidence firstseen |
| action_result.data.*.timestamps.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.summary.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.riskSummary | string | recordedfuture risk summary |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get a quick indicator of the risk associated with a domain
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| domain | required | Domain to query | string | domain |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.data.*.name | string | domain |
| action_result.data.*.id | string | recordedfuture entity id |
| action_result.data.*.type | string | recordedfuture entity type |
| action_result.data.*.riskscore | numeric | recordedfuture risk score |
| action_result.data.*.risklevel | numeric | recordedfuture risk level |
| action_result.data.*.rulecount | numeric | recordedfuture rule count |
| action_result.data.*.maxrules | numeric | recordedfuture max rules |
| action_result.data.*.evidence.*.description | string | recordedfuture evidence description |
| action_result.data.*.evidence.*.level | numeric | recordedfuture evidence level |
| action_result.data.*.evidence.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.evidence.*.ruleid | string | recordedfuture risk rule id |
| action_result.data.*.evidence.*.rule | string | recordedfuture risk rule |
| action_result.data.*.evidence.*.mitigation | string | recordedfuture evidence mitigation |
| action_result.message | string | recordedfuture result message |
| action_result.parameter.domain | string | domain |
| action_result.summary.riskscore | numeric | recordedfuture risk score |
| action_result.summary.type | string | recordedfuture summary type |
| action_result.summary.risklevel | numeric | recordedfuture risk level |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get threat intelligence for an IP address
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip | required | IP to query | string | ip ipv6 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.parameter.ip | string | ip ipv6 |
| action_result.data.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.entity.name | string | ip ipv6 |
| action_result.data.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.intelCard | string | recordedfuture intelligence card url |
| action_result.data.*.location.asn | string | recordedfuture location asn |
| action_result.data.*.location.cidr.id | string | recordedfuture location cidr id |
| action_result.data.*.location.cidr.name | string | recordedfuture location cidr name |
| action_result.data.*.location.cidr.type | string | recordedfuture location cidr type |
| action_result.data.*.location.location.city | string | recordedfuture location city |
| action_result.data.*.location.location.continent | string | recordedfuture location continent |
| action_result.data.*.location.location.country | string | recordedfuture location country |
| action_result.data.*.location.organization | string | recordedfuture location organization |
| action_result.data.*.metrics.*.type | string | recordedfuture metrics type |
| action_result.data.*.metrics.*.value | numeric | recordedfuture metrics value |
| action_result.data.*.relatedEntities.*.entities.*.count | numeric | recordedfuture related entities count |
| action_result.data.*.relatedEntities.*.entities.*.entity.id | string | recordedfuture entity id |
| action_result.data.*.relatedEntities.*.entities.*.entity.name | string | recordedfuture entity name |
| action_result.data.*.relatedEntities.*.entities.*.entity.type | string | recordedfuture entity type |
| action_result.data.*.relatedEntities.*.type | string | recordedfuture related entity type |
| action_result.data.*.risk.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.criticality | numeric | recordedfuture risk criticality |
| action_result.data.*.risk.evidenceDetails.*.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.data.*.risk.evidenceDetails.*.evidenceString | string | recordedfuture evidence string |
| action_result.data.*.risk.evidenceDetails.*.mitigationString | string | recordedfuture mitigation string |
| action_result.data.*.risk.evidenceDetails.*.rule | string | recordedfuture evidence rule |
| action_result.data.*.risk.evidenceDetails.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.risk.riskString | string | recordedfuture risk string |
| action_result.data.*.risk.riskSummary | string | recordedfuture risk summary |
| action_result.data.*.risk.rules | numeric | recordedfuture risk rules |
| action_result.data.*.risk.score | numeric | recordedfuture risk score |
| action_result.data.*.timestamps.firstSeen | string | recordedfuture evidence firstseen |
| action_result.data.*.timestamps.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.criticalityLabel | string | recordedfuture risk criticality label |
| action_result.summary.lastSeen | string | recordedfuture evidence lastseen |
| action_result.summary.riskSummary | string | recordedfuture risk summary |
| action_result.message | string | recordedfuture result message |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get a quick indicator of the risk associated with an IP address
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip | required | IP to query | string | ip ipv6 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result status |
| action_result.data.*.id | string | recordedfuture entity id |
| action_result.data.*.name | string | ip ipv6 |
| action_result.data.*.type | string | recordedfuture entity type |
| action_result.data.*.risklevel | numeric | recordedfuture risk level |
| action_result.data.*.rulecount | numeric | recordedfuture rule count |
| action_result.data.*.evidence.ruleid | string | recordedfuture risk rule id |
| action_result.data.*.evidence.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.evidence.mitigation | string | recordedfuture evidence mitigation |
| action_result.data.*.evidence.description | string | recordedfuture evidence description |
| action_result.data.*.evidence.rule | string | recordedfuture risk rule |
| action_result.data.*.evidence.level | numeric | recordedfuture evidence level |
| action_result.data.*.maxrules | numeric | recordedfuture max rules |
| action_result.data.*.riskscore | numeric | recordedfuture risk score |
| action_result.message | string | recordedfuture result message |
| action_result.parameter.ip | string | ip ipv6 |
| action_result.summary.riskscore | numeric | recordedfuture risk score |
| action_result.summary.type | string | recordedfuture entity type |
| action_result.summary.risklevel | numeric | recordedfuture risk level |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recordedfuture total objects successful |
Get an indicator of the risk based on context
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| threat_context | required | Context to use | string | recordedfuture threat assessment context |
| ip | optional | IP to query | string | ip ipv6 |
| domain | optional | Domain to query | string | domain |
| url | optional | URL to query | string | url |
| hash | optional | Hash to query | string | hash sha256 sha1 md5 |
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | action result status |
| action_result.data.*.entities.*.id | string | recorded future entity id |
| action_result.data.*.entities.*.name | string | ip domain hash sha1 md5 sha256 url |
| action_result.data.*.entities.*.type | string | recordedfuture entity type |
| action_result.data.*.verdict | boolean | recordedfuture threat assessment verdict |
| action_result.data.*.risklevel | numeric | recordedfuture threat assessment risk level |
| action_result.data.*.rulecount | numeric | recordedfuture threat assessmewnt rule count |
| action_result.data.*.entities.*.evidence.*.ruleid | string | recordedfuture risk rule id |
| action_result.data.*.entities.*.evidence.*.timestamp | string | recordedfuture evidence timestamp |
| action_result.data.*.entities.*.evidence.*.mitigation | string | recordedfuture evidence mitigation |
| action_result.data.*.entities.*.evidence.*.description | string | recordedfuture evidence description |
| action_result.data.*.entities.*.evidence.*.rule | string | recorded future risk rule |
| action_result.data.*.entities.*.evidence.*.level | numeric | recordedfuture risk rule level |
| action_result.data.*.maxrules | numeric | recordedfuture threat assessment max rules |
| action_result.data.*.assessment_riskscore | numeric | recordedfuture threat assessment risk score |
| action_result.message | string | action result message |
| action_result.parameter.threat_context | string | recordedfuture threat assessment context |
| action_result.parameter.ip | string | ip ipv6 |
| action_result.parameter.domain | string | domain |
| action_result.parameter.url | string | url |
| action_result.parameter.hash | string | hash sha256 sha1 md5 |
| action_result.summary.riskscore | numeric | recordedfuture threat assessment risk score |
| action_result.summary.type | string | recordedfuture entity type |
| action_result.summary.risklevel | numeric | recordedfuture risk level |
| summary.total_objects | numeric | recordedfuture total objects |
| summary.total_objects_successful | numeric | recodedfuture total objects successful |
| action_result.data.*.entities.*.score | numeric | recordedfuture risk score |
| action_result.data.*.entities.*.evidence.*.name | string | recordedfuture evidence name |
| action_result.data.*.context | string | recordedfuture threat assessment context |
| action_result.summary.riskscore | string | recordedfuture threat assessment risk score |
| action_result.summary.assessment | string | recordedfuture threat assessment summary |
Get a list of possible contexts to use in threat triage
Type: investigate
Read only: True
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS |
|---|---|---|
| action_result.status | string | recordedfuture result string |
| action_result.data.*.context | string | recordedfuture threat assessment context |
| action_result.data.*.name | string | ip domain hash sha1 sha256 md5 vulnerability |
| action_result.message | string | recordedfuture threat assessment result message |
| action_result.summary.contexts_available_for_threat_assessment | string | recordedfuture threat assessment contexts |
| summary.total_objects | numeric | recordedfuture threat assessment total objects |
| summary.total_objects_successful | numeric | recordedfuture threat assessment total objects successful |