Recorded Future (Deprecated)
This Integration is part of the Recorded Future (Deprecated) Pack.
Deprecated. Use Recorded Future v2 from RecordedFuture pack instead.
Recorded Future is a threat intelligence platform, whose indicator and alert data is ingested into Cortex XSOAR for enrichment.
This integration was integrated and tested with revision r128029 of Recorded Future.
Use Cases
- Get reputation of IOCs: IP addresses, domains and files.
- Look up threat intelligence context for an IOC.
- Ingest indicators from risk lists - important note below.
- Fetch alerts by rules - important note below.
Fetched Incidents Data
Configure Recorded Future on Cortex XSOAR
To use Recorded Future in Cortex XSOAR, a Recorded Future API token is required. For more information, see the Recorded Future documentation.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Recorded Future.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://api.recordedfuture.com)
- API Token
- File Threshold. Minimum risk score from Recorded Future to consider the file malicious.
- IP Threshold. Minimum risk score from Recorded Future to consider the IP malicious.
- Domain Threshold. Minimum risk score from Recorded Future to consider the domain malicious.
- URL Threshold. Minimum risk score from Recorded Future to consider the URL malicious.
- Vulnerability Threshold. Minimum risk score from Recorded Future to consider the vulnerability critical.
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Rule names to fetch alerts by, separated by semicolon. If empty, all alerts will be fetched.
- First fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
- Incident type
- Click Test to validate the URLs, token, and connection.
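The fetch-incidents settings above (rule names separated by semicolon, first fetch time) and the alert shape under Fetched Incidents Data, worked through as an added Python example that is not the pack's own code. It assumes the generic Cortex XSOAR incident fields name, occurred and rawJSON, approximates months and years as 30 and 365 days, and runs on constructed sample alerts embedded inline.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample alerts in the shape of the Fetched Incidents Data on this
# page (only the fields read below are filled in). Added example, not code
# from the pack; the first alert reuses ids from the page, the second is made up.
SAMPLE_ALERTS = [
    {"data": {"id": "Y9-jli", "type": "EVENT",
              "triggered": "2019-02-01T09:58:13.564Z",
              "title": "DJIA Cyber - New references in 9 documents",
              "rule": {"id": "Y8d2JN", "name": "DJIA Cyber"},
              "counts": {"references": 58, "entities": 0, "documents": 9}}},
    {"data": {"id": "EXAMPLE-OLD", "type": "EVENT",          # constructed
              "triggered": "2019-01-20T00:00:00.000Z",
              "title": "Constructed Rule - New references in 1 document",
              "rule": {"id": "EXAMPLE-RULE", "name": "Constructed Rule"},
              "counts": {"references": 1, "entities": 0, "documents": 1}}},
]

# Constructed clock so the demo is deterministic.
NOW = datetime(2019, 2, 2, tzinfo=timezone.utc)

# Unit lengths for the "<number> <time unit>" first-fetch parameter. Months and
# years are approximated as 30 and 365 days (an assumption of this example).
_UNITS = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1),
          "day": timedelta(days=1), "week": timedelta(weeks=1),
          "month": timedelta(days=30), "year": timedelta(days=365)}


def parse_first_fetch(spec: str, now: datetime) -> datetime:
    """Turn '12 hours', '7 days', '3 months' or '1 year' into a UTC start time."""
    m = re.fullmatch(r"\s*(\d+)\s+([a-z]+?)s?\s*", spec.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported first fetch time: {spec!r}")
    return now - int(m.group(1)) * _UNITS[m.group(2)]


def parse_rule_names(param: str) -> List[str]:
    """Semicolon-separated rule names; an empty parameter means every alert."""
    return [name.strip() for name in param.split(";") if name.strip()]


def _triggered_at(alert: Dict) -> datetime:
    # The API timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(alert["data"]["triggered"].replace("Z", "+00:00"))


def alerts_to_incidents(alerts: List[Dict], rule_names: List[str],
                        since: datetime) -> Tuple[List[Dict], datetime]:
    """Select alerts triggered after `since` (and matching the rule filter, if
    one is set) and return (incidents, latest_triggered). The caller persists
    latest_triggered as the next run's `since`, so re-runs do not duplicate."""
    incidents, latest = [], since
    for alert in sorted(alerts, key=_triggered_at):
        data = alert["data"]
        triggered = _triggered_at(alert)
        if triggered <= since:
            continue
        if rule_names and data["rule"]["name"] not in rule_names:
            continue
        incidents.append({
            "name": data["title"],
            "occurred": data["triggered"],
            "rawJSON": json.dumps(alert),   # full alert kept for the playbook
        })
        latest = max(latest, triggered)
    return incidents, latest


def run_fetch(first_fetch: str, rule_param: str, now: datetime = NOW,
              alerts: List[Dict] = SAMPLE_ALERTS) -> Tuple[List[Dict], str]:
    """One fetch-incidents run over the sample alerts; returns the incidents and
    the ISO timestamp to store as the starting point of the next run."""
    incidents, latest = alerts_to_incidents(
        alerts, parse_rule_names(rule_param), parse_first_fetch(first_fetch, now))
    return incidents, latest.isoformat()


if __name__ == "__main__":
    incs, last = run_fetch("7 days", "DJIA Cyber")
    print(len(incs), incs[0]["name"], last)
```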
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get information for a domain or DNS: domain
- Get information for an IP address: ip
- Get information for a file: file
- Get information for a URL: url
- Get threat intelligence context for an indicator: recorded-future-get-related-entities
- Get hash threats: recorded-future-get-threats-hash
- Get IP threats: recorded-future-get-threats-ip
- Get URL threats: recorded-future-get-threats-url
- Get domain threats: recorded-future-get-threats-domain
- Get vulnerability threats: recorded-future-get-threats-vulnerabilities
- Get the domain risk list: recorded-future-get-domain-risklist
- Get the URL risk list: recorded-future-get-url-risklist
- Get the IP address risk list: recorded-future-get-ip-risklist
- Get the vulnerability risk list: recorded-future-get-vulnerability-risklist
- Get the hash risk list: recorded-future-get-hash-risklist
- Get domain risk rules: recorded-future-get-domain-riskrules
- Get hash risk rules: recorded-future-get-hash-riskrules
- Get IP address risk rules: recorded-future-get-ip-riskrules
- Get URL risk rules: recorded-future-get-url-riskrules
- Get vulnerability risk rules: recorded-future-get-vulnerability-riskrules
- Get a list of alert rules: recorded-future-get-alert-rules
- Get a list of alerts: recorded-future-get-alerts
1. Get information for a domain or DNS
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following argument `entity_type=domain` and `entity=domain_value`.
You can find context differences here. Notice that 'community notes' output is no longer supported.
Returns threat intelligence information for a domain or DNS in Recorded Future.
Base Command
domain
Input
Argument Name | Description | Required |
---|---|---|
domain | Domain to get the reputation of | Required |
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
Domain.Name | string | Domain name |
Domain.RecordedFuture.Criticality | string | Domain criticality label |
Domain.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
Domain.RecordedFuture.LastSeen | date | Risk last seen timestamp |
Domain.Tags | String | Tags that are associated with the Domain. |
Domain.CommunityNotes.note | String | A summary note on the mentioning of the domain in a source monitored by Recorded Future. |
Domain.CommunityNotes.timestamp | date | The timestamp in which the community note was created. |
Domain.Publications.source | String | The publication's source. |
Domain.Publications.title | String | The title of the published information. |
Domain.Publications.link | String | A link to the published information. |
Domain.Publications.timestamp | date | The timestamp in which the information was published. |
Command Example
!domain domain=google.com detailed=true
Context Example
```json
{
  "DBotScore": {
    "Indicator": "google.com",
    "Score": 2,
    "Type": "domain",
    "Vendor": "Recorded Future"
  },
  "Domain": {
    "Name": "google.com",
    "RecordedFuture": {
      "Criticality": "Unusual",
      "FirstSeen": "2009-01-21T14:00:18.000Z",
      "LastSeen": "2018-07-04T07:25:34.533Z"
    }
  }
}
```
Human Readable Output
2. Get information for an IP address
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following argument `entity_type=ip` and `entity=ip_value`.
You can find context differences here. Notice that 'community notes' output is no longer supported.
Returns threat intelligence information for an IP address in Recorded Future.
Base Command
ip
Input
Argument Name | Description | Required |
---|---|---|
ip | IP address to get the reputation of | Required |
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision |
IP.Malicious.Description | string | For malicious IP addresses, the reason that the vendor made the decision |
IP.Address | string | IP address |
IP.RecordedFuture.Criticality | string | Risk criticality label |
IP.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
IP.RecordedFuture.LastSeen | date | Risk last seen timestamp |
IP.Tags | String | Tags that are associated with the IP. |
IP.CommunityNotes.note | String | A summary note on the mentioning of the IP in a source monitored by Recorded Future. |
IP.CommunityNotes.timestamp | date | The timestamp in which the community note was created. |
IP.Publications.source | String | The publication's source. |
IP.Publications.title | String | The title of the published information. |
IP.Publications.link | String | A link to the published information. |
IP.Publications.timestamp | date | The timestamp in which the information was published. |
Command Example
!ip ip=93.174.93.63 detailed=true
Context Example
```json
{
  "DBotScore": {
    "Indicator": "93.174.93.63",
    "Score": 3,
    "Type": "ip",
    "Vendor": "Recorded Future"
  },
  "IP": {
    "Address": "93.174.93.63",
    "Malicious": {
      "Description": "Score above 99",
      "Vendor": "Recorded Future"
    },
    "RecordedFuture": {
      "Criticality": "Very Malicious",
      "FirstSeen": "2014-12-07T04:37:34.125Z",
      "LastSeen": "2018-07-01T22:02:26.908Z"
    }
  }
}
```
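How a configured threshold (File/IP/Domain/URL Threshold in the instance settings) turns a Recorded Future risk score into the DBotScore and Malicious entries shown in the Context Examples, as an added example that is not the pack's own code. The threshold values, the at-or-above rule, the DBotScore scale (0 unknown, 1 good, 2 suspicious, 3 bad) and the hash-shape detection for the file command's MD5/SHA-1/SHA-256/SHA-512/CRC-32/CTPH inputs are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Constructed threshold values standing in for the instance parameters; the
# page states no defaults. Added example, not code from the pack.
THRESHOLDS = {"ip": 99, "domain": 65, "file": 65, "url": 70}

# Cortex XSOAR DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3
VENDOR = "Recorded Future"

# Context key and identifier field per indicator type, as in the Context
# Output tables of the domain, ip and url commands.
_CONTEXT = {"ip": ("IP", "Address"), "domain": ("Domain", "Name"),
            "url": ("URL", "Data")}

# Hex hash lengths accepted by the file command, mapped to their File.* field.
_HASH_FIELDS = ((8, "CRC32"), (32, "MD5"), (40, "SHA1"),
                (64, "SHA256"), (128, "SHA512"))


def hash_field(value: str) -> Optional[str]:
    """Name of the File.* field a hash belongs in, or None if it is not a
    recognised hash. CTPH (ssdeep) is 'blocksize:hash:hash', not plain hex."""
    if re.fullmatch(r"\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]+", value):
        return "CTPH"
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        for length, field in _HASH_FIELDS:
            if len(value) == length:
                return field
    return None


def dbot_score(risk_score: int, threshold: int) -> int:
    """Assumed mapping: a risk score at or above the configured threshold is
    bad (3), any other non-zero score is suspicious (2), zero is unknown (0)."""
    if risk_score >= threshold:
        return BAD
    if risk_score > 0:
        return SUSPICIOUS
    return UNKNOWN


def build_context(indicator_type: str, value: str, risk_score: int,
                  criticality: str, first_seen: str, last_seen: str,
                  thresholds: Dict[str, int] = THRESHOLDS) -> Dict:
    """Assemble the DBotScore and indicator context in the shape of the
    Context Examples on this page."""
    if indicator_type == "file":
        field = hash_field(value)
        if field is None:
            raise ValueError(f"unrecognised hash format: {value!r}")
        key, id_field = "File", field
    else:
        key, id_field = _CONTEXT[indicator_type]
    threshold = thresholds[indicator_type]
    score = dbot_score(risk_score, threshold)
    entry = {id_field: value,
             "RecordedFuture": {"Criticality": criticality,
                                "FirstSeen": first_seen,
                                "LastSeen": last_seen}}
    if score == BAD:
        # Description string in the form the ip and file Context Examples show.
        entry["Malicious"] = {"Vendor": VENDOR,
                              "Description": f"Score above {threshold}"}
    return {"DBotScore": {"Indicator": value, "Type": indicator_type,
                          "Vendor": VENDOR, "Score": score},
            key: entry}


if __name__ == "__main__":
    print(build_context("ip", "93.174.93.63", 99, "Very Malicious",
                        "2014-12-07T04:37:34.125Z", "2018-07-01T22:02:26.908Z"))
```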
Human Readable Output
3. Get information for a file
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following argument `entity_type=file` and `entity=hash_value`.
You can find context differences here. Notice that 'community notes' output is no longer supported.
Returns threat intelligence information for a file in Recorded Future.
Base Command
file
Input
Argument Name | Description | Required |
---|---|---|
file | File hash to check the reputation of (MD5, SHA-1, SHA-256, SHA-512, CRC-32, CTPH) | Required |
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | File SHA-256 |
File.SHA512 | string | File SHA-512 |
File.SHA1 | string | File SHA-1 |
File.MD5 | string | File MD5 |
File.CRC32 | string | File CRC-32 |
File.CTPH | string | File CTPH |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision |
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
File.Criticality | string | Risk criticality label |
File.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
File.RecordedFuture.LastSeen | date | Risk last seen timestamp |
File.Tags | String | Tags that are associated with the File. |
File.CommunityNotes.note | String | A summary note on the mentioning of the file in a source monitored by Recorded Future. |
File.CommunityNotes.timestamp | date | The timestamp in which the community note was created. |
File.Publications.source | String | The publication's source. |
File.Publications.title | String | The title of the published information. |
File.Publications.link | String | A link to the published information. |
File.Publications.timestamp | date | The timestamp in which the information was published. |
Command Example
!file file=9d0e761f3803889dc83c180901dc7b22 detailed=true
Context Example
```json
{
  "DBotScore": {
    "Indicator": "9d0e761f3803889dc83c180901dc7b22",
    "Score": 3,
    "Type": "file",
    "Vendor": "Recorded Future"
  },
  "File": {
    "MD5": "9d0e761f3803889dc83c180901dc7b22",
    "Malicious": {
      "Description": "Score above 65",
      "Vendor": "Recorded Future"
    },
    "RecordedFuture": {
      "Criticality": "Malicious",
      "FirstSeen": "2017-12-06T09:57:02.802Z",
      "LastSeen": "2018-02-01T08:25:27.902Z"
    }
  }
}
```
Human Readable Output
4. Get information for a URL
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following argument `entity_type=url` and `entity=url_value`.
You can find context differences here. Notice that 'community notes' output is no longer supported.
Returns threat intelligence information for a URL in Recorded Future.
Base Command
url
Input
Argument Name | Description | Required |
---|---|---|
url | URL to get the reputation of | Required |
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
URL.Data | string | URL name |
URL.RecordedFuture.Criticality | string | URL criticality label |
URL.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
URL.RecordedFuture.LastSeen | date | Risk last seen timestamp |
URL.Tags | String | Tags that are associated with the URL. |
URL.CommunityNotes.note | String | A summary note on the mentioning of the URL in a source monitored by Recorded Future. |
URL.CommunityNotes.timestamp | date | The timestamp in which the community note was created. |
URL.Publications.source | String | The publication's source. |
URL.Publications.title | String | The title of the published information. |
URL.Publications.link | String | A link to the published information. |
URL.Publications.timestamp | date | The timestamp in which the information was published. |
Command Example
![image](https://user-images.githubusercontent.com/35098543/52180293-1421c280-27ed-11e9-82ec-cbb1669b20dc.png)
Context Example
```json
{
  "URL": {
    "Malicious": {
      "Vendor": "Recorded Future",
      "Description": "Score above 70"
    },
    "Data": "https://www.obfuscated.com",
    "RecordedFuture": {
      "FirstSeen": "2019-02-02T00:00:00.000Z",
      "Criticality": "Malicious",
      "LastSeen": "2019-02-02T23:59:59.000Z"
    }
  },
  "DBotScore": {
    "Vendor": "Recorded Future",
    "Indicator": "https://www.obfuscated.com",
    "Score": 3,
    "Type": "url"
  }
}
```
Human Readable Output
5. Get threat intelligence context for an indicator
Returns threat intelligence context for an indicator in Recorded Future.
Base Command
recorded-future-get-related-entities
Input
Argument Name | Description | Required |
---|---|---|
entityType | The type of entity to fetch context for. (Should be provided with its value in entityValue argument) | Required |
entityValue | The value of the entity to fetch context for. (Should be provided with its type in entityType argument, Hash types supported: MD5, SHA-1, SHA-256, SHA-512, CRC-32, CTPH) | Required |
resultEntityType | CSV list of related entity types to return in the result (e.g., Hash,IP,Domain) | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | File SHA-256 |
File.SHA512 | string | File SHA-512 |
File.SHA1 | string | File SHA-1 |
File.MD5 | string | File MD5 |
File.CRC32 | string | File CRC-32 |
File.CTPH | string | File CTPH |
File.RecordedFuture.RelatedEntities.IPAddress.Count | number | File related entity count (IP) |
File.RecordedFuture.RelatedEntities.IPAddress.ID | string | File related entity ID (IP) |
File.RecordedFuture.RelatedEntities.IPAddress.Name | string | File related entity name (IP) |
File.RecordedFuture.RelatedEntities.Hash.Count | number | File related entity count (Hash) |
File.RecordedFuture.RelatedEntities.Hash.ID | string | File related entity ID (Hash) |
File.RecordedFuture.RelatedEntities.Hash.Name | string | File related entity name (Hash) |
File.RecordedFuture.RelatedEntities.Domain.Count | number | File related entity count (Domain) |
File.RecordedFuture.RelatedEntities.Domain.ID | string | File related entity ID (Domain) |
File.RecordedFuture.RelatedEntities.Domain.Name | string | File related entity name (Domain) |
File.RecordedFuture.RelatedEntities.Attacker.Count | number | File related entity count (Attacker) |
File.RecordedFuture.RelatedEntities.Attacker.ID | string | File related entity ID (Attacker) |
File.RecordedFuture.RelatedEntities.Attacker.Name | string | File related entity name (Attacker) |
File.RecordedFuture.RelatedEntities.Malware.Count | number | File related entity count (Malware) |
File.RecordedFuture.RelatedEntities.Malware.ID | string | File related entity ID (Malware) |
File.RecordedFuture.RelatedEntities.Malware.Name | string | File related entity name (Malware) |
File.RecordedFuture.RelatedEntities.URL.Count | number | File related entity count (URL) |
File.RecordedFuture.RelatedEntities.URL.ID | string | File related entity ID (URL) |
File.RecordedFuture.RelatedEntities.URL.Data | string | File related entity name (URL) |
IP.Address | string | IP address |
IP.RecordedFuture.RelatedEntities.IPAddress.Count | number | IP related entity count (IP) |
IP.RecordedFuture.RelatedEntities.IPAddress.ID | string | IP related entity ID (IP) |
IP.RecordedFuture.RelatedEntities.IPAddress.Name | string | IP related entity name (IP) |
IP.RecordedFuture.RelatedEntities.Hash.Count | number | IP related entity count (Hash) |
IP.RecordedFuture.RelatedEntities.Hash.ID | string | IP related entity ID (Hash) |
IP.RecordedFuture.RelatedEntities.Hash.Name | string | IP related entity name (Hash) |
IP.RecordedFuture.RelatedEntities.Domain.Count | number | IP related entity count (Domain) |
IP.RecordedFuture.RelatedEntities.Domain.ID | string | IP related entity ID (Domain) |
IP.RecordedFuture.RelatedEntities.Domain.Name | string | IP related entity name (Domain) |
IP.RecordedFuture.RelatedEntities.Attacker.Count | number | IP related entity count (Attacker) |
IP.RecordedFuture.RelatedEntities.Attacker.ID | string | IP related entity ID (Attacker) |
IP.RecordedFuture.RelatedEntities.Attacker.Name | string | IP related entity name (Attacker) |
IP.RecordedFuture.RelatedEntities.Malware.Count | number | IP related entity count (Malware) |
IP.RecordedFuture.RelatedEntities.Malware.ID | string | IP related entity ID (Malware) |
IP.RecordedFuture.RelatedEntities.Malware.Name | string | IP related entity name (Malware) |
IP.RecordedFuture.RelatedEntities.URL.Count | number | IP related entity count (URL) |
IP.RecordedFuture.RelatedEntities.URL.ID | string | IP related entity ID (URL) |
IP.RecordedFuture.RelatedEntities.URL.Data | string | IP related entity name (URL) |
Domain.Name | string | Domain name |
Domain.RecordedFuture.RelatedEntities.IPAddress.Count | number | Domain related entity count (IP) |
Domain.RecordedFuture.RelatedEntities.IPAddress.ID | string | Domain related entity ID (IP) |
Domain.RecordedFuture.RelatedEntities.IPAddress.Name | string | Domain related entity name (IP) |
Domain.RecordedFuture.RelatedEntities.Hash.Count | number | Domain related entity count (Hash) |
Domain.RecordedFuture.RelatedEntities.Hash.ID | string | Domain related entity ID (Hash) |
Domain.RecordedFuture.RelatedEntities.Hash.Name | string | Domain related entity name (Hash) |
Domain.RecordedFuture.RelatedEntities.Domain.Count | number | Domain related entity count (Domain) |
Domain.RecordedFuture.RelatedEntities.Domain.ID | string | Domain related entity ID (Domain) |
Domain.RecordedFuture.RelatedEntities.Domain.Name | string | Domain related entity name (Domain) |
Domain.RecordedFuture.RelatedEntities.Attacker.Count | number | Domain related entity count (Attacker) |
Domain.RecordedFuture.RelatedEntities.Attacker.ID | string | Domain related entity ID (Attacker) |
Domain.RecordedFuture.RelatedEntities.Attacker.Name | string | Domain related entity name (Attacker) |
Domain.RecordedFuture.RelatedEntities.Malware.Count | number | Domain related entity count (Malware) |
Domain.RecordedFuture.RelatedEntities.Malware.ID | string | Domain related entity ID (Malware) |
Domain.RecordedFuture.RelatedEntities.Malware.Name | string | Domain related entity name (Malware) |
Domain.RecordedFuture.RelatedEntities.URL.Count | number | Domain related entity count (URL) |
Domain.RecordedFuture.RelatedEntities.URL.ID | string | Domain related entity ID (URL) |
Domain.RecordedFuture.RelatedEntities.URL.Data | string | Domain related entity name (URL) |
URL.Data | string | URL name |
URL.RecordedFuture.RelatedEntities.IPAddress.Count | number | URL related entity count (IP) |
URL.RecordedFuture.RelatedEntities.IPAddress.ID | string | URL related entity ID (IP) |
URL.RecordedFuture.RelatedEntities.IPAddress.Name | string | URL related entity name (IP) |
URL.RecordedFuture.RelatedEntities.Hash.Count | number | URL related entity count (Hash) |
URL.RecordedFuture.RelatedEntities.Hash.ID | string | URL related entity ID (Hash) |
URL.RecordedFuture.RelatedEntities.Hash.Name | string | URL related entity name (Hash) |
URL.RecordedFuture.RelatedEntities.Domain.Count | number | URL related entity count (Domain) |
URL.RecordedFuture.RelatedEntities.Domain.ID | string | URL related entity ID (Domain) |
URL.RecordedFuture.RelatedEntities.Domain.Name | string | URL related entity name (Domain) |
URL.RecordedFuture.RelatedEntities.Attacker.Count | number | URL related entity count (Attacker) |
URL.RecordedFuture.RelatedEntities.Attacker.ID | string | URL related entity ID (Attacker) |
URL.RecordedFuture.RelatedEntities.Attacker.Name | string | URL related entity name (Attacker) |
URL.RecordedFuture.RelatedEntities.Malware.Count | number | URL related entity count (Malware) |
URL.RecordedFuture.RelatedEntities.Malware.ID | string | URL related entity ID (Malware) |
URL.RecordedFuture.RelatedEntities.Malware.Name | string | URL related entity name (Malware) |
URL.RecordedFuture.RelatedEntities.URL.Count | number | URL related entity count (URL) |
URL.RecordedFuture.RelatedEntities.URL.ID | string | URL related entity ID (URL) |
URL.RecordedFuture.RelatedEntities.URL.Data | string | URL related entity name (URL) |
Command Example
!recorded-future-get-related-entities entityType=domain entityValue=www.google.com resultEntityType=Malware
Context Example
{ "Domain": { "Name": "www.google.com", "RecordedFuture": { "RelatedEntities": { "Malware": [ { "Count": 5150, "ID": "KeKudK", "Name": "Mydoom" }, { "Count": 1757, "ID": "J21f9C", "Name": "Zeus" }, { "Count": 1230, "ID": "eKnXx", "Name": "FakeAV" }, { "Count": 877, "ID": "Kj0AOY", "Name": "Adload" }, { "Count": 839, ...
Human Readable Output
6. Get hash threats
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following argument `entity_type=file` and `entity=hash_value`.
You can find context differences here.
Returns hash threats from Recorded Future.
Base Command
recorded-future-get-threats-hash
Input
Argument Name | Description | Required |
---|---|---|
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
limit | Number of results to return | Optional |
risk_lower | Minimum threshold score to return results for | Optional |
risk_higher | Maximum threshold score to return results for | Optional |
orderby | Category to sort results by | Optional |
direction | Sort direction | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | File SHA-256 |
File.SHA512 | string | File SHA-512 |
File.SHA1 | string | File SHA-1 |
File.MD5 | string | File MD5 |
File.CRC32 | string | File CRC-32 |
File.CTPH | string | File CTPH |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision |
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
File.RecordedFuture.Criticality | string | Risk criticality label |
File.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
File.RecordedFuture.LastSeen | date | Risk last seen timestamp |
Command Example
!recorded-future-get-threats-hash detailed=true orderby=sevendayshits
Context Example
{ "DBotScore": { "Vendor": "Recorded Future", "Indicator": "c4efca7808662973b7dc5ec04f82ea232b5f8fa4bb9bdd45cdfadc815c9ceeb9", "Score": 3, "Type": "file" }, "File": { "Malicious": { "Vendor": "Recorded Future", "Description": "Score above 65" }, "SHA256": "c4efca7808662973b7dc5ec04f82ea232b5f8fa4bb9bdd45cdfadc815c9ceeb9", "RecordedFuture": { "FirstSeen": "2018-09-12T05:39:01.057Z", "Criticality": "Malicious", "LastSeen": "2019-02-01T06:39:01.306Z" } } }
Human Readable Output
7. Get IP threats
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following arguments `entity_type=ip` and `entity=ip_value`.
You can find context differences here.
Returns IP threats from Recorded Future.
Base Command
recorded-future-get-threats-ip
Input
Argument Name | Description | Required |
---|---|---|
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
limit | Number of results to return | Optional |
risk_lower | Minimum threshold score to return results for | Optional |
risk_higher | Maximum threshold score to return results for | Optional |
orderby | Category to sort by | Optional |
direction | Sort direction | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
IP.Malicious.Vendor | string | For malicious IP addresses, the vendor that made the decision |
IP.Malicious.Description | string | For malicious IP addresses, the reason that the vendor made the decision |
IP.Address | string | IP address |
IP.RecordedFuture.Criticality | string | Risk criticality label |
IP.RecordedFuture.FirstSeen | string | Risk first seen timestamp |
IP.RecordedFuture.LastSeen | date | Risk last seen timestamp |
Command Example
!recorded-future-get-threats-ip detailed=true orderby=sevendayshits
Context Example
{ "IP": { "RecordedFuture": { "FirstSeen": "2012-12-26T11:01:01.939Z", "Criticality": "Malicious", "LastSeen": "2019-02-03T17:37:08.283Z" }, "Malicious": { "Vendor": "Recorded Future", "Description": "Score above 74" }, "Address": "1.2.0.1" }, "DBotScore": { "Vendor": "Recorded Future", "Indicator": "1.2.0.1", "Score": 3, "Type": "ip" } }
Human Readable Output
8. Get URL threats
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following arguments `entity_type=url` and `entity=url_value`.
You can find context differences here.
Returns URL threats from Recorded Future.
Base Command
recorded-future-get-threats-url
Input
Argument Name | Description | Required |
---|---|---|
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
limit | Number of results to return | Optional |
risk_lower | Minimum threshold score to return results for | Optional |
risk_higher | Maximum threshold score to return results for | Optional |
orderby | Category to sort by | Optional |
direction | Sort direction | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
URL.Data | string | URL name |
URL.RecordedFuture.Criticality | string | URL criticality label |
URL.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
URL.RecordedFuture.LastSeen | date | Risk last seen timestamp |
Command Example
!recorded-future-get-threats-url detailed=true orderby=sevendayshits
Context Example
{ "URL": { "Malicious": { "Vendor": "Recorded Future", "Description": "Score above 65" }, "Data": "obfuscated.com", "RecordedFuture": { "FirstSeen": "2019-02-03T00:00:00.000Z", "Criticality": "Malicious", "LastSeen": "2019-02-03T23:59:59.000Z" } }, "DBotScore": { "Vendor": "Recorded Future", "Indicator": "https://obfuscated.com", "Score": 3, "Type": "url" } }
Human Readable Output
9. Get domain threats
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following arguments `entity_type=domain` and `entity=domain_value`.
You can find context differences here.
Returns domain threats from Recorded Future.
Base Command
recorded-future-get-threats-domain
Input
Argument Name | Description | Required |
---|---|---|
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
limit | Limit number of results returned | Optional |
risk_lower | Minimum threshold score to return results for | Optional |
risk_higher | Maximum threshold score to return results for | Optional |
orderby | Category to sort by | Optional |
direction | Sort direction | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested |
DBotScore.Type | string | Indicator type |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
Domain.Name | string | Domain name |
Domain.RecordedFuture.Criticality | string | Domain criticality label |
Domain.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
Domain.RecordedFuture.LastSeen | date | Risk last seen timestamp |
Command Example
!recorded-future-get-threats-domain detailed=true
Context Example
{ "DBotScore": { "Vendor": "Recorded Future", "Indicator": "obfuscated.com", "Score": 3, "Type": "domain" }, "Domain": { "Malicious": { "Vendor": "Recorded Future", "Description": "Score above 94" }, "Name": "obfuscated.com", "RecordedFuture": { "FirstSeen": "2016-09-16T21:06:34.240Z", "Criticality": "Very Malicious", "LastSeen": "2019-02-03T16:09:03.653Z" } } }
Human Readable Output
10. Get vulnerability threats
This command is deprecated.
Use `recordedfuture-intelligence` command from Recorded Future v2 with the following arguments `entity_type=cve` and `entity=cve_value`.
You can find context differences here.
Returns vulnerability threats from Recorded Future.
Base Command
recorded-future-get-threats-vulnerabilities
Input
Argument Name | Description | Required |
---|---|---|
limit | Number of results to return | Optional |
risk_lower | Minimum threshold score to return results for | Optional |
risk_higher | Maximum threshold score to return results for | Optional |
detailed | If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. | Optional |
orderby | Category to sort by | Optional |
direction | Sort direction | Optional |
Context Output
Path | Type | Description |
---|---|---|
CVE.ID | string | Vulnerability CVE ID |
CVE.RecordedFuture.Criticality | string | CVE criticality label |
CVE.RecordedFuture.FirstSeen | date | Risk first seen timestamp |
CVE.RecordedFuture.LastSeen | date | Risk last seen timestamp |
Command Example
!recorded-future-get-threats-vulnerabilities detailed=true
Context Example
{ "CVE": { "ID": "CVE-2017-0147", "RecordedFuture": { "FirstSeen": "2017-03-14T16:59:26.413Z", "Criticality": "Very Critical", "LastSeen": "2019-02-03T17:19:59.183Z" } } }
Human Readable Output
11. Get the domain risk list
This command is deprecated and will not be supported in Recorded Future v2.
Gets the domain risk list as a CSV file from Recorded Future.
Base Command
recorded-future-get-domain-risklist
Input
Argument Name | Description | Required |
---|---|---|
list | Specify a domain list by a risk rule name, which can be retrieved by the get-domain-riskrules command. | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name |
InfoFile.EntryID | string | The EntryID of the file |
InfoFile.Size | number | File size |
InfoFile.Type | string | File type, e.g., “PE” |
InfoFile.Info | string | Basic information of the file |
InfoFile.Extension | string | File extension |
Command Example
!recorded-future-get-domain-risklist list=historicalThreatListMembership
Context Example
{ "InfoFile": { "Info": "text/csv; charset=utf-8", "Name": "domain_risk_list.csv", "Extension": "csv", "EntryID": "72047@cc00e449-9e7b-4609-8a68-1c8c01114562", "Type": "ASCII text, with very long lines\n", "Size": 2803398 } }
Human Readable Output
12. Get the URL risk list
This command is deprecated and will not be supported in Recorded Future v2.
Gets the URL risk list as a CSV file from Recorded Future.
Base Command
recorded-future-get-url-risklist
Input
Argument Name | Description | Required |
---|---|---|
list | Specify a URL list by a risk rule name, which can be retrieved from the get-url-riskrules command. | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name |
InfoFile.EntryID | string | The EntryID of the file |
InfoFile.Size | number | File size |
InfoFile.Type | string | File type, e.g., “PE” |
InfoFile.Info | string | Basic information of the file |
InfoFile.Extension | string | File extension |
Command Example
!recorded-future-get-url-risklist list=ransomwareDistribution
Context Example
{ "InfoFile": { "Info": "text/csv; charset=utf-8", "Name": "url_risk_list.csv", "Extension": "csv", "EntryID": "72055@cc00e449-9e7b-4609-8a68-1c8c01114562", "Type": "ASCII text, with very long lines\n", "Size": 2990 } }
Human Readable Output
13. Get the IP address risk list
This command is deprecated and will not be supported in Recorded Future v2.
Gets the IP risk list as a CSV file from Recorded Future.
Base Command
recorded-future-get-ip-risklist
Input
Argument Name | Description | Required |
---|---|---|
list | Specify an IP list by a risk rule name, which can be retrieved from the get-ip-riskrules command. | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name |
InfoFile.EntryID | string | The EntryID of the file |
InfoFile.Size | number | File size |
InfoFile.Type | string | File type, e.g., “PE” |
InfoFile.Info | string | Basic information of the file |
InfoFile.Extension | string | File extension |
Command Example
!recorded-future-get-ip-risklist list=malwareDelivery
Context Example
{ "InfoFile": { "Info": "text/csv; charset=utf-8", "Name": "ip_risk_list.csv", "Extension": "csv", "EntryID": "72063@cc00e449-9e7b-4609-8a68-1c8c01114562", "Type": "UTF-8 Unicode text, with very long lines\n", "Size": 254932 } }
Human Readable Output
14. Get the vulnerability risk list
This command is deprecated and will not be supported in Recorded Future v2.
Gets the vulnerability (CVE) risk list from Recorded Future.
Base Command
recorded-future-get-vulnerability-risklist
Input
Argument Name | Description | Required |
---|---|---|
list | Specify a vulnerability list by a risk rule name, which can be retrieved from the get-vulnerability-riskrules command. | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name |
InfoFile.EntryID | string | File entry ID |
InfoFile.Size | number | File size |
InfoFile.Type | string | File type, e.g., “PE” |
InfoFile.Info | string | Basic information of the file |
InfoFile.Extension | string | File extension |
Command Example
!recorded-future-get-vulnerability-risklist list=cyberSignalCritical
Context Example
{ "InfoFile": { "Info": "text/csv; charset=utf-8", "Name": "cve_risk_list.csv", "Extension": "csv", "EntryID": "72073@cc00e449-9e7b-4609-8a68-1c8c01114562", "Type": "UTF-8 Unicode text, with very long lines\n", "Size": 3611 } }
Human Readable Output
15. Get the hash risk list
This command is deprecated and will not be supported in Recorded Future v2.
Gets the hash risk list from Recorded Future.
Base Command
recorded-future-get-hash-risklist
Input
Argument Name | Description | Required |
---|---|---|
list | Specify a hash list by a riskrule name, which can be retrieved from the get-hash-riskrules command. | Optional |
Context Output
Path | Type | Description |
---|---|---|
InfoFile.Name | string | File name |
InfoFile.EntryID | string | File entry ID |
InfoFile.Size | number | File size |
InfoFile.Type | string | File type, e.g., “PE” |
InfoFile.Info | string | Basic information of the file |
InfoFile.Extension | string | File extension |
Command Example
!recorded-future-get-hash-risklist list=historicalThreatListMembership
Context Example
{ "InfoFile": { "Info": "text/csv; charset=utf-8", "Name": "hash_list.csv", "Extension": "csv", "EntryID": "72081@cc00e449-9e7b-4609-8a68-1c8c01114562", "Type": "ASCII text, with very long lines\n", "Size": 8995 } }
Human Readable Output
16. Get the domain risk rules
This command is deprecated and will not be supported in Recorded Future v2.
Gets the risk rules for domain data.
Base Command
recorded-future-get-domain-riskrules
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.RiskRule.Domain.Name | string | Risk rule name |
RecordedFuture.RiskRule.Domain.Description | string | Risk rule description |
RecordedFuture.RiskRule.Domain.Count | number | Risk rule indicator count |
RecordedFuture.RiskRule.Domain.Criticality | string | Risk rule criticality |
Command Example
!recorded-future-get-domain-riskrules
Context Example
{ "RecordedFuture": { "RiskRule": { "Domain": [ { "Count": 1263174, "Description": "Linked to Cyber Attack", "Criticality": "Suspicious", "Name": "linkedToCyberAttack" }, { "Count": 118450670, "Description": "Linked to Malware", "Criticality": "Suspicious", "Name": "linkedToMalware" }, { "Count": 1542009, "Description": "Linked to Attack Vector", "Criticality": "Suspicious", "Name": "linkedToVector" }, { "Count": 342012, "Description": "Linked to Vulnerability", "Criticality": "Suspicious", "Name": "linkedToVuln" }, { "Count": 2615, "Description": "Malware SSL Certificate Fingerprint", "Criticality": "Malicious", "Name": "malwareSsl" }, { "Count": 171016408, "Description": "Positive Malware Verdict", "Criticality": "Malicious", "Name": "positiveMalwareVerdict" }, { "Count": 48382, "Description": "Threat Researcher", "Criticality": "Unusual", "Name": "threatResearcher" }, { "Count": 2136, "Description": "Reported by Insikt Group", "Criticality": "Unusual", "Name": "analystNote" }, { "Count": 5, "Description": "Trending in Recorded Future Analyst Community", "Criticality": "Unusual", "Name": "rfTrending" }, { "Count": 1018, "Description": "Historically Reported in Threat List", "Criticality": "Unusual", "Name": "historicalThreatListMembership" } ] } } }
Human Readable Output
17. Get the hash risk rules
This command is deprecated and will not be supported in Recorded Future v2.
Gets the risk rules for hash data.
Base Command
recorded-future-get-hash-riskrules
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.RiskRule.Hash.Name | string | Risk rule name |
RecordedFuture.RiskRule.Hash.Description | string | Risk rule description |
RecordedFuture.RiskRule.Hash.Count | number | Risk rule indicator count |
RecordedFuture.RiskRule.Hash.Criticality | string | Risk rule criticality |
Command Example
!recorded-future-get-hash-riskrules
Context Example
{ "RecordedFuture": { "RiskRule": { "Hash": [ { "Count": 1263174, "Description": "Linked to Cyber Attack", "Criticality": "Suspicious", "Name": "linkedToCyberAttack" }, { "Count": 118449991, "Description": "Linked to Malware", "Criticality": "Suspicious", "Name": "linkedToMalware" }, { "Count": 1542002, "Description": "Linked to Attack Vector", "Criticality": "Suspicious", "Name": "linkedToVector" }, { "Count": 342012, "Description": "Linked to Vulnerability", "Criticality": "Suspicious", "Name": "linkedToVuln" }, { "Count": 2615, "Description": "Malware SSL Certificate Fingerprint", "Criticality": "Malicious", "Name": "malwareSsl" }, { "Count": 171015323, "Description": "Positive Malware Verdict", "Criticality": "Malicious", "Name": "positiveMalwareVerdict" }, { "Count": 48382, "Description": "Threat Researcher", "Criticality": "Unusual", "Name": "threatResearcher" }, { "Count": 2136, "Description": "Reported by Insikt Group", "Criticality": "Unusual", "Name": "analystNote" }, { "Count": 5, "Description": "Trending in Recorded Future Analyst Community", "Criticality": "Unusual", "Name": "rfTrending" }, { "Count": 1018, "Description": "Historically Reported in Threat List", "Criticality": "Unusual", "Name": "historicalThreatListMembership" } ] } } }
Human Readable Output
18. Get the IP address risk rules
This command is deprecated and will not be supported in Recorded Future v2.
Gets the risk rules for IP data.
Base Command
recorded-future-get-ip-riskrules
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.RiskRule.IP.Name | string | Risk rule name |
RecordedFuture.RiskRule.IP.Description | string | Risk rule description |
RecordedFuture.RiskRule.IP.Count | number | Risk rule indicator count |
RecordedFuture.RiskRule.IP.Criticality | string | Risk rule criticality |
Command Example
!recorded-future-get-ip-riskrules
Context Example
{ "RecordedFuture": { "RiskRule": { "IP": [ { "Count": 1187, "Description": "Recently Defaced Site", "Criticality": "Suspicious", "Name": "recentlyDefaced" }, { "Count": 233465, "Description": "Historically Reported by DHS AIS", "Criticality": "Unusual", "Name": "dhsAis" }, { "Count": 76, "Description": "Recently Reported by DHS AIS", "Criticality": "Suspicious", "Name": "recentDhsAis" }, { "Count": 65391, "Description": "Historical Botnet Traffic", "Criticality": "Unusual", "Name": "botnet" }, ...
Human Readable Output
19. Get the URL risk rules
This command is deprecated and will not be supported in Recorded Future v2.
Gets the risk rules for URL data.
Base Command
recorded-future-get-url-riskrules
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.RiskRule.URL.Name | string | Risk rule name |
RecordedFuture.RiskRule.URL.Description | string | Risk rule description |
RecordedFuture.RiskRule.URL.Count | number | Risk rule indicator count |
RecordedFuture.RiskRule.URL.Criticality | string | Risk rule criticality |
Command Example
!recorded-future-get-url-riskrules
Context Example
{ "RecordedFuture": { "RiskRule": { "URL": [ { "Count": 151947, "Description": "Historically Reported as a Defanged URL", "Criticality": "Suspicious", "Name": "defangedURL" }, { "Count": 2389, "Description": "Recently Reported as a Defanged URL", "Criticality": "Malicious", "Name": "recentDefangedURL" }, { "Count": 2242, "Description": "Compromised URL", "Criticality": "Malicious", "Name": "compromisedUrl" }, { "Count": 2259, "Description": "Active Phishing URL", "Criticality": "Malicious", "Name": "phishingUrl" }, { "Count": 88, "Description": "C&C URL", "Criticality": "Very Malicious", "Name": "cncUrl" }, { "Count": 9, "Description": "Ransomware Distribution URL", "Criticality": "Very Malicious", "Name": "ransomwareDistribution" }, { "Count": 176069, "Description": "Historically Reported in Threat List", "Criticality": "Unusual", "Name": "historicalThreatListMembership" } ] } } }
Human Readable Output
20. Get the vulnerability risk rules
This command is deprecated and will not be supported in Recorded Future v2.
Gets the risk rules for vulnerability data.
Base Command
recorded-future-get-vulnerability-riskrules
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.RiskRule.Vulnerability.Name | string | Risk rule name |
RecordedFuture.RiskRule.Vulnerability.Description | string | Risk rule description |
RecordedFuture.RiskRule.Vulnerability.Count | number | Risk rule indicator count |
RecordedFuture.RiskRule.Vulnerability.Criticality | string | Risk rule criticality |
Command Example
!recorded-future-get-vulnerability-riskrules
Context Example
{ "RecordedFuture": { "RiskRule": { "Vulnerability": [ { "Count": 1, "Description": "Cyber Exploit Signal: Critical", "Criticality": "Critical", "Name": "cyberSignalCritical" }, { "Count": 4, "Description": "Cyber Exploit Signal: Important", "Criticality": "High", "Name": "cyberSignalHigh" }, { "Count": 105, "Description": "Cyber Exploit Signal: Medium", "Criticality": "Medium", "Name": "cyberSignalMedium" }, { "Count": 22203, "Description": "Linked to Historical Cyber Exploit", "Criticality": "Low", "Name": "linkedToCyberExploit" }, ...
Human Readable Output
21. Get a list of alert rules
This command is deprecated.
Use `recordedfuture-alert-rules` command from Recorded Future v2 instead.
You can find context differences here.
Gets Recorded Future alert rules.
Base Command
recorded-future-get-alert-rules
Input
Argument Name | Description | Required |
---|---|---|
rule_name | Rule name to search, can be a partial name | Optional |
limit | Number of rules to return | Optional |
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.AlertRule.ID | string | Alert rule ID |
RecordedFuture.AlertRule.Name | string | Alert rule name |
Command Example
!recorded-future-get-alert-rules rule_name="Global Trends"
Context Example
{ "RecordedFuture": { "AlertRule": [ { "ID": "Y8wa3G", "Name": "Global Trends, Trending Vulnerabilities" }, { "ID": "Y8wa3F", "Name": "Global Trends, Trending Attackers" } ] }
Human Readable Output
22. Get a list of alerts
This command is deprecated.
Use `recordedfuture-alerts` command from Recorded Future v2 instead.
You can find context differences here.
Gets alerts from Recorded Future.
Base Command
recorded-future-get-alerts
Input
Argument Name | Description | Required |
---|---|---|
rule_id | Alert rule ID | Optional |
limit | Number of alerts to return | Optional |
triggered_time | Alert triggered time, e.g., “1 hour” or “2 days” | Optional |
assignee | Alert assignee’s email address | Optional |
status | Alert review status | Optional |
freetext | Free text search | Optional |
offset | Alerts from offset | Optional |
orderby | Alerts sort order | Optional |
direction | Alerts sort direction | Optional |
Context Output
Path | Type | Description |
---|---|---|
RecordedFuture.Alert.ID | string | Alert ID |
RecordedFuture.Alert.Name | string | Alert name |
RecordedFuture.Alert.Type | string | Alert type |
RecordedFuture.Alert.Triggered | date | Alert triggered time |
RecordedFuture.Alert.Status | string | Alert status |
RecordedFuture.Alert.Assignee | string | Alert assignee |
RecordedFuture.Alert.Rule | string | Alert rule name |
Command Example
!recorded-future-get-alerts triggered_time="24 hours"
Context Example
{ "RecordedFuture": { "Alert": [ { "Status": "no-action", "Name": "DJIA Cyber - New references in 10 documents", "Triggered": "2019-02-04T10:06:28.619Z", "Rule": "DJIA Cyber", "Assignee": null, "Type": "EVENT", "ID": "Y_7dPz" }, { "Status": "no-action", "Name": "DJIA Cyber - New references in 6 documents", "Triggered": "2019-02-04T06:06:59.791Z", "Rule": "DJIA Cyber", "Assignee": null, "Type": "EVENT", "ID": "Y_zJEj" }, { "Status": "no-action", "Name": "DJIA Cyber - New references in 1 document", "Triggered": "2019-02-04T02:05:50.210Z", "Rule": "DJIA Cyber", "Assignee": null, "Type": "EVENT", "ID": "Y_s-Pu" }, { "Status": "no-action", "Name": "DJIA Cyber - New references in 12 documents", "Triggered": "2019-02-03T22:05:45.377Z", "Rule": "DJIA Cyber", "Assignee": null, "Type": "EVENT", "ID": "Y_lnjO" }, { "Status": "no-action", "Name": "DJIA Cyber - New references in 11 documents", "Triggered": "2019-02-03T18:05:36.142Z", "Rule": "DJIA Cyber", "Assignee": null, "Type": "EVENT", "ID": "Y_esMY" }, { "Status": "no-action", "Name": "DJIA Cyber - New references in 8 documents", "Triggered": "2019-02-03T14:05:21.965Z", "Rule": "DJIA Cyber", "Assignee": null, "Type": "EVENT", "ID": "Y_X-vd" } ] } }
Human Readable Output
Additional Information
Important notes regarding Risk Lists:
The risk list commands are wrapped by the following scripts:
RecordedFutureDomainRiskList
RecordedFutureHashRiskList
RecordedFutureIPRiskList
RecordedFutureURLRiskList
RecordedFutureVulnerabilityRiskList
Those scripts perform the same functionality and, in addition, create indicators in Cortex XSOAR, with the option to specify a threshold and to delete the existing indicators. Note that the delete option removes ALL the malicious Recorded Future indicators of that type, not only those absent from the new list.
The lists are updated in Recorded Future every hour. Refrain from executing the risk list commands and scripts often, as they are costly in terms of API credits. A good practice is to schedule a job that executes the scripts once a day or on a similar timeframe. For more information, see the Recorded Future documentation.
The lists contain a large number of indicators, so extracting them into Cortex XSOAR might take a while. It is possible to specify a risk rule in order to extract a specific list.
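The following is an added illustration of the threshold and delete-existing behaviour described above; it is not the code of the RecordedFuture*RiskList scripts. The CSV column names (Name, Risk, RiskString) and the inclusive 65 boundary are assumptions, and the sample list is constructed.

```python
"""Added example: threshold-based ingestion of a Recorded Future risk-list CSV
and a sync plan that makes the 'delete existing indicators' caveat explicit.

Assumptions (not stated on the page): the CSV has Name, Risk and RiskString
columns, and the 'Score above 65' boundary seen in the page's examples is
treated as inclusive. The sample data below is constructed, not real RF data.
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Cortex XSOAR DBotScore values.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

# Constructed sample of a domain risk list in the assumed column layout.
SAMPLE_CSV = """Name,Risk,RiskString
bad.example,96,5/10
worse.example,72,3/10
odd.example,40,1/10
quiet.example,0,0/10
"""


@dataclass(frozen=True)
class Indicator:
    value: str
    indicator_type: str  # e.g. "domain", "ip", "url", "file", "cve"
    score: int           # DBotScore
    risk: int            # Recorded Future risk score, 0-100


def score_for(risk: int, threshold: int) -> int:
    """Map a 0-100 Recorded Future risk score to a DBotScore.

    threshold is the script's 'Score above N' boundary (65 in the page's
    examples). Anything above zero but below it is only flagged suspicious.
    """
    if risk >= threshold:
        return DBOT_BAD
    if risk > 0:
        return DBOT_SUSPICIOUS
    return DBOT_UNKNOWN


def parse_risk_list(csv_text: str, indicator_type: str,
                    threshold: int = 65) -> List[Indicator]:
    """Turn the risk-list CSV into scored indicators.

    Rows with a missing or non-numeric Risk column are skipped rather than
    turned into an indicator with a guessed score.
    """
    result: List[Indicator] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            risk = int(row["Risk"])
            name = row["Name"].strip()
        except (KeyError, ValueError, AttributeError):
            continue
        if not name:
            continue
        result.append(Indicator(name, indicator_type,
                                score_for(risk, threshold), risk))
    return result


def plan_sync(fetched: Iterable[Indicator],
              existing_malicious: Iterable[str],
              delete_existing: bool) -> Tuple[List[Indicator], Set[str]]:
    """Return (indicators to create, indicator values to delete).

    Mirrors the page's note: with delete_existing=True, ALL existing malicious
    Recorded Future indicators of this type are removed, including ones that
    do not appear in the newly fetched list. Only rows at or above the
    threshold (DBotScore 3) are created as malicious indicators.
    """
    to_create = [i for i in fetched if i.score == DBOT_BAD]
    to_delete = set(existing_malicious) if delete_existing else set()
    return to_create, to_delete


if __name__ == "__main__":
    indicators = parse_risk_list(SAMPLE_CSV, "domain")
    create, delete = plan_sync(indicators, {"old.example", "bad.example"}, True)
    print("create:", [i.value for i in create])
    print("delete:", sorted(delete))
```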
Important notes regarding Alerts:
The integration fetches alerts from Recorded Future, which are generated by predefined rules.
It is possible to fetch all the alerts by not specifying any rule names. It is important however to know that each fetched alert costs 1 API credit, so fetching many alerts frequently could result in running out of credits. A good practice would be to specify alert rules or make sure not too many alerts are fetched every time.
Known Limitations
The Recorded Future API enforces a quota.
For alerts (from the Recorded Future support site):