Skip to main content

Recorded Future RiskList Feed

This Integration is part of the Recorded Future Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Ingests indicators from Recorded Future feeds into Cortex XSOAR. This integration was integrated and tested with Recorded Future Feed

Configure Recorded Future Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Recorded Future Feed.

  3. Click Add instance to create and configure a new integration instance.

    Fetch indicatorsFalse
    Indicator ReputationIndicators from this integration instance will be marked with this reputationFalse
    Source ReliabilityReliability of the source providing the intelligence dataTrue
    Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feedFalse
    Feed Fetch IntervalFalse
    Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Indicator TypeType of the indicator in the feed.True
    API tokenTrue
    Risk RuleA comma-separated list of risk rules which limits the indicators list to a specific risk rule. For example: 'dhsAis,phishingUrl'. If more than one risk rule is set, the indicators fetching and the 'rf-feed-get-indicators' command will be executed for each risk rule. To see available risk rules run the rf-feed-get-risk-rules command. This parameter will only be used for the 'connectApi' service. Using the 'large' risk rule is not recommended.False
    Fusion File PathLoad a custom risklist from a specified Recorded Future file path.
    If no file path is specified, the default risklist file is used. This parameter
    will only be used for the 'fusion' service.
    TagsSupports CSV values.False
    Request TimeoutTime in seconds before HTTP requests timeout.True
    Malicious ThresholdThe minimum score from the feed in order to to determine whether the indicator is malicious. Default is "65". For more information about Recorded Future scoring go to integration details.False
    IOC Risk Score ThresholdIf selected, will be used to filter out the ingested indicators, and only indicators with equivalent and higher risk score will be ingested into XSOAR.False
  4. Click Test to validate the URLs, token, and connection.


  1. It is highly recommended to not create multiple instances of the same indicator type, even when fetching both from fusion and connectApi. Creating multiple instances with same indicator type will lead to duplicate indicators being fetched which can cause performance issues for the server.

  2. Because of restrictions on the API side, it is strongly advisable to maintain the number of indicators below 100,000 per instance. Exceeding this limit may result in unforeseen expiration of indicators beyond that threshold.

  3. Recommended interval for fetching indicators according to Recorded Future documentation:

    Indicator TypeRecommended Fetch Interval
    IP1 Hour.
    Domain2 Hours.
    Hash1 Day.
    URL2 Hours.
    Vulnerability2 Hours.
  4. Per instance configuration, it is recommended to use either connectApi or fusion as a service for chosen indicator type, and not both, as most of the data between both services is duplicated.

  5. The feed size can be changed according to the chosen indicator type:

    • IP - As of September 24, 2020, this risk list includes over 5.9k records.
    • Domain - Due to additional sources of malicious domains added recently, the number of high risk domains collected and analyzed in Recorded Future has dramatically increased. As a result, now cap this risklist at 100,000 domains.
    • Hash - In the second half of 2018, improvements and enhancements to our hash collection and analysis processes led to a dramatic increase in risky hashes that meet the above criteria. As a result, now cap this risklist at 100,000 hashes.
    • URL - This risk list includes 100,000 records.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Gets indicators from the feed.

Base Command#



Argument NameDescriptionRequired
limitThe maximum number of results to return. The default value is 10. Default is 10.Required
indicator_typeThe indicator type. Can be "ip", "domain", "hash", "vulnerability" or "url". Possible values are: ip, domain, hash, url, vulnerability.Optional

Context Output#

There is no context output for this command.


Get a list of the risk rules available for an indicator, To limit the 'connectApi' service indicators list.

Base Command#



Argument NameDescriptionRequired
indicator_typeThe indicator type. Possible values are: ip, domain, hash, url, vulnerability.Required

Context Output#

RecordedFutureFeed.RiskRule.NameStringThe risk rule name.
RecordedFutureFeed.RiskRule.DescriptionStringThe risk rule description.
RecordedFutureFeed.RiskRule.CriticalityStringThe risk rule criticality.


If indicators expire unexpectedly, ensure that the feed is not receiving more than 100,000 indicators per fetch. As it is discouraged to use "large" as a risk rule, we currently receive indicators in a single large CSV file containing up to 100,000 indicators. If Recorded Future has additional indicators to send, the CSV will be sorted in descending order based on the highest score. Consequently, some indicators may not pass through, leading to their expiration, particularly if the expiration is configured as "When removed from the feed" and they were present in our system from previous fetches.