# Recorded Future Identity

This integration is part of the Recorded Future Identity Pack.

#### Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.

Unique threat intel technology that automatically serves up relevant insights in real time.

## Configure Recorded Future Identity on Cortex XSOAR

A valid API token for Recorded Future Identity Intelligence is needed to fetch information. Get help with Recorded Future for Cortex XSOAR.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Recorded Future Identity.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description |
| --- | --- |
| Server URL | The URL to the Recorded Future ConnectAPI |
| API Token | Valid API Token from Recorded Future |
| unsecure | Trust any certificate (unsecure) |
| proxy | Use system proxy settings |
| Password properties | Password properties that are used as a filter |
| Limit Identities | Maximum number of identities to return; min is 0 and max is 10 000 |
| Domains | List of domains to use in the search and lookup commands (e.g. mycompany.com; nextcompany.com) |
- Click Test to validate the URLs, token, and connection.
Several of the outputs below have been reduced in size to improve readability.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### recordedfuture-identity-search

Get a list of identities for the specified period of time.

#### Base Command

`recordedfuture-identity-search`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| latest-downloaded | Time frame for the leaked identities | Optional |
| domain-type | Type of the domain (Email, Authorization, All) | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.Credentials.SearchIdentities | List | List of identities found by the search command |

#### Command Example

```!recordedfuture-identity-search latest-downloaded="All time" domain-type=Authorization```

#### Context Example

#### Human Readable Output
These are the search results for fakeyahoo.com, fake.com:
- 30fake in domain fakeyahoo.com
- 3072882fake in domain fakeyahoo.com
- fake3@fake.com
- test@fakeyahoo.com
### recordedfuture-identity-lookup

Get detailed information about identities.

#### Base Command

`recordedfuture-identity-lookup`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| identities | String of identities separated by semicolons | Required |
| first-downloaded | Time frame for the leaked identities | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.Credentials.Identities.identity.subjects | string | Identity value |
| RecordedFuture.Credentials.Identities.count | number | Number of leaked credentials |
| RecordedFuture.Credentials.Identities.credentials.subject | string | Identity value |
| RecordedFuture.Credentials.Identities.credentials.dumps.name | string | Dump name |
| RecordedFuture.Credentials.Identities.credentials.dumps.description | string | Dump description |
| RecordedFuture.Credentials.Identities.credentials.dumps.downloaded | string | Datetime string showing the day the dump was downloaded |
| RecordedFuture.Credentials.Identities.credentials.type | string | Dump type |
| RecordedFuture.Credentials.Identities.credentials.breaches.name | string | Breach name |
| RecordedFuture.Credentials.Identities.credentials.breaches.domain | string | Breach domain |
| RecordedFuture.Credentials.Identities.credentials.breaches.type | string | Breach type |
| RecordedFuture.Credentials.Identities.credentials.breaches.breached | string | Datetime string showing the day the breach happened |
| RecordedFuture.Credentials.Identities.credentials.breaches.description | string | Breach description |
| RecordedFuture.Credentials.Identities.credentials.breaches.site_description | string | Breach site description |
| RecordedFuture.Credentials.Identities.credentials.first_downloaded | string | Datetime string representing the first time downloaded |
| RecordedFuture.Credentials.Identities.credentials.latest_downloaded | string | Datetime string representing the last time downloaded |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.type | string | Exposed secret type |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.algorithm | string | Exposed secret hash algorithm |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.hash | string | Exposed secret hash value |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.effectively_clear | boolean | Whether the exposed secret is effectively in clear text |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.properties | string | Exposed secret properties |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.clear_text_hint | string | Exposed secret text hint |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.rank | string | Rank for the exposed password |
#### Command Example

```!recordedfuture-identity-lookup identities="fake@fakeyahoo.com;real@notfake.com" first-downloaded="3 Months ago"```

#### Context Example

#### Human Readable Output

### Credentials Lookup

__fake1@fake.com__:

#### Identity

#### Exposed Password Data
Password 1: OL (clear)

#### Breaches
Cit0day, Sep 2020, Password 1
In September 2020, the website became inaccessible to users, and was replaced with a seizure notice allegedly.

#### Dumps
Dark Web Dump March 2021, Mar 2021, Password 1
This combo list of email addresses and clear passwords is not associated with any specific breach.

Cit0day Dump November 2020 - Full, Nov 2020, Password 1
After the 2020 closure of the underground site Cit0day, threat actors began to share leaked databases.
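A playbook step that consumes the lookup output usually has to decide which of the returned identities warrant a forced password reset and which only need monitoring. The following Python is an added example for this page, not code from the Recorded Future Identity pack or from Cortex XSOAR. It walks a context object shaped after the dotted paths in the Context Output table and flags an identity when any exposed secret is `effectively_clear` (as in the `OL (clear)` line of the readable output) or when a credential for it was downloaded on or after a cutoff date. The list nesting of `Identities` and `credentials`, the property names under `details.properties`, the `breach.example` domain and every other value in `SAMPLE_CONTEXT` are assumptions constructed for the example.

```python
"""Triage of recordedfuture-identity-lookup results (added example).

Not part of the Recorded Future Identity pack. Walks the context documented
under RecordedFuture.Credentials.Identities and builds a per-identity summary
that a playbook could use to decide which accounts need a forced password
reset. The list nesting of Identities/credentials is assumed from the dotted
paths in the docs; every value in SAMPLE_CONTEXT is constructed.
"""
from datetime import datetime


def parse_ts(value):
    """Parse the context's ISO 8601 timestamps; a trailing Z means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def _as_list(value):
    """Context nodes may arrive as one object or as a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def triage(context, since=None):
    """Summarise each looked-up identity.

    An identity needs a reset when any exposed secret is effectively clear
    (whoever holds the dump knows the password) or when Recorded Future
    downloaded a credential for it on or after `since` (ISO 8601 string).
    """
    cutoff = parse_ts(since) if since else None
    identities = context.get("RecordedFuture", {}).get("Credentials", {}).get("Identities")
    rows = []
    for ident in _as_list(identities):
        subjects = _as_list(ident.get("identity", {}).get("subjects"))
        creds = _as_list(ident.get("credentials"))
        sources, newest, clear = set(), None, 0
        for cred in creds:
            if cred.get("exposed_secret", {}).get("effectively_clear"):
                clear += 1
            # Both dumps and breaches carry a "name"; collect them as sources.
            for src in _as_list(cred.get("dumps")) + _as_list(cred.get("breaches")):
                sources.add(src["name"])
            seen = parse_ts(cred["latest_downloaded"])
            newest = seen if newest is None or seen > newest else newest
        recent = cutoff is not None and newest is not None and newest >= cutoff
        rows.append({
            "subject": subjects[0] if subjects else "<unknown>",
            "exposures": len(creds),
            "clear_text_exposures": clear,
            "newest_download": newest.isoformat() if newest else None,
            "sources": sorted(sources),
            "needs_reset": clear > 0 or recent,
        })
    return rows


# Constructed sample shaped after the documented context paths.
SAMPLE_CONTEXT = {"RecordedFuture": {"Credentials": {"Identities": [
    {"identity": {"subjects": ["fake1@fake.com"]}, "count": 2, "credentials": [
        {   # cleartext password seen in a combo-list dump
            "subject": "fake1@fake.com", "type": "Dump", "breaches": [],
            "dumps": [{"name": "Dark Web Dump March 2021",
                       "description": "Combo list not tied to a specific breach",
                       "downloaded": "2021-03-10T00:00:00Z"}],
            "first_downloaded": "2021-03-10T00:00:00Z",
            "latest_downloaded": "2021-03-10T00:00:00Z",
            "exposed_secret": {"type": "Password", "hashes": [], "effectively_clear": True,
                               "details": {"properties": ["Letter", "UpperCase"],
                                           "clear_text_hint": "OL", "rank": "Common"}}},
        {   # hashed password from a site breach
            "subject": "fake1@fake.com", "type": "Breach", "dumps": [],
            "breaches": [{"name": "Cit0day", "domain": "breach.example", "type": "Site",
                          "breached": "2020-09-01T00:00:00Z",
                          "description": "Site replaced with a seizure notice",
                          "site_description": "Underground site"}],
            "first_downloaded": "2020-11-15T00:00:00Z",
            "latest_downloaded": "2020-11-15T00:00:00Z",
            "exposed_secret": {"type": "Password", "effectively_clear": False,
                               "hashes": [{"algorithm": "SHA256", "hash": "<placeholder>"}],
                               "details": {"properties": [], "clear_text_hint": "", "rank": ""}}}]},
    {"identity": {"subjects": ["test@fakeyahoo.com"]}, "count": 1, "credentials": [
        {   # only a hashed password, and an old download
            "subject": "test@fakeyahoo.com", "type": "Breach", "dumps": [],
            "breaches": [{"name": "Cit0day", "domain": "breach.example", "type": "Site",
                          "breached": "2020-09-01T00:00:00Z", "description": "",
                          "site_description": ""}],
            "first_downloaded": "2020-11-15T00:00:00Z",
            "latest_downloaded": "2020-11-15T00:00:00Z",
            "exposed_secret": {"type": "Password", "effectively_clear": False,
                               "hashes": [{"algorithm": "MD5", "hash": "<placeholder>"}],
                               "details": {"properties": [], "clear_text_hint": "", "rank": ""}}}]},
]}}}

if __name__ == "__main__":
    for row in triage(SAMPLE_CONTEXT, since="2021-01-01T00:00:00Z"):
        flag = "RESET" if row["needs_reset"] else "monitor"
        print(f"{flag:8} {row['subject']}: {row['exposures']} exposures, "
              f"{row['clear_text_exposures']} clear, sources={row['sources']}")
```

With the sample data, `fake1@fake.com` is flagged regardless of the cutoff because one of its secrets is effectively clear, while `test@fakeyahoo.com` (hashed only, last downloaded in November 2020) is flagged only when `since` is earlier than that download. In a playbook the `since` value would normally be derived from the same window passed as `first-downloaded` to the lookup command, so that stale exposures already handled in an earlier run do not trigger repeated resets.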