# Recorded Future Identity

This Integration is part of the Recorded Future Identity Pack.

Supported Cortex XSOAR versions: 6.0.0 and later.

Unique threat intel technology that automatically serves up relevant insights in real time.
## Configure Recorded Future Identity on Cortex XSOAR

Information: A valid API Token for Recorded Future Identity Intelligence is needed to fetch information. Get help with Recorded Future for Cortex XSOAR.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Recorded Future Identity.
- Click Add instance to create and configure a new integration instance.
### Configuration

| Parameter | Description |
|---|---|
| Server URL | The URL to the Recorded Future ConnectAPI |
| API Token | Valid API Token from Recorded Future |
| unsecure | Trust any certificate (unsecure) |
| proxy | Use system proxy settings |
| Password properties | Password properties that are used as a filter |
| Limit Identities | Limit of identities to get (min 0, max 10 000) |
| Domains | List of domains to use in search and lookup commands (e.g. mycompany.com, nextcompany.com) |
- Click Test to validate the URLs, token, and connection.
Several of the outputs below have been reduced in size to improve readability.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### recordedfuture-identity-search

Get a list of identities for the specified period of time.

#### Base Command

`recordedfuture-identity-search`
#### Input

| Argument Name | Description | Required |
|---|---|---|
| latest-downloaded | Time frame for the leaked identities | Optional |
| domain-type | Type of the domain (Email, Authorization, All) | Optional |
| domains | Domains separated by comma (if not specified, the domains from the app instance will be used) | Optional |
#### Context Output

| Path | Type | Description |
|---|---|---|
| RecordedFuture.Credentials.SearchIdentities | List | List of identities that were found by the search command |
#### Command Example

`!recordedfuture-identity-search latest-downloaded="All time" domain-type=Authorization`

#### Context Example

#### Human Readable Output
This is search results for fakeyahoo.com, fake.com :
- 30fake in domain fakeyahoo.com
- 3072882fake in domain fakeyahoo.com
- fake3@fake.com
- test@fakeyahoo.com
### recordedfuture-identity-lookup

Get detailed information about identities.

#### Base Command

`recordedfuture-identity-lookup`
#### Input

| Argument Name | Description | Required |
|---|---|---|
| identities | String of identities separated by comma | Required |
| first-downloaded | Time frame for the leaked identities | Optional |
| domains | Domains separated by comma | Optional |
#### Context Output

| Path | Type | Description |
|---|---|---|
| RecordedFuture.Credentials.Identities.identity.subjects | string | Identity value |
| RecordedFuture.Credentials.Identities.count | number | Leaked credentials count |
| RecordedFuture.Credentials.Identities.credentials.subject | string | Identity value |
| RecordedFuture.Credentials.Identities.credentials.dumps.name | string | Dump name |
| RecordedFuture.Credentials.Identities.credentials.dumps.description | string | Dump description |
| RecordedFuture.Credentials.Identities.credentials.dumps.downloaded | string | Datetime string that shows the day the dump was downloaded |
| RecordedFuture.Credentials.Identities.credentials.type | string | Dump type |
| RecordedFuture.Credentials.Identities.credentials.breaches.name | string | Breach name |
| RecordedFuture.Credentials.Identities.credentials.breaches.domain | string | Breach domain |
| RecordedFuture.Credentials.Identities.credentials.breaches.type | string | Breach type |
| RecordedFuture.Credentials.Identities.credentials.breaches.breached | string | Datetime string that shows the day the breach happened |
| RecordedFuture.Credentials.Identities.credentials.breaches.description | string | Breach description |
| RecordedFuture.Credentials.Identities.credentials.breaches.site_description | string | Breach site description |
| RecordedFuture.Credentials.Identities.credentials.first_downloaded | string | Datetime string representing the first time downloaded |
| RecordedFuture.Credentials.Identities.credentials.latest_downloaded | string | Datetime string representing the last time downloaded |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.type | string | Exposed secret type |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.algorithm | string | Exposed secret hash algorithm |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.hash | string | Exposed secret hash value |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.effectively_clear | boolean | Whether the exposed secret is effectively in the clear |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.properties | string | Exposed secret properties |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.clear_text_hint | string | Exposed secret clear text hint |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.rank | string | Rank of the exposed password |
#### Command Example

`!recordedfuture-identity-lookup identities="fake@fakeyahoo.com,real@notfake.com" first-downloaded="3 Months ago"`

#### Context Example

#### Human Readable Output
Credentials Lookup

Results for fake1@fake.com:
We found 1 passwords that were leaked for this identity:
Password 1:
Rank: TopMillionCommonPasswords
Properties: Letter, Number, LowerCase, AtLeast8Characters
Type: clear
Effectively Clear: True
Clear Text Hint: wa
Algorithm: SHA1 Hash:21b1ee2d6764b61b038605378f361599a8b503ed
Algorithm: SHA256 Hash:99dbda619dfd82cf9dae074b5c3168e75961b642f3245fe7f400ad03940a0bd8
Algorithm: NTLM Hash:da89071afe87527dc0e89a09d35cb9c0
Algorithm: MD5 Hash:a0b1c21221b29780fc5e3373e626ab9b
Authorization service url: https://signup.norsegods.online/signup
Domain: norsegods.online
First Downloaded: Nov 2022
Last Downloaded: Nov 2022
Exfiltration date: N/A
Malware Family: RedLine Stealer
Information about dumps where we found for Password 1:
Stealer Malware Logs 2022-11-03, Nov 2022
Description: This credential data was derived from stealer malware logs. Dump type: N/A
Compromised Host Operating System: Windows 10 Enterprise x64
IP Address: 138.255.250.246
Country: DO
Postal Code: 11403
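As an added example (not code from the integration or from Recorded Future), the following Python automation-style snippet walks the `RecordedFuture.Credentials.Identities` context documented above and ranks each identity for a credential reset: a secret that is effectively clear and was downloaded on or after a cutoff date is treated as high severity, newer hash-only material as medium, and older exposures as low. The sample context is constructed, and the datetime fields are assumed to be ISO 8601 strings.

```python
from datetime import datetime

# Constructed sample shaped like the RecordedFuture.Credentials.Identities
# context path; every value is invented for illustration.
SAMPLE_IDENTITIES = [
    {"identity": {"subjects": ["alice@example.com"]}, "count": 2, "credentials": [
        {"subject": "alice@example.com", "type": "stealer_log",
         "dumps": [{"name": "Stealer Malware Logs 2022-11-03",
                    "downloaded": "2022-11-03T00:00:00Z"}],
         "breaches": [], "latest_downloaded": "2022-11-03T00:00:00Z",
         "exposed_secret": {"type": "clear", "effectively_clear": True,
                            "hashes": [{"algorithm": "SHA1", "hash": "<constructed>"}],
                            "details": {"rank": "TopMillionCommonPasswords"}}},
        {"subject": "alice@example.com", "type": "breach", "dumps": [],
         "breaches": [{"name": "OldForumBreach", "domain": "forum.example"}],
         "latest_downloaded": "2016-05-01T00:00:00Z",
         "exposed_secret": {"type": "hash", "effectively_clear": False,
                            "hashes": [{"algorithm": "MD5", "hash": "<constructed>"}],
                            "details": {}}}]},
    {"identity": {"subjects": ["bob@example.com"]}, "count": 1, "credentials": [
        {"subject": "bob@example.com", "type": "breach", "dumps": [],
         "breaches": [{"name": "OldForumBreach", "domain": "forum.example"}],
         "latest_downloaded": "2016-05-01T00:00:00Z",
         "exposed_secret": {"type": "hash", "effectively_clear": False,
                            "hashes": [{"algorithm": "SHA256", "hash": "<constructed>"}],
                            "details": {}}}]},
]


def parse_ts(ts):
    """Assumed ISO 8601 format; 'Z' is normalised so fromisoformat accepts it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(identities, since):
    """Return one record per identity, highest severity first, with the dump and
    breach names so the analyst can see where each exposure came from."""
    cutoff, out = parse_ts(since), []
    for ident in identities:
        severity, sources = "low", set()
        for cred in ident.get("credentials", []):
            recent = parse_ts(cred["latest_downloaded"]) >= cutoff
            clear = cred["exposed_secret"].get("effectively_clear", False)
            sources.update(d["name"] for d in cred.get("dumps", []))
            sources.update(b["name"] for b in cred.get("breaches", []))
            if recent and clear:
                severity = "high"          # plaintext is exposed: reset now
            elif recent and severity != "high":
                severity = "medium"        # only hashes, but recent: reset soon
        out.append({"subject": ident["identity"]["subjects"][0],
                    "severity": severity, "sources": sorted(sources)})
    return sorted(out, key=lambda r: {"high": 0, "medium": 1, "low": 2}[r["severity"]])
```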
### recordedfuture-password-lookup
#### Input

| Argument Name | Description | Required |
|---|---|---|
| password-hash | Hash representation of the password | Required |
| hash-algorithm | Hash algorithm for the password (MD5, NTLM, SHA1, SHA256) | Required |
#### Context Output

| Path | Type | Description |
|---|---|---|
| RecordedFuture.Credentials.Password.Password.Hash | String | Recorded Future password hash value. |
| RecordedFuture.Credentials.Password.Password.Algorithm | String | Recorded Future password hash algorithm. |
| RecordedFuture.Credentials.Password.ExposureStatus | String | Recorded Future password exposure status. One of Common, UnCommon, NeverExposed |
#### Command Example

`!recordedfuture-password-lookup password-hash="0e44ce7308af2b3de5232e4616403ce7d49ba2aec83f79c196409556422a4927" hash-algorithm="SHA256"`

```
exposure_status:NeverExposed algorithm:SHA256 hash:da6a0f1c706df7e864f9d6f9431de9950450880e
```
#### Context Example

#### Human Readable Output
This is search results for password you provided:
Password hash: 0e44ce7308af2b3de5232e4616403ce7d49ba2aec83f79c196409556422a4927
Password hash algorithm: SHA256
Password status: Common