Recorded Future Identity
This Integration is part of the Recorded Future Identity Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Unique threat intel technology that automatically serves up relevant insights in real time. Recorded Future Identity
Configure Recorded Future Identity on Cortex XSOAR#
Information#
A valid API Token for Recorded Future Identity Intelligence needed to fetch information. Get help with Recorded Future for Cortex XSOAR.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Recorded Future Identity.
- Click Add instance to create and configure a new integration instance.
Configuration#
| Parameter | Description |
|---|---|
| Server URL | The URL to the Recorded Future ConnectAPI |
| API Token | Valid API Token from Recorded Future |
| unsecure | Trust any certificate (unsecure) |
| proxy | Use system proxy settings |
| Password properties | Password properties that are used as a filter |
| Limit Identities | Limit of identities to get min is 0 and max is 10 000 |
| Domains | List of domains to use in search and lookup commands(e.g. mycompany.com; nextcompany.com ) |
- Click Test to validate the URLs, token, and connection.
Several of the outputs below have been reduced in size to improve readability.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
recordedfuture-identity-search#
Get a list of identities for the specified period of time.
Base Command#
recordedfuture-identity-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| latest-downloaded | Time frame for the leaked identities | Optional |
| domain-type | Type of the domain(Email, Authorization, All) | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| RecordedFuture.Credentials.SearchIdentities | List | List of Identities that were found in search command |
Command Example#
!recordedfuture-identity-search latest-downloaded="All time" domain-type=Authorization
Context Example#
Human Readable Output#
This is search results for fakeyahoo.com, fake.com :#
- 30fake in domain fakeyahoo.com
- 3072882fake in domain fakeyahoo.com
- fake3@fake.com
- test@fakeyahoo.com
recordedfuture-identity-lookup#
Get a detailed info regarding identities.
Base Command#
recordedfuture-identity-lookup
Input#
| Argument Name | Description | Required |
|---|---|---|
| identities | String of identities separated by semicolon | Required |
| first-downloaded | Time frame for the leaked identities | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| RecordedFuture.Credentials.Identities.identity.subjects | string | Identity value |
| RecordedFuture.Credentials.Identities.count | number | Leaked credentials count number |
| RecordedFuture.Credentials.Identities.credentials.subject | string | Identity value |
| RecordedFuture.Credentials.Identities.credentials.dumps.name | string | Dump name |
| RecordedFuture.Credentials.Identities.credentials.dumps.description | string | Dump description |
| RecordedFuture.Credentials.Identities.credentials.dumps.downloaded | string | Datetime string that show the day when dump was downloaded |
| RecordedFuture.Credentials.Identities.credentials.type | string | Dump type |
| RecordedFuture.Credentials.Identities.credentials.breaches.name | string | Breach name |
| RecordedFuture.Credentials.Identities.credentials.breaches.domain | string | Breach domain |
| RecordedFuture.Credentials.Identities.credentials.breaches.type | string | Breach type |
| RecordedFuture.Credentials.Identities.credentials.breaches.breached | string | Datetime string that show the day when breach happened |
| RecordedFuture.Credentials.Identities.credentials.breaches.description | string | Breach description |
| RecordedFuture.Credentials.Identities.credentials.breaches.site_description | string | Breach site description |
| RecordedFuture.Credentials.Identities.credentials.first_downloaded | string | Datetime string representing firs time downloaded |
| RecordedFuture.Credentials.Identities.credentials.latest_downloaded | string | Datetime string representing last time downloaded |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.type | string | Exposed secret type |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.algorithm | string | Exposed secret hash algorithm |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.hash | string | Exposed secret hash value |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.effectively_clear | boolean | Exposed secret clear or not |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.properties | string | Exposed secret properties |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.clear_text_hint | string | Exposed secret text hint |
| RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.rank | string | Rank for the exposed password |
Command Example#
!recordedfuture-identity-lookup identities="fake@fakeyahoo.com;real@notfake.com" first-downloaded="3 Months ago"
Context Example#
Human Readable Output#
Credentials Lookup#
Identity __fake1@fake.com__:#
Exposed Password Data#
Password 1: OL (clear)
Breaches#
Cit0day, Sep 2020, Password 1 In September 2020, the website became inaccessible to users, and was replaced with a seizure notice allegedly.
Dumps#
Dark Web Dump March 2021, Mar 2021, Password 1 This combo list of email addresses and clear passwords is not associated with any specific breach. Cit0day Dump November 2020 - Full, Nov 2020, Password 1 After the 2020 closure of the underground site Cit0day, threat actors began to share leaked databases.