Recorded Future Identity

This Integration is part of the Recorded Future Identity Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Recorded Future Identity Integration

Overview

This integration allows you to leverage Recorded Future's identity-related threat intelligence within Cortex XSOAR. It provides commands to search and lookup identity data, fetch playbook alerts, and manage incident statuses, enhancing your security operations with actionable intelligence.

Setup

A valid API Token for Recorded Future Identity Intelligence needed to fetch information. Get help with Recorded Future for Cortex XSOAR.

Configuration

1. Navigate to Integrations:

   • Go to Settings > Integrations > Servers & Services.

2. Search for Recorded Future Identity:

   • In the search bar, type Recorded Future Identity.

3. Add a New Instance:

   • Click Add instance to create and configure a new integration instance.

4. Enter Configuration Parameters:

   • Fill in the required parameters such as Server URL and API Token.
   • Adjust optional settings like proxy usage and incident fetching as needed.

5. Test the Configuration:

   • Click Test to ensure the settings are correct and that the connection to Recorded Future is successful.

Configuration Parameters

Parameter	Description	Required
Server URL	The URL to the Recorded Future ConnectAPI.	True
API Token	Valid API Token from Recorded Future.	True
Trust any certificate	Trust any certificate (not secure).	False
Use system proxy settings	Use system proxy settings.	False
Fetch incidents	Enable fetching incidents.	False
First Incident Fetch: Time Range	Limit incidents to include in the first fetch by time range. Input format: "NN hours" or "NN days".	False
Maximum number of incidents per fetch	Limit the number of incidents returned per single fetch. Default value: 50.	False
Incident type	The type of incidents to fetch.	False
Password properties	Password properties that are used as a filter.	False
Limit Identities	Limit of identities to get, minimum is 0 and maximum is 10,000.	False
Domains	List of domains to use in search and lookup commands (e.g., mycompany.com, nextcompany.com).	True
Playbook Alerts: Fetched Statuses	Choose what statuses are included in the fetch (New, In Progress, Dismissed, Resolved).	False
Playbook Alerts: Fetched Priorities Threshold	Choose the priority threshold to fetch alerts of the selected priority and higher (Informational < Moderate < High).	False

6. Click Test to validate the URLs, token, and connection.

Pre-Process Rule

The integration pulls in Playbook alerts from Recorded Future based on its updates, creating the need for a preprocessing rule that updates existing incidents instead of creating duplicates. Follow the guidelines below to configure the preprocessing rule.

1. Navigate to Settings > Objects Setup > Pre-Process Rules.
2. Click New Rule.
3. Name the rule appropriately.
4. In the Conditions for Incoming Incident section, enter:
   • Name - Includes - Recorded Future Playbook Alert
5. In the Action section, select Drop and update.
6. In the Update section, enter
   • Link to - Oldest incident - Created within the last - Your desired timeframe
   • DbotMirrorId - Is identical (Incoming Incident) - to incoming incident

The configuration of the preprocessing rule is optional, but highly recommended.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After executing a command, a DBot message appears in the War Room with the command details.

recordedfuture-identity-search

Search for identities in the Recorded Future dataset.

Base Command

recordedfuture-identity-search

Input

Argument Name	Description	Required
first-downloaded	Time period for "first_downloaded_gte" filter (e.g., "7 days ago", "Three months ago", "Last Year", "All time"). Default value: "All time".	Optional
latest-downloaded	Time period for "last_downloaded_gte" filter (e.g., "7 days ago", "Three months ago", "Last Year", "All time"). Default value: "All time".	Optional
exfiltration-date	Time period for "exfiltration_date_gte" filter (e.g., "7 days ago", "Three months ago", "Last Year", "All time"). Default value: "All time".	Optional
domain-type	Type of the domain (Email, Authorization, All).	Optional
domains	Domains separated by comma (if not specified, domains from app instance will be used).	Optional

Context Output

Path	Type	Description
RecordedFuture.Credentials.SearchIdentities	List	List of Identities that were found in search command

Command Example

!recordedfuture-identity-search latest-downloaded="All time" domain-type=Authorization

Context Example

{

"RecordedFuture": {

"Credentials": {

"SearchIdentities": [

{

"login": "30fake",

"domain": "fakeyahoo.com"

},

{

"login": "3072882fake",

"domain": "fakeyahoo.com"

},

"fake3@fake.com",

"test@fakeyahoo.com"

]

}

}

}

Human Readable Output

This is search results for fakeyahoo.com, fake.com :

• 30fake in domain fakeyahoo.com
• 3072882fake in domain fakeyahoo.com
• fake3@fake.com
• test@fakeyahoo.com

recordedfuture-identity-lookup

Get detailed information regarding identities.

Base Command

recordedfuture-identity-lookup

Input

Argument Name	Description	Required
identities	String of identities separated by comma.	Required
first-downloaded	Time period for "first_downloaded_gte" filter (e.g., "7 days ago", "Three months ago", "Last Year", "All time"). Default value: "All time".	Optional
latest-downloaded	Time period for "last_downloaded_gte" filter (e.g., "7 days ago", "Three months ago", "Last Year", "All time"). Default value: "All time".	Optional
exfiltration-date	Time period for "exfiltration_date_gte" filter (e.g., "7 days ago", "Three months ago", "Last Year", "All time"). Default value: "All time".	Optional
domains	Domains separated by comma.	Optional

Context Output

Path	Type	Description
RecordedFuture.Credentials.Identities.identity.subjects	string	Identity value
RecordedFuture.Credentials.Identities.count	number	Leaked credentials count number
RecordedFuture.Credentials.Identities.credentials.subject	string	Identity value
RecordedFuture.Credentials.Identities.credentials.dumps.name	string	Dump name
RecordedFuture.Credentials.Identities.credentials.dumps.description	string	Dump description
RecordedFuture.Credentials.Identities.credentials.dumps.downloaded	string	Datetime string that show the day when dump was downloaded
RecordedFuture.Credentials.Identities.credentials.type	string	Dump type
RecordedFuture.Credentials.Identities.credentials.breaches.name	string	Breach name
RecordedFuture.Credentials.Identities.credentials.breaches.domain	string	Breach domain
RecordedFuture.Credentials.Identities.credentials.breaches.type	string	Breach type
RecordedFuture.Credentials.Identities.credentials.breaches.breached	string	Datetime string that show the day when breach happened
RecordedFuture.Credentials.Identities.credentials.breaches.description	string	Breach description
RecordedFuture.Credentials.Identities.credentials.breaches.site_description	string	Breach site description
RecordedFuture.Credentials.Identities.credentials.first_downloaded	string	Datetime string representing firs time downloaded
RecordedFuture.Credentials.Identities.credentials.latest_downloaded	string	Datetime string representing last time downloaded
RecordedFuture.Credentials.Identities.credentials.exposed_secret.type	string	Exposed secret type
RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.algorithm	string	Exposed secret hash algorithm
RecordedFuture.Credentials.Identities.credentials.exposed_secret.hashes.hash	string	Exposed secret hash value
RecordedFuture.Credentials.Identities.credentials.exposed_secret.effectively_clear	boolean	Exposed secret clear or not
RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.properties	string	Exposed secret properties
RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.clear_text_hint	string	Exposed secret text hint
RecordedFuture.Credentials.Identities.credentials.exposed_secret.details.rank	string	Rank for the exposed password

Command Example

!recordedfuture-identity-lookup identities="fake@fakeyahoo.com,real@notfake.com" first-downloaded="3 Months ago"

Context Example

{

"RecordedFuture": {

"Credentials": {

"Identities": [

{

"identity":{

"subjects":[

"fake@yahoo.com"

]

},

"count":4,

"credentials":[

{

"subject":"fake@yahoo.com",

"dumps":[

{

"name":"FAKE Dump November 2020",

"description":"This SQL Dump linked to the 2020",

"downloaded":"2020-11-05T00:00:00.000Z",

"type":"SQL Dump",

"breaches":[

{

"name":"FAKE",

"domain":"fake.com",

"type":"breach",

"breached":"2020-10-01T00:00:00.000Z",

"description":"In October 2020, fake suffered a breach that exposed a portion of their backup data from November 2017. The exposed data included",

"site_description":"Fale provides backup and related services for mobile devices."

}

]

}

],

"first_downloaded":"2020-11-05T00:00:00.000Z",

"latest_downloaded":"2020-11-05T00:00:00.000Z",

"exposed_secret":{

"type":"pbkdf2_sha256",

"hashes":[

{

"algorithm":"PBKDF2_SHA256",

"hash":"12000$IWIs9x2tM7U3afasdasd3d23nRfo0sFRjpkMlim2GA2+p/2Y7RQLpODP4S0="

}

],

"effectively_clear":false

}

},

{

"subject":"fake@yahoo.com",

"dumps":[

{

"name":"Dark Web Dump October 2019",

"description":"This combo list of email addresses and clear passwords is not associated with any specific breach",

"downloaded":"2019-10-31T00:00:00.000Z",

"type":"Combo List"

},

{

"name":"Dark Web Dump September 2019",

"description":"This combo list of email addresses and clear passwords is not associated with any specific breach..",

"downloaded":"2019-09-02T00:00:00.000Z",

"type":"Combo List"

}

],

"first_downloaded":"2019-09-02T00:00:00.000Z",

"latest_downloaded":"2019-10-31T00:00:00.000Z",

"exposed_secret":{

"type":"clear",

"hashes":[

{

"algorithm":"SHA1",

"hash":"bbebf4e24e6631570cd8f60e1b0f77c"

},

{

"algorithm":"SHA256",

"hash":"7bf5626ca4944595aa89bf5fdsdfsdf9c9a1e9b014356d9b10ef31c9e9aadc7835e4"

},

{

"algorithm":"NTLM",

"hash":"1b408e981311312e21eefc0f5e37a20808"

},

{

"algorithm":"MD5",

"hash":"a6b9607b296pfk941dd390d9e690ade8e"

}

],

"details":{

"properties":[

"Letter",

"Number",

"UpperCase",

"LowerCase",

"AtLeast8Characters"

],

"clear_text_hint":"oo"

},

"effectively_clear":true

}

}

]

},

{

"identity":{

"subjects":[

"007"

]

},

"count":1,

"credentials":[

{

"subject":"007",

"dumps":[

{

"name":"Dark Web Password Dump 2020-11-07"

},

{

"name":"Dark Web Password Dump 2020-09-28"

}

],

"first_downloaded":"2020-09-28T15:52:05.000Z",

"latest_downloaded":"2020-11-07T08:38:56.000Z",

"exposed_secret":{

"type":"clear",

"hashes":[

{

"algorithm":"SHA1",

"hash":"6204f1659eb8dasdas871be7f4b3ee560207bda2c5"

},

{

"algorithm":"SHA256",

"hash":"2fff03500b9335t4g5427fa105aa0bb0d5b3e770d314352aef010b6ae0dff7ab9a"

},

{

"algorithm":"NTLM",

"hash":"a2abf21c7669d58137kffsa83381d55cc"

},

{

"algorithm":"MD5",

"hash":"c399d3ec33214df310b11dcb30b1b5e03"

}

],

"details":{

"properties":[

"Letter",

"LowerCase"

],

"clear_text_hint":"lo"

},

"effectively_clear":true

},

"compromise":{

"exfiltration_date":"2020-11-07T08:38:56.000Z"

},

"authorization_service":{

"url":"https://login.fakeyahoo.com/",

"domain":"fakeyahoo.com"

}

}

]

}

]

}

}

}

Human Readable Output

Credentials Lookup

---

Results for fake1@fake.com:

We found 1 passwords that were leaked for this identity:

---

Password 1:

Rank: TopMillionCommonPasswords

Properties: Letter, Number, LowerCase, AtLeast8Characters

Type: clear

Effectively Clear: True

Clear Text Hint: wa

Algorithm: SHA1 Hash:21b1ee2d6764b61b038605378f361599a8b503ed

Algorithm: SHA256 Hash:99dbda619dfd82cf9dae074b5c3168e75961b642f3245fe7f400ad03940a0bd8

Algorithm: NTLM Hash:da89071afe87527dc0e89a09d35cb9c0

Algorithm: MD5 Hash:a0b1c21221b29780fc5e3373e626ab9b

Authorization service url: https://signup.norsegods.online/signup Authorization service url: https://signup.norsegods.online/signup Authorization service url: https://signup.norsegods.online/signup Authorization service url: https://signup.norsegods.online/signup Authorization service url: https://signup.norsegods.online/signup

Domain: norsegods.online

First Downloaded: Nov 2022

Last Downloaded: Nov 2022

Exfiltration date: N/A

Malware Family: RedLine Stealer

Information about dumps where we found for Password 1:

---

Stealer Malware Logs 2022-11-03, Nov 2022

Description: This credential data was derived from stealer malware logs. Dump type: N/A

Compromised Host Operating System: Windows 10 Enterprise x64

OS User Name: gabi2

File Path Location: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Time Zone: UTC+01:00

Name of the Machine: N/A

User Account Control Setting: AllowAll

Antivirus: Windows Defender

IP Address: 138.255.250.246

Country: DO

Postal Code: 11403

recordedfuture-password-lookup

Lookup for password in Recorded Future Dataset.

Base Command

recordedfuture-password-lookup

Input

Argument Name	Description	Required
password-hash	Password hash value.	Required
hash-algorithm	Password hash algorithm (e.g., SHA1, SHA256, NTLM, MD5). Default value: "SHA256".	Required

Context Output

Path	Type	Description
RecordedFuture.Credentials.Password.Hash	String	Recorded Future password hash value.
RecordedFuture.Credentials.Password.Algorithm	String	Recorded Future password hash algorithm.
RecordedFuture.Credentials.Password.ExposureStatus	String	Recorded Future password exposure status. One of Common, UnCommon, NeverExposed

Command Example

!recordedfuture-password-lookup password-hash="0e44ce7308af2b3de5232e4616403ce7d49ba2aec83f79c196409556422a4927" hash-algorithm="SHA256"

Context Example

{

"RecordedFuture": {

"Credentials": {

"Password": [

{

"password": {

"algorithm": "SHA256"

"hash": "da6a0f1c706df7e864f9d6f9431de9950450880e"

}

"exposure_status": NeverExposed

},

{

"password": {

"algorithm": "SHA256"

"hash": "0e44ce7308af2b3de5232e4616403ce7d49ba2aec83f79c196409556422a"

}

"exposure_status": Common

},

]

}

}

}

Human Readable Output

This is search results for password you provided:

Password hash: 0e44ce7308af2b3de5232e4616403ce7d49ba2aec83f79c196409556422a4927

Password hash algorithm: SHA256

Password status: Common

recordedfuture-identity-playbook-alerts-search

Search Playbook alerts based on filters.

Base Command

recordedfuture-identity-playbook-alerts-search

Input

Argument Name	Description	Required
limit	Limits the number of alerts to fetch. Default: 10.	Optional
time_since_update	Time between now and e.g. "2 hours" or "7 days" ago. Default: "24 hours".	Optional
playbook_alert_status	Filter what statuses are fetched, defaults to only new status if not specified. Possible values are: new, in-progress, dismissed, resolved.	Optional
priority	Actions priority assigned in Recorded Future. Possible values are: high, moderate, informational.	Optional
order_search_by	Actions priority assigned in Recorded Future. Possible values are: updated, created.	Optional

Context Output

Path	Type	Description
IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id	String	Unique id of the playbook alert
IdentityRecordedFuture.PlaybookAlerts.category	String	Playbook alert category
IdentityRecordedFuture.PlaybookAlerts.priority	String	Recommended Priority of the alert
IdentityRecordedFuture.PlaybookAlerts.status	String	Current alert status in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.title	String	Title of the alert
IdentityRecordedFuture.PlaybookAlerts.updated	date	Date of last update
IdentityRecordedFuture.PlaybookAlerts.created	date	Date of creation
IdentityRecordedFuture.PlaybookAlerts.organization_id	String	Organization uhash
IdentityRecordedFuture.PlaybookAlerts.organization_name	String	Plaintext Organization name
IdentityRecordedFuture.PlaybookAlerts.assignee_id	String	uhash of the assigned user
IdentityRecordedFuture.PlaybookAlerts.assignee_name	unknown	name of the assigned user
IdentityRecordedFuture.PlaybookAlerts.owner_id	String	uhash of the enterprise that owns the alert
IdentityRecordedFuture.PlaybookAlerts.owner_name	String	Name of the enterprise that owns the alert

Command Example

!recordedfuture-identity-playbook-alerts-search

!recordedfuture-identity-playbook-alerts-search

!recordedfuture-identity-playbook-alerts-search limit=10

!recordedfuture-identity-playbook-alerts-search playbook_alert_status=in-progress

!recordedfuture-identity-playbook-alerts-search priority=high

!recordedfuture-identity-playbook-alerts-search order_search_by=updated

recordedfuture-identity-playbook-alerts-details

Get Playbook alert details by ID.

Base Command

recordedfuture-identity-playbook-alerts-details

Input

Argument Name	Description	Required
alert_ids	IDs of the playbook alert that should be fetched.	Required
detail_sections	What evidence sections to include in the fetch, fetches all available if not specified.	Optional

Context Output

Path	Type	Description
IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id	String	Unique id of the playbook alert
IdentityRecordedFuture.PlaybookAlerts.category	String	Playbook alert category
IdentityRecordedFuture.PlaybookAlerts.priority	String	Recommended Priority of the alert
IdentityRecordedFuture.PlaybookAlerts.status	String	Current alert status in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.title	String	Title of the alert
IdentityRecordedFuture.PlaybookAlerts.updated	date	Date of last update
IdentityRecordedFuture.PlaybookAlerts.created	date	Date of creation
IdentityRecordedFuture.PlaybookAlerts.organization_id	String	Organization uhash
IdentityRecordedFuture.PlaybookAlerts.organization_name	String	Plaintext Organization name
IdentityRecordedFuture.PlaybookAlerts.assignee_id	String	uhash of the assigned user
IdentityRecordedFuture.PlaybookAlerts.assignee_name	String	name of the assigned user
IdentityRecordedFuture.PlaybookAlerts.owner_id	String	uhash of the enterprise that owns the alert
IdentityRecordedFuture.PlaybookAlerts.owner_name	String	Name of the enterprise that owns the alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.playbook_alert_id	String	Unique id of the playbook alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.category	String	Playbook alert category
IdentityRecordedFuture.PlaybookAlerts.panel_status.priority	String	Recommended Priority of the alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.status	String	Current alert status in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_status.title	String	Title of the alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.updated	date	Date of last update
IdentityRecordedFuture.PlaybookAlerts.panel_status.created	date	Date of creation
IdentityRecordedFuture.PlaybookAlerts.panel_status.organization_id	String	Organization uhash
IdentityRecordedFuture.PlaybookAlerts.panel_status.organization_name	String	Plaintext Organization name
IdentityRecordedFuture.PlaybookAlerts.panel_status.assignee_id	String	uhash of the assigned user
IdentityRecordedFuture.PlaybookAlerts.panel_status.assignee_name	unknown	name of the assigned user
IdentityRecordedFuture.PlaybookAlerts.panel_status.owner_id	String	uhash of the enterprise that owns the alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.owner_name	String	Name of the enterprise that owns the alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.case_rule_id	String	Id of the playbook alert category
IdentityRecordedFuture.PlaybookAlerts.panel_status.case_rule_label	String	Name of the playbook alert category
IdentityRecordedFuture.PlaybookAlerts.panel_status.context_list.context	Array	Context of entity connected to the Playbook alert.
IdentityRecordedFuture.PlaybookAlerts.panel_status.created	String	Date marking the creation of the Playbook alert in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_criticality	String	Criticality of the Playbook alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_id	String	Id of the entity in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_status.entity_name	String	Name of the entity
IdentityRecordedFuture.PlaybookAlerts.panel_status.risk_score	String	Risk score of the entity in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_status.targets	Array	List of targets of the Playbook alert
IdentityRecordedFuture.PlaybookAlerts.panel_status.lifecycle_stage	String	Indicates what lifecycle the vulerability is in
IdentityRecordedFuture.PlaybookAlerts.panel_summary.explanation	String	Entails the explanation to the triggering of the Playbook alert
IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.context_list.context	String	Context of entity connected to the Playbook alert.
IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.criticality	String	Level of criticality
IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.entity	String	ID of the entitiy in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.record_type	String	Type of record A, CNAME or MX
IdentityRecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.risk_score	String	Risk score of the entity in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.description	String	Description of the image
IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.image_id	String	ID of the screenshot in recorded future
IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.tag	String	Image Analisys tag
IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.created	String	When the image was created
IdentityRecordedFuture.PlaybookAlerts.panel_summary.screenshots.base64	String	The image binary encoded as a base64 string
IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.targets.name	String	Target affected by the vulnerability
IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.lifecycle_stage	String	The current lifecycle stage of the Playbook Alert
IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.rule	String	Name of the rule that triggered
IdentityRecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.description	String	Short description of the trigger (E.g 13 sightings on 1 source..)
IdentityRecordedFuture.PlaybookAlerts.panel_summary.affected_products.name	String	Name of of affected product
IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.id	String	The id of the Insikt note
IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.title	String	The title of the Insikt note
IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.topic	String	The topic of the Insikt note
IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.published	String	The time at which the Insikt note was published
IdentityRecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.fragment	String	A fragment of the Insikt note text
IdentityRecordedFuture.PlaybookAlerts.panel_log.id	String	Log id in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.panel_log.actor_id	String	Id of the actor
IdentityRecordedFuture.PlaybookAlerts.panel_log.created	String	When was the log created
IdentityRecordedFuture.PlaybookAlerts.panel_log.modified	String	When was the log last modified
IdentityRecordedFuture.PlaybookAlerts.panel_log.action_priority	String	The priority of the Playbook alert
IdentityRecordedFuture.PlaybookAlerts.panel_log.message	String	Log message
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.old	String	Previous assignee
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.new	String	New assignee
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.old	String	Previous status
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.new	String	New status
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.status_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.old	String	Previous title
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.new	String	New title
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.title_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.old	String	Previous priority
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.new	String	New priority
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.old	String	Previous reopen strategy
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.new	String	New reopen strategy
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.removed	String	Removed entity
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.added	String	Added entity
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.removed	String	Removed related entity
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.added	String	Added related entity
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_changetype	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.old	String	Previous description
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.new	String	New description
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.description_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.old	String	Previous external ID
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.new	String	New external ID
IdentityRecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.type	String	Type of change
IdentityRecordedFuture.PlaybookAlerts.panel_action.action	String	The name of the action
IdentityRecordedFuture.PlaybookAlerts.panel_action.updated	String	When was the action last updated
IdentityRecordedFuture.PlaybookAlerts.panel_action.assignee_name	String	Full name of the assignee
IdentityRecordedFuture.PlaybookAlerts.panel_action.assignee_id	String	ID of the assignee
IdentityRecordedFuture.PlaybookAlerts.panel_action.status	String	The status of the action
IdentityRecordedFuture.PlaybookAlerts.panel_action.description	String	A short description of the action
IdentityRecordedFuture.PlaybookAlerts.panel_action.link	String	A link associated with the action
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.record	String	The DNS record
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.risk_score	String	Risk score associated with the record
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.criticality	String	The level of criticality
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.record_type	String	Type of record A, CNAME or MX
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ip_list.context_list.context	String	Labels of malicious behavior types that can be associated with an entity.
IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.record	String	The DNS record
IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.risk_score	String	Risk score associated with the record
IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.criticality	String	The level of criticality
IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.record_type	String	Type of record A, CNAME or MX
IdentityRecordedFuture.PlaybookAlerts.panel_dns.mx_list.context_list.context	String	Labels of malicious behavior types that can be associated with an entity.
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.record	String	The DNS record
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.risk_score	String	Risk score associated with the record
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.criticality	String	The level of criticality
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.record_type	String	Type of record A, CNAME or MX
IdentityRecordedFuture.PlaybookAlerts.panel_dns.ns_list.context_list.context	String	Labels of malicious behavior types that can be associated with an entity.
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.added	String	When the whois information was added
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.attribute	String	Attribute, either whois or whoisContancts
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.entity	String	Id of whois entity
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.provider	String	Name of provider
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.createdDate	String	When was it created
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.nameServers	Array	List of name server IDs
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.privateRegistration	Bool	Boolean indicating private registration
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.registrarName	String	Name of the registrar
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.status	String	Status of registrar
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.city	String	Contact located in this city
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.country	String	Contact located in this city
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.name	String	Name of contact
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.organization	String	Name of contact organization
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.postalCode	String	Postal code of contact organization
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.state	String	Contact located in state
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.street1	String	Street name of contact
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.telephone	String	Phone number of contact
IdentityRecordedFuture.PlaybookAlerts.panel_whois.body.value.type	String	Type of contact

Command Example

!recordedfuture-identity-playbook-alerts-details alert_ids="12312312-1231-1231-1231-123123123123" detail_sections="status,log"

recordedfuture-identity-playbook-alerts-update

Update the status of one or multiple Playbook alerts.

Base Command

recordedfuture-identity-playbook-alerts-update

Input

Argument Name	Description	Required
alert_ids	IDs of the playbook alerts that will be updated.	Required
new_status	New status to set for all alerts in alert_ids (e.g., new, in-progress, dismissed, resolved).	Required
add_actions_taken	Add 'actions taken' to all alerts in alert_ids. Can be used only with 'new_status=resolved' or 'new_status=dismissed'. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other.	Optional
remove_actions_taken	Remove 'actions taken' from all alerts in alert_ids. You can specify multiple values by providing a quoted string with values separated by commas. Possible values: enforced_password_reset, placed_in_risky_group, reviewed_incident_report, account_disabled_or_terminated, account_remediated, other.	Optional
comment	Add a comment to all alerts in alert_ids.	Optional

Context Output

Path	Type	Description
IdentityRecordedFuture.PlaybookAlerts.playbook_alert_id	string	Unique id of the playbook alert in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.current_status	string	Current status of playbook alert in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.title	string	Title of the playbook alert in Recorded Future
IdentityRecordedFuture.PlaybookAlerts.status_message	string	Message describing the outcome of the update

Command Example

!recordedfuture-identity-playbook-alerts-update alert_ids="12312312-1231-1231-1231-123123123123" new_status="in-progress"

!recordedfuture-identity-playbook-alerts-update alert_ids="12312312-1231-1231-1231-123123123123" new_status="resolved" comment="Resolved in XSOAR" add_actions_taken=""

---