Recorded Future - Lists

This Integration is part of the Recorded Future Intelligence Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Search and manage watchlists in Recorded Future. This integration was integrated and tested with version 1.1.1 of RecordedFutureLists.

Configure Recorded Future - Lists in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| API URL | Default URL: https://api.recordedfuture.com/gw/xsoar/ | True |
| API Token | | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

recordedfuture-lists-search

Search for lists in Recorded Future.

Base Command

recordedfuture-lists-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| list_names | Freetext name to search for. | Optional |
| contains | Filter lists based on entity types, will only include lists with the entity types specified. Default value "" includes all types. Possible values are: entity, source, text, custom, ip, domain, tech_stack, industry, brand, partner, industry_peer, location, supplier, vulnerability, company, hash, operation, attacker, target, method. | Optional |
| limit | Limits the amount of returned results. | Optional |
| include | Include all search results. Default is to exclude all lists owned by the system user. Possible values are: all. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.List.id | String | Unique id of the list in Recorded Future |
| RecordedFuture.List.name | String | Name of the list in Recorded Future |
| RecordedFuture.List.type | String | Recorded Future entity type |
| RecordedFuture.List.created | String | Timestamp of creation |
| RecordedFuture.List.updated | String | Timestamp of last update to the list |
| RecordedFuture.List.owner_id | String | Unique id of the owner in Recorded Future |
| RecordedFuture.List.owner_name | String | Readable name of list in Recorded Future |

recordedfuture-lists-add-entities

Add entities to a list. Separate entities with commas. NOTE: If entity type is specified, only one entity type can be added with each action. When adding IDs use the following for Recorded Future light entities:

Base Command

recordedfuture-lists-add-entities

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| list_id | ID of the list that should be added. Can be found by running !recordedfuture-lists-search with the corresponding filters or in the Recorded Future portal. | Required |
| entity_ids | Specific IDs from Recorded Future separated by comma. For URLs containing commas: replace comma with %2C. | Optional |
| freetext_names | Freetext names will be matched to Recorded Future IDs, separated by comma. This alternative will add the best match in the Recorded Future data. For URLs containing commas: escape with %2C. | Optional |
| entity_type | Type of the entities that should be added. Use together with freetext_names to improve entity resolution. Possible values are: ip, domain, malware, url, hash, cve, company, person, product, industry, country, attack-vector, operation, mitre-identifier, malware-category. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.List.Entities.name | String | Name of the entity in the list |
| RecordedFuture.List.Entities.type | String | The Recorded Future entity type resolved during the action |
| RecordedFuture.List.Entities.id | String | Unique id of the entity in Recorded Future |
| RecordedFuture.List.Entities.input_value | String | The value inputted to the command |
| RecordedFuture.List.Entities.action_result | String | Entity specific result for the action |
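The two input rules above (commas inside a value must be written as %2C, and only one entity type per action) are easy to get wrong when a playbook feeds mixed indicators into a list. The following is an added example, not part of the integration's code: the function names, the placeholder list ID and the sample indicators are constructed for illustration; only the argument names and entity types come from the table above.

```python
from collections import defaultdict

# Entity types accepted by entity_type, copied from the argument table above.
ENTITY_TYPES = {
    "ip", "domain", "malware", "url", "hash", "cve", "company", "person",
    "product", "industry", "country", "attack-vector", "operation",
    "mitre-identifier", "malware-category",
}

# Constructed sample input: (entity_type, value) pairs as a playbook might collect them.
SAMPLE = [
    ("url", "https://example.com/a?ids=1,2,3"),   # commas inside the value
    ("domain", "example.org"),
    ("url", "https://example.net/path"),
    ("ip", "192.0.2.10"),
    ("domain", "example.org"),                    # duplicate, dropped below
]


def escape_value(value):
    """Write commas as %2C so the value is not split into several entities."""
    value = value.strip()
    if not value:
        raise ValueError("empty entity value")
    return value.replace(",", "%2C")


def build_add_args(list_id, entities):
    """Return one argument dict per entity type (one type per action)."""
    by_type = defaultdict(list)
    for entity_type, value in entities:
        if entity_type not in ENTITY_TYPES:
            raise ValueError(f"unsupported entity_type: {entity_type!r}")
        escaped = escape_value(value)
        if escaped not in by_type[entity_type]:   # drop duplicates, keep order
            by_type[entity_type].append(escaped)
    calls = []
    for entity_type, values in by_type.items():
        joined = ",".join(values)
        # After escaping, the separator count must match the number of entities.
        assert len(joined.split(",")) == len(values)
        calls.append({"list_id": list_id, "entity_type": entity_type,
                      "freetext_names": joined})
    return calls


if __name__ == "__main__":
    for call in build_add_args("LIST_ID_PLACEHOLDER", SAMPLE):
        print(call)
```

Each returned dict holds the arguments for one recordedfuture-lists-add-entities invocation; the same grouping and escaping apply to recordedfuture-lists-remove-entities.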

recordedfuture-lists-remove-entities

Remove entities from a list. Separate entities with commas. NOTE: If entity type is specified, only one entity type can be added with each action. When adding IDs use the following for Recorded Future light entities:

Base Command

recordedfuture-lists-remove-entities

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| list_id | ID of the list that should be removed. Can be found by running !recordedfuture-lists-search with the corresponding filters or in the Recorded Future portal. | Required |
| entity_ids | A comma-separated list of specific IDs from Recorded Future. For URLs containing commas, replace comma with %2C. | Optional |
| freetext_names | A comma-separated list of freetext names to be matched to Recorded Future IDs. This will remove the best match in the Recorded Future data. For URLs containing commas, escape with %2C. | Optional |
| entity_type | Type of the entities that should be removed. Use together with freetext_names to improve entity resolution. Possible values are: ip, domain, malware, url, hash, cve, company, person, product, industry, country, attack-vector, operation, mitre-identifier, malware-category. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.List.Entities.name | String | Name of the entity in the list |
| RecordedFuture.List.Entities.type | String | The Recorded Future entity type resolved during the action. |
| RecordedFuture.List.Entities.id | String | Unique ID of the entity in Recorded Future. |
| RecordedFuture.List.Entities.input_value | String | The value inputted to the command. |
| RecordedFuture.List.Entities.action_result | String | Entity specific result for the action. |

recordedfuture-lists-entities

Get the entities that are currently in the given lists.

Base Command

recordedfuture-lists-entities

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| list_ids | A comma-separated list of Recorded Future list IDs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.List.id | String | Unique ID of the list in Recorded Future. |
| RecordedFuture.List.name | String | Name of the list in Recorded Future. |
| RecordedFuture.List.type | String | Recorded Future entity type. |
| RecordedFuture.List.Entities.name | String | Name of the entity in the list. |
| RecordedFuture.List.Entities.type | String | The Recorded Future entity type resolved during the action. |
| RecordedFuture.List.Entities.id | String | Unique ID of the entity in Recorded Future. |