Skip to main content

Recorded Future v2

This Integration is part of the RecordedFuture v2 Pack.#

Unique threat intel technology that automatically serves up relevant insights in real time. This integration was integrated and tested with version 1.0 of Recorded Future v2

Configure Recorded Future v2 on Cortex XSOAR#

Information#

A valid API Token for XSOAR from Recorded Future needed to fetch information. Get help with Recorded Future for Cortex XSOAR.

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Recorded Future v2.
  3. Click Add instance to create and configure a new integration instance.

Configuration#

ParameterDescription
Server URLThe URL to the Recorded Future ConnectAPI
API TokenValid API Token from Recorded Future
File/IP/Domain/URL/CVE ThresholdMinimum risk score from Recorded Future needed to mark IOC as malicious when doing reputation or intelligence lookup
unsecureTrust any certificate (unsecure)
proxyUse system proxy settings
  1. Click Test to validate the URLs, token, and connection.

Several of the outputs below have been reduced in size to improve readability.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

domain#

Get a quick indicator of the risk associated with a domain.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainDomain to get the reputation ofRequired

Context Output#

PathTypeDescription
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
Domain.Malicious.VendorstringFor malicious Domains, the vendor that made the decision
Domain.Malicious.DescriptionstringFor malicious Domains, the reason that the vendor made the decision
Domain.NamestringDomain name
RecordedFuture.Domain.riskScorenumberRecorded Future Domain Risk Score
RecordedFuture.Domain.riskLevelstringRecorded Future Domain Risk Level
RecordedFuture.Domain.Evidence.rulestringRecorded Risk Rule Name
RecordedFuture.Domain.Evidence.mitigationstringRecorded Risk Rule Mitigation
RecordedFuture.Domain.Evidence.descriptionstringRecorded Risk Rule description
RecordedFuture.Domain.Evidence.timestampdateRecorded Risk Rule timestamp
RecordedFuture.Domain.Evidence.levelnumberRecorded Risk Rule Level
RecordedFuture.Domain.Evidence.ruleidstringRecorded Risk Rule ID
RecordedFuture.Domain.namestringDomain name
RecordedFuture.Domain.maxRulesnumberMaximum count of Recorded Future Domain Risk Rules
RecordedFuture.Domain.ruleCountnumberNumber of triggered Recorded Future Domain Risk Rules
RecordedFuture.Domain.rulesstringAll the rules concatenated by comma

Command Example#

!domain domain="google.com"

Context Example#

{
"DBotScore": {
"Indicator": "google.com",
"Score": 2,
"Type": "domain",
"Vendor": "Recorded Future"
},
"Domain": {
"Name": "google.com"
},
"RecordedFuture": {
"Domain": {
"Evidence": [
{
"description": "Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between May 28, 2020, and May 29, 2020.",
"level": 1,
"rule": "Historically Reported in Threat List",
"ruleid": "historicalThreatListMembership",
"timestamp": "2020-06-12 16:23:41"
}
],
"description": "",
"id": "idn:google.com",
"maxRules": 40,
"name": "google.com",
"riskLevel": 1,
"riskScore": 24,
"ruleCount": 4
}
}
}

Human Readable Output#

Recorded Future Domain reputation for google.com#

Risk score: 24 Risk Summary: 4 out of 40 Risk Rules currently observed Criticality: Informational

Intelligence Card

Risk Rules Triggered#

CriticalityRuleEvidenceTimestamp
InformationalHistorically Reported in Threat ListPrevious sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between May 28, 2020, and May 29, 2020.2020-06-12 16:23:41

ip#

Get a quick indicator of the risk associated with an IP.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipIP address to get the reputation ofRequired

Context Output#

PathTypeDescription
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
IP.Malicious.VendorstringFor malicious IP addresses, the vendor that made the decision
IP.Malicious.DescriptionstringFor malicious IP addresses, the reason that the vendor made the decision
IP.AddressstringIP address
RecordedFuture.IP.riskScorenumberRecorded Future IP Risk Score
RecordedFuture.IP.riskLevelstringRecorded Future IP Risk Level
RecordedFuture.IP.Evidence.rulestringRecorded Risk Rule Name
RecordedFuture.IP.Evidence.mitigationstringRecorded Risk Rule Mitigation
RecordedFuture.IP.Evidence.descriptionstringRecorded Risk Rule Description
RecordedFuture.IP.Evidence.timestampdateRecorded Risk Rule Timestamp
RecordedFuture.IP.Evidence.levelnumberRecorded Risk Rule Level
RecordedFuture.IP.Evidence.ruleidstringRecorded Risk Rule ID
RecordedFuture.IP.namestringIP Address
RecordedFuture.IP.maxRulesnumberMaximum count of Recorded Future IP Risk Rules
RecordedFuture.IP.ruleCountnumberNumber of triggered Recorded Future IP Risk Rules
RecordedFuture.IP.rulesstringAll the rules concatenated by comma

Command Example#

!ip ip="8.8.8.8"

Context Example#

{
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 0,
"Type": "ip",
"Vendor": "Recorded Future"
},
"IP": {
"Address": "8.8.8.8"
},
"RecordedFuture": {
"IP": {
"Evidence": [],
"description": "",
"id": "ip:8.8.8.8",
"maxRules": 51,
"name": "8.8.8.8",
"riskLevel": 0,
"riskScore": 0,
"ruleCount": 0
}
}
}

Human Readable Output#

Recorded Future IP reputation for 8.8.8.8#

Risk score: 0 Risk Summary: 0 out of 51 Risk Rules currently observed Criticality: Unknown

Intelligence Card

file#

Get a quick indicator of the risk associated with a file.

Base Command#

file

Input#

Argument NameDescriptionRequired
fileFile hash to check the reputation of (MD5, SHA-1, SHA-256, SHA-512, CRC32, CTPH)Required

Context Output#

PathTypeDescription
File.SHA256stringFile SHA-256
File.SHA512stringFile SHA-512
File.SHA1stringFile SHA-1
File.MD5stringFile MD5
File.CRC32stringFile CRC32
File.CTPHstringFile CTPH
File.Malicious.VendorstringFor malicious files, the vendor that made the decision
File.Malicious.DescriptionstringFor malicious files, the reason that the vendor made the decision
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
RecordedFuture.File.riskScorenumberRecorded Future Hash Risk Score
RecordedFuture.File.riskLevelstringRecorded Future Hash Risk Level
RecordedFuture.File.Evidence.rulestringRecorded Risk Rule Name
RecordedFuture.File.Evidence.mitigationstringRecorded Risk Rule Mitigation
RecordedFuture.File.Evidence.descriptionstringRecorded Risk Rule description
RecordedFuture.File.Evidence.timestampdateRecorded Risk Rule timestamp
RecordedFuture.File.Evidence.levelnumberRecorded Risk Rule Level
RecordedFuture.File.Evidence.ruleidstringRecorded Risk Rule ID
RecordedFuture.File.namestringHash
RecordedFuture.File.maxRulesnumberMaximum count of Recorded Future Hash Risk Rules
RecordedFuture.File.ruleCountnumberNumber of triggered Recorded Future Hash Risk Rules
RecordedFuture.File.rulesstringAll the rules concatenated by comma

Command Example#

!file file="027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"

Context Example#

{
"DBotScore": {
"Indicator": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"Score": 3,
"Type": "file",
"Vendor": "Recorded Future"
},
"File": {
"Malicious": {
"Description": "Score above 65",
"Vendor": "Recorded Future"
},
"SHA256": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
},
"RecordedFuture": {
"File": {
"Evidence": [
{
"description": "20 sightings on 1 source: VirusTotal. 3 related cyber vulnerabilities: CVE-2017-0147, ETERNALBLUE, CWE-200. Most recent link (May 3, 2020): https://www.virustotal.com/gui/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"level": 2,
"rule": "Linked to Vulnerability",
"ruleid": "linkedToVuln",
"timestamp": "2020-05-03 14:07:48"
}
],
"description": "",
"id": "hash:027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"maxRules": 12,
"name": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"riskLevel": 3,
"riskScore": 89,
"ruleCount": 6
}
}
}

Human Readable Output#

Recorded Future File reputation for 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745#

Risk score: 89 Risk Summary: 6 out of 12 Risk Rules currently observed Criticality: Malicious

Intelligence Card

Risk Rules Triggered#

CriticalityRuleEvidenceTimestamp
MaliciousPositive Malware Verdict24 sightings on 4 sources: VirusTotal, Malwr.com, Recorded Future Malware Detonation, ReversingLabs. Most recent link (May 3, 2020): https://www.virustotal.com/gui/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a7452020-06-11 17:53:54

cve#

Get a quick indicator of the risk associated with a CVE.

Base Command#

cve

Input#

Argument NameDescriptionRequired
cveCVE to get the reputation ofRequired

Context Output#

PathTypeDescription
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
CVE.IDstringVulnerability name
RecordedFuture.CVE.riskScorenumberRecorded Future Vulnerability Risk Score
RecordedFuture.CVE.riskLevelstringRecorded Future Vulnerability Risk Level
RecordedFuture.CVE.Evidence.rulestringRecorded Risk Rule Name
RecordedFuture.CVE.Evidence.mitigationstringRecorded Risk Rule Mitigation
RecordedFuture.CVE.Evidence.descriptionstringRecorded Risk Rule description
RecordedFuture.CVE.Evidence.timestampdateRecorded Risk Rule timestamp
RecordedFuture.CVE.Evidence.levelnumberRecorded Risk Rule Level
RecordedFuture.CVE.Evidence.ruleidstringRecorded Risk Rule ID
RecordedFuture.CVE.namestringCVE
RecordedFuture.CVE.maxRulesnumberMaximum count of Recorded Future Vulnerability Risk Rules
RecordedFuture.CVE.ruleCountnumberNumber of triggered Recorded Future Vulnerability Risk Rules
RecordedFuture.CVE.rulesstringAll the rules concatenated by comma

Command Example#

!cve cve="CVE-2011-3874"

Context Example#

{
"CVE": {
"Description": "Stack-based buffer overflow in libsysutils in Android 2.2.x through 2.2.2 and 2.3.x through 2.3.6 allows user-assisted remote attackers to execute arbitrary code via an application that calls the FrameworkListener::dispatchCommand method with the wrong number of arguments, as demonstrated by zergRush to trigger a use-after-free error.",
"ID": "CVE-2011-3874"
},
"DBotScore": {
"Indicator": "CVE-2011-3874",
"Score": 0,
"Type": "cve",
"Vendor": null
},
"RecordedFuture": {
"CVE": {
"Evidence": [
{
"description": "1 sighting on 1 source: Recorded Future Malware Hunting. Activity seen on 1 out of the last 28 days with 24 all-time daily sightings. Exploited in the wild by 1 malware family: DroidRt. Last observed on May 23, 2020. Sample hash: ffd0d7e6ba12ed20bc17f9ea1a1323a04cbf2e03bcaec0fa9ea574d9a7fb4881.",
"level": 5,
"rule": "Exploited in the Wild by Recently Active Malware",
"ruleid": "recentMalwareActivity",
"timestamp": "2020-05-23 00:00:00"
}
],
"description": "Stack-based buffer overflow in libsysutils in Android 2.2.x through 2.2.2 and 2.3.x through 2.3.6 allows user-assisted remote attackers to execute arbitrary code via an application that calls the FrameworkListener::dispatchCommand method with the wrong number of arguments, as demonstrated by zergRush to trigger a use-after-free error.",
"id": "KIHnRI",
"maxRules": 22,
"name": "CVE-2011-3874",
"riskLevel": 5,
"riskScore": 99,
"ruleCount": 4
}
}
}

Human Readable Output#

Recorded Future CVE reputation for CVE-2011-3874#

Risk score: 99 Risk Summary: 4 out of 22 Risk Rules currently observed Criticality: Very Malicious

NVD Vulnerability Description: Stack-based buffer overflow in libsysutils in Android 2.2.x through 2.2.2 and 2.3.x through 2.3.6 allows user-assisted remote attackers to execute arbitrary code via an application that calls the FrameworkListener::dispatchCommand method with the wrong number of arguments, as demonstrated by zergRush to trigger a use-after-free error.

Intelligence Card

Risk Rules Triggered#

CriticalityRuleEvidenceTimestamp
Very MaliciousExploited in the Wild by Recently Active Malware1 sighting on 1 source: Recorded Future Malware Hunting. Activity seen on 1 out of the last 28 days with 24 all-time daily sightings. Exploited in the wild by 1 malware family: DroidRt. Last observed on May 23, 2020. Sample hash: ffd0d7e6ba12ed20bc17f9ea1a1323a04cbf2e03bcaec0fa9ea574d9a7fb4881.2020-05-23 00:00:00

url#

Get a quick indicator of the risk associated with a URL.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlURL to get the reputation ofRequired

Context Output#

PathTypeDescription
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
URL.Malicious.VendorstringFor malicious URLs, the vendor that made the decision
URL.Malicious.DescriptionstringFor malicious URLs, the reason that the vendor made the decision
URL.DatastringURL name
RecordedFuture.URL.riskScorenumberRecorded Future URL Risk Score
RecordedFuture.URL.riskLevelstringRecorded Future URL Risk Level
RecordedFuture.URL.Evidence.rulestringRecorded Risk Rule Name
RecordedFuture.URL.Evidence.mitigationstringRecorded Risk Rule Mitigation
RecordedFuture.URL.Evidence.descriptionstringRecorded Risk Rule description
RecordedFuture.URL.Evidence.timestampdateRecorded Risk Rule timestamp
RecordedFuture.URL.Evidence.levelnumberRecorded Risk Rule Level
RecordedFuture.URL.Evidence.ruleidstringRecorded Risk Rule ID
RecordedFuture.URL.namestringURL
RecordedFuture.URL.maxRulesnumberMaximum count of Recorded Future URL Risk Rules
RecordedFuture.URL.ruleCountnumberNumber of triggered Recorded Future URL Risk Rules
RecordedFuture.URL.rulesstringAll the rules concatenated by comma

Command Example#

!url url="https://google.com"

Context Example#

{
"DBotScore": {
"Indicator": "https://google.com",
"Score": 2,
"Type": "url",
"Vendor": "Recorded Future"
},
"RecordedFuture": {
"URL": {
"Evidence": [
{
"description": "13 sightings on 5 sources: Geeks To Go, AbuseIP Database, PasteBin, Malwarebytes Unpacked, PSBDMP Dumps. Most recent link (Dec 16, 2018): https://pastebin.com/2Brry0ZQ",
"level": 1,
"rule": "Historically Reported as a Defanged URL",
"ruleid": "defangedURL",
"timestamp": "2018-12-16 22:31:25"
}
],
"description": "",
"id": "url:https://google.com",
"maxRules": 27,
"name": "https://google.com",
"riskLevel": 1,
"riskScore": 24,
"ruleCount": 1
}
},
"URL": {
"Data": "https://google.com"
}
}

Human Readable Output#

Recorded Future URL reputation for https://google.com#

Risk score: 24 Risk Summary: 1 out of 27 Risk Rules currently observed Criticality: Informational

Intelligence Card

Risk Rules Triggered#

CriticalityRuleEvidenceTimestamp
InformationalHistorically Reported as a Defanged URL13 sightings on 5 sources: Geeks To Go, AbuseIP Database, PasteBin, Malwarebytes Unpacked, PSBDMP Dumps. Most recent link (Dec 16, 2018): https://pastebin.com/2Brry0ZQ2018-12-16 22:31:25

recordedfuture-threat-assessment#

Get an indicator of the risk based on context. This is not affected by the thresholds configured in the app, instead these are controlled by Recorded Future. The verdict output is determined by algorithms inside the API.

Base Command#

recordedfuture-threat-assessment

Input#

Argument NameDescriptionRequired
contextContext to use for verdictRequired
ipIPs to check if they are related to the selected context.Optional
domainDomains to check if they are related to the selected context.Optional
fileFile hashes to check if they are related to the selected context.Optional
urlURLs to check if they are related to the selected context.Optional
cveCVEs to check if they are related to the selected context.Optional

Context Output#

PathTypeDescription
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
File.SHA256stringFile SHA-256
File.SHA512stringFile SHA-512
File.SHA1stringFile SHA-1
File.MD5stringFile MD5
File.CRC32stringFile CRC32
File.CTPHstringFile CTPH
IP.AddressstringIP address
IP.Geo.CountrystringIP Geolocation Country
IP.ASNstringASN
Domain.NamestringDomain name
URL.DatastringURL name
CVE.IDstringVulnerability name
RecordedFuture.verdictbooleanRecorded Future verdict
RecordedFuture.contextstringThreat Assessment Context
RecordedFuture.riskScorenumberRecorded Future Max Score
RecordedFuture.Entities.idstringEntity ID
RecordedFuture.Entities.namestringEntity Name
RecordedFuture.Entities.typestringEntity Type
RecordedFuture.Entities.scorestringEntity Score
RecordedFuture.Entities.contextstringContains the current context if there is evidence
RecordedFuture.Entities.Evidence.ruleidstringRecorded Future Risk Rule ID
RecordedFuture.Entities.Evidence.timestampdateRecorded Future Evidence Timestamp
RecordedFuture.Entities.Evidence.mitigationstringRecorded Future Evidence Mitigation
RecordedFuture.Entities.Evidence.descriptionstringRecorded Future Evidence Description
RecordedFuture.Entities.Evidence.rulestringRecorded Future Risk Rule
RecordedFuture.Entities.Evidence.levelnumberRecorded Future Risk Rule Level

Command Example#

!recordedfuture-threat-assessment context="c2" ip="8.8.8.8"

Context Example#

{
"DBotScore": {
"Indicator": "8.8.8.8",
"Score": 0,
"Type": "ip",
"Vendor": "Recorded Future"
},
"IP": {
"Address": "8.8.8.8"
},
"RecordedFuture": {
"Entities": [
{
"Evidence": [],
"id": "ip:8.8.8.8",
"name": "8.8.8.8",
"score": 0,
"type": "IpAddress"
}
],
"context": "c2",
"riskScore": 0,
"verdict": false
}
}

Human Readable Output#

Recorded Future Threat Assessment with regards to c2#

Verdict: Non-malicious Max/Min Score: 0/0

Entities#

Entity: 8.8.8.8 Score: 0 Rule count: 0 out of 2

Evidence#

No entries.

recordedfuture-alert-rules#

Search for alert rule IDs.

Base Command#

recordedfuture-alert-rules

Input#

Argument NameDescriptionRequired
rule_nameRule name to search, can be a partial nameOptional
limitNumber of rules to returnOptional

Context Output#

PathTypeDescription
RecordedFuture.AlertRule.idstringAlert rule ID
RecordedFuture.AlertRule.namestringAlert rule name

Command Example#

!recordedfuture-alert-rules limit=1

Context Example#

{
"RecordedFuture": {
"AlertRule": {
"id": "d55BDp",
"name": "Supplier and Partner Trends, Trending Partners in Watch List"
}
}
}

Human Readable Output#

Recorded Future Alerting Rules#

idname
d55BDpSupplier and Partner Trends, Trending Partners in Watch List

recordedfuture-alerts#

Get details on alerts configured and generated by Recorded Future by alert rule ID and/or time range.

Base Command#

recordedfuture-alerts

Input#

Argument NameDescriptionRequired
rule_idAlert rule IDOptional
limitNumber of alerts to returnOptional
triggered_timeAlert triggered time, e.g., "1 hour" or "2 days"Optional
assigneeAlert assignee's email addressOptional
statusAlert review statusOptional
freetextFree text searchOptional
offsetAlerts from offsetOptional
orderbyAlerts sort orderOptional
directionAlerts sort directionOptional

Context Output#

PathTypeDescription
RecordedFuture.Alert.idstringAlert ID
RecordedFuture.Alert.namestringAlert name
RecordedFuture.Alert.typestringAlert type
RecordedFuture.Alert.triggereddateAlert triggered time
RecordedFuture.Alert.statusstringAlert status
RecordedFuture.Alert.assigneestringAlert assignee
RecordedFuture.Alert.rulestringAlert rule name

Command Example#

!recordedfuture-alerts limit=1

Context Example#

{
"RecordedFuture": {
"Alert": {
"Alert Title": "Global Trends, Trending Targets - Spike: Enel SPA, Knoxville and Alabama",
"assignee": null,
"email": null,
"id": "eK8voo",
"name": "Global Trends, Trending Targets - Spike: Enel SPA, Knoxville and Alabama",
"rule": "Global Trends, Trending Targets",
"status": "no-action",
"triggered": "2020-06-12 14:37:13",
"type": "ENTITY"
}
}
}

Human Readable Output#

Recorded Future Alerts#

Alert Title
Global Trends, Trending Targets - Spike: Enel SPA, Knoxville and Alabama

recordedfuture-alert-set-status#

Set status for the alert in Recorded Future

Base Command#

recordedfuture-alert-set-status

Input#

Argument NameDescriptionRequired
alert_idThe alert id that should be moved in selected statusRequired
statusThe status string that represents status of alert in Recorded Future (e.g. unassigned, assigned, pending, dismiss, no-action, actionable, tuning)Required

Context Output#

PathTypeDescription
RecordedFuture.Alerts.idStringRecorded Future alert id
RecordedFuture.Alerts.statusStringRecorded Future alert status
RecordedFuture.Alerts.note.textStringRecorded Future alert note text
RecordedFuture.Alerts.note.authorStringRecorded Future alert note author id
RecordedFuture.Alerts.note.dateStringRecorded Future alert note date
RecordedFuture.Alerts.reviewDateStringRecorded Future alert get date

Command Example#

!recordedfuture-alert-set-status alert_id="asdy3l" status="no-action"

Context Example#

{
"RecordedFuture": {
"Alerts": [{
"id": "jrhq5t",
"note": {
"author": "NUbI50w62k"
"date": "2021-08-31T14:04:31Z"
"text": "testing"
}
"reviewDate": "2021-09-01T10:09:32Z"
"status": "no-action"
}]
}
}

Human Readable Output#

Status no-action for Alert jrhrfx was successfully set#

recordedfuture-alert-set-note#

Add note to alert in Recorded Future

Base Command#

recordedfuture-alert-set-note

Input#

Argument NameDescriptionRequired
alert_idThe alert id that should be moved in selected statusRequired
noteThe note string that will be added to alert in Recorded FutureRequired

Context Output#

PathTypeDescription
RecordedFuture.Alerts.idStringRecorded Future alert id
RecordedFuture.Alerts.statusStringRecorded Future alert status
RecordedFuture.Alerts.note.textStringRecorded Future alert note text
RecordedFuture.Alerts.note.authorStringRecorded Future alert note author id
RecordedFuture.Alerts.note.dateStringRecorded Future alert note date
RecordedFuture.Alerts.reviewDateStringRecorded Future alert get date

Command Example#

!recordedfuture-alert-set-note alert_id="asdy3l" note="This is a note we would like to show you"

Context Example#

{
"RecordedFuture": {
"Alerts": [{
"id": "jrhq5t",
"note": {
"author": "NUbI50w62k"
"date": "2021-08-31T14:04:31Z"
"text": "testing"
}
"reviewDate": "2021-09-01T10:09:32Z"
"status": "no-action"
}]
}
}

Human Readable Output#

Note for Alert jrhrfx was successfully set#

recordedfuture-intelligence#

Get threat intelligence for an IP, Domain, CVE, URL or File.

Base Command#

recordedfuture-intelligence

Input#

Argument NameDescriptionRequired
entity_typeThe type of entity to fetch context for. (Should be provided with its value in entityValue argument)Required
entityThe value of the entity to fetch context for. (Should be provided with its type in entity_type argument, Hash types supported: MD5, SHA-1, SHA-256, SHA-512, CRC32, CTPH). Vulnerability supports CVEs.Required

Context Output#

PathTypeDescription
DBotScore.IndicatorstringThe indicator that was tested
DBotScore.TypestringIndicator type
DBotScore.VendorstringVendor used to calculate the score
DBotScore.ScorenumberThe actual score
File.SHA256stringFile SHA-256
File.SHA512stringFile SHA-512
File.SHA1stringFile SHA-1
File.MD5stringFile MD5
File.CRC32stringFile CRC32
File.CTPHstringFile CTPH
IP.AddressstringIP address
IP.ASNstringASN
IP.Geo.CountrystringIP Geolocation Country
Domain.NamestringDomain name
URL.DatastringURL name
CVE.IDstringVulnerability name
RecordedFuture.IP.criticalitynumberRisk Criticality
RecordedFuture.IP.criticalityLabelstringRisk Criticality Label
RecordedFuture.IP.riskStringstringRisk String
RecordedFuture.IP.riskSummarystringRisk Summary
RecordedFuture.IP.rulesstringRisk Rules
RecordedFuture.IP.concatRulesstringAll risk rules concatenated by comma
RecordedFuture.IP.scorenumberRisk Score
RecordedFuture.IP.firstSeendateEvidence First Seen
RecordedFuture.IP.lastSeendateEvidence Last Seen
RecordedFuture.IP.intelCardstringRecorded Future Intelligence Card URL
RecordedFuture.IP.typestringEntity Type
RecordedFuture.IP.namestringEntity
RecordedFuture.IP.idstringRecorded Future Entity ID
RecordedFuture.IP.location.asnStringASN number
RecordedFuture.IP.location.cidr.idStringRecorded Future CIDR ID
RecordedFuture.IP.location.cidr.nameStringCIDR
RecordedFuture.IP.location.cidr.typeStringCIDR Type
RecordedFuture.IP.location.location.cityStringIP Geolocation City
RecordedFuture.IP.location.location.continentStringIP Geolocation Continent
RecordedFuture.IP.location.location.countryStringIP Geolocation Country
RecordedFuture.IP.location.organizationStringIP Geolocation Organization
RecordedFuture.IP.metrics.typeStringRecorded Future Metrics Type
RecordedFuture.IP.metrics.valueNumberRecorded Future Metrics Value
RecordedFuture.IP.threatLists.descriptionStringRecorded Future Threat List Description
RecordedFuture.IP.threatLists.idStringRecorded Future Threat List ID
RecordedFuture.IP.threatLists.nameStringRecorded Future Threat List Name
RecordedFuture.IP.threatLists.typeStringRecorded Future Threat List Type
RecordedFuture.IP.relatedEntities.RelatedAttacker.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedAttacker.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedAttacker.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedAttacker.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedTarget.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedTarget.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedTarget.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedTarget.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedThreatActor.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedThreatActor.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedThreatActor.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedThreatActor.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedMalware.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedMalware.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedMalware.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedMalware.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedCyberVulnerability.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedCyberVulnerability.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedCyberVulnerability.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedCyberVulnerability.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedIpAddress.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedIpAddress.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedIpAddress.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedIpAddress.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedInternetDomainName.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedInternetDomainName.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedInternetDomainName.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedInternetDomainName.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedProduct.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedProduct.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedProduct.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedProduct.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedCountries.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedCountries.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedCountries.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedCountries.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedHash.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedHash.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedHash.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedHash.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedTechnology.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedTechnology.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedTechnology.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedTechnology.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedEmailAddress.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedEmailAddress.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedEmailAddress.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedEmailAddress.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedAttackVector.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedAttackVector.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedAttackVector.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedAttackVector.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedMalwareCategory.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedMalwareCategory.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedMalwareCategory.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedMalwareCategory.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedOperations.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedOperations.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedOperations.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedOperations.typeStringRecorded Future Related Type
RecordedFuture.IP.relatedEntities.RelatedCompany.countNumberRecorded Future Related Count
RecordedFuture.IP.relatedEntities.RelatedCompany.idStringRecorded Future Related ID
RecordedFuture.IP.relatedEntities.RelatedCompany.nameStringRecorded Future Related Name
RecordedFuture.IP.relatedEntities.RelatedCompany.typeStringRecorded Future Related Type
RecordedFuture.Domain.criticalitynumberRisk Criticality
RecordedFuture.Domain.criticalityLabelstringRisk Criticality Label
RecordedFuture.Domain.riskStringstringRisk String
RecordedFuture.Domain.riskSummarystringRisk Summary
RecordedFuture.Domain.rulesstringRisk Rules
RecordedFuture.Domain.concatRulesstringAll risk rules concatenated by comma
RecordedFuture.Domain.scorenumberRisk Score
RecordedFuture.Domain.firstSeendateEvidence First Seen
RecordedFuture.Domain.lastSeendateEvidence Last Seen
RecordedFuture.Domain.intelCardstringRecorded Future Intelligence Card URL
RecordedFuture.Domain.typestringEntity Type
RecordedFuture.Domain.namestringEntity
RecordedFuture.Domain.idstringRecorded Future Entity ID
RecordedFuture.Domain.location.asnStringASN number
RecordedFuture.Domain.location.cidr.idStringRecorded Future CIDR ID
RecordedFuture.Domain.location.cidr.nameStringCIDR
RecordedFuture.Domain.location.cidr.typeStringCIDR Type
RecordedFuture.Domain.location.location.cityStringIP Geolocation City
RecordedFuture.Domain.location.location.continentStringIP Geolocation Continent
RecordedFuture.Domain.location.location.countryStringIP Geolocation Country
RecordedFuture.Domain.location.organizationStringIP Geolocation Organization
RecordedFuture.Domain.metrics.typeStringRecorded Future Metrics Type
RecordedFuture.Domain.metrics.valueNumberRecorded Future Metrics Value
RecordedFuture.Domain.threatLists.descriptionStringRecorded Future Threat List Description
RecordedFuture.Domain.threatLists.idStringRecorded Future Threat List ID
RecordedFuture.Domain.threatLists.nameStringRecorded Future Threat List Name
RecordedFuture.Domain.threatLists.typeStringRecorded Future Threat List Type
RecordedFuture.Domain.relatedEntities.RelatedAttacker.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedAttacker.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedAttacker.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedAttacker.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedTarget.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedTarget.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedTarget.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedTarget.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedThreatActor.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedThreatActor.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedThreatActor.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedThreatActor.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedMalware.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedMalware.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedMalware.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedMalware.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedCyberVulnerability.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedCyberVulnerability.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedCyberVulnerability.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedCyberVulnerability.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedIpAddress.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedIpAddress.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedIpAddress.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedIpAddress.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedInternetDomainName.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedInternetDomainName.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedInternetDomainName.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedInternetDomainName.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedProduct.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedProduct.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedProduct.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedProduct.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedCountries.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedCountries.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedCountries.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedCountries.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedHash.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedHash.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedHash.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedHash.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedTechnology.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedTechnology.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedTechnology.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedTechnology.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedEmailAddress.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedEmailAddress.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedEmailAddress.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedEmailAddress.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedAttackVector.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedAttackVector.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedAttackVector.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedAttackVector.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedMalwareCategory.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedMalwareCategory.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedMalwareCategory.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedMalwareCategory.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedOperations.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedOperations.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedOperations.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedOperations.typeStringRecorded Future Related Type
RecordedFuture.Domain.relatedEntities.RelatedCompany.countNumberRecorded Future Related Count
RecordedFuture.Domain.relatedEntities.RelatedCompany.idStringRecorded Future Related ID
RecordedFuture.Domain.relatedEntities.RelatedCompany.nameStringRecorded Future Related Name
RecordedFuture.Domain.relatedEntities.RelatedCompany.typeStringRecorded Future Related Type
RecordedFuture.CVE.criticalitynumberRisk Criticality
RecordedFuture.CVE.criticalityLabelstringRisk Criticality Label
RecordedFuture.CVE.riskStringstringRisk String
RecordedFuture.CVE.riskSummarystringRisk Summary
RecordedFuture.CVE.rulesstringRisk Rules
RecordedFuture.CVE.concatRulesstringAll risk rules concatenated by comma
RecordedFuture.CVE.scorenumberRisk Score
RecordedFuture.CVE.firstSeendateEvidence First Seen
RecordedFuture.CVE.lastSeendateEvidence Last Seen
RecordedFuture.CVE.intelCardstringRecorded Future Intelligence Card URL
RecordedFuture.CVE.typestringEntity Type
RecordedFuture.CVE.namestringEntity
RecordedFuture.CVE.idstringRecorded Future Entity ID
RecordedFuture.CVE.location.asnStringASN number
RecordedFuture.CVE.location.cidr.idStringRecorded Future CIDR ID
RecordedFuture.CVE.location.cidr.nameStringCIDR
RecordedFuture.CVE.location.cidr.typeStringCIDR Type
RecordedFuture.CVE.location.location.cityStringIP Geolocation City
RecordedFuture.CVE.location.location.continentStringIP Geolocation Continent
RecordedFuture.CVE.location.location.countryStringIP Geolocation Country
RecordedFuture.CVE.location.organizationStringIP Geolocation Organization
RecordedFuture.CVE.metrics.typeStringRecorded Future Metrics Type
RecordedFuture.CVE.metrics.valueNumberRecorded Future Metrics Value
RecordedFuture.CVE.threatLists.descriptionStringRecorded Future Threat List Description
RecordedFuture.CVE.threatLists.idStringRecorded Future Threat List ID
RecordedFuture.CVE.threatLists.nameStringRecorded Future Threat List Name
RecordedFuture.CVE.threatLists.typeStringRecorded Future Threat List Type
RecordedFuture.CVE.relatedEntities.RelatedAttacker.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedAttacker.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedAttacker.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedAttacker.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedTarget.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedTarget.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedTarget.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedTarget.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedThreatActor.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedThreatActor.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedThreatActor.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedThreatActor.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedMalware.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedMalware.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedMalware.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedMalware.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedCyberVulnerability.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedCyberVulnerability.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedCyberVulnerability.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedCyberVulnerability.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedIpAddress.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedIpAddress.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedIpAddress.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedIpAddress.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedInternetDomainName.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedInternetDomainName.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedInternetDomainName.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedInternetDomainName.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedProduct.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedProduct.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedProduct.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedProduct.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedCountries.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedCountries.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedCountries.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedCountries.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedHash.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedHash.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedHash.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedHash.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedTechnology.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedTechnology.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedTechnology.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedTechnology.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedEmailAddress.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedEmailAddress.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedEmailAddress.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedEmailAddress.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedAttackVector.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedAttackVector.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedAttackVector.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedAttackVector.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedMalwareCategory.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedMalwareCategory.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedMalwareCategory.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedMalwareCategory.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedOperations.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedOperations.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedOperations.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedOperations.typeStringRecorded Future Related Type
RecordedFuture.CVE.relatedEntities.RelatedCompany.countNumberRecorded Future Related Count
RecordedFuture.CVE.relatedEntities.RelatedCompany.idStringRecorded Future Related ID
RecordedFuture.CVE.relatedEntities.RelatedCompany.nameStringRecorded Future Related Name
RecordedFuture.CVE.relatedEntities.RelatedCompany.typeStringRecorded Future Related Type
RecordedFuture.CVE.cpeStringRecorded Future CPE information
RecordedFuture.CVE.relatedLinksStringRecorded Future CVE Related Links
RecordedFuture.File.criticalitynumberRisk Criticality
RecordedFuture.File.criticalityLabelstringRisk Criticality Label
RecordedFuture.File.riskStringstringRisk String
RecordedFuture.File.riskSummarystringRisk Summary
RecordedFuture.File.rulesstringRisk Rules
RecordedFuture.File.concatRulesstringAll risk rules concatenated by comma
RecordedFuture.File.scorenumberRisk Score
RecordedFuture.File.firstSeendateEvidence First Seen
RecordedFuture.File.lastSeendateEvidence Last Seen
RecordedFuture.File.intelCardstringRecorded Future Intelligence Card URL
RecordedFuture.File.hashAlgorithmstringHash Algorithm
RecordedFuture.File.typestringEntity Type
RecordedFuture.File.namestringEntity
RecordedFuture.File.idstringRecorded Future Entity ID
RecordedFuture.File.metrics.typeStringRecorded Future Metrics Type
RecordedFuture.File.metrics.valueNumberRecorded Future Metrics Value
RecordedFuture.File.threatLists.descriptionStringRecorded Future Threat List Description
RecordedFuture.File.threatLists.idStringRecorded Future Threat List ID
RecordedFuture.File.threatLists.nameStringRecorded Future Threat List Name
RecordedFuture.File.threatLists.typeStringRecorded Future Threat List Type
RecordedFuture.File.relatedEntities.RelatedAttacker.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedAttacker.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedAttacker.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedAttacker.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedTarget.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedTarget.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedTarget.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedTarget.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedThreatActor.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedThreatActor.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedThreatActor.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedThreatActor.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedMalware.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedMalware.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedMalware.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedMalware.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedCyberVulnerability.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedCyberVulnerability.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedCyberVulnerability.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedCyberVulnerability.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedIpAddress.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedIpAddress.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedIpAddress.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedIpAddress.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedInternetDomainName.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedInternetDomainName.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedInternetDomainName.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedInternetDomainName.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedProduct.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedProduct.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedProduct.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedProduct.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedCountries.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedCountries.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedCountries.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedCountries.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedHash.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedHash.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedHash.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedHash.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedTechnology.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedTechnology.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedTechnology.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedTechnology.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedEmailAddress.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedEmailAddress.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedEmailAddress.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedEmailAddress.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedAttackVector.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedAttackVector.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedAttackVector.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedAttackVector.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedMalwareCategory.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedMalwareCategory.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedMalwareCategory.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedMalwareCategory.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedOperations.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedOperations.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedOperations.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedOperations.typeStringRecorded Future Related Type
RecordedFuture.File.relatedEntities.RelatedCompany.countNumberRecorded Future Related Count
RecordedFuture.File.relatedEntities.RelatedCompany.idStringRecorded Future Related ID
RecordedFuture.File.relatedEntities.RelatedCompany.nameStringRecorded Future Related Name
RecordedFuture.File.relatedEntities.RelatedCompany.typeStringRecorded Future Related Type
RecordedFuture.URL.criticalitynumberRisk Criticality
RecordedFuture.URL.criticalityLabelstringRisk Criticality Label
RecordedFuture.URL.riskStringstringRisk String
RecordedFuture.URL.riskSummarystringRisk Summary
RecordedFuture.URL.rulesstringRisk Rules
RecordedFuture.URL.concatRulesstringAll risk rules concatenated by comma
RecordedFuture.URL.scorenumberRisk Score
RecordedFuture.URL.firstSeendateEvidence First Seen
RecordedFuture.URL.lastSeendateEvidence Last Seen
RecordedFuture.URL.intelCardstringRecorded Future Intelligence Card URL
RecordedFuture.URL.typestringEntity Type
RecordedFuture.URL.namestringEntity
RecordedFuture.URL.idstringRecorded Future Entity ID
RecordedFuture.URL.location.asnStringASN number
RecordedFuture.URL.location.cidr.idStringRecorded Future CIDR ID
RecordedFuture.URL.location.cidr.nameStringCIDR
RecordedFuture.URL.location.cidr.typeStringCIDR Type
RecordedFuture.URL.location.location.cityStringIP Geolocation City
RecordedFuture.URL.location.location.continentStringIP Geolocation Continent
RecordedFuture.URL.location.location.countryStringIP Geolocation Country
RecordedFuture.URL.location.organizationStringIP Geolocation Organization
RecordedFuture.URL.metrics.typeStringRecorded Future Metrics Type
RecordedFuture.URL.metrics.valueNumberRecorded Future Metrics Value
RecordedFuture.URL.threatLists.descriptionStringRecorded Future Threat List Description
RecordedFuture.URL.threatLists.idStringRecorded Future Threat List ID
RecordedFuture.URL.threatLists.nameStringRecorded Future Threat List Name
RecordedFuture.URL.threatLists.typeStringRecorded Future Threat List Type
RecordedFuture.URL.relatedEntities.RelatedAttacker.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedAttacker.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedAttacker.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedAttacker.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedTarget.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedTarget.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedTarget.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedTarget.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedThreatActor.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedThreatActor.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedThreatActor.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedThreatActor.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedMalware.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedMalware.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedMalware.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedMalware.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedCyberVulnerability.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedCyberVulnerability.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedCyberVulnerability.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedCyberVulnerability.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedIpAddress.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedIpAddress.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedIpAddress.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedIpAddress.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedInternetDomainName.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedInternetDomainName.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedInternetDomainName.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedInternetDomainName.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedProduct.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedProduct.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedProduct.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedProduct.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedCountries.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedCountries.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedCountries.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedCountries.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedHash.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedHash.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedHash.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedHash.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedTechnology.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedTechnology.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedTechnology.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedTechnology.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedEmailAddress.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedEmailAddress.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedEmailAddress.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedEmailAddress.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedAttackVector.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedAttackVector.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedAttackVector.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedAttackVector.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedMalwareCategory.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedMalwareCategory.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedMalwareCategory.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedMalwareCategory.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedOperations.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedOperations.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedOperations.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedOperations.typeStringRecorded Future Related Type
RecordedFuture.URL.relatedEntities.RelatedCompany.countNumberRecorded Future Related Count
RecordedFuture.URL.relatedEntities.RelatedCompany.idStringRecorded Future Related ID
RecordedFuture.URL.relatedEntities.RelatedCompany.nameStringRecorded Future Related Name
RecordedFuture.URL.relatedEntities.RelatedCompany.typeStringRecorded Future Related Type

Command Example#

!recordedfuture-intelligence entity_type="ip" entity="8.8.8.8"

Context Example#

{
"DBotScore": [
{
"Indicator": "8.8.8.8",
"Score": 0,
"Type": "ip",
"Vendor": "Recorded Future"
},
{
"Indicator": "8.8.8.4",
"Score": 2,
"Type": "ip",
"Vendor": "Recorded Future"
},
{
"Indicator": "8.8.8.5",
"Score": 2,
"Type": "ip",
"Vendor": "Recorded Future"
}
],
"IP": [
{
"ASN": "AS15169",
"Address": "8.8.8.8",
"Geo": {
"Country": "United States"
}
},
{
"Address": "8.8.8.4"
},
{
"Address": "8.8.8.5"
}
],
"RecordedFuture": {
"IP": {
"criticality": 0,
"criticalityLabel": "None",
"evidenceDetails": [],
"firstSeen": "2010-04-27T12:46:51.000Z",
"id": "ip:8.8.8.8",
"intelCard": "https://app.recordedfuture.com/live/sc/entity/ip%3A8.8.8.8",
"lastSeen": "2020-06-12T16:25:09.211Z",
"location": {
"asn": "AS15169",
"cidr": {
"id": "ip:8.8.8.0/24",
"name": "8.8.8.0/24",
"type": "IpAddress"
},
"location": {
"city": "Mountain View",
"continent": "North America",
"country": "United States"
},
"organization": "GOOGLE"
},
"metrics": [
{
"type": "pasteHits",
"value": 324743
},
{
"type": "darkWebHits",
"value": 53564
},
{
"type": "criticality",
"value": 0
},
{
"type": "publicSubscore",
"value": 0
},
{
"type": "undergroundForumHits",
"value": 1837
},
{
"type": "maliciousHits",
"value": 462511
},
{
"type": "technicalReportingHits",
"value": 9074924
},
{
"type": "infoSecHits",
"value": 9065751
},
{
"type": "totalHits",
"value": 9576010
},
{
"type": "sixtyDaysHits",
"value": 96554
},
{
"type": "oneDayHits",
"value": 169
},
{
"type": "c2Subscore",
"value": 0
},
{
"type": "phishingSubscore",
"value": 0
},
{
"type": "socialMediaHits",
"value": 71547
},
{
"type": "sevenDaysHits",
"value": 5819
}
],
"name": "8.8.8.8",
"relatedEntities": [
{
"RelatedMalwareCategory": [
{
"count": 143770,
"id": "0efpT",
"name": "Trojan",
"type": "MalwareCategory"
},
{
"count": 100993,
"id": "J31vQ6",
"name": "Banking Trojan",
"type": "MalwareCategory"
}
]
},
{
"RelatedCyberVulnerability": [
{
"count": 11,
"id": "LBbHYm",
"name": "CWE-78",
"type": "CyberVulnerability"
},
{
"count": 11,
"id": "LpTCYV",
"name": "CVE-2014-6271",
"type": "CyberVulnerability"
}
]
},
{
"RelatedHash": [
{
"count": 573,
"id": "hash:00e9fb5ad26e87ce2abc2a7de0789ebb1a38bf0d28ae175662f67d4b16237b67",
"name": "00e9fb5ad26e87ce2abc2a7de0789ebb1a38bf0d28ae175662f67d4b16237b67",
"type": "Hash"
},
{
"count": 148,
"id": "hash:cef615ee419d513c68e67780a08fd52a6e9c23d189cf4b85d3ba5efbee7a48e6",
"name": "cef615ee419d513c68e67780a08fd52a6e9c23d189cf4b85d3ba5efbee7a48e6",
"type": "Hash"
}
]
},
{
"RelatedIpAddress": [
{
"count": 1352680,
"id": "ip:8.8.4.4",
"name": "8.8.4.4",
"type": "IpAddress"
},
{
"count": 158918,
"id": "ip:66.171.248.178",
"name": "66.171.248.178",
"type": "IpAddress"
}
]
},
{
"RelatedThreatActor": [
{
"count": 159,
"id": "I2QcS_",
"name": "Anonymous",
"type": "Organization"
}
]
},
],
"riskString": "0/51",
"riskSummary": "No Risk Rules are currently observed.",
"riskyCIDRIPs": [
{
"ip": {
"id": "ip:8.8.8.4",
"name": "8.8.8.4",
"type": "IpAddress"
},
"score": 24
},
{
"ip": {
"id": "ip:8.8.8.5",
"name": "8.8.8.5",
"type": "IpAddress"
},
"score": 24
}
],
"rules": 0,
"score": 0,
"threatLists": [
{
"description": "This list consists of DNS public or open DNS servers and is an absolute allow list for Risk Scoring.",
"id": "report:Uz6vFG",
"name": "DNS Server List (White List)",
"type": "EntityList"
}
],
"type": "IpAddress"
}
}
}

Human Readable Output#

Recorded Future IP Intelligence for 8.8.8.8#

Risk Score: 0 Summary: No Risk Rules are currently observed. Criticality label: None Total references to this entity: 9576010 ASN and Geolocation AS Number: AS15169 AS Name: GOOGLE CIDR: 8.8.8.0/24 Geolocation (city): Mountain View Geolocation (country): United States First reference collected on: 2010-04-27 12:46:51 Latest reference collected on: 2020-06-12 16:25:09 Intelligence Card

Triggered Risk Rules#

No entries.

Threat Lists#

Threat List NameDescription
DNS Server List (White List)This list consists of DNS public or open DNS servers and is an absolute allow list for Risk Scoring.

recordedfuture-links#

Get Insikt Group Research Links for an IP, Domain, CVE, URL or File.

Base Command#

recordedfuture-links

Input#

Argument NameDescriptionRequired
entity_typeThe type of entity to fetch links for. (Should be provided with its value in entityValue argument)Required
entityThe value of the entity to fetch links for. (Should be provided with its type in entity_type argument, Hash types supported: MD5, SHA-1, SHA-256, SHA-512, CRC32, CTPH). Vulnerability supports CVEs.Required

Context Output#

PathTypeDescription
RecordedFuture.Links.categoryStringRecorded Future Links Category
RecordedFuture.Links.typeStringRecorded Future Links Type
RecordedFuture.Links.lists.entity_typeStringRecorded Future Links Entity Type
RecordedFuture.Links.lists.entities.nameStringRecorded Future Link Entity Name
RecordedFuture.Links.lists.entities.typeStringRecorded Future Link Entity Type
RecordedFuture.Links.lists.entities.scoreNumberRecorded Future Link Entity Risk Score

Command Example#

!recordedfuture-links entity="152.169.22.67" entity_type="ip"

Context Example#

{
"RecordedFuture": {
"Links": {
"Insikt Group Research Links": [
{
"category": "Actors, Tools & TTPs",
"lists": [
{
"entities": [
{
"name": "Zero Day Exploit",
"score": null,
"type": "AttackVector",
}
]
"entity_type": "Attack Vector",
}
]
},
{
"category":"Indicators & Detection Rules",
"lists": [
{
"entity_type":"IP address",
"entities": [
{
"name": "125.62.192.220",
"score": 69,
"type": "IpAddress",
},
{
"name": "22.33.66.85",
"score": 33,
"type": "IpAddress",
}
]
}
]
}
],
"Technical Links": [
{
"category": "Actors, Tools & TTPs",
"lists": [
{
"entities": [
{
"name": "TA0011",
"score": null,
"type": "MitreAttackIdentifier",
}
]
"entity_type": "MITRE ATT&CK Identifier",
},
]
},
]
}
}
}

Human Readable Output#

Insikt Group Research Links for: 152.169.22.67#

Category Actors, Tools & TTPs#

Attack Vector
Zero Day Exploit

Indicators & Detection Rules#

IP address
125.62.192.220
22.33.66.85

Fetch Incidents#

You can fetch Recorded Future Alerts and work with them as XSOAR Incidents. When pulling the alert we set it status to pending and we only pull alerts with status no-acction("New" in UI). There are three parameters that you can specify.

Argument NameFormatDescriptionRequiredDefault value
First fetch time[number][time unit], e.g. 12 hours, 7 days, 3 months, 1 yearFirst period to fetch alerts fromNot Required24 hours
Max number of incident to pull in one callNumber e.g 1 , 3 , 4Specify how much alerts to pull in one runNot Required50
Incidents Fetch Interval[number][time unit][number][time unit] e.g. 1 hour 30 minutesSpecify time interval between every pullRequired1 minute

Fetched Incidents Data#

"data": {
"rule": {
"url": "https://app.recordedfuture.com/live/sc/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%22Y8d2JN%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22DJIA+Cyber%22%7D&state.bNavbar=false",
"name": "DJIA Cyber",
"id": "Y8d2JN"
},
"type": "EVENT",
"entities": [
{
"entity": null,
"risk": {},
"trend": {},
"documents": [
{
"references": [
{
"fragment": "This malware can steal passwords, credit card info in Chrome, Safari.",
"entities": [
{
"id": "czhXN",
"name": "PT Reliance Securities Tbk",
"type": "Company"
},
{
"id": "B_sMd",
"name": "Apple Safari",
"type": "Product"
},
{
"id": "B_tZO",
"name": "Palo Alto Networks",
"type": "Company"
},
{
"id": "GARXk",
"name": "MSMEs",
"type": "Company"
},
{
"id": "B_LyO",
"name": "Apple",
"type": "Company"
},
{
"id": "B_HE4",
"name": "Google",
"type": "Company"
}
],
"language": "eng"
}
],
"source": {
"id": "KFGeiP",
"name": "CanIndia NEWS",
"type": "Source"
},
"url": "http://www.canindia.com/this-malware-can-steal-passwords-credit-card-info-in-chrome-safari/",
"title": "This malware can steal passwords, credit card info in Chrome, Safari"
},
{
"references": [
{
"fragment": "Malicious code hidden in the Windows registry.",
"entities": [
{
"id": "B_Hs5",
"name": "F5 Networks",
"type": "Company"
},
{
"id": "B_E-R",
"name": "Twitter",
"type": "Company"
},
{
"id": "J0LOpv",
"name": "Malicious code",
"type": "AttackVector"
},
{
"id": "Y97Q48",
"name": "HTML Signature Solutions",
"type": "Company"
},
{
"id": "CBJSs",
"name": "LinkedIn",
"type": "Company"
},
{
"id": "B_HOS",
"name": "Microsoft Windows",
"type": "Product"
}
],
"language": "eng"
}
],
"source": {
"id": "RrKkHT",
"name": "F5 Networks",
"type": "Source"
},
"url": "https://www.f5.com/labs/articles/threat-intelligence/gozi-adds-evasion-techniques-to-its-growing-bag-of-tricks",
"title": null
},
{
"references": [
{
"fragment": "The company noted in a blog post the ransomware had infected more than 100 Windows servers by exploiting several web application vulnerabilities, and the number of victims was rising.",
"entities": [
{
"id": "Cq3eF",
"name": "Web application vulnerabilities",
"type": "IndustryTerm"
},
{
"id": "J0Nl-p",
"name": "Ransomware",
"type": "MalwareCategory"
},
{
"id": "B_HOS",
"name": "Microsoft Windows",
"type": "Product"
}
],
"language": "eng"
},
{
"fragment": "The company noted in a blog post the ransomware had infected more than 100 Windows servers by exploiting several web application vulnerabilities, and the number of victims was rising.",
"entities": [
{
"id": "Cq3eF",
"name": "Web application vulnerabilities",
"type": "IndustryTerm"
},
{
"id": "J0Nl-p",
"name": "Ransomware",
"type": "MalwareCategory"
},
{
"id": "B_HOS",
"name": "Microsoft Windows",
"type": "Product"
}
],
"language": "eng"
}
],
"source": {
"id": "idn:8btc.com",
"name": "8btc.com",
"type": "InternetDomainName"
},
"url": "https://news.8btc.com/an-upgraded-satan-ransomware-infects-hundreds-of-windows-servers-in-china-demanding-a-ransom-of-1-bitcoin-within-3-days",
"title": "An Upgraded Satan Ransomware Infects Hundreds of Windows Servers in China, Demanding a Ransom of 1 Bitcoin Within 3 Days | NEWS.8BTC.COM."
},
{
"references": [
{
"fragment": "example.gmail.com|1qazse4r",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|snapy573",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|ric290888",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|cumicumi49",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|20may1993",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|04041995",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|lk63864551",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|mememesheryl",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|danubrata45",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|miracles7",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|albert",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|14Oktober1998",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|1234qwer",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|dwitamaalfred",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|oliviaagnes",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|5148520362",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|kucit11",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|n1kuailema",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|limajuli",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|tasyakevinrio",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|747474",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|sanurlovers",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|bologe10101994",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|flymuc12",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|donnie",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|g153ll3",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|kolonel8",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|Na11032009",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|gogle05",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|my9snapy",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|bani2005",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|mala2581998",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|961501",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|april322912",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|dalshabet2012",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|vicha1002",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|0811570188",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|amidala7",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|janand",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|cheptie",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|Dealova33",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|jss231094",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|arschgeil00",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|burlgoat97",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|Ahau7296",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|gilaabis",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|123456",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|Tiffani16694",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
},
{
"fragment": "example.gmail.com|4ndr15ukm4v4r094",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
}
],
"source": {
"id": "Jv_xrR",
"name": "PasteBin",
"type": "Source"
},
"url": "https://pastebin.com/20WrvAKf",
"title": "5K empas Indo + Bonus"
},
{
"references": [
{
"fragment": "| [+] E-mail Found: example.gmail.com",
"entities": [
{
"id": "email:example.gmail.com",
"name": "example.gmail.com",
"type": "EmailAddress"
}
],
"language": "eng"
}
],
"source": {
"id": "Jv_xrR",
"name": "PasteBin",
"type": "Source"
},
"url": "https://pastebin.com/Ntk14mse",
"title": "Anonymous JTSEC #OpIsis Full Recon #11"
},
{
"references": [
{
"fragment": "I remember reading that it was made loose on purpose so cords don't bring your Mac down if they're tripped over.",
"entities": [
{
"id": "BBh7yv",
"name": "Mac",
"type": "Product"
}
],
"language": "eng"
}
],
"source": {
"id": "TiY1wz",
"name": "Apple devices",
"type": "Source"
},
"url": "https://www.reddit.com/r/apple/comments/aljr4z/apple_testing_iphones_with_usbc_port/efi3j06/",
"title": "/u/ccrama on Apple testing iPhones with USB-C port"
},
{
"references": [
{
"fragment": "App Store, iTunes Store, Apple Music been down for several hours now! @AppleSupport.",
"entities": [
{
"id": "JZHhWg",
"name": "Apple iTunes",
"type": "Product"
},
{
"id": "QGkOLY",
"name": "@AppleSupport",
"type": "Username"
},
{
"id": "B_LyO",
"name": "Apple",
"type": "Company"
}
],
"language": "eng"
}
],
"source": {
"id": "BV5",
"name": "Twitter",
"type": "Source"
},
"url": "https://twitter.com/PRHTH/statuses/1091215388086394880",
"title": "App Store, iTunes Store , Apple Music down พร้อมกันหมดเลยจ้า หลายชั่วโมงแล้ว \n\nApp Store, iTunes Store, Apple Music been down for several hours now! @AppleSupport"
},
{
"references": [
{
"fragment": "An Upgraded Satan Ransomware Infects Hundreds of Windows Servers in China, Demanding a Ransom of 1 Bitcoin Within 3 Days - 8BTC via BTCnews #Bitcoin https://t.co/1YEkzEdO92.",
"entities": [
{
"id": "B75KVV",
"name": "via",
"type": "IndustryTerm"
},
{
"id": "url:https://news.8btc.com/an-upgraded-satan-ransomware-infects-hundreds-of-windows-servers-in-china-demanding-a-ransom-of-1-bitcoin-within-3-days",
"name": "https://news.8btc.com/an-upgraded-satan-ransomware-infects-hundreds-of-windows-servers-in-china-demanding-a-ransom-of-1-bitcoin-within-3-days",
"type": "URL"
},
{
"id": "IH6pHd",
"name": "Bitcoin",
"type": "Technology"
},
{
"id": "Kei3LZ",
"name": "#Bitcoin",
"type": "Hashtag"
},
{
"id": "SePISm",
"name": "Satan",
"type": "Malware"
},
{
"id": "B_FNa",
"name": "China",
"type": "Country"
},
{
"id": "J0Nl-p",
"name": "Ransomware",
"type": "MalwareCategory"
},
{
"id": "B_HOS",
"name": "Microsoft Windows",
"type": "Product"
}
],
"language": "eng"
}
],
"source": {
"id": "BV5",
"name": "Twitter",
"type": "Source"
},
"url": "https://twitter.com/btcnewsapp/statuses/1091268383180537856",
"title": "An Upgraded Satan Ransomware Infects Hundreds of Windows Servers in China, Demanding a Ransom of 1 Bitcoin Within 3 Days - 8BTC via BTCnews #Bitcoin https://t.co/1YEkzEdO92"
},
{
"references": [
{
"fragment": "@Apple Flaw that allows hacker to access target mic, camera, location, memory.",
"entities": [
{
"id": "P_iscR",
"name": "@Apple",
"type": "Username"
}
],
"language": "eng"
}
],
"source": {
"id": "BV5",
"name": "Twitter",
"type": "Source"
},
"url": "https://twitter.com/ganag92444992/statuses/1091257432662134784",
"title": "@Apple Flaw that allows hacker to access target mic, camera, location, memory.\nAny remedy for that? Targetted due to that flaw\nSo not #iOS #Apple #iphone #hacker #HackerNews #cybersecurity #privacy #HumanRights #surveillance #DataSecurity #DataProtection"
}
]
}
],
"review": {
"noteDate": null,
"note": null,
"noteAuthor": null,
"assignee": null,
"status": "no-action"
},
"url": "https://app.recordedfuture.com/live/sc/notification/?id=Y9-jli",
"triggered": "2019-02-01T09:58:13.564Z",
"title": "DJIA Cyber - New references in 9 documents",
"counts": {
"references": 58,
"entities": 0,
"documents": 9
},
"id": "Y9-jli"
}
}
Edit this page
Report an Issue