Fortinet black logo

Recorded Future

Recorded Future v1.0.1

1.0.1
Copy Link
Copy Doc ID b5bda430-c198-4fdc-b228-f9e72806c275:1

About the connector

Recorded Future's unique technology automatically serves up relevant insights in real time and at unparalleled scale. Recorded Future's flexible software lets you put any type of threat intelligence where you need it — centralizing sources of threat data, enabling collaboration on analysis, and integrating with your security infrastructure.

This document provides information about the Recorded Future connector, which facilitates automated interactions, with a Recorded Future server using FortiSOAR™ playbooks. Add the Recorded Future connector as a step in FortiSOAR™ playbooks and perform automated operations, such as looking up threat context and retrieving reputation for domains, IP addresses, files etc, and getting risk lists for domains, IP addresses, files etc based on risk list rules.

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 4.12.0-746

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

Following enhancements have been made to the Recorded Future connector in version 1.0.1:

  • Enhanced the descriptions for all the actions supported in the Recorded Future connector.
  • Renamed some of the sample playbooks such as, the Get Alert playbook has been renamed to Alert: Get Alert and the Search Alerts playbook has been renamed to Alert: Search Alerts.

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the URL of the Recorded Future server on which you will perform the automated operations.
  • You must have the API key that is configured for your Recorded Future account.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Recorded Future connector row, and in the Configure tab enter the required configuration details.

Parameter Description
Server URL URL of the Recorded Future server from where the connector gets notifications.
API Key API Key that is configured for you to authenticate your Recorded Future account
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Domain Reputation Looks up the intel threat context for a domain and retrieves its reputation from Recorded future, based on the domain name you have specified. get_domain_reputation
Investigation
Get Domain Risk List Retrieves the risk list information for the domain(s) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search Domain Searches for and retrieves information about intel threat context for all domains or specific domain(s) (based on the filter criteria you have specified) from Recorded Future. search_domain
Investigation
Get IP Reputation Looks up the intel threat context for an IP address and retrieves its reputation from Recorded Future, based on the IP address you have specified. get_ip_reputation
Investigation
Get IP Risk List Retrieves the risk list information for the IP address(es) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search IP Searches for and retrieves information about intel threat context for all IP addresses or specific IP address(es) (based on the filter criteria you have specified) from Recorded Future. search_ip
Investigation
Get File Reputation Looks up the intel threat context for a file identity hash (MD5, SHA-1 or SHA-256) and retrieves its reputation from Recorded future, based on the file hash you have specified. get_file_reputation
Investigation
Get File Risk List Retrieves the risk list information for the file(s) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search Filehash Searches for and retrieves information about intel threat context for all filehashes or specific filehash(es) (based on the filter criteria you have specified) from Recorded Future. search_filehash
Investigation
Lookup Vulnerability Looks up the intel threat context for a vulnerability and retrieves its information from Recorded future, based on the CVE Identifier ID or Recorded Future ID you have specified. get_vulnerability
Investigation
Get Vulnerability Risk List Retrieves the risk list information for the vulnerability(ies) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search Vulnerabilities Searches for and retrieves information about intel threat context for all vulnerabilities or specific vulnerabilities(ies) (based on the filter criteria you have specified) from Recorded Future. search_vulnerability
Investigation
Lookup URL Looks up the intel threat context for a URL and retrieves its information from Recorded future, based on the URL you have specified. get_url_reputation
Investigation
Get URL Risk List Retrieves the risk list information for the URL(s) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search URL Searches for and retrieves information about intel threat context for all URLs or specific URL(s) (based on the filter criteria you have specified) from Recorded Future. search_url
Investigation
Lookup Malware Looks up the intel threat context for a Malware and retrieves its information from Recorded future, based on the Malware ID you have specified. lookup_malware
Investigation
Search Malware Searches for and retrieves information about intel threat context for all Malwares or specific Malware(s) (based on the filter criteria you have specified) from Recorded Future. search_malware
Investigation
Get Alert Retrieves details for an alert which is generated in Recorded Future, based on the alert ID you have specified. get_alert
Investigation
Search Alerts Searches for and retrieves notification information for all alerts or specific alert(s) (based on the filter criteria you have specified) generated on Recorded Future. search_alerts
Investigation
Search Alert Rules Searches for and retrieves information about all alert rules or specific alert rule(s) (based on the filter criteria you have specified) from Recorded Future. search_alert_rule
Investigation
Get Risk Rules Retrieves the risk rules for IP, Domain, URL, File or Vulnerability from Recorded Future, based on the filter criteria you have specified. get_riskrules
Investigation

operation: Get Domain Reputation

Input parameters

Parameter Description
Domain Name of the domain for which you want to retrieve reputation from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains the reputation information for the domain retrieved from Recorded Future, based on the domain name you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"threatLists": [],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
]
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"analystNotes": []
}
}

operation: Get Domain Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for domain (s) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, C&C Nameserver, C&C DNS Name, C&C URL, Compromised URL, Recently Resolved to Host of Many DDNS Names, Historically Reported as a Defanged DNS Names, Recent Fast Flux DNS Name, Historically Reported in Threat List, Historically Linked to Cyber Attack, Historical Malware Analysis DNS Name, Blacklisted DNS Name, Active Phishing URL, Ransomware Distribution URL, Ransomware Payment DNS Name, Recently Reported by Insikt Group, Recently Reported as a Defanged DNS Names, Recently Linked to Cyber Attack, Recent Malware Analysis DNS Name, Recent Threat Researcher, Recent Typosquat Similarity - DNS Sandwich, Recent Typosquat Similarity - Typo or Homograph, Recently Resolved to Malicious IP, Recently Resolved to Suspicious IP, Recently Resolved to Unusual IP, Recently Resolved to Very Malicious IP, Trending in Recorded Future Analyst Community, Historical Threat Researcher, Historical Typosquat Similarity - DNS Sandwich, or Historical Typosquat Similarity - Typo or Homograph.

Output

The JSON output contains the risk list information for the domain(s) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"DomainNameObj:Value": {
"@condition": "",
"#text": ""
},
"@type": "",
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:DomainNameObj": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@id": "",
"@xmlns:cybox": ""
}
}

operation: Search Domain

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
Offset Index of the first item to return from the search result.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, idn:ddobnajanu.club
Risk Rule Risk Rule List based on which you want to retrieve risk list information for domain (s) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, C&C Nameserver, C&C DNS Name, C&C URL, Compromised URL, Recently Resolved to Host of Many DDNS Names, Historically Reported as a Defanged DNS Names, Recent Fast Flux DNS Name, Historically Reported in Threat List, Large, Historically Linked to Cyber Attack, Historical Malware Analysis DNS Name, Blacklisted DNS Name, Active Phishing URL, Ransomware Distribution URL, Ransomware Payment DNS Name, Recently Reported by Insikt Group, Recently Reported as a Defanged DNS Names, Recently Linked to Cyber Attack, Recent Malware Analysis DNS Name, Recent Threat Researcher, Recent Typosquat Similarity - DNS Sandwich, Recent Typosquat Similarity - Typo or Homograph, Recently Resolved to Malicious IP, Recently Resolved to Suspicious IP, Recently Resolved to Unusual IP, Recently Resolved to Very Malicious IP, Trending in Recorded Future Analyst Community, Historical Threat Researcher, Historical Typosquat Similarity - DNS Sandwich, or Historical Typosquat Similarity - Typo or Homograph.
Parent Filter domains (including FQDNs) in a parent domain or a subdomain.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all domains or specific domain(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"counts": {
"total": "",
"returned": ""
},
"data": {
"results": [
{
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"analystNotes": [],
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"metrics": [
{
"value": "",
"type": ""
}
],
"risk": {
"criticality": "",
"criticalityLabel": "",
"riskString": "",
"rules": "",
"score": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
],
"riskSummary": ""
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"threatLists": [
{
"name": "",
"type": "",
"description": "",
"id": ""
}
]
}
]
}
}

operation: Get IP Reputation

Input parameters

Parameter Description
IP Address IP address for which you want to retrieve reputation from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains the reputation information for the IP address retrieved from Recorded Future, based on the IP address you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"location": {
"location": {
"country": "",
"continent": ""
},
"organization": "",
"cidr": {
"name": "",
"type": "",
"id": ""
},
"asn": ""
},
"threatLists": [],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
]
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"analystNotes": []
}
}

operation: Get IP Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for IP address(es) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Inside Possible Bogus BGP Route, Historical Botnet Traffic, Nameserver for C&C Server, Historical C&C Server, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Recent Host of Many DDNS Names, Historically Reported as a Defanged IP, Resolution of Fast Flux DNS Name, Historically Reported in Threat List, Historical Honeypot Sighting, Honeypot Host, Recent C&C Server, Historically Linked to Intrusion Method, Historically Linked to APT, Historically Linked to Cyber Attack, Malicious Packet Source, Malware Delivery, Historical Multicategory Blacklist, Historical Open Proxies, Phishing Host, Historical Positive Malware Verdict, Recently Reported by Insikt Group, Recent Botnet Traffic, Current C&C Server, Recently Reported as Defanged IP, Recent Honeypot Sighting, Recently Linked to Intrusion Method, Recently Linked to APT, Recently Linked to Cyber Attack, Recent Multicategory Blacklist, Recent Open Proxies, Recent Positive Malware Verdict, Recent Spam Source, Recent SSH/Dictionary Attacker, Recent Bad SSL Association, Recent Threat Researcher, Trending in Recorded Future Analyst Community, Historical Spam Source, Historical SSH/Dictionary Attacker, Historical Bad SSL Association, Historical Threat Researcher, Tor Node, Unusual IP, or Vulnerable Host.

Output

The JSON output contains the risk list information for the IP address(es) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"AddressObj:Address_Value": {
"@condition": "",
"#text": ""
},
"@category": "",
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:AddressObj": "",
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@id": "",
"@xmlns:cybox": ""
}
}

operation: Search IP

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Range Range of IP addresses from starting IP address to ending IP address or CIDR.
For example, 1.2.3.4/24 or 1.2.3.4-5.6.7.8.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, ip:199.173.128.0/20
Risk Rule Risk Rule List based on which you want to retrieve risk list information for IP address(es) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Inside Possible Bogus BGP Route, Historical Botnet Traffic, Nameserver for C&C Server, Historical C&C Server, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Recent Host of Many DDNS Names, Historically Reported as a Defanged IP, Resolution of Fast Flux DNS Name, Historically Reported in Threat List, Historical Honeypot Sighting, Honeypot Host, Recent C&C Server, Large, Historically Linked to Intrusion Method, Historically Linked to APT, Historically Linked to Cyber Attack, Malicious Packet Source, Malware Delivery, Historical Multicategory Blacklist, Historical Open Proxies, Phishing Host, Historical Positive Malware Verdict, Recently Reported by Insikt Group, Recent Botnet Traffic, Current C&C Server, Recently Reported as Defanged IP, Recent Honeypot Sighting, Recently Linked to Intrusion Method, Recently Linked to APT, Recently Linked to Cyber Attack, Recent Multicategory Blacklist, Recent Open Proxies, Recent Positive Malware Verdict, Recent Spam Source, Recent SSH/Dictionary Attacker, Recent Bad SSL Association, Recent Threat Researcher, Trending in Recorded Future Analyst Community, Historical Spam Source, Historical SSH/Dictionary Attacker, Historical Bad SSL Association, Historical Threat Researcher, Tor Node, Unusual IP, or Vulnerable Host.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all IP addresses or specific IP address(es) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"results": [
{
"analystNotes": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"threatLists": [
{
"name": "",
"type": "",
"description": "",
"id": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
],
"riskSummary": ""
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"location": {
"location": {
"country": "",
"continent": ""
},
"organization": "",
"cidr": {
"name": "",
"type": "",
"id": ""
},
"asn": ""
}
}
]
},
"counts": {
"total": "",
"returned": ""
}
}

operation: Get File Reputation

Input parameters

Parameter Description
Filehash Filehash (MD5, SHA-1 or SHA-256) whose reputation you want to retrieve from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains the reputation information for the file retrieved from Recorded Future, based on the filehash you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"hashAlgorithm": "",
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"intelCard": "",
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
]
},
"threatLists": [],
"analystNotes": []
}
}

operation: Get File Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for file(s) from Recorded Future.
You can choose from the following options: Reported by Insikt Group, Historically Reported in Threat List, Linked to Cyber Attack, Linked to Malware, Linked to Attack Vector, Linked to Vulnerability, Malware SSL Certificate Fingerprint, Positive Malware Verdict, Trending in Recorded Future Analyst Community, or Threat Researcher.

Output

The JSON output contains the risk list information for the file(s) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:FileObj": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"FileObj:Hashes": {
"cyboxCommon:Hash": {
"cyboxCommon:Simple_Hash_Value": {
"@condition": "",
"#text": ""
},
"cyboxCommon:Type": {
"#text": "",
"@xsi:type": ""
}
}
},
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@xmlns:cyboxCommon": "",
"@id": "",
"@xmlns:cyboxVocabs": "",
"@xmlns:cybox": ""
}
}

operation: Search Filehash

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
Algorithm Filter the search results by the hash algorithm. You can choose from the following options: CRC-32, CTPH, MD5, SHA-1, SHA-256, or SHA-512.
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, hash:1d724f95c61f1055f0d02c2154bbccd3
Risk Rule Risk Rule List based on which you want to retrieve risk list information for filehash(es) from Recorded Future.
You can choose from the following options: Reported by Insikt Group, Historically Reported in Threat List, Linked to Cyber Attack, Linked to Malware, Linked to Attack Vector, Linked to Vulnerability, Malware SSL Certificate Fingerprint, Positive Malware Verdict, Trending in Recorded Future Analyst Community, or Threat Researcher.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all filehashes or specific filehash(es) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": [
{
"label": "",
"key": "",
"type": "",
"item": {
"type": "",
"entries": [
{
"label": "",
"key": "",
"type": "",
"item": {
"type": "",
"entries": [
{
"label": "",
"key": "",
"type": ""
}
]
}
}
]
}
}
]
},
"data": {
"results": [
{
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"hashAlgorithm": "",
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"evidenceDetails": [
{
"criticalityLabel": "",
"evidenceString": "",
"criticality": "",
"rule": "",
"timestamp": ""
}
],
"riskSummary": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"value": "",
"type": ""
}
],
"threatLists": [],
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"analystNotes": []
}
]
},
"counts": {
"total": "",
"returned": ""
}
}

operation: Lookup Vulnerability

Input parameters

Parameter Description
CVE/RF ID CVE Identifier ID or Recorded Future ID whose reputation you want to retrieve from Recorded Future.
For example CVE IDs: CVE-2018-8811, CVE-2018-8810
RF ID = Vga53v
Fields (Optional) Fields that you want to include in the output.
You can choose from the following options: National Vulnerability Database description, Analyst Notes, Common Names, Entity, Counts, Common Platform Enumeration, Common Platform Enumeration 2.2 URI, Common Vulnerability Scoring System, Intel Card URL, Metrics, Related Entities, Related Links, Risk, Sightings, Threat Lists, or Event Timestamps.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains intel threat context information for the vulnerability retrieved from Recorded Future, based on the CVE Identifier ID or Recorded Future ID you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"cpe": [],
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"cpe22uri": [],
"cvss": {
"published": "",
"lastModified": ""
},
"entity": {
"name": "",
"type": "",
"description": "",
"id": ""
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"evidenceDetails": [
{
"criticality": "",
"criticalityLabel": "",
"rule": "",
"timestamp": "",
"evidenceString": ""
}
],
"riskSummary": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"commonNames": [],
"nvdDescription": "",
"threatLists": [],
"relatedLinks": [],
"analystNotes": []
}
}

operation: Get Vulnerability Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for vulnerability(ies) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Web Reporting Prior to CVSS Score, Cyber Exploit Signal: Critical, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Linked to Historical Cyber Exploit, Historically Linked to Exploit Kit, Historically Linked to Malware, Historically Linked to Remote Access Trojan, Historically Linked to Ransomware, Linked to Recent Cyber Exploit, Recently Linked to Exploit Kit, Recently Linked to Malware, Recently Linked to Remote Access Trojan, Recently Linked to Ransomware, NIST Severity: Critical, NIST Severity: High, NIST Severity: Low, NIST Severity: Medium, Web Reporting Prior to NVD Disclosure, Recently Reported by Insikt Group, Recently Linked to Penetration Testing Tools, or Historically Linked to Penetration Testing Tools.

Output

The JSON output contains the risk list information for the vulnerability(ies) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stix": "",
"@version": "",
"@timestamp": "",
"@xmlns": "",
"stix:Exploit_Targets": {
"stixCommon:Exploit_Target": [
{
"et:Title": "",
"et:Vulnerability": {
"et:Affected_Software": {
"et:Affected_Software": {
"stixCommon:Observable": {
"@id": "",
"cybox:Title": ""
}
}
},
"et:CVE_ID": "",
"et:CVSS_Score": {
"et:Overall_Score": ""
},
"et:Published_DateTime": "",
"et:References": {
"stixCommon:Reference": ""
}
},
"@xmlns:xsi": "",
"@timestamp": "",
"et:Description": "",
"@id": "",
"@xsi:type": ""
}
]
},
"@xmlns:et": "",
"@id": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:stixCommon": "",
"@xmlns:cybox": ""
}
}

operation: Search Vulnerabilities

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Fields Fields that you want to include in the output.
You can choose from the following options: National Vulnerability Database description, Analyst Notes, Common Names, Entity, Counts, Common Platform Enumeration, Common Platform Enumeration 2.2 URI, Common Vulnerability Scoring System, Intel Card URL, Metrics, Related Entities, Related Links, Risk, Sightings, Threat Lists, or Event Timestamps.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
CVSS Score Filter the search results by the common vulnerability scoring system score (CVSS score). You can enter a number between 0 to 10 as the CVSS score in the format [0,10]
For example, [2,9.3], (2,9.3), [2,3.6), (6,), (,8) . Working of the CVSS score examples is the same as the risk score examples.
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, PGW3XH
Risk Rule Risk Rule List based on which you want to retrieve risk list information for vulnerability(ies) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Web Reporting Prior to CVSS Score, Cyber Exploit Signal: Critical, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Large, Linked to Historical Cyber Exploit, Historically Linked to Exploit Kit, Historically Linked to Malware, Historically Linked to Remote Access Trojan, Historically Linked to Ransomware, Linked to Recent Cyber Exploit, Recently Linked to Exploit Kit, Recently Linked to Malware, Recently Linked to Remote Access Trojan, Recently Linked to Ransomware, NIST Severity: Critical, NIST Severity: High, NIST Severity: Low, NIST Severity: Medium, Web Reporting Prior to NVD Disclosure, Recently Reported by Insikt Group, Recently Linked to Penetration Testing Tools, or Historically Linked to Penetration Testing Tools.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all vulnerabilities or specific vulnerability(ies) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"results": [
{
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"cpe": [],
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"cpe22uri": [],
"cvss": {
"accessComplexity": "",
"lastModified": "",
"confidentiality": "",
"published": "",
"availability": "",
"score": "",
"authentication": "",
"accessVector": "",
"integrity": ""
},
"entity": {
"name": "",
"type": "",
"description": "",
"id": ""
},
"intelCard": "",
"risk": {
"criticality": "",
"criticalityLabel": "",
"riskString": "",
"rules": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticalityLabel": "",
"evidenceString": "",
"criticality": "",
"rule": "",
"timestamp": ""
}
]
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"commonNames": [],
"nvdDescription": "",
"analystNotes": [
{
"attributes": {
"published": "",
"context_entities": [
{
"name": "",
"type": "",
"id": ""
}
],
"text": "",
"note_entities": [
{
"name": "",
"type": "",
"description": "",
"id": ""
}
],
"validation_urls": [
{
"name": "",
"type": "",
"id": ""
}
],
"title": "",
"validated_on": "",
"topic": {
"name": "",
"type": "",
"id": ""
}
},
"source": "",
"id": ""
}
],
"relatedLinks": [],
"threatLists": []
}
]
},
"counts": {
"total": "",
"returned": ""
}
}

operation: Lookup URL

Input parameters

Parameter Description
URL URL for which you want to retrieve threat information from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Related Entities, Risk, Sightings, or Event Timestamps.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains intel threat context information for the URL retrieved from Recorded Future, based on the URL you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"sightings": [],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"timestamp": "",
"criticality": ""
}
]
},
"analystNotes": [
{
"id": "",
"source": "",
"attributes": {
"validation_urls": [
{
"name": "",
"type": "",
"id": ""
}
],
"text": "",
"note_entities": [
{
"name": "",
"type": "",
"id": ""
}
],
"tlp": "",
"published": "",
"title": "",
"validated_on": "",
"topic": {
"name": "",
"type": "",
"id": ""
}
}
}
]
}
}

operation: Get URL Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for URL(s) from Recorded Future.
You can choose from the following options: C&C URL, Compromised URL, Historically Reported as a Defanged URL, Historically Reported in Threat List, Large, Active Phishing URL, Ransomware Distribution URL, or Recently Reported as e Defanged URL.

Output

The JSON output contains the risk list information for the URL(s) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"URIObj:Value": {
"@condition": "",
"#text": ""
},
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@xmlns:URIObj": "",
"@id": "",
"@xmlns:cybox": ""
}
}

operation: Search URL

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Related Entities, Risk, Sightings, or Event Timestamps.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, url:http://examplendv.com/niugufvt4
Risk Rule Risk Rule List based on which you want to retrieve risk list information for URL(s) from Recorded Future.
You can choose from the following options: C&C URL, Compromised URL, Historically Reported as a Defanged URL, Historically Reported in Threat List, Active Phishing URL, Ransomware Distribution URL, or Recently Reported as e Defanged URL.
Order By Order the search results by this filter criteria.
You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about Intel threat context for all URLs or specific URL(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"counts": {
"total": "",
"returned": ""
},
"data": {
"results": [
{
"relatedEntities": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"sightings": [],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"value": "",
"type": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticalityLabel": "",
"evidenceString": "",
"timestamp": "",
"rule": "",
"criticality": ""
}
]
},
"analystNotes": []
}
]
}
}

operation: Lookup Malware

Input parameters

Parameter Description
ID ID of the Malware for which you want to retrieve threat information from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Intel Card URL, Related Entities, Sightings, Categories, or Event Timestamps.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains intel threat context information for the Malware retrieved from Recorded Future, based on the Malware ID you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"categories": [
{
"name": "",
"type": "",
"id": ""
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"value": "",
"type": ""
}
],
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"analystNotes": []
}
}

operation: Search Malware

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Fields Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Intel Card URL, Related Entities, Sightings, Categories, or Event Timestamps.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, Ps4Y1A
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on metrics (counts of recent references and metric values for various risk rules).

Output

The JSON output contains information about Intel threat context for all Malwares or specific Malware(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"counts": {
"total": "",
"returned": ""
},
"data": {
"results": [
{
"categories": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [],
"metrics": [
{
"value": "",
"type": ""
}
],
"sightings": [],
"relatedEntities": [],
"analystNotes": []
}
]
}
}

operation: Get Alert

Input parameters

Parameter Description
ID ID of the alert generated on Recorded Future for which you want to retrieve information from Recorded Future.

Output

The JSON output contains details for the alert retrieved from Recorded Future, based on the alert ID you have specified.

The output contains a non-dictionary value.

operation: Search Alerts

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Triggered DateTime when the alert was generated on Recorded Future. All Elasticsearch compatible date formats are valid.
Relative time expressions are also supported, such as -2d for two days prior to today and yesterday. As with absolute time references, both ends of the range still need to be specified. For example, to search for alerts that fired within the last 24 hrs, use triggered = [-24h,].
Assignee Filter the search results by the name of the assignee to whom the alert was assigned in Recorded Future, using the email address associated with that user account.
Status Status of the alert. You can choose from the following options: Unassigned, Assigned, Actionable, No Action, or Tuning.
Alert Rule ID Recorded Future's Alert Rule ID that is associated with the alert notification.
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
List ID Vulnerability ID from Recorded Future.
For example, Ps4Y1A
Order By Order the search results by this filter criteria. Currently, only the Triggered option is available.
Direction Arrange the search results either in the Ascending order or Descending order.

Output

The JSON output contains information about all Alerts or specific Alert(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains a non-dictionary value.

operation: Search Alert Rules

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.

Output

The JSON output contains information about all Alert Rules or specific Alert Rule(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains a non-dictionary value.

operation: Get Risk Rules

Input parameters

Parameter Description
Risk Rules for Risk rules have to be retrieved for the selected input from Recorded Future. You can choose from the following options: IP, Domain, URL, File, or Vulnerability.

Output

The JSON output contains information about the risk rules for IP, Domain, URL, File, or Vulnerability (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"data": {
"results": [
{
"description": "",
"criticality": "",
"criticalityLabel": "",
"count": "",
"name": ""
}
]
}
}

Included playbooks

The Sample - Recorded-Future - 1.0.1 playbook collection comes bundled with the Recorded Future connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Recorded Future connector.

  • Alert: Get Alert
  • Alert: Search Alert Rules
  • Alert: Search Alerts
  • Domain : Get Domain Reputation
  • Domain : Get Domain Risk List
  • Domain : Search Domain
  • File : Get File Reputation
  • File : Get File Risk List
  • File : Search Filehash
  • Get Risk Rules
  • IP : Get IP Reputation
  • IP : Get IP Risk List
  • IP : Search IP Addresses
  • Malware : Lookup Malware
  • Malware : Search Malware
  • URL : Get URL Risk List
  • URL : Lookup URL
  • URL : Search URL
  • Vulnerability : Get Vulnerability Risk List
  • Vulnerability : Lookup Vulnerability
  • Vulnerability : Search Vulnerabilities

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next

About the connector

Recorded Future's unique technology automatically serves up relevant insights in real time and at unparalleled scale. Recorded Future's flexible software lets you put any type of threat intelligence where you need it — centralizing sources of threat data, enabling collaboration on analysis, and integrating with your security infrastructure.

This document provides information about the Recorded Future connector, which facilitates automated interactions, with a Recorded Future server using FortiSOAR™ playbooks. Add the Recorded Future connector as a step in FortiSOAR™ playbooks and perform automated operations, such as looking up threat context and retrieving reputation for domains, IP addresses, files etc, and getting risk lists for domains, IP addresses, files etc based on risk list rules.

Version information

Connector Version: 1.0.1

FortiSOAR™ Version Tested on: 4.12.0-746

Authored By: Fortinet

Certified: Yes

Release Notes for version 1.0.1

Following enhancements have been made to the Recorded Future connector in version 1.0.1:

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Recorded Future connector row, and in the Configure tab enter the required configuration details.

Parameter Description
Server URL URL of the Recorded Future server from where the connector gets notifications.
API Key API Key that is configured for you to authenticate your Recorded Future account
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Domain Reputation Looks up the intel threat context for a domain and retrieves its reputation from Recorded future, based on the domain name you have specified. get_domain_reputation
Investigation
Get Domain Risk List Retrieves the risk list information for the domain(s) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search Domain Searches for and retrieves information about intel threat context for all domains or specific domain(s) (based on the filter criteria you have specified) from Recorded Future. search_domain
Investigation
Get IP Reputation Looks up the intel threat context for an IP address and retrieves its reputation from Recorded Future, based on the IP address you have specified. get_ip_reputation
Investigation
Get IP Risk List Retrieves the risk list information for the IP address(es) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search IP Searches for and retrieves information about intel threat context for all IP addresses or specific IP address(es) (based on the filter criteria you have specified) from Recorded Future. search_ip
Investigation
Get File Reputation Looks up the intel threat context for a file identity hash (MD5, SHA-1 or SHA-256) and retrieves its reputation from Recorded future, based on the file hash you have specified. get_file_reputation
Investigation
Get File Risk List Retrieves the risk list information for the file(s) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search Filehash Searches for and retrieves information about intel threat context for all filehashes or specific filehash(es) (based on the filter criteria you have specified) from Recorded Future. search_filehash
Investigation
Lookup Vulnerability Looks up the intel threat context for a vulnerability and retrieves its information from Recorded future, based on the CVE Identifier ID or Recorded Future ID you have specified. get_vulnerability
Investigation
Get Vulnerability Risk List Retrieves the risk list information for the vulnerability(ies) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search Vulnerabilities Searches for and retrieves information about intel threat context for all vulnerabilities or specific vulnerabilities(ies) (based on the filter criteria you have specified) from Recorded Future. search_vulnerability
Investigation
Lookup URL Looks up the intel threat context for a URL and retrieves its information from Recorded future, based on the URL you have specified. get_url_reputation
Investigation
Get URL Risk List Retrieves the risk list information for the URL(s) from Recorded Future, based on the risk rule list you have specified. get_risk_list
Investigation
Search URL Searches for and retrieves information about intel threat context for all URLs or specific URL(s) (based on the filter criteria you have specified) from Recorded Future. search_url
Investigation
Lookup Malware Looks up the intel threat context for a Malware and retrieves its information from Recorded future, based on the Malware ID you have specified. lookup_malware
Investigation
Search Malware Searches for and retrieves information about intel threat context for all Malwares or specific Malware(s) (based on the filter criteria you have specified) from Recorded Future. search_malware
Investigation
Get Alert Retrieves details for an alert which is generated in Recorded Future, based on the alert ID you have specified. get_alert
Investigation
Search Alerts Searches for and retrieves notification information for all alerts or specific alert(s) (based on the filter criteria you have specified) generated on Recorded Future. search_alerts
Investigation
Search Alert Rules Searches for and retrieves information about all alert rules or specific alert rule(s) (based on the filter criteria you have specified) from Recorded Future. search_alert_rule
Investigation
Get Risk Rules Retrieves the risk rules for IP, Domain, URL, File or Vulnerability from Recorded Future, based on the filter criteria you have specified. get_riskrules
Investigation

operation: Get Domain Reputation

Input parameters

Parameter Description
Domain Name of the domain for which you want to retrieve reputation from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains the reputation information for the domain retrieved from Recorded Future, based on the domain name you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"threatLists": [],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
]
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"analystNotes": []
}
}

operation: Get Domain Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for domain (s) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, C&C Nameserver, C&C DNS Name, C&C URL, Compromised URL, Recently Resolved to Host of Many DDNS Names, Historically Reported as a Defanged DNS Names, Recent Fast Flux DNS Name, Historically Reported in Threat List, Historically Linked to Cyber Attack, Historical Malware Analysis DNS Name, Blacklisted DNS Name, Active Phishing URL, Ransomware Distribution URL, Ransomware Payment DNS Name, Recently Reported by Insikt Group, Recently Reported as a Defanged DNS Names, Recently Linked to Cyber Attack, Recent Malware Analysis DNS Name, Recent Threat Researcher, Recent Typosquat Similarity - DNS Sandwich, Recent Typosquat Similarity - Typo or Homograph, Recently Resolved to Malicious IP, Recently Resolved to Suspicious IP, Recently Resolved to Unusual IP, Recently Resolved to Very Malicious IP, Trending in Recorded Future Analyst Community, Historical Threat Researcher, Historical Typosquat Similarity - DNS Sandwich, or Historical Typosquat Similarity - Typo or Homograph.

Output

The JSON output contains the risk list information for the domain(s) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"DomainNameObj:Value": {
"@condition": "",
"#text": ""
},
"@type": "",
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:DomainNameObj": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@id": "",
"@xmlns:cybox": ""
}
}

operation: Search Domain

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
Offset Index of the first item to return from the search result.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, idn:ddobnajanu.club
Risk Rule Risk Rule List based on which you want to retrieve risk list information for domain (s) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, C&C Nameserver, C&C DNS Name, C&C URL, Compromised URL, Recently Resolved to Host of Many DDNS Names, Historically Reported as a Defanged DNS Names, Recent Fast Flux DNS Name, Historically Reported in Threat List, Large, Historically Linked to Cyber Attack, Historical Malware Analysis DNS Name, Blacklisted DNS Name, Active Phishing URL, Ransomware Distribution URL, Ransomware Payment DNS Name, Recently Reported by Insikt Group, Recently Reported as a Defanged DNS Names, Recently Linked to Cyber Attack, Recent Malware Analysis DNS Name, Recent Threat Researcher, Recent Typosquat Similarity - DNS Sandwich, Recent Typosquat Similarity - Typo or Homograph, Recently Resolved to Malicious IP, Recently Resolved to Suspicious IP, Recently Resolved to Unusual IP, Recently Resolved to Very Malicious IP, Trending in Recorded Future Analyst Community, Historical Threat Researcher, Historical Typosquat Similarity - DNS Sandwich, or Historical Typosquat Similarity - Typo or Homograph.
Parent Filter domains (including FQDNs) in a parent domain or a subdomain.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all domains or specific domain(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"counts": {
"total": "",
"returned": ""
},
"data": {
"results": [
{
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"analystNotes": [],
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"metrics": [
{
"value": "",
"type": ""
}
],
"risk": {
"criticality": "",
"criticalityLabel": "",
"riskString": "",
"rules": "",
"score": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
],
"riskSummary": ""
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"threatLists": [
{
"name": "",
"type": "",
"description": "",
"id": ""
}
]
}
]
}
}

operation: Get IP Reputation

Input parameters

Parameter Description
IP Address IP address for which you want to retrieve reputation from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains the reputation information for the IP address retrieved from Recorded Future, based on the IP address you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"location": {
"location": {
"country": "",
"continent": ""
},
"organization": "",
"cidr": {
"name": "",
"type": "",
"id": ""
},
"asn": ""
},
"threatLists": [],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
]
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"analystNotes": []
}
}

operation: Get IP Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for IP address(es) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Inside Possible Bogus BGP Route, Historical Botnet Traffic, Nameserver for C&C Server, Historical C&C Server, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Recent Host of Many DDNS Names, Historically Reported as a Defanged IP, Resolution of Fast Flux DNS Name, Historically Reported in Threat List, Historical Honeypot Sighting, Honeypot Host, Recent C&C Server, Historically Linked to Intrusion Method, Historically Linked to APT, Historically Linked to Cyber Attack, Malicious Packet Source, Malware Delivery, Historical Multicategory Blacklist, Historical Open Proxies, Phishing Host, Historical Positive Malware Verdict, Recently Reported by Insikt Group, Recent Botnet Traffic, Current C&C Server, Recently Reported as Defanged IP, Recent Honeypot Sighting, Recently Linked to Intrusion Method, Recently Linked to APT, Recently Linked to Cyber Attack, Recent Multicategory Blacklist, Recent Open Proxies, Recent Positive Malware Verdict, Recent Spam Source, Recent SSH/Dictionary Attacker, Recent Bad SSL Association, Recent Threat Researcher, Trending in Recorded Future Analyst Community, Historical Spam Source, Historical SSH/Dictionary Attacker, Historical Bad SSL Association, Historical Threat Researcher, Tor Node, Unusual IP, or Vulnerable Host.

Output

The JSON output contains the risk list information for the IP address(es) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"AddressObj:Address_Value": {
"@condition": "",
"#text": ""
},
"@category": "",
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:AddressObj": "",
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@id": "",
"@xmlns:cybox": ""
}
}

operation: Search IP

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Range Range of IP addresses from starting IP address to ending IP address or CIDR.
For example, 1.2.3.4/24 or 1.2.3.4-5.6.7.8.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, ip:199.173.128.0/20
Risk Rule Risk Rule List based on which you want to retrieve risk list information for IP address(es) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Inside Possible Bogus BGP Route, Historical Botnet Traffic, Nameserver for C&C Server, Historical C&C Server, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Recent Host of Many DDNS Names, Historically Reported as a Defanged IP, Resolution of Fast Flux DNS Name, Historically Reported in Threat List, Historical Honeypot Sighting, Honeypot Host, Recent C&C Server, Large, Historically Linked to Intrusion Method, Historically Linked to APT, Historically Linked to Cyber Attack, Malicious Packet Source, Malware Delivery, Historical Multicategory Blacklist, Historical Open Proxies, Phishing Host, Historical Positive Malware Verdict, Recently Reported by Insikt Group, Recent Botnet Traffic, Current C&C Server, Recently Reported as Defanged IP, Recent Honeypot Sighting, Recently Linked to Intrusion Method, Recently Linked to APT, Recently Linked to Cyber Attack, Recent Multicategory Blacklist, Recent Open Proxies, Recent Positive Malware Verdict, Recent Spam Source, Recent SSH/Dictionary Attacker, Recent Bad SSL Association, Recent Threat Researcher, Trending in Recorded Future Analyst Community, Historical Spam Source, Historical SSH/Dictionary Attacker, Historical Bad SSL Association, Historical Threat Researcher, Tor Node, Unusual IP, or Vulnerable Host.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all IP addresses or specific IP address(es) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"results": [
{
"analystNotes": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"threatLists": [
{
"name": "",
"type": "",
"description": "",
"id": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
],
"riskSummary": ""
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"location": {
"location": {
"country": "",
"continent": ""
},
"organization": "",
"cidr": {
"name": "",
"type": "",
"id": ""
},
"asn": ""
}
}
]
},
"counts": {
"total": "",
"returned": ""
}
}

operation: Get File Reputation

Input parameters

Parameter Description
Filehash Filehash (MD5, SHA-1 or SHA-256) whose reputation you want to retrieve from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains the reputation information for the file retrieved from Recorded Future, based on the filehash you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"hashAlgorithm": "",
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"intelCard": "",
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticality": "",
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"mitigationString": "",
"timestamp": ""
}
]
},
"threatLists": [],
"analystNotes": []
}
}

operation: Get File Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for file(s) from Recorded Future.
You can choose from the following options: Reported by Insikt Group, Historically Reported in Threat List, Linked to Cyber Attack, Linked to Malware, Linked to Attack Vector, Linked to Vulnerability, Malware SSL Certificate Fingerprint, Positive Malware Verdict, Trending in Recorded Future Analyst Community, or Threat Researcher.

Output

The JSON output contains the risk list information for the file(s) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:FileObj": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"FileObj:Hashes": {
"cyboxCommon:Hash": {
"cyboxCommon:Simple_Hash_Value": {
"@condition": "",
"#text": ""
},
"cyboxCommon:Type": {
"#text": "",
"@xsi:type": ""
}
}
},
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@xmlns:cyboxCommon": "",
"@id": "",
"@xmlns:cyboxVocabs": "",
"@xmlns:cybox": ""
}
}

operation: Search Filehash

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analysis Notes, Entity, Counts, Intel Card URL, Metrics, Related Entities, Risk, Sightings, Threat Lists, and Event Timestamps.
By default, this option is set as Entity.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
Algorithm Filter the search results by the hash algorithm. You can choose from the following options: CRC-32, CTPH, MD5, SHA-1, SHA-256, or SHA-512.
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, hash:1d724f95c61f1055f0d02c2154bbccd3
Risk Rule Risk Rule List based on which you want to retrieve risk list information for filehash(es) from Recorded Future.
You can choose from the following options: Reported by Insikt Group, Historically Reported in Threat List, Linked to Cyber Attack, Linked to Malware, Linked to Attack Vector, Linked to Vulnerability, Malware SSL Certificate Fingerprint, Positive Malware Verdict, Trending in Recorded Future Analyst Community, or Threat Researcher.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all filehashes or specific filehash(es) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": [
{
"label": "",
"key": "",
"type": "",
"item": {
"type": "",
"entries": [
{
"label": "",
"key": "",
"type": "",
"item": {
"type": "",
"entries": [
{
"label": "",
"key": "",
"type": ""
}
]
}
}
]
}
}
]
},
"data": {
"results": [
{
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"hashAlgorithm": "",
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"evidenceDetails": [
{
"criticalityLabel": "",
"evidenceString": "",
"criticality": "",
"rule": "",
"timestamp": ""
}
],
"riskSummary": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"value": "",
"type": ""
}
],
"threatLists": [],
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"analystNotes": []
}
]
},
"counts": {
"total": "",
"returned": ""
}
}

operation: Lookup Vulnerability

Input parameters

Parameter Description
CVE/RF ID CVE Identifier ID or Recorded Future ID whose reputation you want to retrieve from Recorded Future.
For example CVE IDs: CVE-2018-8811, CVE-2018-8810
RF ID = Vga53v
Fields (Optional) Fields that you want to include in the output.
You can choose from the following options: National Vulnerability Database description, Analyst Notes, Common Names, Entity, Counts, Common Platform Enumeration, Common Platform Enumeration 2.2 URI, Common Vulnerability Scoring System, Intel Card URL, Metrics, Related Entities, Related Links, Risk, Sightings, Threat Lists, or Event Timestamps.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains intel threat context information for the vulnerability retrieved from Recorded Future, based on the CVE Identifier ID or Recorded Future ID you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"cpe": [],
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"cpe22uri": [],
"cvss": {
"published": "",
"lastModified": ""
},
"entity": {
"name": "",
"type": "",
"description": "",
"id": ""
},
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"evidenceDetails": [
{
"criticality": "",
"criticalityLabel": "",
"rule": "",
"timestamp": "",
"evidenceString": ""
}
],
"riskSummary": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"commonNames": [],
"nvdDescription": "",
"threatLists": [],
"relatedLinks": [],
"analystNotes": []
}
}

operation: Get Vulnerability Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for vulnerability(ies) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Web Reporting Prior to CVSS Score, Cyber Exploit Signal: Critical, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Linked to Historical Cyber Exploit, Historically Linked to Exploit Kit, Historically Linked to Malware, Historically Linked to Remote Access Trojan, Historically Linked to Ransomware, Linked to Recent Cyber Exploit, Recently Linked to Exploit Kit, Recently Linked to Malware, Recently Linked to Remote Access Trojan, Recently Linked to Ransomware, NIST Severity: Critical, NIST Severity: High, NIST Severity: Low, NIST Severity: Medium, Web Reporting Prior to NVD Disclosure, Recently Reported by Insikt Group, Recently Linked to Penetration Testing Tools, or Historically Linked to Penetration Testing Tools.

Output

The JSON output contains the risk list information for the vulnerability(ies) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stix": "",
"@version": "",
"@timestamp": "",
"@xmlns": "",
"stix:Exploit_Targets": {
"stixCommon:Exploit_Target": [
{
"et:Title": "",
"et:Vulnerability": {
"et:Affected_Software": {
"et:Affected_Software": {
"stixCommon:Observable": {
"@id": "",
"cybox:Title": ""
}
}
},
"et:CVE_ID": "",
"et:CVSS_Score": {
"et:Overall_Score": ""
},
"et:Published_DateTime": "",
"et:References": {
"stixCommon:Reference": ""
}
},
"@xmlns:xsi": "",
"@timestamp": "",
"et:Description": "",
"@id": "",
"@xsi:type": ""
}
]
},
"@xmlns:et": "",
"@id": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:stixCommon": "",
"@xmlns:cybox": ""
}
}

operation: Search Vulnerabilities

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Fields Fields that you want to include in the output.
You can choose from the following options: National Vulnerability Database description, Analyst Notes, Common Names, Entity, Counts, Common Platform Enumeration, Common Platform Enumeration 2.2 URI, Common Vulnerability Scoring System, Intel Card URL, Metrics, Related Entities, Related Links, Risk, Sightings, Threat Lists, or Event Timestamps.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
CVSS Score Filter the search results by the common vulnerability scoring system score (CVSS score). You can enter a number between 0 to 10 as the CVSS score in the format [0,10]
For example, [2,9.3], (2,9.3), [2,3.6), (6,), (,8) . Working of the CVSS score examples is the same as the risk score examples.
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, PGW3XH
Risk Rule Risk Rule List based on which you want to retrieve risk list information for vulnerability(ies) from Recorded Future.
You can choose from the following options: Historically Reported by Insikt Group, Web Reporting Prior to CVSS Score, Cyber Exploit Signal: Critical, Cyber Exploit Signal: Important, Cyber Exploit Signal: Medium, Large, Linked to Historical Cyber Exploit, Historically Linked to Exploit Kit, Historically Linked to Malware, Historically Linked to Remote Access Trojan, Historically Linked to Ransomware, Linked to Recent Cyber Exploit, Recently Linked to Exploit Kit, Recently Linked to Malware, Recently Linked to Remote Access Trojan, Recently Linked to Ransomware, NIST Severity: Critical, NIST Severity: High, NIST Severity: Low, NIST Severity: Medium, Web Reporting Prior to NVD Disclosure, Recently Reported by Insikt Group, Recently Linked to Penetration Testing Tools, or Historically Linked to Penetration Testing Tools.
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about intel threat context for all vulnerabilities or specific vulnerability(ies) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"results": [
{
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"cpe": [],
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"cpe22uri": [],
"cvss": {
"accessComplexity": "",
"lastModified": "",
"confidentiality": "",
"published": "",
"availability": "",
"score": "",
"authentication": "",
"accessVector": "",
"integrity": ""
},
"entity": {
"name": "",
"type": "",
"description": "",
"id": ""
},
"intelCard": "",
"risk": {
"criticality": "",
"criticalityLabel": "",
"riskString": "",
"rules": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticalityLabel": "",
"evidenceString": "",
"criticality": "",
"rule": "",
"timestamp": ""
}
]
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"commonNames": [],
"nvdDescription": "",
"analystNotes": [
{
"attributes": {
"published": "",
"context_entities": [
{
"name": "",
"type": "",
"id": ""
}
],
"text": "",
"note_entities": [
{
"name": "",
"type": "",
"description": "",
"id": ""
}
],
"validation_urls": [
{
"name": "",
"type": "",
"id": ""
}
],
"title": "",
"validated_on": "",
"topic": {
"name": "",
"type": "",
"id": ""
}
},
"source": "",
"id": ""
}
],
"relatedLinks": [],
"threatLists": []
}
]
},
"counts": {
"total": "",
"returned": ""
}
}

operation: Lookup URL

Input parameters

Parameter Description
URL URL for which you want to retrieve threat information from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Related Entities, Risk, Sightings, or Event Timestamps.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains intel threat context information for the URL retrieved from Recorded Future, based on the URL you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"relatedEntities": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"sightings": [],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"type": "",
"value": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"evidenceString": "",
"criticalityLabel": "",
"rule": "",
"timestamp": "",
"criticality": ""
}
]
},
"analystNotes": [
{
"id": "",
"source": "",
"attributes": {
"validation_urls": [
{
"name": "",
"type": "",
"id": ""
}
],
"text": "",
"note_entities": [
{
"name": "",
"type": "",
"id": ""
}
],
"tlp": "",
"published": "",
"title": "",
"validated_on": "",
"topic": {
"name": "",
"type": "",
"id": ""
}
}
}
]
}
}

operation: Get URL Risk List

Input parameters

Parameter Description
Risk Rule List Risk Rule List based on which you want to retrieve risk list information for URL(s) from Recorded Future.
You can choose from the following options: C&C URL, Compromised URL, Historically Reported as a Defanged URL, Historically Reported in Threat List, Large, Active Phishing URL, Ransomware Distribution URL, or Recently Reported as e Defanged URL.

Output

The JSON output contains the risk list information for the URL(s) retrieved from Recorded Future, based on the risk rule list you have specified.

The output contains the following populated JSON schema:
{
"stix:STIX_Package": {
"@xmlns:RF": "",
"@xmlns:stixCommon": "",
"@version": "",
"@xmlns": "",
"@timestamp": "",
"stix:Indicators": {
"stix:Indicator": [
{
"@id": "",
"indicator:Observable": {
"@id": "",
"cybox:Object": {
"@id": "",
"cybox:Properties": {
"URIObj:Value": {
"@condition": "",
"#text": ""
},
"@xsi:type": ""
}
}
},
"@xsi:type": "",
"@timestamp": "",
"indicator:Producer": {
"stixCommon:References": {
"stixCommon:Reference": ""
},
"stixCommon:Description": ""
},
"indicator:Confidence": {
"stixCommon:Value": "",
"stixCommon:Description": ""
},
"indicator:Title": "",
"indicator:Description": "",
"indicator:Indicated_TTP": [
{
"stixCommon:Confidence": {
"stixCommon:Value": {
"#text": "",
"@xsi:type": ""
}
},
"stixCommon:TTP": {
"ttp:Title": "",
"@id": "",
"ttp:Description": "",
"@timestamp": "",
"@xsi:type": ""
}
}
],
"indicator:Type": {
"#text": "",
"@xsi:type": ""
},
"indicator:Valid_Time_Position": {
"indicator:Start_Time": {
"#text": "",
"@precision": ""
},
"indicator:End_Time": {
"#text": "",
"@precision": ""
}
},
"@xmlns:xsi": ""
}
]
},
"@xmlns:stix": "",
"stix:STIX_Header": {
"stix:Description": ""
},
"@xmlns:ttp": "",
"@xmlns:indicator": "",
"@xmlns:stixVocabs": "",
"@xmlns:URIObj": "",
"@id": "",
"@xmlns:cybox": ""
}
}

operation: Search URL

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Fields Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Related Entities, Risk, Sightings, or Event Timestamps.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
Risk Score Filter the search results by the risk score, which are integer values from 0 to 100.
For example, Risk Score=[20,90] // same as 20 <= Risk Score <= 90
Risk Score=(20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,90) // same as 20 <= Risk Score <= 90
Risk Score=[20,) // same as 20 <= Risk Score
Risk Score=[,90) // same as Risk Score < 90
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, url:http://examplendv.com/niugufvt4
Risk Rule Risk Rule List based on which you want to retrieve risk list information for URL(s) from Recorded Future.
You can choose from the following options: C&C URL, Compromised URL, Historically Reported as a Defanged URL, Historically Reported in Threat List, Active Phishing URL, Ransomware Distribution URL, or Recently Reported as e Defanged URL.
Order By Order the search results by this filter criteria.
You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on the risk score.

Output

The JSON output contains information about Intel threat context for all URLs or specific URL(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"counts": {
"total": "",
"returned": ""
},
"data": {
"results": [
{
"relatedEntities": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"sightings": [],
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"value": "",
"type": ""
}
],
"risk": {
"criticality": "",
"rules": "",
"riskString": "",
"criticalityLabel": "",
"score": "",
"riskSummary": "",
"evidenceDetails": [
{
"criticalityLabel": "",
"evidenceString": "",
"timestamp": "",
"rule": "",
"criticality": ""
}
]
},
"analystNotes": []
}
]
}
}

operation: Lookup Malware

Input parameters

Parameter Description
ID ID of the Malware for which you want to retrieve threat information from Recorded Future.
Fields (Optional) Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Intel Card URL, Related Entities, Sightings, Categories, or Event Timestamps.
Metadata (Optional) Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.

Output

The JSON output contains intel threat context information for the Malware retrieved from Recorded Future, based on the Malware ID you have specified.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"data": {
"categories": [
{
"name": "",
"type": "",
"id": ""
}
],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [
{
"date": "",
"count": ""
}
],
"metrics": [
{
"value": "",
"type": ""
}
],
"sightings": [
{
"type": "",
"source": "",
"published": "",
"title": "",
"fragment": "",
"url": ""
}
],
"relatedEntities": [
{
"type": "",
"entities": [
{
"entity": {
"name": "",
"type": "",
"id": ""
},
"count": ""
}
]
}
],
"analystNotes": []
}
}

operation: Search Malware

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Fields Fields that you want to include in the output. You can choose from the following options: Analyst Notes, Entity, Counts, Metrics, Intel Card URL, Related Entities, Sightings, Categories, or Event Timestamps.
Metadata Select this option to annotate the response with additional metadata explaining the response data elements.
By default, this option is set as True.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
First Seen Filter the search results by the first see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
Last Seen Filter the search results by the last see date (all ElasticSearch compatible date formats are valid).
For example, 2017-03-14T18:01:18.750Z, 2017-01-01, 2017/01/01
List ID Vulnerability ID from Recorded Future.
For example, Ps4Y1A
Order By Order the search results by this filter criteria. You can choose from the following options: Created, Criticality, First Seen, Last Seen, Modified, Risk Score, Rules, Seven Days Hits, Sixty Days Hits, or Total Hits.
Direction Arrange the search results either in the Ascending order or Descending order based on metrics (counts of recent references and metric values for various risk rules).

Output

The JSON output contains information about Intel threat context for all Malwares or specific Malware(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"metadata": {
"entries": []
},
"counts": {
"total": "",
"returned": ""
},
"data": {
"results": [
{
"categories": [],
"entity": {
"name": "",
"type": "",
"id": ""
},
"intelCard": "",
"timestamps": {
"lastSeen": "",
"firstSeen": ""
},
"counts": [],
"metrics": [
{
"value": "",
"type": ""
}
],
"sightings": [],
"relatedEntities": [],
"analystNotes": []
}
]
}
}

operation: Get Alert

Input parameters

Parameter Description
ID ID of the alert generated on Recorded Future for which you want to retrieve information from Recorded Future.

Output

The JSON output contains details for the alert retrieved from Recorded Future, based on the alert ID you have specified.

The output contains a non-dictionary value.

operation: Search Alerts

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Triggered DateTime when the alert was generated on Recorded Future. All Elasticsearch compatible date formats are valid.
Relative time expressions are also supported, such as -2d for two days prior to today and yesterday. As with absolute time references, both ends of the range still need to be specified. For example, to search for alerts that fired within the last 24 hrs, use triggered = [-24h,].
Assignee Filter the search results by the name of the assignee to whom the alert was assigned in Recorded Future, using the email address associated with that user account.
Status Status of the alert. You can choose from the following options: Unassigned, Assigned, Actionable, No Action, or Tuning.
Alert Rule ID Recorded Future's Alert Rule ID that is associated with the alert notification.
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.
From Records from offset.
List ID Vulnerability ID from Recorded Future.
For example, Ps4Y1A
Order By Order the search results by this filter criteria. Currently, only the Triggered option is available.
Direction Arrange the search results either in the Ascending order or Descending order.

Output

The JSON output contains information about all Alerts or specific Alert(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains a non-dictionary value.

operation: Search Alert Rules

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criteria is applied and an unfiltered list is returned.

Input parameters

Parameter Description
Free Text Free text (not regex) string matching which list IDs are returned as the search result.
Limit Maximum number of results that this operation should return.
By default, this option is set as 10.

Output

The JSON output contains information about all Alert Rules or specific Alert Rule(s) (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains a non-dictionary value.

operation: Get Risk Rules

Input parameters

Parameter Description
Risk Rules for Risk rules have to be retrieved for the selected input from Recorded Future. You can choose from the following options: IP, Domain, URL, File, or Vulnerability.

Output

The JSON output contains information about the risk rules for IP, Domain, URL, File, or Vulnerability (based on the filter criteria you have specified) retrieved from Recorded Future.

The output contains the following populated JSON schema:
{
"data": {
"results": [
{
"description": "",
"criticality": "",
"criticalityLabel": "",
"count": "",
"name": ""
}
]
}
}

Included playbooks

The Sample - Recorded-Future - 1.0.1 playbook collection comes bundled with the Recorded Future connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Recorded Future connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.

Previous
Next