Recorded Future

Recorded Future is a threat intelligence platform whose indicator and alert data is ingested into Demisto for enrichment.

This integration was integrated and tested with revision r128029 of Recorded Future.

Use Cases

  1. Get reputation of IOCs: IP addresses, domains and files.
  2. Look up threat intelligence context for an IOC.
  3. Ingest indicators from risk lists - important note below.
  4. Fetch alerts by rules - important note below.

Fetched Incidents Data

{
  "data": {
    "rule": {
      "url": "https://app.recordedfuture.com/live/sc/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%22Y8d2JN%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22DJIA+Cyber%22%7D&state.bNavbar=false",
      "name": "DJIA Cyber",
      "id": "Y8d2JN"
    },
    "type": "EVENT",
    "entities": [
      {
        "entity": null,
        "risk": {},
        "trend": {},
        "documents": [
          {
            "references": [
              {
                "fragment": "This malware can steal passwords, credit card info in Chrome, Safari.",
                "entities": [
                  {
                    "id": "czhXN",
                    "name": "PT Reliance Securities Tbk",
                    "type": "Company"
                  },
                  {
                    "id": "B_sMd",
                    "name": "Apple Safari",
                    "type": "Product"
                  },
                  {
                    "id": "B_tZO",
                    "name": "Palo Alto Networks",
                    "type": "Company"
                  },
                  {
                    "id": "GARXk",
                    "name": "MSMEs",
                    "type": "Company"
                  },
                  {
                    "id": "B_LyO",
                    "name": "Apple",
                    "type": "Company"
                  },
                  {
                    "id": "B_HE4",
                    "name": "Google",
                    "type": "Company"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "KFGeiP",
              "name": "CanIndia NEWS",
              "type": "Source"
            },
            "url": "http://www.canindia.com/this-malware-can-steal-passwords-credit-card-info-in-chrome-safari/",
            "title": "This malware can steal passwords, credit card info in Chrome, Safari"
          },
          {
            "references": [
              {
                "fragment": "Malicious code hidden in the Windows registry.",
                "entities": [
                  {
                    "id": "B_Hs5",
                    "name": "F5 Networks",
                    "type": "Company"
                  },
                  {
                    "id": "B_E-R",
                    "name": "Twitter",
                    "type": "Company"
                  },
                  {
                    "id": "J0LOpv",
                    "name": "Malicious code",
                    "type": "AttackVector"
                  },
                  {
                    "id": "Y97Q48",
                    "name": "HTML Signature Solutions",
                    "type": "Company"
                  },
                  {
                    "id": "CBJSs",
                    "name": "LinkedIn",
                    "type": "Company"
                  },
                  {
                    "id": "B_HOS",
                    "name": "Microsoft Windows",
                    "type": "Product"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "RrKkHT",
              "name": "F5 Networks",
              "type": "Source"
            },
            "url": "https://www.f5.com/labs/articles/threat-intelligence/gozi-adds-evasion-techniques-to-its-growing-bag-of-tricks",
            "title": null
          },
          {
            "references": [
              {
                "fragment": "The company noted in a blog post the ransomware had infected more than 100 Windows servers by exploiting several web application vulnerabilities, and the number of victims was rising.",
                "entities": [
                  {
                    "id": "Cq3eF",
                    "name": "Web application vulnerabilities",
                    "type": "IndustryTerm"
                  },
                  {
                    "id": "J0Nl-p",
                    "name": "Ransomware",
                    "type": "MalwareCategory"
                  },
                  {
                    "id": "B_HOS",
                    "name": "Microsoft Windows",
                    "type": "Product"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "The company noted in a blog post the ransomware had infected more than 100 Windows servers by exploiting several web application vulnerabilities, and the number of victims was rising.",
                "entities": [
                  {
                    "id": "Cq3eF",
                    "name": "Web application vulnerabilities",
                    "type": "IndustryTerm"
                  },
                  {
                    "id": "J0Nl-p",
                    "name": "Ransomware",
                    "type": "MalwareCategory"
                  },
                  {
                    "id": "B_HOS",
                    "name": "Microsoft Windows",
                    "type": "Product"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "idn:8btc.com",
              "name": "8btc.com",
              "type": "InternetDomainName"
            },
            "url": "https://news.8btc.com/an-upgraded-satan-ransomware-infects-hundreds-of-windows-servers-in-china-demanding-a-ransom-of-1-bitcoin-within-3-days",
            "title": "An Upgraded Satan Ransomware Infects Hundreds of Windows Servers in China, Demanding a Ransom of 1 Bitcoin Within 3 Days | NEWS.8BTC.COM."
          },
          {
            "references": [
              {
                "fragment": "example.gmail.com|1qazse4r",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|snapy573",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|ric290888",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|cumicumi49",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|20may1993",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|04041995",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|lk63864551",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|mememesheryl",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|danubrata45",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|miracles7",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|albert",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|14Oktober1998",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|1234qwer",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|dwitamaalfred",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|oliviaagnes",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|5148520362",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|kucit11",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|n1kuailema",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|limajuli",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|tasyakevinrio",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|747474",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|sanurlovers",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|bologe10101994",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|flymuc12",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|donnie",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|g153ll3",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|kolonel8",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|Na11032009",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|gogle05",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|my9snapy",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|bani2005",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|mala2581998",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|961501",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|april322912",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|dalshabet2012",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|vicha1002",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|0811570188",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|amidala7",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|janand",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|cheptie",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|Dealova33",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|jss231094",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|arschgeil00",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|burlgoat97",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|Ahau7296",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|gilaabis",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|123456",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|Tiffani16694",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              },
              {
                "fragment": "example.gmail.com|4ndr15ukm4v4r094",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "Jv_xrR",
              "name": "PasteBin",
              "type": "Source"
            },
            "url": "https://pastebin.com/20WrvAKf",
            "title": "5K empas Indo + Bonus"
          },
          {
            "references": [
              {
                "fragment": "| [+] E-mail Found: example.gmail.com",
                "entities": [
                  {
                    "id": "email:example.gmail.com",
                    "name": "example.gmail.com",
                    "type": "EmailAddress"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "Jv_xrR",
              "name": "PasteBin",
              "type": "Source"
            },
            "url": "https://pastebin.com/Ntk14mse",
            "title": "Anonymous JTSEC #OpIsis Full Recon #11"
          },
          {
            "references": [
              {
                "fragment": "I remember reading that it was made loose on purpose so cords don't bring your Mac down if they're tripped over.",
                "entities": [
                  {
                    "id": "BBh7yv",
                    "name": "Mac",
                    "type": "Product"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "TiY1wz",
              "name": "Apple devices",
              "type": "Source"
            },
            "url": "https://www.reddit.com/r/apple/comments/aljr4z/apple_testing_iphones_with_usbc_port/efi3j06/",
            "title": "/u/ccrama on Apple testing iPhones with USB-C port"
          },
          {
            "references": [
              {
                "fragment": "App Store, iTunes Store, Apple Music been down for several hours now! @AppleSupport.",
                "entities": [
                  {
                    "id": "JZHhWg",
                    "name": "Apple iTunes",
                    "type": "Product"
                  },
                  {
                    "id": "QGkOLY",
                    "name": "@AppleSupport",
                    "type": "Username"
                  },
                  {
                    "id": "B_LyO",
                    "name": "Apple",
                    "type": "Company"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "BV5",
              "name": "Twitter",
              "type": "Source"
            },
            "url": "https://twitter.com/PRHTH/statuses/1091215388086394880",
            "title": "App Store, iTunes Store , Apple Music down พร้อมกันหมดเลยจ้า หลายชั่วโมงแล้ว \n\nApp Store, iTunes Store, Apple Music been down for several hours now! @AppleSupport"
          },
          {
            "references": [
              {
                "fragment": "An Upgraded Satan Ransomware Infects Hundreds of Windows Servers in China, Demanding a Ransom of 1 Bitcoin Within 3 Days - 8BTC via BTCnews #Bitcoin https://t.co/1YEkzEdO92.",
                "entities": [
                  {
                    "id": "B75KVV",
                    "name": "via",
                    "type": "IndustryTerm"
                  },
                  {
                    "id": "url:https://news.8btc.com/an-upgraded-satan-ransomware-infects-hundreds-of-windows-servers-in-china-demanding-a-ransom-of-1-bitcoin-within-3-days",
                    "name": "https://news.8btc.com/an-upgraded-satan-ransomware-infects-hundreds-of-windows-servers-in-china-demanding-a-ransom-of-1-bitcoin-within-3-days",
                    "type": "URL"
                  },
                  {
                    "id": "IH6pHd",
                    "name": "Bitcoin",
                    "type": "Technology"
                  },
                  {
                    "id": "Kei3LZ",
                    "name": "#Bitcoin",
                    "type": "Hashtag"
                  },
                  {
                    "id": "SePISm",
                    "name": "Satan",
                    "type": "Malware"
                  },
                  {
                    "id": "B_FNa",
                    "name": "China",
                    "type": "Country"
                  },
                  {
                    "id": "J0Nl-p",
                    "name": "Ransomware",
                    "type": "MalwareCategory"
                  },
                  {
                    "id": "B_HOS",
                    "name": "Microsoft Windows",
                    "type": "Product"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "BV5",
              "name": "Twitter",
              "type": "Source"
            },
            "url": "https://twitter.com/btcnewsapp/statuses/1091268383180537856",
            "title": "An Upgraded Satan Ransomware Infects Hundreds of Windows Servers in China, Demanding a Ransom of 1 Bitcoin Within 3 Days - 8BTC via BTCnews #Bitcoin https://t.co/1YEkzEdO92"
          },
          {
            "references": [
              {
                "fragment": "@Apple Flaw that allows hacker to access target mic, camera, location, memory.",
                "entities": [
                  {
                    "id": "P_iscR",
                    "name": "@Apple",
                    "type": "Username"
                  }
                ],
                "language": "eng"
              }
            ],
            "source": {
              "id": "BV5",
              "name": "Twitter",
              "type": "Source"
            },
            "url": "https://twitter.com/ganag92444992/statuses/1091257432662134784",
            "title": "@Apple Flaw that allows hacker to access target mic, camera, location, memory.\nAny remedy for that? Targetted due to that flaw\nSo not  #iOS #Apple #iphone  #hacker #HackerNews #cybersecurity #privacy #HumanRights #surveillance #DataSecurity #DataProtection"
          }
        ]
      }
    ],
    "review": {
      "noteDate": null,
      "note": null,
      "noteAuthor": null,
      "assignee": null,
      "status": "no-action"
    },
    "url": "https://app.recordedfuture.com/live/sc/notification/?id=Y9-jli",
    "triggered": "2019-02-01T09:58:13.564Z",
    "title": "DJIA Cyber - New references in 9 documents",
    "counts": {
      "references": 58,
      "entities": 0,
      "documents": 9
    },
    "id": "Y9-jli"
  }
}
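As an added example (not code from the integration itself), the Python below walks an alert of the shape shown above: it checks that data.counts agrees with the documents and references actually delivered, flags combo-list fragments of the form identifier|secret such as the PasteBin references, and shapes the alert as a fetch-incidents entry. The sample alert is constructed and trimmed to two documents with a made-up email, secrets and paste URL; the name/occurred/rawJSON incident keys are the usual Demisto fetch-incidents shape and are not documented on this page. Only a masked form and a hash prefix of each secret are kept in the derived fields.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed sample alert in the shape of the "Fetched Incidents Data" above,
# trimmed to two documents. The email, secrets and paste URL are made up.
SAMPLE_ALERT = {
    "data": {
        "rule": {"name": "DJIA Cyber", "id": "Y8d2JN"},
        "type": "EVENT",
        "entities": [{
            "entity": None, "risk": {}, "trend": {},
            "documents": [
                {
                    "references": [{
                        "fragment": "Malicious code hidden in the Windows registry.",
                        "entities": [
                            {"id": "J0LOpv", "name": "Malicious code", "type": "AttackVector"},
                            {"id": "B_HOS", "name": "Microsoft Windows", "type": "Product"},
                        ],
                        "language": "eng",
                    }],
                    "source": {"id": "RrKkHT", "name": "F5 Networks", "type": "Source"},
                    "url": "https://www.f5.com/labs/articles/threat-intelligence/gozi-adds-evasion-techniques-to-its-growing-bag-of-tricks",
                    "title": None,
                },
                {
                    "references": [
                        {"fragment": "user@example.com|hunter2",
                         "entities": [{"id": "email:user@example.com", "name": "user@example.com", "type": "EmailAddress"}],
                         "language": "eng"},
                        {"fragment": "user@example.com|Summer2019!",
                         "entities": [{"id": "email:user@example.com", "name": "user@example.com", "type": "EmailAddress"}],
                         "language": "eng"},
                        {"fragment": "| [+] E-mail Found: user@example.com",
                         "entities": [{"id": "email:user@example.com", "name": "user@example.com", "type": "EmailAddress"}],
                         "language": "eng"},
                    ],
                    "source": {"id": "Jv_xrR", "name": "PasteBin", "type": "Source"},
                    "url": "https://pastebin.com/constructed",  # constructed, not a real paste
                    "title": "constructed combo-list paste",
                },
            ],
        }],
        "review": {"status": "no-action"},
        "url": "https://app.recordedfuture.com/live/sc/notification/?id=Y9-jli",
        "triggered": "2019-02-01T09:58:13.564Z",
        "title": "DJIA Cyber - New references in 2 documents",
        "counts": {"references": 4, "entities": 0, "documents": 2},
        "id": "Y9-jli",
    }
}

# A combo-list line: "<identifier>|<secret>" and nothing else on the line.
CRED_PAIR = re.compile(r"^(?P<user>[^\s|]+)\|(?P<secret>\S+)$")


def iter_documents(alert):
    """Yield every document under every entity block of an alert."""
    for block in alert["data"].get("entities", []):
        for doc in block.get("documents", []):
            yield doc


def summarize_alert(alert):
    """Counts the alert actually carries, plus a breakdown of the tagged entity types."""
    docs = list(iter_documents(alert))
    refs = [ref for doc in docs for ref in doc.get("references", [])]
    types = Counter(ent["type"] for ref in refs for ent in ref.get("entities", []))
    return {"documents": len(docs), "references": len(refs), "entity_types": dict(types)}


def counts_consistent(alert):
    """True if data.counts agrees with the documents and references that were delivered."""
    seen = summarize_alert(alert)
    counts = alert["data"].get("counts", {})
    return counts.get("documents") == seen["documents"] and counts.get("references") == seen["references"]


def extract_credential_leaks(alert):
    """Combo-list fragments whose identifier is an EmailAddress entity of the same reference.

    Only a masked form and a SHA-256 prefix of the secret are kept, so incidents can be
    deduplicated and shown to the affected user without storing the plaintext secret.
    """
    leaks = []
    for doc in iter_documents(alert):
        for ref in doc.get("references", []):
            m = CRED_PAIR.match(ref.get("fragment") or "")
            if not m:
                continue
            emails = {e["name"] for e in ref.get("entities", []) if e.get("type") == "EmailAddress"}
            if m.group("user") not in emails:
                continue
            secret = m.group("secret")
            leaks.append({
                "email": m.group("user"),
                "secret_masked": secret[0] + "*" * (len(secret) - 1),
                "secret_sha256_prefix": hashlib.sha256(secret.encode()).hexdigest()[:12],
                "source": doc.get("source", {}).get("name"),
                "url": doc.get("url"),
            })
    return leaks


def to_demisto_incident(alert):
    """Shape one alert as a fetch-incidents entry (name/occurred/rawJSON, the usual Demisto keys)."""
    data = alert["data"]
    summary = summarize_alert(alert)
    leaks = extract_credential_leaks(alert)
    return {
        "name": data["title"],
        "occurred": data["triggered"],
        "details": "rule={} documents={} references={} credential_leaks={}".format(
            data["rule"]["name"], summary["documents"], summary["references"], len(leaks)),
        "rawJSON": json.dumps(alert),
    }


if __name__ == "__main__":
    print(json.dumps(to_demisto_incident(SAMPLE_ALERT)["details"]))
    print(json.dumps(extract_credential_leaks(SAMPLE_ALERT), indent=2))
```

The rawJSON field still carries the raw fragments, plaintext secrets included, because that is what the platform delivered; restrict who can read incident raw data, or drop the matching fragments from the copy you store, before enabling fetch on a rule that matches paste sites. The "| [+] E-mail Found: ..." fragment is deliberately not matched: the identifier must be the whole text before the separator and must be one of the reference's EmailAddress entities.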

Configure Recorded Future on Demisto

To use Recorded Future in Demisto, a Recorded Future API token is required. For more information, see the Recorded Future documentation.

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Recorded Future.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://api.recordedfuture.com)
    • API Token
    • File Threshold. Minimum risk score from Recorded Future to consider the file malicious.
    • IP Threshold. Minimum risk score from Recorded Future to consider the IP address malicious.
    • Domain Threshold. Minimum risk score from Recorded Future to consider the domain malicious.
    • URL Threshold. Minimum risk score from Recorded Future to consider the URL malicious.
    • Vulnerability Threshold. Minimum risk score from Recorded Future to consider the vulnerability critical.
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Fetch incidents
    • Rule names to fetch alerts by, separated by semicolons. If empty, alerts for all rules are fetched.
    • First fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • Incident type
  4. Click Test to validate the URL, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

1. Get information for a domain or DNS


Returns threat intelligence information for a domain or DNS in Recorded Future.

Base Command

domain

Input
Argument Name Description Required
domain Domain to get the reputation of Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
Domain.Name string Domain name
Domain.RecordedFuture.Criticality string Domain criticality label
Domain.RecordedFuture.FirstSeen date Risk first seen timestamp
Domain.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!domain domain=google.com detailed=true
Context Example
{
    "DBotScore": {
        "Indicator": "google.com",
        "Score": 2,
        "Type": "domain",
        "Vendor": "Recorded Future"
    },
    "Domain": {
        "Name": "google.com",
        "RecordedFuture": {
            "Criticality": "Unusual",
            "FirstSeen": "2009-01-21T14:00:18.000Z",
            "LastSeen": "2018-07-04T07:25:34.533Z"
        }
    }
}
Human Readable Output

image

2. Get information for an IP address


Returns threat intelligence information for an IP address in Recorded Future.

Base Command

ip

Input
Argument Name Description Required
ip IP address to get the reputation of Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description string For malicious IP addresses, the reason that the vendor made the decision
IP.Address string IP address
IP.RecordedFuture.Criticality string Risk criticality label
IP.RecordedFuture.FirstSeen date Risk first seen timestamp
IP.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!ip ip=93.174.93.63 detailed=true
Context Example
{
    "DBotScore": {
        "Indicator": "93.174.93.63",
        "Score": 3,
        "Type": "ip",
        "Vendor": "Recorded Future"
    },
    "IP": {
        "Address": "93.174.93.63",
        "Malicious": {
            "Description": "Score above 99",
            "Vendor": "Recorded Future"
        },
        "RecordedFuture": {
            "Criticality": "Very Malicious",
            "FirstSeen": "2014-12-07T04:37:34.125Z",
            "LastSeen": "2018-07-01T22:02:26.908Z"
        }
    }
}
Human Readable Output

image

3. Get information for a file


Returns threat intelligence information for a file in Recorded Future.

Base Command

file

Input
Argument Name Description Required
file File hash to check the reputation of (MD5, SHA-1, SHA-256, SHA-512, CRC-32, CTPH) Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional

Context Output
Path Type Description
File.SHA256 string File SHA-256
File.SHA512 string File SHA-512
File.SHA1 string File SHA-1
File.MD5 string File MD5
File.CRC32 string File CRC-32
File.CTPH string File CTPH
File.Malicious.Vendor string For malicious files, the vendor that made the decision
File.Malicious.Description string For malicious files, the reason that the vendor made the decision
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
File.RecordedFuture.Criticality string Risk criticality label
File.RecordedFuture.FirstSeen date Risk first seen timestamp
File.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!file file=9d0e761f3803889dc83c180901dc7b22 detailed=true
Context Example
{
    "DBotScore": {
        "Indicator": "9d0e761f3803889dc83c180901dc7b22",
        "Score": 3,
        "Type": "file",
        "Vendor": "Recorded Future"
    },
    "File": {
        "MD5": "9d0e761f3803889dc83c180901dc7b22",
        "Malicious": {
            "Description": "Score above 65",
            "Vendor": "Recorded Future"
        },
        "RecordedFuture": {
            "Criticality": "Malicious",
            "FirstSeen": "2017-12-06T09:57:02.802Z",
            "LastSeen": "2018-02-01T08:25:27.902Z"
        }
    }
}
Human Readable Output

image

4. Get information for a URL


Returns threat intelligence information for a URL in Recorded Future.

Base Command

url

Input
Argument Name Description Required
url URL to get the reputation of Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
URL.Data string URL name
URL.RecordedFuture.Criticality string URL criticality label
URL.RecordedFuture.FirstSeen date Risk first seen timestamp
URL.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
![image](https://user-images.githubusercontent.com/35098543/52180293-1421c280-27ed-11e9-82ec-cbb1669b20dc.png)
Context Example
{
    "URL": {
        "Malicious": {
            "Vendor": "Recorded Future", 
            "Description": "Score above 70"
        }, 
        "Data": "https://www.obfuscated.com", 
        "RecordedFuture": {
            "FirstSeen": "2019-02-02T00:00:00.000Z", 
            "Criticality": "Malicious", 
            "LastSeen": "2019-02-02T23:59:59.000Z"
        }
    }, 
    "DBotScore": {
        "Vendor": "Recorded Future", 
        "Indicator": "https://www.obfuscated.com", 
        "Score": 3, 
        "Type": "url"
    }
}
Human Readable Output

image
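
The four reputation commands above share one scoring pattern. As an added example (not the integration's own code), this Python maps a Recorded Future risk score onto the DBotScore and Malicious context entries documented for them; the sample thresholds and the score-to-verdict rule are assumptions.

```python
# Added example, not the integration's own code: maps a Recorded Future
# risk score (0-99) to a Demisto DBotScore and builds the context entry
# documented for the domain, ip, file and url commands. The sample
# thresholds and the score-to-verdict rule are assumptions chosen to
# agree with the Context Examples in this README.
from __future__ import annotations
import json

# Constructed thresholds mirroring the File/IP/Domain/URL Threshold parameters.
SAMPLE_THRESHOLDS = {"file": 65, "ip": 74, "domain": 94, "url": 70}

# Demisto DBotScore values.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

CONTEXT_KEY = {"file": "File", "ip": "IP", "domain": "Domain", "url": "URL"}
VALUE_FIELD = {"ip": "Address", "domain": "Name", "url": "Data"}
HASH_FIELD_BY_LENGTH = {8: "CRC32", 32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}


def hash_field(file_hash: str) -> str:
    """Pick the File.<field> key for a hash; CTPH (ssdeep) is colon-separated."""
    if ":" in file_hash:
        return "CTPH"
    field = HASH_FIELD_BY_LENGTH.get(len(file_hash))
    if field is None:
        raise ValueError(f"unrecognised hash length {len(file_hash)}")
    return field


def dbot_score(risk_score: int | None, threshold: int) -> int:
    """Assumed rule: unknown to Recorded Future -> 0; at or above the
    instance threshold -> 3 (bad); any triggered risk below it -> 2
    (suspicious); a risk score of 0 -> 1 (good)."""
    if risk_score is None:
        return DBOT_UNKNOWN
    if not 0 <= risk_score <= 99:
        raise ValueError("Recorded Future risk scores range from 0 to 99")
    if risk_score >= threshold:
        return DBOT_BAD
    if risk_score > 0:
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def build_context(indicator_type: str, value: str, risk_score: int | None,
                  criticality: str, first_seen: str, last_seen: str,
                  thresholds: dict[str, int] = SAMPLE_THRESHOLDS) -> dict:
    """Return the DBotScore and <Type> context documented in this README."""
    if indicator_type not in CONTEXT_KEY:
        raise ValueError(f"unsupported indicator type {indicator_type!r}")
    threshold = thresholds[indicator_type]
    score = dbot_score(risk_score, threshold)
    entry = {
        "RecordedFuture": {
            "Criticality": criticality,
            "FirstSeen": first_seen,
            "LastSeen": last_seen,
        }
    }
    if indicator_type == "file":
        entry[hash_field(value)] = value  # File.MD5 / File.SHA256 / ...
    else:
        entry[VALUE_FIELD[indicator_type]] = value  # IP.Address / Domain.Name / URL.Data
    if score == DBOT_BAD:
        # Only malicious verdicts carry the Malicious sub-object, with the
        # "Score above <threshold>" wording seen in the Context Examples.
        entry["Malicious"] = {"Vendor": "Recorded Future",
                              "Description": f"Score above {threshold}"}
    return {
        "DBotScore": {"Indicator": value, "Type": indicator_type,
                      "Vendor": "Recorded Future", "Score": score},
        CONTEXT_KEY[indicator_type]: entry,
    }


if __name__ == "__main__":
    # The risk score here is constructed; the hash and timestamps follow the README.
    print(json.dumps(build_context(
        "file", "9d0e761f3803889dc83c180901dc7b22", 72, "Malicious",
        "2017-12-06T09:57:02.802Z", "2018-02-01T08:25:27.902Z"), indent=2))
```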

5. Get threat intelligence context for an indicator


Returns threat intelligence context for an indicator in Recorded Future.

Base Command

recorded-future-get-related-entities

Input
Argument Name Description Required
entityType The type of entity to fetch context for (provide its value in the entityValue argument). Required
entityValue The value of the entity to fetch context for (provide its type in the entityType argument). Supported hash types: MD5, SHA-1, SHA-256, SHA-512, CRC-32, CTPH. Required
resultEntityType CSV list of related entity types to return in the result (e.g., Hash,IP,Domain) Optional

Context Output
Path Type Description
File.SHA256 string File SHA-256
File.SHA512 string File SHA-512
File.SHA1 string File SHA-1
File.MD5 string File MD5
File.CRC32 string File CRC-32
File.CTPH string File CTPH
File.RecordedFuture.RelatedEntities.IPAddress.Count number File related entity count (IP)
File.RecordedFuture.RelatedEntities.IPAddress.ID string File related entity ID (IP)
File.RecordedFuture.RelatedEntities.IPAddress.Name string File related entity name (IP)
File.RecordedFuture.RelatedEntities.Hash.Count number File related entity count (Hash)
File.RecordedFuture.RelatedEntities.Hash.ID string File related entity ID (Hash)
File.RecordedFuture.RelatedEntities.Hash.Name string File related entity name (Hash)
File.RecordedFuture.RelatedEntities.Domain.Count number File related entity count (Domain)
File.RecordedFuture.RelatedEntities.Domain.ID string File related entity ID (Domain)
File.RecordedFuture.RelatedEntities.Domain.Name string File related entity name (Domain)
File.RecordedFuture.RelatedEntities.Attacker.Count number File related entity count (Attacker)
File.RecordedFuture.RelatedEntities.Attacker.ID string File related entity ID (Attacker)
File.RecordedFuture.RelatedEntities.Attacker.Name string File related entity name (Attacker)
File.RecordedFuture.RelatedEntities.Malware.Count number File related entity count (Malware)
File.RecordedFuture.RelatedEntities.Malware.ID string File related entity ID (Malware)
File.RecordedFuture.RelatedEntities.Malware.Name string File related entity name (Malware)
File.RecordedFuture.RelatedEntities.URL.Count number File related entity count (URL)
File.RecordedFuture.RelatedEntities.URL.ID string File related entity ID (URL)
File.RecordedFuture.RelatedEntities.URL.Data string File related entity name (URL)
IP.Address string IP address
IP.RecordedFuture.RelatedEntities.IPAddress.Count number IP related entity count (IP)
IP.RecordedFuture.RelatedEntities.IPAddress.ID string IP related entity ID (IP)
IP.RecordedFuture.RelatedEntities.IPAddress.Name string IP related entity name (IP)
IP.RecordedFuture.RelatedEntities.Hash.Count number IP related entity count (Hash)
IP.RecordedFuture.RelatedEntities.Hash.ID string IP related entity ID (Hash)
IP.RecordedFuture.RelatedEntities.Hash.Name string IP related entity name (Hash)
IP.RecordedFuture.RelatedEntities.Domain.Count number IP related entity count (Domain)
IP.RecordedFuture.RelatedEntities.Domain.ID string IP related entity ID (Domain)
IP.RecordedFuture.RelatedEntities.Domain.Name string IP related entity name (Domain)
IP.RecordedFuture.RelatedEntities.Attacker.Count number IP related entity count (Attacker)
IP.RecordedFuture.RelatedEntities.Attacker.ID string IP related entity ID (Attacker)
IP.RecordedFuture.RelatedEntities.Attacker.Name string IP related entity name (Attacker)
IP.RecordedFuture.RelatedEntities.Malware.Count number IP related entity count (Malware)
IP.RecordedFuture.RelatedEntities.Malware.ID string IP related entity ID (Malware)
IP.RecordedFuture.RelatedEntities.Malware.Name string IP related entity name (Malware)
IP.RecordedFuture.RelatedEntities.URL.Count number IP related entity count (URL)
IP.RecordedFuture.RelatedEntities.URL.ID string IP related entity ID (URL)
IP.RecordedFuture.RelatedEntities.URL.Data string IP related entity name (URL)
Domain.Name string Domain name
Domain.RecordedFuture.RelatedEntities.IPAddress.Count number Domain related entity count (IP)
Domain.RecordedFuture.RelatedEntities.IPAddress.ID string Domain related entity ID (IP)
Domain.RecordedFuture.RelatedEntities.IPAddress.Name string Domain related entity name (IP)
Domain.RecordedFuture.RelatedEntities.Hash.Count number Domain related entity count (Hash)
Domain.RecordedFuture.RelatedEntities.Hash.ID string Domain related entity ID (Hash)
Domain.RecordedFuture.RelatedEntities.Hash.Name string Domain related entity name (Hash)
Domain.RecordedFuture.RelatedEntities.Domain.Count number Domain related entity count (Domain)
Domain.RecordedFuture.RelatedEntities.Domain.ID string Domain related entity ID (Domain)
Domain.RecordedFuture.RelatedEntities.Domain.Name string Domain related entity name (Domain)
Domain.RecordedFuture.RelatedEntities.Attacker.Count number Domain related entity count (Attacker)
Domain.RecordedFuture.RelatedEntities.Attacker.ID string Domain related entity ID (Attacker)
Domain.RecordedFuture.RelatedEntities.Attacker.Name string Domain related entity name (Attacker)
Domain.RecordedFuture.RelatedEntities.Malware.Count number Domain related entity count (Malware)
Domain.RecordedFuture.RelatedEntities.Malware.ID string Domain related entity ID (Malware)
Domain.RecordedFuture.RelatedEntities.Malware.Name string Domain related entity name (Malware)
Domain.RecordedFuture.RelatedEntities.URL.Count number Domain related entity count (URL)
Domain.RecordedFuture.RelatedEntities.URL.ID string Domain related entity ID (URL)
Domain.RecordedFuture.RelatedEntities.URL.Data string Domain related entity name (URL)
URL.Data string URL name
URL.RecordedFuture.RelatedEntities.IPAddress.Count number URL related entity count (IP)
URL.RecordedFuture.RelatedEntities.IPAddress.ID string URL related entity ID (IP)
URL.RecordedFuture.RelatedEntities.IPAddress.Name string URL related entity name (IP)
URL.RecordedFuture.RelatedEntities.Hash.Count number URL related entity count (Hash)
URL.RecordedFuture.RelatedEntities.Hash.ID string URL related entity ID (Hash)
URL.RecordedFuture.RelatedEntities.Hash.Name string URL related entity name (Hash)
URL.RecordedFuture.RelatedEntities.Domain.Count number URL related entity count (Domain)
URL.RecordedFuture.RelatedEntities.Domain.ID string URL related entity ID (Domain)
URL.RecordedFuture.RelatedEntities.Domain.Name string URL related entity name (Domain)
URL.RecordedFuture.RelatedEntities.Attacker.Count number URL related entity count (Attacker)
URL.RecordedFuture.RelatedEntities.Attacker.ID string URL related entity ID (Attacker)
URL.RecordedFuture.RelatedEntities.Attacker.Name string URL related entity name (Attacker)
URL.RecordedFuture.RelatedEntities.Malware.Count number URL related entity count (Malware)
URL.RecordedFuture.RelatedEntities.Malware.ID string URL related entity ID (Malware)
URL.RecordedFuture.RelatedEntities.Malware.Name string URL related entity name (Malware)
URL.RecordedFuture.RelatedEntities.URL.Count number URL related entity count (URL)
URL.RecordedFuture.RelatedEntities.URL.ID string URL related entity ID (URL)
URL.RecordedFuture.RelatedEntities.URL.Data string URL related entity name (URL)

Command Example
!recorded-future-get-related-entities entityType=domain entityValue=www.google.com resultEntityType=Malware
Context Example
{
    "Domain": {
        "Name": "www.google.com", 
        "RecordedFuture": {
            "RelatedEntities": {
                "Malware": [
                    {
                        "Count": 5150, 
                        "ID": "KeKudK", 
                        "Name": "Mydoom"
                    }, 
                    {
                        "Count": 1757, 
                        "ID": "J21f9C", 
                        "Name": "Zeus"
                    }, 
                    {
                        "Count": 1230, 
                        "ID": "eKnXx", 
                        "Name": "FakeAV"
                    }, 
                    {
                        "Count": 877, 
                        "ID": "Kj0AOY", 
                        "Name": "Adload"
                    }, 
                    {
                        "Count": 839,  ...
Human Readable Output

image

6. Get hash threats


Returns hash threats from Recorded Future.

Base Command

recorded-future-get-threats-hash

Input
Argument Name Description Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional
limit Number of results to return Optional
risk_lower Minimum threshold score to return results for Optional
risk_higher Maximum threshold score to return results for Optional
orderby Category to sort results by Optional
direction Sort direction Optional

Context Output
Path Type Description
File.SHA256 string File SHA-256
File.SHA512 string File SHA-512
File.SHA1 string File SHA-1
File.MD5 string File MD5
File.CRC32 string File CRC-32
File.CTPH string File CTPH
File.Malicious.Vendor string For malicious files, the vendor that made the decision
File.Malicious.Description string For malicious files, the reason that the vendor made the decision
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
File.RecordedFuture.Criticality string Risk criticality label
File.RecordedFuture.FirstSeen date Risk first seen timestamp
File.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!recorded-future-get-threats-hash detailed=true orderby=sevendayshits
Context Example
{
    "DBotScore": {
        "Vendor": "Recorded Future", 
        "Indicator": "c4efca7808662973b7dc5ec04f82ea232b5f8fa4bb9bdd45cdfadc815c9ceeb9", 
        "Score": 3, 
        "Type": "file"
    }, 
    "File": {
        "Malicious": {
            "Vendor": "Recorded Future", 
            "Description": "Score above 65"
        }, 
        "SHA256": "c4efca7808662973b7dc5ec04f82ea232b5f8fa4bb9bdd45cdfadc815c9ceeb9", 
        "RecordedFuture": {
            "FirstSeen": "2018-09-12T05:39:01.057Z", 
            "Criticality": "Malicious", 
            "LastSeen": "2019-02-01T06:39:01.306Z"
        }
    }
}
Human Readable Output

image

7. Get IP threats


Returns IP threats from Recorded Future.

Base Command

recorded-future-get-threats-ip

Input
Argument Name Description Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional
limit Number of results to return Optional
risk_lower Minimum threshold score to return results for Optional
risk_higher Maximum threshold score to return results for Optional
orderby Category to sort by Optional
direction Sort direction Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
IP.Malicious.Vendor string For malicious IP addresses, the vendor that made the decision
IP.Malicious.Description string For malicious IP addresses, the reason that the vendor made the decision
IP.Address string IP address
IP.RecordedFuture.Criticality string Risk criticality label
IP.RecordedFuture.FirstSeen date Risk first seen timestamp
IP.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!recorded-future-get-threats-ip detailed=true orderby=sevendayshits
Context Example
{
    "IP": {
        "RecordedFuture": {
            "FirstSeen": "2012-12-26T11:01:01.939Z", 
            "Criticality": "Malicious", 
            "LastSeen": "2019-02-03T17:37:08.283Z"
        }, 
        "Malicious": {
            "Vendor": "Recorded Future", 
            "Description": "Score above 74"
        }, 
        "Address": "1.2.0.1"
    }, 
    "DBotScore": {
        "Vendor": "Recorded Future", 
        "Indicator": "1.2.0.1", 
        "Score": 3, 
        "Type": "ip"
    }
}
Human Readable Output

image

8. Get URL threats


Returns URL threats from Recorded Future.

Base Command

recorded-future-get-threats-url

Input
Argument Name Description Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional
limit Number of results to return Optional
risk_lower Minimum threshold score to return results for Optional
risk_higher Maximum threshold score to return results for Optional
orderby Category to sort by Optional
direction Sort direction Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
URL.Data string URL name
URL.RecordedFuture.Criticality string URL criticality label
URL.RecordedFuture.FirstSeen date Risk first seen timestamp
URL.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!recorded-future-get-threats-url detailed=true orderby=sevendayshits
Context Example
{
    "URL": {
        "Malicious": {
            "Vendor": "Recorded Future", 
            "Description": "Score above 65"
        }, 
        "Data": "obfuscated.com", 
        "RecordedFuture": {
            "FirstSeen": "2019-02-03T00:00:00.000Z", 
            "Criticality": "Malicious", 
            "LastSeen": "2019-02-03T23:59:59.000Z"
        }
    }, 
    "DBotScore": {
        "Vendor": "Recorded Future", 
        "Indicator": "https://obfuscated.com", 
        "Score": 3, 
        "Type": "url"
    }
}
Human Readable Output

image

9. Get domain threats


Returns domain threats from Recorded Future.

Base Command

recorded-future-get-threats-domain

Input
Argument Name Description Required
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional
limit Limit number of results returned Optional
risk_lower Minimum threshold score to return results for Optional
risk_higher Maximum threshold score to return results for Optional
orderby Category to sort by Optional
direction Sort direction Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested
DBotScore.Type string Indicator type
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
Domain.Name string Domain name
Domain.RecordedFuture.Criticality string Domain criticality label
Domain.RecordedFuture.FirstSeen date Risk first seen timestamp
Domain.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!recorded-future-get-threats-domain detailed=true
Context Example
{
    "DBotScore": {
        "Vendor": "Recorded Future", 
        "Indicator": "obfuscated.com", 
        "Score": 3, 
        "Type": "domain"
    }, 
    "Domain": {
        "Malicious": {
            "Vendor": "Recorded Future", 
            "Description": "Score above 94"
        }, 
        "Name": "obfuscated.com", 
        "RecordedFuture": {
            "FirstSeen": "2016-09-16T21:06:34.240Z", 
            "Criticality": "Very Malicious", 
            "LastSeen": "2019-02-03T16:09:03.653Z"
        }
    }
}
Human Readable Output

image

10. Get vulnerability threats


Returns vulnerability threats from Recorded Future.

Base Command

recorded-future-get-threats-vulnerabilities

Input
Argument Name Description Required
limit Number of results to return Optional
risk_lower Minimum threshold score to return results for Optional
risk_higher Maximum threshold score to return results for Optional
detailed If true, fetches evidence details. Evidence is a record that is generated if any of the risk rules in Recorded Future is triggered. Optional
orderby Category to sort by Optional
direction Sort direction Optional

Context Output
Path Type Description
CVE.ID string Vulnerability CVE ID
CVE.RecordedFuture.Criticality string CVE criticality label
CVE.RecordedFuture.FirstSeen date Risk first seen timestamp
CVE.RecordedFuture.LastSeen date Risk last seen timestamp

Command Example
!recorded-future-get-threats-vulnerabilities detailed=true
Context Example
{
    "CVE": {
        "ID": "CVE-2017-0147", 
        "RecordedFuture": {
            "FirstSeen": "2017-03-14T16:59:26.413Z", 
            "Criticality": "Very Critical", 
            "LastSeen": "2019-02-03T17:19:59.183Z"
        }
    }
}
Human Readable Output

image

11. Get the domain risk list


Gets the domain risk list as a CSV file from Recorded Future.

Base Command

recorded-future-get-domain-risklist

Input
Argument Name Description Required
list Specify a domain list by a risk rule name, which can be retrieved with the recorded-future-get-domain-riskrules command. Optional

Context Output
Path Type Description
InfoFile.Name string File name
InfoFile.EntryID string The EntryID of the file
InfoFile.Size number File size
InfoFile.Type string File type, e.g., “PE”
InfoFile.Info string Basic information of the file
InfoFile.Extension string File extension

Command Example
!recorded-future-get-domain-risklist list=historicalThreatListMembership
Context Example
{
    "InfoFile": {
        "Info": "text/csv; charset=utf-8", 
        "Name": "domain_risk_list.csv", 
        "Extension": "csv", 
        "EntryID": "72047@cc00e449-9e7b-4609-8a68-1c8c01114562", 
        "Type": "ASCII text, with very long lines\n", 
        "Size": 2803398
    }
}
Human Readable Output

image

12. Get the URL risk list


Gets the URL risk list as a CSV file from Recorded Future.

Base Command

recorded-future-get-url-risklist

Input
Argument Name Description Required
list Specify a URL list by a risk rule name, which can be retrieved from the get-url-riskrules command. Optional

Context Output
Path Type Description
InfoFile.Name string File name
InfoFile.EntryID string The EntryID of the file
InfoFile.Size number File size
InfoFile.Type string File type, e.g., “PE”
InfoFile.Info string Basic information of the file
InfoFile.Extension string File extension

Command Example
!recorded-future-get-url-risklist list=ransomwareDistribution
Context Example
{
    "InfoFile": {
        "Info": "text/csv; charset=utf-8", 
        "Name": "url_risk_list.csv", 
        "Extension": "csv", 
        "EntryID": "72055@cc00e449-9e7b-4609-8a68-1c8c01114562", 
        "Type": "ASCII text, with very long lines\n", 
        "Size": 2990
    }
}
Human Readable Output

image

13. Get the IP address risk list


Gets the IP risk list as a CSV file from Recorded Future.

Base Command

recorded-future-get-ip-risklist

Input
Argument Name Description Required
list Specify an IP list by a risk rule name, which can be retrieved from the get-ip-riskrules command. Optional

Context Output
Path Type Description
InfoFile.Name string File name
InfoFile.EntryID string The EntryID of the file
InfoFile.Size number File size
InfoFile.Type string File type, e.g., “PE”
InfoFile.Info string Basic information of the file
InfoFile.Extension string File extension

Command Example
!recorded-future-get-ip-risklist list=malwareDelivery
Context Example
{
    "InfoFile": {
        "Info": "text/csv; charset=utf-8", 
        "Name": "ip_risk_list.csv", 
        "Extension": "csv", 
        "EntryID": "72063@cc00e449-9e7b-4609-8a68-1c8c01114562", 
        "Type": "UTF-8 Unicode text, with very long lines\n", 
        "Size": 254932
    }
}
Human Readable Output

image

14. Get the vulnerability risk list


Gets the vulnerability (CVE) risk list from Recorded Future.

Base Command

recorded-future-get-vulnerability-risklist

Input
Argument Name Description Required
list Specify a vulnerability list by a risk rule name, which can be retrieved from the get-vulnerability-riskrules command. Optional

Context Output
Path Type Description
InfoFile.Name string File name
InfoFile.EntryID string File entry ID
InfoFile.Size number File size
InfoFile.Type string File type, e.g., “PE”
InfoFile.Info string Basic information of the file
InfoFile.Extension string File extension

Command Example
!recorded-future-get-vulnerability-risklist list=cyberSignalCritical
Context Example
{
    "InfoFile": {
        "Info": "text/csv; charset=utf-8", 
        "Name": "cve_risk_list.csv", 
        "Extension": "csv", 
        "EntryID": "72073@cc00e449-9e7b-4609-8a68-1c8c01114562", 
        "Type": "UTF-8 Unicode text, with very long lines\n", 
        "Size": 3611
    }
}
Human Readable Output

image

15. Get the hash risk list


Gets the hash risk list from Recorded Future.

Base Command

recorded-future-get-hash-risklist

Input
Argument Name Description Required
list Specify a hash list by a risk rule name, which can be retrieved with the recorded-future-get-hash-riskrules command. Optional

Context Output
Path Type Description
InfoFile.Name string File name
InfoFile.EntryID string File entry ID
InfoFile.Size number File size
InfoFile.Type string File type, e.g., “PE”
InfoFile.Info string Basic information of the file
InfoFile.Extension string File extension

Command Example
!recorded-future-get-hash-risklist list=historicalThreatListMembership
Context Example
{
    "InfoFile": {
        "Info": "text/csv; charset=utf-8", 
        "Name": "hash_list.csv", 
        "Extension": "csv", 
        "EntryID": "72081@cc00e449-9e7b-4609-8a68-1c8c01114562", 
        "Type": "ASCII text, with very long lines\n", 
        "Size": 8995
    }
}
Human Readable Output

image

16. Get the domain risk rules


Gets the risk rules for domain data.

Base Command

recorded-future-get-domain-riskrules

Input

There are no input arguments for this command.

Context Output
Path Type Description
RecordedFuture.RiskRule.Domain.Name string Risk rule name
RecordedFuture.RiskRule.Domain.Description string Risk rule description
RecordedFuture.RiskRule.Domain.Count number Risk rule indicator count
RecordedFuture.RiskRule.Domain.Criticality string Risk rule criticality

Command Example
!recorded-future-get-domain-riskrules
Context Example
{
    "RecordedFuture": {
        "RiskRule": {
            "Domain": [
                {
                    "Count": 1263174, 
                    "Description": "Linked to Cyber Attack", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToCyberAttack"
                }, 
                {
                    "Count": 118450670, 
                    "Description": "Linked to Malware", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToMalware"
                }, 
                {
                    "Count": 1542009, 
                    "Description": "Linked to Attack Vector", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToVector"
                }, 
                {
                    "Count": 342012, 
                    "Description": "Linked to Vulnerability", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToVuln"
                }, 
                {
                    "Count": 2615, 
                    "Description": "Malware SSL Certificate Fingerprint", 
                    "Criticality": "Malicious", 
                    "Name": "malwareSsl"
                }, 
                {
                    "Count": 171016408, 
                    "Description": "Positive Malware Verdict", 
                    "Criticality": "Malicious", 
                    "Name": "positiveMalwareVerdict"
                }, 
                {
                    "Count": 48382, 
                    "Description": "Threat Researcher", 
                    "Criticality": "Unusual", 
                    "Name": "threatResearcher"
                }, 
                {
                    "Count": 2136, 
                    "Description": "Reported by Insikt Group", 
                    "Criticality": "Unusual", 
                    "Name": "analystNote"
                }, 
                {
                    "Count": 5, 
                    "Description": "Trending in Recorded Future Analyst Community", 
                    "Criticality": "Unusual", 
                    "Name": "rfTrending"
                }, 
                {
                    "Count": 1018, 
                    "Description": "Historically Reported in Threat List", 
                    "Criticality": "Unusual", 
                    "Name": "historicalThreatListMembership"
                }
            ]
        }
    }
}
Human Readable Output

image

17. Get the hash risk rules


Gets the risk rules for hash data.

Base Command

recorded-future-get-hash-riskrules

Input

There are no input arguments for this command.

Context Output
Path Type Description
RecordedFuture.RiskRule.Hash.Name string Risk rule name
RecordedFuture.RiskRule.Hash.Description string Risk rule description
RecordedFuture.RiskRule.Hash.Count number Risk rule indicator count
RecordedFuture.RiskRule.Hash.Criticality string Risk rule criticality

Command Example
!recorded-future-get-hash-riskrules
Context Example
{
    "RecordedFuture": {
        "RiskRule": {
            "Hash": [
                {
                    "Count": 1263174, 
                    "Description": "Linked to Cyber Attack", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToCyberAttack"
                }, 
                {
                    "Count": 118449991, 
                    "Description": "Linked to Malware", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToMalware"
                }, 
                {
                    "Count": 1542002, 
                    "Description": "Linked to Attack Vector", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToVector"
                }, 
                {
                    "Count": 342012, 
                    "Description": "Linked to Vulnerability", 
                    "Criticality": "Suspicious", 
                    "Name": "linkedToVuln"
                }, 
                {
                    "Count": 2615, 
                    "Description": "Malware SSL Certificate Fingerprint", 
                    "Criticality": "Malicious", 
                    "Name": "malwareSsl"
                }, 
                {
                    "Count": 171015323, 
                    "Description": "Positive Malware Verdict", 
                    "Criticality": "Malicious", 
                    "Name": "positiveMalwareVerdict"
                }, 
                {
                    "Count": 48382, 
                    "Description": "Threat Researcher", 
                    "Criticality": "Unusual", 
                    "Name": "threatResearcher"
                }, 
                {
                    "Count": 2136, 
                    "Description": "Reported by Insikt Group", 
                    "Criticality": "Unusual", 
                    "Name": "analystNote"
                }, 
                {
                    "Count": 5, 
                    "Description": "Trending in Recorded Future Analyst Community", 
                    "Criticality": "Unusual", 
                    "Name": "rfTrending"
                }, 
                {
                    "Count": 1018, 
                    "Description": "Historically Reported in Threat List", 
                    "Criticality": "Unusual", 
                    "Name": "historicalThreatListMembership"
                }
            ]
        }
    }
}
Human Readable Output


18. Get the IP address risk rules


Gets the risk rules for IP data.

Base Command

recorded-future-get-ip-riskrules

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.RiskRule.IP.Name | string | Risk rule name |
| RecordedFuture.RiskRule.IP.Description | string | Risk rule description |
| RecordedFuture.RiskRule.IP.Count | number | Risk rule indicator count |
| RecordedFuture.RiskRule.IP.Criticality | string | Risk rule criticality |

Command Example
!recorded-future-get-ip-riskrules
Context Example
{
    "RecordedFuture": {
        "RiskRule": {
            "IP": [
                {
                    "Count": 1187, 
                    "Description": "Recently Defaced Site", 
                    "Criticality": "Suspicious", 
                    "Name": "recentlyDefaced"
                }, 
                {
                    "Count": 233465, 
                    "Description": "Historically Reported by DHS AIS", 
                    "Criticality": "Unusual", 
                    "Name": "dhsAis"
                }, 
                {
                    "Count": 76, 
                    "Description": "Recently Reported by DHS AIS", 
                    "Criticality": "Suspicious", 
                    "Name": "recentDhsAis"
                }, 
                {
                    "Count": 65391, 
                    "Description": "Historical Botnet Traffic", 
                    "Criticality": "Unusual", 
                    "Name": "botnet"
                },  ...
Human Readable Output


19. Get the URL risk rules


Gets the risk rules for URL data.

Base Command

recorded-future-get-url-riskrules

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.RiskRule.URL.Name | string | Risk rule name |
| RecordedFuture.RiskRule.URL.Description | string | Risk rule description |
| RecordedFuture.RiskRule.URL.Count | number | Risk rule indicator count |
| RecordedFuture.RiskRule.URL.Criticality | string | Risk rule criticality |

Command Example
!recorded-future-get-url-riskrules
Context Example
{
    "RecordedFuture": {
        "RiskRule": {
            "URL": [
                {
                    "Count": 151947, 
                    "Description": "Historically Reported as a Defanged URL", 
                    "Criticality": "Suspicious", 
                    "Name": "defangedURL"
                }, 
                {
                    "Count": 2389, 
                    "Description": "Recently Reported as a Defanged URL", 
                    "Criticality": "Malicious", 
                    "Name": "recentDefangedURL"
                }, 
                {
                    "Count": 2242, 
                    "Description": "Compromised URL", 
                    "Criticality": "Malicious", 
                    "Name": "compromisedUrl"
                }, 
                {
                    "Count": 2259, 
                    "Description": "Active Phishing URL", 
                    "Criticality": "Malicious", 
                    "Name": "phishingUrl"
                }, 
                {
                    "Count": 88, 
                    "Description": "C&C URL", 
                    "Criticality": "Very Malicious", 
                    "Name": "cncUrl"
                }, 
                {
                    "Count": 9, 
                    "Description": "Ransomware Distribution URL", 
                    "Criticality": "Very Malicious", 
                    "Name": "ransomwareDistribution"
                }, 
                {
                    "Count": 176069, 
                    "Description": "Historically Reported in Threat List", 
                    "Criticality": "Unusual", 
                    "Name": "historicalThreatListMembership"
                }
            ]
        }
    }
}
Human Readable Output


20. Get the vulnerability risk rules


Gets the risk rules for vulnerability data.

Base Command

recorded-future-get-vulnerability-riskrules

Input

There are no input arguments for this command.

Context Output
| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.RiskRule.Vulnerability.Name | string | Risk rule name |
| RecordedFuture.RiskRule.Vulnerability.Description | string | Risk rule description |
| RecordedFuture.RiskRule.Vulnerability.Count | number | Risk rule indicator count |
| RecordedFuture.RiskRule.Vulnerability.Criticality | string | Risk rule criticality |

Command Example
!recorded-future-get-vulnerability-riskrules
Context Example
{
    "RecordedFuture": {
        "RiskRule": {
            "Vulnerability": [
                {
                    "Count": 1, 
                    "Description": "Cyber Exploit Signal: Critical", 
                    "Criticality": "Critical", 
                    "Name": "cyberSignalCritical"
                }, 
                {
                    "Count": 4, 
                    "Description": "Cyber Exploit Signal: Important", 
                    "Criticality": "High", 
                    "Name": "cyberSignalHigh"
                }, 
                {
                    "Count": 105, 
                    "Description": "Cyber Exploit Signal: Medium", 
                    "Criticality": "Medium", 
                    "Name": "cyberSignalMedium"
                }, 
                {
                    "Count": 22203, 
                    "Description": "Linked to Historical Cyber Exploit", 
                    "Criticality": "Low", 
                    "Name": "linkedToCyberExploit"
                },  ...
Human Readable Output


21. Get a list of alert rules


Gets Recorded Future alert rules.

Base Command

recorded-future-get-alert-rules

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| rule_name | Rule name to search, can be a partial name | Optional |
| limit | Number of rules to return | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.AlertRule.ID | string | Alert rule ID |
| RecordedFuture.AlertRule.Name | string | Alert rule name |

Command Example
!recorded-future-get-alert-rules rule_name="Global Trends"
Context Example
{
    "RecordedFuture": {
        "AlertRule": [
            {
                "ID": "Y8wa3G", 
                "Name": "Global Trends, Trending Vulnerabilities"
            }, 
            {
                "ID": "Y8wa3F", 
                "Name": "Global Trends, Trending Attackers"
            }
        ]
    }
}
Human Readable Output


22. Get a list of alerts


Gets alerts from Recorded Future.

Base Command

recorded-future-get-alerts

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | Alert rule ID | Optional |
| limit | Number of alerts to return | Optional |
| triggered_time | Alert triggered time, e.g., "1 hour" or "2 days" | Optional |
| assignee | Alert assignee's email address | Optional |
| status | Alert review status | Optional |
| freetext | Free text search | Optional |
| offset | Alerts from offset | Optional |
| orderby | Alerts sort order | Optional |
| direction | Alerts sort direction | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| RecordedFuture.Alert.ID | string | Alert ID |
| RecordedFuture.Alert.Name | string | Alert name |
| RecordedFuture.Alert.Type | string | Alert type |
| RecordedFuture.Alert.Triggered | date | Alert triggered time |
| RecordedFuture.Alert.Status | string | Alert status |
| RecordedFuture.Alert.Assignee | string | Alert assignee |
| RecordedFuture.Alert.Rule | string | Alert rule name |

Command Example
!recorded-future-get-alerts triggered_time="24 hours"
Context Example
{
    "RecordedFuture": {
        "Alert": [
            {
                "Status": "no-action", 
                "Name": "DJIA Cyber - New references in 10 documents", 
                "Triggered": "2019-02-04T10:06:28.619Z", 
                "Rule": "DJIA Cyber", 
                "Assignee": null, 
                "Type": "EVENT", 
                "ID": "Y_7dPz"
            }, 
            {
                "Status": "no-action", 
                "Name": "DJIA Cyber - New references in 6 documents", 
                "Triggered": "2019-02-04T06:06:59.791Z", 
                "Rule": "DJIA Cyber", 
                "Assignee": null, 
                "Type": "EVENT", 
                "ID": "Y_zJEj"
            }, 
            {
                "Status": "no-action", 
                "Name": "DJIA Cyber - New references in 1 document", 
                "Triggered": "2019-02-04T02:05:50.210Z", 
                "Rule": "DJIA Cyber", 
                "Assignee": null, 
                "Type": "EVENT", 
                "ID": "Y_s-Pu"
            }, 
            {
                "Status": "no-action", 
                "Name": "DJIA Cyber - New references in 12 documents", 
                "Triggered": "2019-02-03T22:05:45.377Z", 
                "Rule": "DJIA Cyber", 
                "Assignee": null, 
                "Type": "EVENT", 
                "ID": "Y_lnjO"
            }, 
            {
                "Status": "no-action", 
                "Name": "DJIA Cyber - New references in 11 documents", 
                "Triggered": "2019-02-03T18:05:36.142Z", 
                "Rule": "DJIA Cyber", 
                "Assignee": null, 
                "Type": "EVENT", 
                "ID": "Y_esMY"
            }, 
            {
                "Status": "no-action", 
                "Name": "DJIA Cyber - New references in 8 documents", 
                "Triggered": "2019-02-03T14:05:21.965Z", 
                "Rule": "DJIA Cyber", 
                "Assignee": null, 
                "Type": "EVENT", 
                "ID": "Y_X-vd"
            }
        ]
    }
}
Human Readable Output


Additional Information


Important notes regarding Risk Lists:

The risk list commands are wrapped by the following scripts:
RecordedFutureDomainRiskList
RecordedFutureHashRiskList
RecordedFutureIPRiskList
RecordedFutureURLRiskList
RecordedFutureVulnerabilityRiskList
These scripts provide the same functionality and additionally create indicators in Demisto, with the option to specify a threshold and to delete the existing indicators first. Note that the delete option removes ALL malicious Recorded Future indicators of that type.

The lists are updated in Recorded Future every hour. Avoid executing the risk list commands and scripts frequently, as each run is costly in API credits. A good practice is to schedule a job that executes the scripts once a day or on a similar timeframe. For more information, see the Recorded Future documentation.

The lists contain a large number of indicators, so extracting them into Demisto might take a while. It is possible to specify a risk rule in order to extract a specific list.
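As an added example (not part of the integration or of Recorded Future's own code), the following Python script ranks the risk rules returned by the riskrules commands above by criticality and indicator count, so that a scheduled job can hand a single high-criticality rule name to the risk list script instead of extracting an entire list. The criticality ordering, the indicator budget and the sample context are constructed assumptions based on the values shown on this page.

```python
# Added example (not part of the integration): rank the risk rules returned by the
# recorded-future-get-<type>-riskrules commands so that a scheduled job can pass one
# high-criticality rule name to the RecordedFuture<Type>RiskList script instead of
# extracting a whole list. The ranking and the sample context are constructed.

# Assumed ordering, least to most severe, of the criticality values seen on this page.
CRITICALITY_RANK = {
    "Unusual": 1, "Low": 1, "Suspicious": 2, "Medium": 2,
    "Malicious": 3, "High": 3, "Very Malicious": 4, "Critical": 4,
}

# Constructed sample in the shape of the RecordedFuture.RiskRule.URL context above.
SAMPLE_CONTEXT = {"RecordedFuture": {"RiskRule": {"URL": [
    {"Name": "defangedURL", "Criticality": "Suspicious", "Count": 151947},
    {"Name": "recentDefangedURL", "Criticality": "Malicious", "Count": 2389},
    {"Name": "compromisedUrl", "Criticality": "Malicious", "Count": 2242},
    {"Name": "phishingUrl", "Criticality": "Malicious", "Count": 2259},
    {"Name": "cncUrl", "Criticality": "Very Malicious", "Count": 88},
    {"Name": "ransomwareDistribution", "Criticality": "Very Malicious", "Count": 9},
    {"Name": "historicalThreatListMembership", "Criticality": "Unusual",
     "Count": 176069},
]}}}


def select_risk_rules(context, ioc_type, min_criticality="Malicious",
                      max_indicators=50000):
    """Return rule names at or above min_criticality whose indicator count fits the
    budget, most severe and smallest list first. Unknown criticalities rank lowest."""
    rules = context.get("RecordedFuture", {}).get("RiskRule", {}).get(ioc_type, [])
    floor = CRITICALITY_RANK[min_criticality]
    chosen = [r for r in rules
              if CRITICALITY_RANK.get(r.get("Criticality"), 0) >= floor
              and r.get("Count", 0) <= max_indicators]
    chosen.sort(key=lambda r: (-CRITICALITY_RANK[r["Criticality"]], r["Count"]))
    return [r["Name"] for r in chosen]


def estimate_indicators(context, ioc_type, rule_names):
    """Upper bound on the indicators that extracting the named lists would create."""
    rules = context.get("RecordedFuture", {}).get("RiskRule", {}).get(ioc_type, [])
    return sum(r["Count"] for r in rules if r["Name"] in rule_names)


if __name__ == "__main__":
    names = select_risk_rules(SAMPLE_CONTEXT, "URL")
    print(names, estimate_indicators(SAMPLE_CONTEXT, "URL", names))
```

Each returned name can be passed as the risk rule argument of the matching risk list script; the indicator estimate shows how many indicators that run may create before it is scheduled.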

Important notes regarding Alerts:

The integration fetches alerts from Recorded Future, which are generated by predefined alert rules.
If no rule names are specified, all alerts are fetched. Note, however, that each fetched alert costs 1 API credit, so fetching many alerts frequently can exhaust the credits. A good practice is to specify alert rules, or to make sure that not too many alerts are fetched each time.

Known Limitations


The Recorded Future API enforces a quota.

For alerts, see the quota table on the Recorded Future support site.