Recorded Future
Version: 1.3.0
Recorded Future is the world's largest intelligence company with complete coverage across adversaries, infrastructure, and targets.
Connect Recorded Future with Logichub
- Navigate to Automations > Integrations.
- Search for Recorded Future.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- X-RFToken: X-RFToken for the Recorded Future API.
- After you've entered all the details, click Connect.
Search Playbook Alert
Searches for Playbook Alerts based on filtering conditions supplied in the body. Not specifying a filter for a property means the filter will match a Playbook Alert regardless of the property's value. Only Playbook Alerts matching all specified criteria are included in the response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Filters | Jinja-templated JSON containing the filters. Example: '{"from": 0,"limit": 100,"order_by": "created","direction": "asc","entity": ["idn:mail.google.mail.pl"],"statuses": ["New"]}' | Optional |
Output
JSON containing the following items:
{
"data":[
{
"playbook_alert_id":"task:dasdf-768c-asdf-9c50-1asdfe725",
"created":"2022-06-18T15:53:17.000Z",
"updated":"2022-06-18T16:10:00.316Z",
"status":"New",
"category":"domain_abuse",
"priority":"Informational",
"title":"XYZ",
"owner_id":"ABC",
"owner_name":"CNNAME",
"organisation_id":"uhash:asdf",
"organisation_name":"CNANAME",
"owner_organisation_details":{
"organisations":[
{
"organisation_id":"uhash:6asdf",
"organisation_name":"CNANAME"
}
],
"enterprise_id":"uhash:random_id",
"enterprise_name":"random name"
}
}
],
"has_error":false,
"error":null,
"status":{
"status_code":"Ok",
"status_message":"Playbook alert search successful"
},
"counts":{
"returned":1,
"total":1
}
}
Bulk Domain Abuse Alert Lookup
Perform a detailed lookup of data panels for several alerts at once.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Ids | Jinja-templated text containing the comma seperated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status":{
"status_code":"Ok",
"status_message":"Playbook alert bulk lookup successful."
},
"data":[
{
"playbook_alert_id":"task:asdf-0asdff228",
"panel_status":{
"entity_id":"idn:asdf.org",
"entity_name":"asdf.org",
"entity_criticality":"0",
"risk_score":0,
"context_list":[
],
"targets":[
],
"status":"New",
"priority":"Informational",
"created":"2022-06-02T00:40:45.993Z",
"updated":"2023-01-20T00:22:11.114Z",
"case_rule_id":"report:asdfE",
"case_rule_label":"Domain Abuse",
"owner_id":"uhash:asdf",
"owner_name":"qwer",
"organisation_id":"uhash:asdf",
"organisation_name":"qwer",
"owner_organisation_details":{
"organisations":[
{
"organisation_id":"uhash:6asdf",
"organisation_name":"qwer"
}
],
"enterprise_id":"uhash:asdf",
"enterprise_name":"qwer"
}
},
"panel_action":[
],
"panel_evidence_summary":{
"explanation":"Alert was created as a result of a match in the similar domains query",
"resolved_record_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":26,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"screenshots":[
{
"description":"An image associated with the Playbook Alert",
"image_id":"img:asdf86772easdf2c1c",
"created":"2022-08-01T00:43:57.015Z"
}
]
},
"panel_evidence_dns":{
"ip_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":25,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"mx_list":[
],
"ns_list":[
]
},
"panel_evidence_whois":{
"body":[
{
"provider":"asdf",
"entity":"idn:asdf.org",
"attribute":"attr:whois",
"value":{
"privateRegistration":false,
"status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
"nameServers":[
"idn:asdf.com"
],
"registrarName":"asdf, LLC",
"createdDate":"2021-01-20T00:00:00.000Z"
},
"added":"2023-01-20T00:22:10.947Z"
}
]
},
"panel_log":[
{
"id":"uuid:asdfdcc3-4236-9f04asdf74b",
"created":"2022-06-02T00:47:27.619Z",
"modified":"2022-06-02T00:47:27.619Z",
"action_priority":"Informational",
"context":{
"type":"domain_abuse",
"changes":[
{
"domain":"idn:asdf.org",
"new":{
"status":"",
"private_registration":true,
"name_servers":[
"idn:asdf.com"
],
"contact_email":"email:[email protected]",
"created":"2021-01-20T00:00:00.000Z"
},
"removed_contacts":[
],
"added_contacts":[
{
"type":"administrativeContact",
"telephone":"REDACTED FOR PRIVACY",
"street1":"REDACTED FOR PRIVACY",
"state":"REDACTED FOR PRIVACY",
"postal_code":"REDACTED FOR PRIVACY",
"organization":"REDACTED FOR PRIVACY",
"name":"REDACTED FOR PRIVACY",
"country":"REDACTED FOR PRIVACY",
"city":"REDACTED FOR PRIVACY"
}
],
"type":"whois_change"
}
]
}
}
]
}
],
"error":null,
"has_error":false
}
Detail Domain Abuse Alert Data
Retrieve detailed information about a Domain Abuse Playbook Alert with data grouped into UI-ready panels.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status":{
"status_code":"Ok",
"status_message":"Playbook alert single lookup successful."
},
"data":{
"playbook_alert_id":"task:asdf-0asdff228",
"panel_status":{
"entity_id":"idn:asdf.org",
"entity_name":"asdf.org",
"entity_criticality":"0",
"risk_score":0,
"context_list":[
],
"targets":[
],
"status":"New",
"priority":"Informational",
"created":"2022-06-02T00:40:45.993Z",
"updated":"2023-01-20T00:22:11.114Z",
"case_rule_id":"report:asdfE",
"case_rule_label":"Domain Abuse",
"owner_id":"uhash:asdf",
"owner_name":"qwer",
"organisation_id":"uhash:asdf",
"organisation_name":"qwer",
"owner_organisation_details":{
"organisations":[
{
"organisation_id":"uhash:6asdf",
"organisation_name":"qwer"
}
],
"enterprise_id":"uhash:asdf",
"enterprise_name":"qwer"
}
},
"panel_action":[
],
"panel_evidence_summary":{
"explanation":"Alert was created as a result of a match in the similar domains query",
"resolved_record_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":26,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"screenshots":[
{
"description":"An image associated with the Playbook Alert",
"image_id":"img:asdf86772easdf2c1c",
"created":"2022-08-01T00:43:57.015Z"
}
]
},
"panel_evidence_dns":{
"ip_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":25,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"mx_list":[
],
"ns_list":[
]
},
"panel_evidence_whois":{
"body":[
{
"provider":"asdf",
"entity":"idn:asdf.org",
"attribute":"attr:whois",
"value":{
"privateRegistration":false,
"status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
"nameServers":[
"idn:asdf.com"
],
"registrarName":"asdf, LLC",
"createdDate":"2021-01-20T00:00:00.000Z"
},
"added":"2023-01-20T00:22:10.947Z"
}
]
},
"panel_log":[
{
"id":"uuid:asdfdcc3-4236-9f04asdf74b",
"created":"2022-06-02T00:47:27.619Z",
"modified":"2022-06-02T00:47:27.619Z",
"action_priority":"Informational",
"context":{
"type":"domain_abuse",
"changes":[
{
"domain":"idn:asdf.org",
"new":{
"status":"",
"private_registration":true,
"name_servers":[
"idn:asdf.com"
],
"contact_email":"email:[email protected]",
"created":"2021-01-20T00:00:00.000Z"
},
"removed_contacts":[
],
"added_contacts":[
{
"type":"administrativeContact",
"telephone":"REDACTED FOR PRIVACY",
"street1":"REDACTED FOR PRIVACY",
"state":"REDACTED FOR PRIVACY",
"postal_code":"REDACTED FOR PRIVACY",
"organization":"REDACTED FOR PRIVACY",
"name":"REDACTED FOR PRIVACY",
"country":"REDACTED FOR PRIVACY",
"city":"REDACTED FOR PRIVACY"
}
],
"type":"whois_change"
}
]
}
}
]
},
"error":null,
"has_error":false
}
Screenshot Related to Domain Abuse Alert
Fetch a screenshot associated with the Domain Abuse alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
| Image Id | Jinja-templated text containing the image Id. Example: 'img:404basdf-4f23-438c-a27c-aa675asdfda0' | Required |
Output
JSON containing the following items:
{
"result"{
"lhub_file_id": "aiuwehoifsubvixcvuhpoaf"
},
"error":null,
"has_error":false
}
Get Incident Reports
Provides an exposure incident report for a single malware log.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated text containing the body for the recorded future API. Example: 'string' | Required |
Output
JSON containing the following items:
{
"count": 0,
"count_relation": "Equals",
"has_error": false,
"error": null,
"details": {},
"credentials": []
}
Lookup Password for Exposure
Lookup password for exposure.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body for the recorded future API. Example: '{"passwords": [{"algorithm": "SHA1","hash": "string"}]}' | Required |
Output
JSON containing the following items:
{
"results": [
{
"password": {
"algorithm": "SHA1",
"hash": "string"
},
"exposure_status": "NeverExposed"
}
],
"error": null,
"has_error": false
}
Search Credentials Data
Search credentials data for a set of domains.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body for the recorded future API. Example: '{"limit": 3}' | Optional |
Output
JSON containing the following items:
{
"identities": [],
"count": 0,
"error": null,
"has_error": false
}
Malware Family Statistics
Returns malware family statistics.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body for the recorded future API. Example: '{"limit": 1}' | Required |
Output
JSON containing the following items:
{
"malware_families": [
"ABC",
"XYZ",
"QWE"
],
"error": null,
"has_error": false
}
Lookup Credentials Data
Lookup credentials data for a set of subjects.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body for the recorded future API. Example: '{"subjects": ["[email protected]"]}' | Required |
Output
JSON containing the following items:
{
"identities": [],
"count": 0,
"error": null,
"has_error": false
}
Search Dump Metadata
Search dump metadata for given names.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body for the recorded future API. Example: '{"names": ["string"],"limit": 0}' | Required |
Output
JSON containing the following items:
{
"dumps": [],
"error": null,
"has_error": false
}
Search IP
Search for IP address using a variety of filters.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Filter | Jinja-templated JSON containing the filters for the recorded future IP Search API. Check : https://api.recordedfuture.com/v2/#!/IP/IP_Address_Search. Example: '{"fields": "analystNotes,counts,intelCard", "metadata": "true", "limit": 10}'. | Required |
Output
JSON containing the following items:
{
"data":{
"results":[
"counts":[{"date":"2023-11-27","count":3}],
"intelCard":"https://app.recordedfuture.com/live/sc/entity/ip%3A20.81.157.149",
"analystNotes":[]
],
"metadata":{
"entries":{
"key":"results",
"label":"Results",
"type":"list"
}
}
"has_error":false
"error":null
}
Search URL
Search for Url address using a variety of filters.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Filter | Jinja-templated JSON containing the filters for the recorded future URL Search API. Example: '{"freetext": "text", "fields": "analystNotes,counts,intelCard", "metadata": "true", "limit": 10}'. Check : https://api.recordedfuture.com/v2/#!/URL/URL_Search. | Required |
Output
JSON containing the following items:
{
"data":{
"results":[
"counts":[{
"date":"2023-11-27",
"count":3
}],
"attributes":{
"validated_on":"2018-10-15T16:00:00.000Z"
},
"source":{
"id":"source:VKz42X",
"name":"Test Group",
"type" ...
},
"id":"XygRjY"
],
"metadata":{
"entries":{
"key":"results",
"label":"Results",
"type":"list"
}
}
"has_error":false
"error":null
}
Search Hash
Search for Hash address using a variety of filters.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Filter | Jinja-templated JSON containing the filters for the recorded future Hash Search API. Check : https://api.recordedfuture.com/v2/#!/Hash/Hash_Search. Example: '{"fields": "analystNotes,counts,intelCard", "metadata": "true", "limit": 10}'. | Required |
Output
JSON containing the following items:
{
"data":{
"results":[
"counts":[{
"date":"2023-11-27",
"count":3
}],
"intelCard":"https://app.recordedfuture.com/live/sc/entity/hash%3A1a927e5be8c58da1fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd",
"analystNotes":[]
],
"metadata":{
"entries":{
"key":"results",
"label":"Results",
"type":"list"
}
}
"has_error":false
"error":null
}
Check IP
Retrieve information about an IP address.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| IP Address | Jinja-templated Text containing the IP Address | Required |
| Filter | Jinja-templated Filters for the recorded future ip search API. E.g 'fields=risk&metadata=false&taggedText=false' | Required |
Output
JSON containing the following items:
{
"data":{
"results":{
"risk":{
"criticalityLabel": "Unusual",
"riskString": 1/71,
"rules":1,
"criticality":1,
"riskSummary":"1 of 71 Risk Rules currently observed.",
"score":5
}
}
"has_error":false
"error":null
}
Check Hash
Retrieve information about a Hash.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Hash | Jinja-templated Text containing the Hash | Required |
| Filter | Jinja-templated Filters for the recorded future hash search API. E.g 'fields=risk&metadata=false&taggedText=false' | Required |
Output
JSON containing the following items:
{
"data":{
"results":{
"risk":{
"criticalityLabel": "Malicious",
"riskString": 1/71,
"rules":1,
"criticality":1,
"riskSummary":"1 of 71 Risk Rules currently observed.",
"score":5
}
}
"has_error":false
"error":null
}
Check Domain
Retrieve information about a Domain.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Domain | Jinja-templated Text containing the Domain | Required |
| Filter | Jinja-templated Filters for the recorded future domain search API. E.g 'fields=risk&metadata=false&taggedText=false' | Required |
Output
JSON containing the following items:
{
"data":{
"results":{
"traceId":"624b58c3-32bf-47e7-94e8-cf7f40df5e"
}
"has_error":false
"error":null
}
Check URL
Retrieve information about a URL.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| URL | Jinja-templated Text containing the URL | Required |
| Filter | Jinja-templated Filters for the recorded future url search API. E.g 'fields=risk&metadata=false&taggedText=false' | Required |
Output
JSON containing the following items:
{
"data":{
"results":{
"traceId":"624b58c3-32bf-47e7-94e8-cf7f40df5e"
}
"has_error":false
"error":null
}
Identity Novel Exposures Bulk
Perform a detailed lookup of data panels for several Identity Novel Exposures alerts at once.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Ids | Jinja-templated text containing the comma seperated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status": {
"status_code": "Ok",
"status_message": "Playbook alert single lookup successful."
},
"data": [{
"playbook_alert_id": "task:fc441-b017-42a6-b8a4-0adad126541c",
"panel_status": {
"status": "New",
"priority": "Moderate",
"created": "2023-10-04T07:10:45.461Z",
"updated": "2023-10-04T07:11:25.705Z",
"case_rule_id": "report:p6nvD-",
"case_rule_label": "Cyber Vulnerability",
"owner_id": "uhash:09876",
"owner_name": "TEST",
"organisation_id": "uhash:test",
"organisation_name": "TEST",
"owner_organisation_details": {
"organisations": [
{
"organisation_id": "uhash:test",
"organisation_name": "TEST"
}
],
"enterprise_id": "uhash:test",
"enterprise_name": "TEST"
},
"entity_id": "rzl3",
"entity_name": "CVE3-35359",
"entity_criticality": "Medium",
"risk_score": 33,
"lifecycle_stage": "Exploit Likely",
"targets": [
{
"name": "Microsoft Windows Server 2019"
}
]
},
"panel_evidence_summary": {
"summary": {
"targets": [
{
"name": "Microsoft Windows Server 2019"
}
],
"lifecycle_stage": "Exploit Likely",
"risk_rules": [
{
"rule": "Likely Historical Exploit Development",
"description": "1 sighting on 1 source: CTCI Intelligence and Research. This vulnerability is flagged as likely to be exploited soon based on intelligence received on October 04, 2023."
}
]
},
"affected_products": [
{
"name": "Microsoft Windows 10 1607 10.0.14393.4169 on X86"
},
],
"insikt_notes": [
{
"id": "doc:tE6hDp",
"title": "Summary note for CVE-2023-35359",
"published": "2023-10-20T21:05:53.378Z",
"topic": "Informational",
"fragment": "Core impact has added this exploit to their toolset. Several criminal groups use pirated copies of the software. The intelligence was collected from publicly available sources. Naa. A public PoC was validated for this vulnerability. The Admiralty score was A1."
}
]
},
"panel_log": [
{
"id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
"created": "2023-10-04T07:11:25.705Z",
"modified": "2023-10-04T07:11:25.705Z",
"action_priority": "Moderate",
"context": {
"type": "cyber_vulnerability",
"changes": []
}
}
],
"panel_log_v2": [
{
"id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
"created": "2023-10-04T07:11:25.705Z",
"changes": []
}
]
}]
"has_error":false
"error":null
}
Identity Novel Exposures
Retrieve detailed information about a Identity Novel Exposures Playbook Alert with data grouped into UI-ready panels.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status": {
"status_code": "Ok",
"status_message": "Playbook alert single lookup successful."
},
"data": {
"playbook_alert_id": "task:fc441-b017-42a6-b8a4-0adad126541c",
"panel_status": {
"status": "New",
"priority": "Moderate",
"created": "2023-10-04T07:10:45.461Z",
"updated": "2023-10-04T07:11:25.705Z",
"case_rule_id": "report:p6nvD-",
"case_rule_label": "Cyber Vulnerability",
"owner_id": "uhash:09876",
"owner_name": "TEST",
"organisation_id": "uhash:test",
"organisation_name": "TEST",
"owner_organisation_details": {
"organisations": [
{
"organisation_id": "uhash:test",
"organisation_name": "TEST"
}
],
"enterprise_id": "uhash:test",
"enterprise_name": "TEST"
},
"entity_id": "rzl3",
"entity_name": "CVE3-35359",
"entity_criticality": "Medium",
"risk_score": 33,
"lifecycle_stage": "Exploit Likely",
"targets": [
{
"name": "Microsoft Windows Server 2019"
}
]
},
"panel_evidence_summary": {
"summary": {
"targets": [
{
"name": "Microsoft Windows Server 2019"
}
],
"lifecycle_stage": "Exploit Likely",
"risk_rules": [
{
"rule": "Likely Historical Exploit Development",
"description": "1 sighting on 1 source: CTCI Intelligence and Research. This vulnerability is flagged as likely to be exploited soon based on intelligence received on October 04, 2023."
}
]
},
"affected_products": [
{
"name": "Microsoft Windows 10 1607 10.0.14393.4169 on X86"
},
],
"insikt_notes": [
{
"id": "doc:tE6hDp",
"title": "Summary note for CVE-2023-35359",
"published": "2023-10-20T21:05:53.378Z",
"topic": "Informational",
"fragment": "Core impact has added this exploit to their toolset. Several criminal groups use pirated copies of the software. The intelligence was collected from publicly available sources. Naa. A public PoC was validated for this vulnerability. The Admiralty score was A1."
}
]
},
"panel_log": [
{
"id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
"created": "2023-10-04T07:11:25.705Z",
"modified": "2023-10-04T07:11:25.705Z",
"action_priority": "Moderate",
"context": {
"type": "cyber_vulnerability",
"changes": []
}
}
],
"panel_log_v2": [
{
"id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
"created": "2023-10-04T07:11:25.705Z",
"changes": []
}
]
}
"has_error":false,
"error":null
}
Code Repo Leakage Bulk
Perform a detailed lookup of data panels for several code repository leakage alerts at once.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Ids | Jinja-templated text containing the comma seperated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status": {
"status_code": "Ok",
"status_message": "Playbook alert bulk lookup successful."
},
"data": {
"playbook_alert_id": "task:cf201020-16e0-4b3b-a421-8afeaac12d43",
"panel_status": {
"status": "New",
"priority": "Moderate",
"assignee_name": "Name",
"assignee_id": "uhash:id",
"created": "2024-01-15T23:40:14.778Z",
"updated": "2024-01-15T23:42:48.231Z",
"case_rule_id": "report:id",
"case_rule_label": "Data Leakage on Code Repository",
"owner_id": "uhash:id",
"owner_name": "Name",
"organisation_id": "uhash:id",
"organisation_name": "Name",
"owner_organisation_details": {
"organisations": [
{
"organisation_id": "uhash:id",
"organisation_name": "Name"
}
],
"enterprise_id": "uhash:id",
"enterprise_name": "Name"
},
"entity_id": "url:https://github.com/SueMcMetzger/MachineLearning",
"entity_name": "https://github.com/SueMcMetzger/MachineLearning",
"entity_criticality": "",
"risk_score": 0,
"targets": [
{
"name": "Name Inc"
}
]
},
"panel_evidence_summary": {
"repository": {
"id": "url:https://github.com/SueMcMetzger/MachineLearning",
"name": "https://github.com/SueMcMetzger/MachineLearning",
"owner": {
"name": "SueMcMetzger"
}
},
"evidence": [
{
"assessments": [
{
"id": "attr:possibleKeyLeak",
"title": "Possible Key Leak",
"value": "env"
},
{
"id": "attr:watchListEntityMention",
"title": "Watch List Entity Mention",
"value": "Name Inc"
}
],
"targets": [
{
"name": "Name Inc"
}
],
"url": "https://github.com/SueMcMetzger/MachineLearning/commit/6dcf0c646d5",
"content": "comment",
"published": "2024-01-15T23:35:47.826Z"
}
]
},
"panel_log": [
{
"id": "uuid:id",
"created": "2024-01-15T23:42:08.135Z",
"modified": "2024-01-15T23:42:08.135Z",
"action_priority": "Moderate",
"context": {
"type": "code_repo_leakage",
"changes": [
{
"added": [
{
"assessments": [
{
"id": "attr:possibleKeyLeak",
"level": 2,
"title": "Possible Key Leak",
"text_indicator": "env"
},
{
"id": "attr:watchListEntityMention",
"level": 0,
"title": "Watch List Entity Mention",
"entity": "I3ZDfr"
}
],
"document_content": {
"id": "doc:uKG2Aq",
"tagged_content": "Tag content",
"content": "content",
"url": "url:url",
"owner": "WbzWXK",
"published": "2024-01-15T23:35:47.824Z"
},
"ontology": [
{
"path": [
{
"attribute": "attr:Event.entities",
"entity": "I3ZDfr"
},
{
"attribute": "attr:Entity.lists",
"entity": "report:dfeB3b"
}
]
}
],
"target_entities": [
"I3ZDfr"
],
"watch_lists": [
"report:dfeB3b"
]
}
],
"type": "evidence_changes"
}
]
}
}
],
"panel_log_v2": [
{
"id": "uuid:id",
"created": "2024-01-15T23:42:08.135Z",
"changes": [
{
"added": [
{
"assessments": [
{
"id": "attr:possibleKeyLeak",
"level": 2,
"title": "Possible Key Leak",
"text_indicator": "env"
},
{
"id": "attr:watchListEntityMention",
"level": 0,
"title": "Watch List Entity Mention",
"entity": {
"id": "I3ZDfr",
"name": "Name Inc",
"type": "Company"
}
}
],
"document": {
"id": "doc:uKG2Aq",
"content": "coment",
"owner_id": "WbzWXK",
"published": "2024-01-15T23:35:47.824Z"
},
"target_entities": [
{
"id": "I3ZDfr",
"name": "Name Inc",
"type": "Company"
}
],
"watch_lists": [
{
"id": "report:dfeB3b"
}
]
}
],
"type": "evidence_change"
}
]
}
]
},
"error": null,
"has_error": false
}
Code Repo Leakage
Retrieve detailed information about a Code Repository Leakage Playbook Alert with data grouped into UI-ready panels.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status": {
"status_code": "Ok",
"status_message": "Playbook alert bulk lookup successful."
},
"data": [
{
"playbook_alert_id": "task:cf201020-16e0-4b3b-a421-8afeaac12d43",
"panel_status": {
"status": "New",
"priority": "Moderate",
"assignee_name": "Name",
"assignee_id": "uhash:id",
"created": "2024-01-15T23:40:14.778Z",
"updated": "2024-01-15T23:42:48.231Z",
"case_rule_id": "report:id",
"case_rule_label": "Data Leakage on Code Repository",
"owner_id": "uhash:id",
"owner_name": "Name",
"organisation_id": "uhash:id",
"organisation_name": "Name",
"owner_organisation_details": {
"organisations": [
{
"organisation_id": "uhash:id",
"organisation_name": "Name"
}
],
"enterprise_id": "uhash:id",
"enterprise_name": "Name"
},
"entity_id": "url:https://github.com/SueMcMetzger/MachineLearning",
"entity_name": "https://github.com/SueMcMetzger/MachineLearning",
"entity_criticality": "",
"risk_score": 0,
"targets": [
{
"name": "Name Inc"
}
]
},
"panel_evidence_summary": {
"repository": {
"id": "url:https://github.com/SueMcMetzger/MachineLearning",
"name": "https://github.com/SueMcMetzger/MachineLearning",
"owner": {
"name": "SueMcMetzger"
}
},
"evidence": [
{
"assessments": [
{
"id": "attr:possibleKeyLeak",
"title": "Possible Key Leak",
"value": "env"
},
{
"id": "attr:watchListEntityMention",
"title": "Watch List Entity Mention",
"value": "Name Inc"
}
],
"targets": [
{
"name": "Name Inc"
}
],
"url": "https://github.com/SueMcMetzger/MachineLearning/commit/6dcf0c646d5",
"content": "comment",
"published": "2024-01-15T23:35:47.826Z"
}
]
},
"panel_log": [
{
"id": "uuid:id",
"created": "2024-01-15T23:42:08.135Z",
"modified": "2024-01-15T23:42:08.135Z",
"action_priority": "Moderate",
"context": {
"type": "code_repo_leakage",
"changes": [
{
"added": [
{
"assessments": [
{
"id": "attr:possibleKeyLeak",
"level": 2,
"title": "Possible Key Leak",
"text_indicator": "env"
},
{
"id": "attr:watchListEntityMention",
"level": 0,
"title": "Watch List Entity Mention",
"entity": "I3ZDfr"
}
],
"document_content": {
"id": "doc:uKG2Aq",
"tagged_content": "Tag content",
"content": "content",
"url": "url:url",
"owner": "WbzWXK",
"published": "2024-01-15T23:35:47.824Z"
},
"ontology": [
{
"path": [
{
"attribute": "attr:Event.entities",
"entity": "I3ZDfr"
},
{
"attribute": "attr:Entity.lists",
"entity": "report:dfeB3b"
}
]
}
],
"target_entities": [
"I3ZDfr"
],
"watch_lists": [
"report:dfeB3b"
]
}
],
"type": "evidence_changes"
}
]
}
}
],
"panel_log_v2": [
{
"id": "uuid:id",
"created": "2024-01-15T23:42:08.135Z",
"changes": [
{
"added": [
{
"assessments": [
{
"id": "attr:possibleKeyLeak",
"level": 2,
"title": "Possible Key Leak",
"text_indicator": "env"
},
{
"id": "attr:watchListEntityMention",
"level": 0,
"title": "Watch List Entity Mention",
"entity": {
"id": "I3ZDfr",
"name": "Name Inc",
"type": "Company"
}
}
],
"document": {
"id": "doc:uKG2Aq",
"content": "coment",
"owner_id": "WbzWXK",
"published": "2024-01-15T23:35:47.824Z"
},
"target_entities": [
{
"id": "I3ZDfr",
"name": "Name Inc",
"type": "Company"
}
],
"watch_lists": [
{
"id": "report:dfeB3b"
}
]
}
],
"type": "evidence_change"
}
]
}
]
}
],
"error": null,
"has_error": false
}
Vulnerability Check Bulk
Perform a detailed lookup of data panels for vulnerabilities at once.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Ids | Jinja-templated text containing the comma seperated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status": {
"status_code": "Ok",
"status_message": "Playbook alert single lookup successful."
},
"data": [{
"playbook_alert_id": "task:fa-8d8e-4346-a3a-fd8e7a4d",
"panel_status": {
"status": "New",
"priority": "Moderate",
"created": "2024-01-01T12:00:50.767Z",
"updated": "2024-01-01T12:00:50.767Z",
"case_rule_id": "report:tS",
"case_rule_label": "Novel Identity Exposure",
"owner_id": "uhash:test",
"owner_name": "TEST",
"organisation_id": "uhash:test",
"organisation_name": "Test",
"owner_organisation_details": {
"organisations": [
{
"organisation_id": "uhash:test",
"organisation_name": "TEST"
}
],
"enterprise_id": "uhash:test",
"enterprise_name": "TEST"
},
"entity_id": "[email protected]",
"entity_name": "test",
"targets": [
{
"name": "test"
}
]
},
"panel_evidence_summary": {
"subject": "test",
"authorization_url": "test",
"exposed_secret": {
"type": "clear",
"effectively_clear": true,
"hashes": [
{
"algorithm": "SHA1",
"hash": "8be3c943b1609fffbfc51aad666dc9d"
},
{
"algorithm": "SHA256",
"hash": "e7cf3ef4f17c399902bd38ec221a"
},
{
"algorithm": "NTLM",
"hash": "a4fab6824ee7c30fd852"
},
{
"algorithm": "MD5",
"hash": "dc647e212b3964"
}
],
"details": {
"properties": [
"Letter",
"UpperCase",
"LowerCase",
"AtLeast8Characters"
],
"clear_text_hint": "Pa"
}
},
"compromised_host": {
"exfiltration_date": "2024-01-01T02:05:36.000Z",
"os": "Windows 10 (10.0.22621)",
"os_username": "arunk",
"computer_name": "HP"
},
"malware_family": {
"id": "nlflWX",
"name": "Lumma"
},
"infrastructure": {
"ip": "243.132.143.222"
}
},
"panel_log": [],
"panel_log_v2": []
}],
"error": null,
"has_error": false
}
Vulnerability Check
Retrieve detailed information about a Vulnerability Playbook Alert with data grouped into UI-ready panels.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
| Panels | Jinja-templated text containing the comma seperated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status": {
"status_code": "Ok",
"status_message": "Playbook alert single lookup successful."
},
"data": {
"playbook_alert_id": "task:fa-8d8e-4346-a3a-fd8e7a4d",
"panel_status": {
"status": "New",
"priority": "Moderate",
"created": "2024-01-01T12:00:50.767Z",
"updated": "2024-01-01T12:00:50.767Z",
"case_rule_id": "report:tS",
"case_rule_label": "Novel Identity Exposure",
"owner_id": "uhash:test",
"owner_name": "TEST",
"organisation_id": "uhash:test",
"organisation_name": "Test",
"owner_organisation_details": {
"organisations": [
{
"organisation_id": "uhash:test",
"organisation_name": "TEST"
}
],
"enterprise_id": "uhash:test",
"enterprise_name": "TEST"
},
"entity_id": "[email protected]",
"entity_name": "test",
"targets": [
{
"name": "test"
}
]
},
"panel_evidence_summary": {
"subject": "test",
"authorization_url": "test",
"exposed_secret": {
"type": "clear",
"effectively_clear": true,
"hashes": [
{
"algorithm": "SHA1",
"hash": "8be3c943b1609fffbfc51aad666dc9d"
},
{
"algorithm": "SHA256",
"hash": "e7cf3ef4f17c399902bd38ec221a"
},
{
"algorithm": "NTLM",
"hash": "a4fab6824ee7c30fd852"
},
{
"algorithm": "MD5",
"hash": "dc647e212b3964"
}
],
"details": {
"properties": [
"Letter",
"UpperCase",
"LowerCase",
"AtLeast8Characters"
],
"clear_text_hint": "Pa"
}
},
"compromised_host": {
"exfiltration_date": "2024-01-01T02:05:36.000Z",
"os": "Windows 10 (10.0.22621)",
"os_username": "arunk",
"computer_name": "HP"
},
"malware_family": {
"id": "nlflWX",
"name": "Lumma"
},
"infrastructure": {
"ip": "243.132.143.222"
}
},
"panel_log": [],
"panel_log_v2": []
},
"error": null,
"has_error": false
}
Collective Insight Detections
Submit a list of detected IoCs (indicator of compromise)
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body. Example: '{"options":{"debug":false,"summary":true},"organization_ids":["uhash:T2j9L"],"data":[{"timestamp":"2023-01-01T10:00:00Z","ioc":{"type":"ip","value":"1.2.3.4","field":"dstip","source_type":"netscreen:firewall"},"incident":{"id":"28548e09-63e8-4f8b-abd4-be86207b1583","name":"Triggered Detection Rule","type":"splunk-detection-rule"},"mitre_codes":["T1055"],"malwares":["Stuxnet"],"detection":{"id":"string","name":"string","type":"detection_rule","sub_type":"sigma"}}]}' | Required |
Output
JSON containing the following items:
{
"result": {
"DetectionsResponse": {
"result": {
"status": "OK",
"object_ids": [
"16046941d44a85e4748a9e9a",
"16046941d44a85e4748a9e9b",
"16046941d44a85e4748a9e9c"
],
"debug": false,
"summary": {
"processed": {}
}
}
}
},
"error": null,
"has_error":false,
}
Entity Match
Match entities by name
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body. Example: '{"name": "WannaCry","type": ["Malware"],"limit": 10}' | Required |
Output
JSON containing the following items:
{
"result": {
[
{
"id": "TzghRB",
"name": "WannaCry 1.0",
"type": "Malware"
}
]
},
"error": null,
"has_error":false,
}
Search for Links
Search for links related to one or more entities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Body | Jinja-templated JSON containing the body. Example: '{"entities":["JLHNoH"],"filters":{"sections":["iU_ZsI"],"entity_types":["type:IpAddress"],"sources":["technical","insikt"],"technical":{"timeframe":"-30d","events":["type:MalwareAnalysis"],"connected_entities":["idn:google.com"]}},"limits":{"search_scope":"medium","per_entity_type":100}}' | Required |
Output
JSON containing the following items:
{
"result": {
"data": {
"entity": {
"type": "type:Malware",
"id": "JLHNoH",
"name": "Cobalt Strike"
},
"links": [
{
"type": "type:IpAddress",
"id": "ip:8.8.8.8",
"name": "8.8.8.8",
"source": "technical",
"section": "iU_ZsI",
"attributes": [
{
"id": "risk_score",
"value": 90
},
{
"id": "criticality",
"value": "Malicious"
},
{
"id": "display_name",
"value": "T1001 (Data Obfuscation)"
},
{
"id": "threat_actor",
"value": true
}
]
}
],
"error": {
"message": "The entity was not found",
"status_code": 404
}
}
},
"error": null,
"has_error":false,
}
Release Notes
v1.3.0- Added new action:Entity MatchandSearch for Linksv1.2.6- Added new action:Collective Insight Detectionsv1.2.2- Added 6 new actions:Identity Novel Exposures Bulk,Identity Novel Exposures,Code Repo Leakage Bulk,Code Repo Leakage,Vulnerability Check BulkandVulnerability Checkv1.2.1- Added 7 new actions:Search IP,Search HASH,Search URL,Check IP,Check HASH,Check URLandCheck Domainv1.1.11- Updated architecture to support IO via filesystemv1.1.9- Added Pagination support inSearch Credentials Dataaction.v1.1.2- Added 6 new actions:Get Incident Reports,Lookup Password for Exposure,Search Credentials Data,Malware Family Statistics,Lookup Credentials DataandSearch Dump Metadata.v1.0.1- Added 4 new actions:Search Playbook Alert,Bulk Domain Abuse Alert Lookup,Detail Domain Abuse Alert DataandScreenshot Related to Domain Abuse Alert.
Updated about 1 month ago