Recorded Future
Version: 1.1.9
Recorded Future is the world's largest intelligence company with complete coverage across adversaries, infrastructure, and targets.
Connect Recorded Future with LogicHub
- Navigate to Automations > Integrations.
- Search for Recorded Future.
- Click Details, then the + icon. Enter the required information in the following fields:
  - Label: Connection name.
  - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  - Verify SSL: Select whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
  - X-RFToken: X-RFToken for the Recorded Future API.
- After you've entered all the details, click Connect.
Search Playbook Alert
Searches for Playbook Alerts based on filtering conditions supplied in the body. Not specifying a filter for a property means the filter will match a Playbook Alert regardless of the property's value. Only Playbook Alerts matching all specified criteria are included in the response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filters | Jinja-templated JSON containing the filters. Example: '{"from": 0,"limit": 100,"order_by": "created","direction": "asc","entity": ["idn:mail.google.mail.pl"],"statuses": ["New"]}' | Optional |
Output
JSON containing the following items:
{
"data":[
{
"playbook_alert_id":"task:dasdf-768c-asdf-9c50-1asdfe725",
"created":"2022-06-18T15:53:17.000Z",
"updated":"2022-06-18T16:10:00.316Z",
"status":"New",
"category":"domain_abuse",
"priority":"Informational",
"title":"XYZ",
"owner_id":"ABC",
"owner_name":"CNNAME",
"organisation_id":"uhash:asdf",
"organisation_name":"CNANAME",
"owner_organisation_details":{
"organisations":[
{
"organisation_id":"uhash:6asdf",
"organisation_name":"CNANAME"
}
],
"enterprise_id":"uhash:random_id",
"enterprise_name":"random name"
}
}
],
"has_error":false,
"error":null,
"status":{
"status_code":"Ok",
"status_message":"Playbook alert search successful"
},
"counts":{
"returned":1,
"total":1
}
}
Bulk Domain Abuse Alert Lookup
Perform a detailed lookup of data panels for several alerts at once.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Playbook Alert Ids | Jinja-templated text containing the comma-separated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required |
Panels | Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status":{
"status_code":"Ok",
"status_message":"Playbook alert bulk lookup successful."
},
"data":[
{
"playbook_alert_id":"task:asdf-0asdff228",
"panel_status":{
"entity_id":"idn:asdf.org",
"entity_name":"asdf.org",
"entity_criticality":"0",
"risk_score":0,
"context_list":[
],
"targets":[
],
"status":"New",
"priority":"Informational",
"created":"2022-06-02T00:40:45.993Z",
"updated":"2023-01-20T00:22:11.114Z",
"case_rule_id":"report:asdfE",
"case_rule_label":"Domain Abuse",
"owner_id":"uhash:asdf",
"owner_name":"qwer",
"organisation_id":"uhash:asdf",
"organisation_name":"qwer",
"owner_organisation_details":{
"organisations":[
{
"organisation_id":"uhash:6asdf",
"organisation_name":"qwer"
}
],
"enterprise_id":"uhash:asdf",
"enterprise_name":"qwer"
}
},
"panel_action":[
],
"panel_evidence_summary":{
"explanation":"Alert was created as a result of a match in the similar domains query",
"resolved_record_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":26,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"screenshots":[
{
"description":"An image associated with the Playbook Alert",
"image_id":"img:asdf86772easdf2c1c",
"created":"2022-08-01T00:43:57.015Z"
}
]
},
"panel_evidence_dns":{
"ip_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":25,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"mx_list":[
],
"ns_list":[
]
},
"panel_evidence_whois":{
"body":[
{
"provider":"asdf",
"entity":"idn:asdf.org",
"attribute":"attr:whois",
"value":{
"privateRegistration":false,
"status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
"nameServers":[
"idn:asdf.com"
],
"registrarName":"asdf, LLC",
"createdDate":"2021-01-20T00:00:00.000Z"
},
"added":"2023-01-20T00:22:10.947Z"
}
]
},
"panel_log":[
{
"id":"uuid:asdfdcc3-4236-9f04asdf74b",
"created":"2022-06-02T00:47:27.619Z",
"modified":"2022-06-02T00:47:27.619Z",
"action_priority":"Informational",
"context":{
"type":"domain_abuse",
"changes":[
{
"domain":"idn:asdf.org",
"new":{
"status":"",
"private_registration":true,
"name_servers":[
"idn:asdf.com"
],
"contact_email":"email:[email protected]",
"created":"2021-01-20T00:00:00.000Z"
},
"removed_contacts":[
],
"added_contacts":[
{
"type":"administrativeContact",
"telephone":"REDACTED FOR PRIVACY",
"street1":"REDACTED FOR PRIVACY",
"state":"REDACTED FOR PRIVACY",
"postal_code":"REDACTED FOR PRIVACY",
"organization":"REDACTED FOR PRIVACY",
"name":"REDACTED FOR PRIVACY",
"country":"REDACTED FOR PRIVACY",
"city":"REDACTED FOR PRIVACY"
}
],
"type":"whois_change"
}
]
}
}
]
}
],
"error":null,
"has_error":false
}
Detail Domain Abuse Alert Data
Retrieve detailed information about a Domain Abuse Playbook Alert with data grouped into UI-ready panels.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
Panels | Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log' | Optional |
Output
JSON containing the following items:
{
"status":{
"status_code":"Ok",
"status_message":"Playbook alert single lookup successful."
},
"data":{
"playbook_alert_id":"task:asdf-0asdff228",
"panel_status":{
"entity_id":"idn:asdf.org",
"entity_name":"asdf.org",
"entity_criticality":"0",
"risk_score":0,
"context_list":[
],
"targets":[
],
"status":"New",
"priority":"Informational",
"created":"2022-06-02T00:40:45.993Z",
"updated":"2023-01-20T00:22:11.114Z",
"case_rule_id":"report:asdfE",
"case_rule_label":"Domain Abuse",
"owner_id":"uhash:asdf",
"owner_name":"qwer",
"organisation_id":"uhash:asdf",
"organisation_name":"qwer",
"owner_organisation_details":{
"organisations":[
{
"organisation_id":"uhash:6asdf",
"organisation_name":"qwer"
}
],
"enterprise_id":"uhash:asdf",
"enterprise_name":"qwer"
}
},
"panel_action":[
],
"panel_evidence_summary":{
"explanation":"Alert was created as a result of a match in the similar domains query",
"resolved_record_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":26,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"screenshots":[
{
"description":"An image associated with the Playbook Alert",
"image_id":"img:asdf86772easdf2c1c",
"created":"2022-08-01T00:43:57.015Z"
}
]
},
"panel_evidence_dns":{
"ip_list":[
{
"entity":"ip:1.1.1.1",
"risk_score":25,
"criticality":"Medium",
"record_type":"A",
"context_list":[
]
}
],
"mx_list":[
],
"ns_list":[
]
},
"panel_evidence_whois":{
"body":[
{
"provider":"asdf",
"entity":"idn:asdf.org",
"attribute":"attr:whois",
"value":{
"privateRegistration":false,
"status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
"nameServers":[
"idn:asdf.com"
],
"registrarName":"asdf, LLC",
"createdDate":"2021-01-20T00:00:00.000Z"
},
"added":"2023-01-20T00:22:10.947Z"
}
]
},
"panel_log":[
{
"id":"uuid:asdfdcc3-4236-9f04asdf74b",
"created":"2022-06-02T00:47:27.619Z",
"modified":"2022-06-02T00:47:27.619Z",
"action_priority":"Informational",
"context":{
"type":"domain_abuse",
"changes":[
{
"domain":"idn:asdf.org",
"new":{
"status":"",
"private_registration":true,
"name_servers":[
"idn:asdf.com"
],
"contact_email":"email:[email protected]",
"created":"2021-01-20T00:00:00.000Z"
},
"removed_contacts":[
],
"added_contacts":[
{
"type":"administrativeContact",
"telephone":"REDACTED FOR PRIVACY",
"street1":"REDACTED FOR PRIVACY",
"state":"REDACTED FOR PRIVACY",
"postal_code":"REDACTED FOR PRIVACY",
"organization":"REDACTED FOR PRIVACY",
"name":"REDACTED FOR PRIVACY",
"country":"REDACTED FOR PRIVACY",
"city":"REDACTED FOR PRIVACY"
}
],
"type":"whois_change"
}
]
}
}
]
},
"error":null,
"has_error":false
}
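Bulk Domain Abuse Alert Lookup and Detail Domain Abuse Alert Data return the same panels, but the bulk action returns "data" as a list and the detail action returns it as a single object, and any panel left out of the Panels input is absent from the output. The Python below is an added example, not part of the integration: the function names are hypothetical and the sample responses are constructed, trimmed from the outputs shown above.

```python
def alerts_from(response):
    """Return a list of alert dicts from either action's output: bulk lookup
    gives "data" as a list, single-alert detail gives it as one object."""
    if response.get("has_error"):
        raise RuntimeError(f"lookup failed: {response.get('error')}")
    data = response.get("data") or []
    return data if isinstance(data, list) else [data]

def triage(alert):
    """Condense one alert's panels; panels not requested are simply missing."""
    status = alert.get("panel_status", {})
    summary = alert.get("panel_evidence_summary", {})
    dns = alert.get("panel_evidence_dns", {})
    ip_risk = {}  # highest risk_score seen per resolving IP across both panels
    for rec in summary.get("resolved_record_list", []) + dns.get("ip_list", []):
        ip_risk[rec["entity"]] = max(ip_risk.get(rec["entity"], 0), rec.get("risk_score", 0))
    whois_changed = [
        change["domain"]
        for entry in alert.get("panel_log", [])
        for change in entry.get("context", {}).get("changes", [])
        if change.get("type") == "whois_change"
    ]
    return {
        "alert_id": alert["playbook_alert_id"],
        "domain": status.get("entity_name"),
        "max_ip_risk": max(ip_risk.values(), default=0),
        "ip_risk": ip_risk,
        "image_ids": [s["image_id"] for s in summary.get("screenshots", [])],
        "whois_changed": whois_changed,
    }

# Constructed sample: detail output trimmed to the fields used here.
DETAIL = {"has_error": False, "error": None, "data": {
    "playbook_alert_id": "task:asdf-0asdff228",
    "panel_status": {"entity_name": "asdf.org", "risk_score": 0},
    "panel_evidence_summary": {
        "resolved_record_list": [{"entity": "ip:1.1.1.1", "risk_score": 26}],
        "screenshots": [{"image_id": "img:asdf86772easdf2c1c"}]},
    "panel_evidence_dns": {"ip_list": [{"entity": "ip:1.1.1.1", "risk_score": 25}]},
    "panel_log": [{"context": {"changes": [
        {"domain": "idn:asdf.org", "type": "whois_change"}]}}],
}}
# Constructed sample: bulk output requested with Panels 'status' only.
BULK = {"has_error": False, "error": None, "data": [
    {"playbook_alert_id": "task:asdf-0asdff228", "panel_status": {"entity_name": "asdf.org"}}]}

if __name__ == "__main__":
    for resp in (DETAIL, BULK):
        print([triage(a) for a in alerts_from(resp)])
```

The image_ids in the result are the values the Screenshot Related to Domain Abuse Alert action takes as its Image Id input.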
Screenshot Related to Domain Abuse Alert
Fetch a screenshot associated with the Domain Abuse alert.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required |
Image Id | Jinja-templated text containing the image Id. Example: 'img:404basdf-4f23-438c-a27c-aa675asdfda0' | Required |
Output
JSON containing the following items:
{
"result":{
"lhub_file_id": "aiuwehoifsubvixcvuhpoaf"
},
"error":null,
"has_error":false
}
Get Incident Reports
Provides an exposure incident report for a single malware log.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Body | Jinja-templated text containing the body for the Recorded Future API. Example: 'string' | Required |
Output
JSON containing the following items:
{
"count": 0,
"count_relation": "Equals",
"has_error": false,
"error": null,
"details": {},
"credentials": []
}
Lookup Password for Exposure
Looks up the exposure status of one or more password hashes.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Body | Jinja-templated JSON containing the body for the Recorded Future API. Example: '{"passwords": [{"algorithm": "SHA1","hash": "string"}]}' | Required |
Output
JSON containing the following items:
{
"results": [
{
"password": {
"algorithm": "SHA1",
"hash": "string"
},
"exposure_status": "NeverExposed"
}
],
"error": null,
"has_error": false
}
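The Body for this action carries hashes, so plaintext passwords can be hashed locally and kept out of the playbook data. The Python below is an added example, not part of the integration: the function names and sample values are constructed, the hex encoding of the SHA1 digest is an assumption (the page shows only "string"), and PLACEHOLDER_OTHER_STATUS stands in for any exposure_status other than the "NeverExposed" value shown above.

```python
import hashlib
import json

def build_body(candidates):
    """Return (Body JSON, digest -> label map). Only SHA1 digests go into
    the Body; labels and plaintext stay local."""
    entries, labels = [], {}
    for label, plaintext in candidates.items():
        # Assumption: the API expects the hex-encoded SHA1 digest.
        digest = hashlib.sha1(plaintext.encode("utf-8")).hexdigest()
        entries.append({"algorithm": "SHA1", "hash": digest})
        labels[digest] = label
    return json.dumps({"passwords": entries}), labels

def review(response, labels):
    """Return (flagged, unanswered) labels. A hash with no result is reported
    separately instead of being treated as never exposed."""
    if response.get("has_error"):
        raise RuntimeError(f"lookup failed: {response.get('error')}")
    status = {r["password"]["hash"].lower(): r.get("exposure_status")
              for r in response.get("results", [])}
    flagged = sorted(label for digest, label in labels.items()
                     if status.get(digest) not in (None, "NeverExposed"))
    unanswered = sorted(label for digest, label in labels.items()
                        if digest not in status)
    return flagged, unanswered

# Constructed sample input: account label -> candidate password.
CANDIDATES = {"svc-backup": "constructed-sample-one",
              "svc-deploy": "constructed-sample-two",
              "svc-mail": "constructed-sample-three"}
BODY, LABELS = build_body(CANDIDATES)
_hashes = [p["hash"] for p in json.loads(BODY)["passwords"]]
# Constructed response in the output shape shown above; the third hash is
# deliberately left without a result.
RESPONSE = {"results": [
    {"password": {"algorithm": "SHA1", "hash": _hashes[0]},
     "exposure_status": "NeverExposed"},
    {"password": {"algorithm": "SHA1", "hash": _hashes[1]},
     "exposure_status": "PLACEHOLDER_OTHER_STATUS"},
], "error": None, "has_error": False}

if __name__ == "__main__":
    print(BODY)
    print(review(RESPONSE, LABELS))
```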
Search Credentials Data
Search credentials data for a set of domains.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Body | Jinja-templated JSON containing the body for the Recorded Future API. Example: '{"limit": 3}' | Optional |
Output
JSON containing the following items:
{
"identities": [],
"count": 0,
"error": null,
"has_error": false
}
Malware Family Statistics
Returns malware family statistics.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Body | Jinja-templated JSON containing the body for the Recorded Future API. Example: '{"limit": 1}' | Required |
Output
JSON containing the following items:
{
"malware_families": [
"ABC",
"XYZ",
"QWE"
],
"error": null,
"has_error": false
}
Lookup Credentials Data
Lookup credentials data for a set of subjects.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Body | Jinja-templated JSON containing the body for the Recorded Future API. Example: '{"subjects": ["[email protected]"]}' | Required |
Output
JSON containing the following items:
{
"identities": [],
"count": 0,
"error": null,
"has_error": false
}
Search Dump Metadata
Search dump metadata for given names.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Body | Jinja-templated JSON containing the body for the Recorded Future API. Example: '{"names": ["string"],"limit": 0}' | Required |
Output
JSON containing the following items:
{
"dumps": [],
"error": null,
"has_error": false
}
Release Notes
v1.1.9
- Added pagination support in the Search Credentials Data action.
v1.1.2
- Added 6 new actions: Get Incident Reports, Lookup Password for Exposure, Search Credentials Data, Malware Family Statistics, Lookup Credentials Data and Search Dump Metadata.
v1.0.1
- Added 4 new actions: Search Playbook Alert, Bulk Domain Abuse Alert Lookup, Detail Domain Abuse Alert Data and Screenshot Related to Domain Abuse Alert.