Recorded Future

Version: 1.1.9

Recorded Future is the world's largest intelligence company with complete coverage across adversaries, infrastructure, and targets.

Connect Recorded Future with Logichub

  1. Navigate to Automations > Integrations.
  2. Search for Recorded Future.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's TLS certificate (default is Verify SSL Certificate). Leave verification enabled; turning it off lets an on-path attacker intercept the API token sent with every request.
    • X-RFToken: The Recorded Future API token. It is sent in the X-RFToken request header on every call, so store it here rather than in playbook fields.
  4. After you've entered all the details, click Connect.

Search Playbook Alert

Searches for Playbook Alerts based on filtering conditions supplied in the body. Not specifying a filter for a property means the filter will match a Playbook Alert regardless of the property's value. Only Playbook Alerts matching all specified criteria are included in the response.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Filters | Jinja-templated JSON containing the filters. Example: '{"from": 0,"limit": 100,"order_by": "created","direction": "asc","entity": ["idn:mail.google.mail.pl"],"statuses": ["New"]}' | Optional

Output

JSON containing the following items:

{
   "data":[
      {
         "playbook_alert_id":"task:dasdf-768c-asdf-9c50-1asdfe725",
         "created":"2022-06-18T15:53:17.000Z",
         "updated":"2022-06-18T16:10:00.316Z",
         "status":"New",
         "category":"domain_abuse",
         "priority":"Informational",
         "title":"XYZ",
         "owner_id":"ABC",
         "owner_name":"CNNAME",
         "organisation_id":"uhash:asdf",
         "organisation_name":"CNANAME",
         "owner_organisation_details":{
            "organisations":[
               {
                  "organisation_id":"uhash:6asdf",
                  "organisation_name":"CNANAME"
               }
            ],
            "enterprise_id":"uhash:random_id",
            "enterprise_name":"random name"
         }
      }
   ],
   "has_error":false,
   "error":null,
   "status":{
      "status_code":"Ok",
      "status_message":"Playbook alert search successful"
   },
   "counts":{
      "returned":1,
      "total":1
   }
}
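The Filters input is paged with from/limit and the output reports counts.returned and counts.total, so a playbook that wants every matching alert has to loop. The following Python is an added example, not code from the LogicHub integration or from Recorded Future: it walks all pages of a search and joins the resulting playbook_alert_id values into the comma-separated string that the Bulk Domain Abuse Alert Lookup action expects. The alert records and the fake_search function are constructed stand-ins for the action's output so the example runs offline; in a playbook the real action output takes their place.

```python
import json
from typing import Callable, Dict, Iterator, List

# Constructed sample data (not Recorded Future data): five alerts in the shape
# of the Search Playbook Alert output, the first three in status "New".
SAMPLE_ALERTS: List[Dict] = [
    {
        "playbook_alert_id": f"task:00000000-0000-4000-8000-00000000000{i}",
        "created": f"2022-06-18T15:53:1{i}.000Z",
        "updated": f"2022-06-18T16:10:0{i}.000Z",
        "status": "New" if i <= 3 else "InProgress",
        "category": "domain_abuse",
        "priority": "Informational",
        "title": f"constructed alert {i}",
    }
    for i in range(1, 6)
]


def fake_search(filters: Dict) -> Dict:
    """Offline stand-in for the Search Playbook Alert action.

    Applies 'statuses', 'from' and 'limit' the way the page describes: a
    property that is not filtered matches every alert, and only alerts
    matching all supplied filters are returned.
    """
    rows = SAMPLE_ALERTS
    if "statuses" in filters:
        rows = [r for r in rows if r["status"] in filters["statuses"]]
    start = int(filters.get("from", 0))
    limit = int(filters.get("limit", 100))
    page = rows[start:start + limit]
    return {
        "data": page,
        "has_error": False,
        "error": None,
        "status": {"status_code": "Ok",
                   "status_message": "Playbook alert search successful"},
        "counts": {"returned": len(page), "total": len(rows)},
    }


def iter_playbook_alerts(search: Callable[[Dict], Dict], filters: Dict,
                         page_size: int = 100) -> Iterator[Dict]:
    """Walk every page of a Playbook Alert search.

    `search` is any callable that takes the Filters dict and returns the
    action's JSON output (fake_search here; in a playbook, the action itself).
    `filters` holds the caller's criteria without 'from'/'limit', which this
    function manages. Stops on an API error, on an empty page, or once the
    offset reaches counts.total.
    """
    offset = 0
    while True:
        body = dict(filters, **{"from": offset, "limit": page_size})
        resp = search(body)
        if resp.get("has_error"):
            raise RuntimeError(f"Playbook alert search failed: {resp.get('error')}")
        rows = resp.get("data") or []
        yield from rows
        offset += len(rows)
        if not rows or offset >= int(resp["counts"]["total"]):
            return


def alert_ids_for_bulk_lookup(search: Callable[[Dict], Dict], filters: Dict,
                              page_size: int = 100) -> str:
    """Comma-separated Playbook Alert Ids in the form the Bulk Domain Abuse
    Alert Lookup action's 'Playbook Alert Ids' input expects, de-duplicated
    and in the order the search returned them."""
    ids: List[str] = []
    for alert in iter_playbook_alerts(search, filters, page_size):
        aid = alert["playbook_alert_id"]
        if aid not in ids:
            ids.append(aid)
    return ",".join(ids)


if __name__ == "__main__":
    # The same dict, serialised with json.dumps, is what goes into the Filters input.
    filters = {"order_by": "created", "direction": "asc", "statuses": ["New"]}
    print(json.dumps(filters))
    print(alert_ids_for_bulk_lookup(fake_search, filters, page_size=2))
```

When the Filters value is assembled from upstream columns in the Jinja-templated input, render each value with Jinja's tojson filter instead of interpolating it between quote characters; a column value containing a quote or brace would otherwise break the JSON or add filter keys of its own. The loop above also stops on an empty page rather than trusting counts.total alone, so a total that changes while paging cannot make it spin.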

Bulk Domain Abuse Alert Lookup

Perform a detailed lookup of data panels for several alerts at once.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Playbook Alert Ids | Jinja-templated text containing the comma-separated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required
Panels | Jinja-templated text containing the comma-separated panels to return. Example: 'status,action,summary,dns,whois,log' | Optional

Output

JSON containing the following items:

{
   "status":{
      "status_code":"Ok",
      "status_message":"Playbook alert bulk lookup successful."
   },
   "data":[
      {
         "playbook_alert_id":"task:asdf-0asdff228",
         "panel_status":{
            "entity_id":"idn:asdf.org",
            "entity_name":"asdf.org",
            "entity_criticality":"0",
            "risk_score":0,
            "context_list":[
            ],
            "targets":[
               
            ],
            "status":"New",
            "priority":"Informational",
            "created":"2022-06-02T00:40:45.993Z",
            "updated":"2023-01-20T00:22:11.114Z",
            "case_rule_id":"report:asdfE",
            "case_rule_label":"Domain Abuse",
            "owner_id":"uhash:asdf",
            "owner_name":"qwer",
            "organisation_id":"uhash:asdf",
            "organisation_name":"qwer",
            "owner_organisation_details":{
               "organisations":[
                  {
                     "organisation_id":"uhash:6asdf",
                     "organisation_name":"qwer"
                  }
               ],
               "enterprise_id":"uhash:asdf",
               "enterprise_name":"qwer"
            }
         },
         "panel_action":[
            
         ],
         "panel_evidence_summary":{
            "explanation":"Alert was created as a result of a match in the similar domains query",
            "resolved_record_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":26,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                  ]
               }
            ],
            "screenshots":[
               {
                  "description":"An image associated with the Playbook Alert",
                  "image_id":"img:asdf86772easdf2c1c",
                  "created":"2022-08-01T00:43:57.015Z"
               }
            ]
         },
         "panel_evidence_dns":{
            "ip_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":25,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                     
                  ]
               }
            ],
            "mx_list":[
            ],
            "ns_list":[
            ]
         },
         "panel_evidence_whois":{
            "body":[
               {
                  "provider":"asdf",
                  "entity":"idn:asdf.org",
                  "attribute":"attr:whois",
                  "value":{
                     "privateRegistration":false,
                     "status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
                     "nameServers":[
                        "idn:asdf.com"
                     ],
                     "registrarName":"asdf, LLC",
                     "createdDate":"2021-01-20T00:00:00.000Z"
                  },
                  "added":"2023-01-20T00:22:10.947Z"
               }
            ]
         },
         "panel_log":[
            {
               "id":"uuid:asdfdcc3-4236-9f04asdf74b",
               "created":"2022-06-02T00:47:27.619Z",
               "modified":"2022-06-02T00:47:27.619Z",
               "action_priority":"Informational",
               "context":{
                  "type":"domain_abuse",
                  "changes":[
                     {
                        "domain":"idn:asdf.org",
                        "new":{
                           "status":"",
                           "private_registration":true,
                           "name_servers":[
                              "idn:asdf.com"
                           ],
                           "contact_email":"email:[email protected]",
                           "created":"2021-01-20T00:00:00.000Z"
                        },
                        "removed_contacts":[
                           
                        ],
                        "added_contacts":[
                           {
                              "type":"administrativeContact",
                              "telephone":"REDACTED FOR PRIVACY",
                              "street1":"REDACTED FOR PRIVACY",
                              "state":"REDACTED FOR PRIVACY",
                              "postal_code":"REDACTED FOR PRIVACY",
                              "organization":"REDACTED FOR PRIVACY",
                              "name":"REDACTED FOR PRIVACY",
                              "country":"REDACTED FOR PRIVACY",
                              "city":"REDACTED FOR PRIVACY"
                           }
                        ],
                        "type":"whois_change"
                     }
                  ]
               }
            }
         ]
      }
   ],
   "error":null,
   "has_error":false
}

Detail Domain Abuse Alert Data

Retrieve detailed information about a Domain Abuse Playbook Alert with data grouped into UI-ready panels.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required
Panels | Jinja-templated text containing the comma-separated panels to return. Example: 'status,action,summary,dns,whois,log' | Optional

Output

JSON containing the following items:

{
   "status":{
      "status_code":"Ok",
      "status_message":"Playbook alert single lookup successful."
   },
   "data":{
         "playbook_alert_id":"task:asdf-0asdff228",
         "panel_status":{
            "entity_id":"idn:asdf.org",
            "entity_name":"asdf.org",
            "entity_criticality":"0",
            "risk_score":0,
            "context_list":[
            ],
            "targets":[
               
            ],
            "status":"New",
            "priority":"Informational",
            "created":"2022-06-02T00:40:45.993Z",
            "updated":"2023-01-20T00:22:11.114Z",
            "case_rule_id":"report:asdfE",
            "case_rule_label":"Domain Abuse",
            "owner_id":"uhash:asdf",
            "owner_name":"qwer",
            "organisation_id":"uhash:asdf",
            "organisation_name":"qwer",
            "owner_organisation_details":{
               "organisations":[
                  {
                     "organisation_id":"uhash:6asdf",
                     "organisation_name":"qwer"
                  }
               ],
               "enterprise_id":"uhash:asdf",
               "enterprise_name":"qwer"
            }
         },
         "panel_action":[
            
         ],
         "panel_evidence_summary":{
            "explanation":"Alert was created as a result of a match in the similar domains query",
            "resolved_record_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":26,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                  ]
               }
            ],
            "screenshots":[
               {
                  "description":"An image associated with the Playbook Alert",
                  "image_id":"img:asdf86772easdf2c1c",
                  "created":"2022-08-01T00:43:57.015Z"
               }
            ]
         },
         "panel_evidence_dns":{
            "ip_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":25,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                     
                  ]
               }
            ],
            "mx_list":[
            ],
            "ns_list":[
            ]
         },
         "panel_evidence_whois":{
            "body":[
               {
                  "provider":"asdf",
                  "entity":"idn:asdf.org",
                  "attribute":"attr:whois",
                  "value":{
                     "privateRegistration":false,
                     "status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
                     "nameServers":[
                        "idn:asdf.com"
                     ],
                     "registrarName":"asdf, LLC",
                     "createdDate":"2021-01-20T00:00:00.000Z"
                  },
                  "added":"2023-01-20T00:22:10.947Z"
               }
            ]
         },
         "panel_log":[
            {
               "id":"uuid:asdfdcc3-4236-9f04asdf74b",
               "created":"2022-06-02T00:47:27.619Z",
               "modified":"2022-06-02T00:47:27.619Z",
               "action_priority":"Informational",
               "context":{
                  "type":"domain_abuse",
                  "changes":[
                     {
                        "domain":"idn:asdf.org",
                        "new":{
                           "status":"",
                           "private_registration":true,
                           "name_servers":[
                              "idn:asdf.com"
                           ],
                           "contact_email":"email:[email protected]",
                           "created":"2021-01-20T00:00:00.000Z"
                        },
                        "removed_contacts":[
                           
                        ],
                        "added_contacts":[
                           {
                              "type":"administrativeContact",
                              "telephone":"REDACTED FOR PRIVACY",
                              "street1":"REDACTED FOR PRIVACY",
                              "state":"REDACTED FOR PRIVACY",
                              "postal_code":"REDACTED FOR PRIVACY",
                              "organization":"REDACTED FOR PRIVACY",
                              "name":"REDACTED FOR PRIVACY",
                              "country":"REDACTED FOR PRIVACY",
                              "city":"REDACTED FOR PRIVACY"
                           }
                        ],
                        "type":"whois_change"
                     }
                  ]
               }
            }
         ]
      },
   "error":null,
   "has_error":false
}
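The Bulk and Detail outputs above carry the same panels (the Bulk 'data' is an array of them, the Detail 'data' is one of them), and an analyst rarely wants the whole tree; the useful signals are the resolved infrastructure with a risk score, the current WHOIS record, and the whois_change events in panel_log. The following Python is an added example, not code from the LogicHub integration or from Recorded Future, that flattens either action's output into one triage record per alert. The SAMPLE_PANELS data is constructed in the documented shape (RFC 5737 addresses, made-up identifiers) so it runs offline; the risk threshold and the 'escalate' rule are the example's own heuristics, not Recorded Future scoring.

```python
from typing import Dict, List

# Constructed sample (not Recorded Future data): one element of the Bulk action's
# 'data' array, trimmed to the panels the triage reads. The Detail action's
# 'data' object has the same shape.
SAMPLE_PANELS: Dict = {
    "playbook_alert_id": "task:11111111-2222-4333-8444-555555555555",
    "panel_status": {"entity_id": "idn:examp1e-login.org", "entity_name": "examp1e-login.org",
                     "risk_score": 0, "status": "New", "priority": "Informational",
                     "case_rule_label": "Domain Abuse"},
    "panel_action": [],
    "panel_evidence_summary": {
        "explanation": "Alert was created as a result of a match in the similar domains query",
        "resolved_record_list": [{"entity": "ip:203.0.113.10", "risk_score": 26, "criticality": "Medium",
                                  "record_type": "A", "context_list": []}],
        "screenshots": [{"description": "constructed", "image_id": "img:constructed-0001",
                         "created": "2024-03-02T00:43:57.015Z"}],
    },
    "panel_evidence_dns": {
        "ip_list": [{"entity": "ip:203.0.113.10", "risk_score": 25, "criticality": "Medium",
                     "record_type": "A", "context_list": []},
                    {"entity": "ip:198.51.100.7", "risk_score": 70, "criticality": "High",
                     "record_type": "A", "context_list": []}],
        "mx_list": [{"entity": "idn:mail.examp1e-login.org", "risk_score": 0, "criticality": "None",
                     "record_type": "MX", "context_list": []}],
        "ns_list": [],
    },
    "panel_evidence_whois": {"body": [{
        "provider": "constructed", "entity": "idn:examp1e-login.org", "attribute": "attr:whois",
        "value": {"privateRegistration": True, "status": "clientTransferProhibited",
                  "nameServers": ["idn:ns1.registrar.example"], "registrarName": "Example Registrar, LLC",
                  "createdDate": "2024-03-01T00:00:00.000Z"},
        "added": "2024-03-02T00:22:10.947Z"}]},
    "panel_log": [{"id": "uuid:constructed-0001", "created": "2024-03-02T00:47:27.619Z",
                   "modified": "2024-03-02T00:47:27.619Z", "action_priority": "Informational",
                   "context": {"type": "domain_abuse", "changes": [{
                       "domain": "idn:examp1e-login.org", "type": "whois_change",
                       "new": {"status": "", "private_registration": True,
                               "name_servers": ["idn:ns1.registrar.example"],
                               "contact_email": "email:abuse-contact@example.net",
                               "created": "2024-03-01T00:00:00.000Z"},
                       "removed_contacts": [],
                       "added_contacts": [{"type": "administrativeContact", "name": "REDACTED FOR PRIVACY"}]}]}}],
}


def _bare(entity: str) -> str:
    """Drop the Recorded Future type prefix: 'ip:203.0.113.10' -> '203.0.113.10'."""
    return entity.split(":", 1)[1] if ":" in entity else entity


def risky_records(panels: Dict, min_risk: int = 25) -> List[Dict]:
    """Records from the summary and DNS panels with risk_score >= min_risk,
    de-duplicated by entity (highest score kept), highest risk first."""
    summary = panels.get("panel_evidence_summary") or {}
    dns = panels.get("panel_evidence_dns") or {}
    sources = [summary.get("resolved_record_list") or []]
    sources += [dns.get(k) or [] for k in ("ip_list", "mx_list", "ns_list")]
    best: Dict[str, Dict] = {}
    for rec in (r for src in sources for r in src):
        score = int(rec.get("risk_score") or 0)
        ent = _bare(rec["entity"])
        if score >= min_risk and score > best.get(ent, {}).get("risk_score", -1):
            best[ent] = {"entity": ent, "record_type": rec.get("record_type"),
                         "risk_score": score, "criticality": rec.get("criticality")}
    return sorted(best.values(), key=lambda r: -r["risk_score"])


def whois_changes(panels: Dict) -> List[Dict]:
    """Each whois_change event in panel_log, reduced to the fields an analyst
    compares: contact e-mail, privacy flag, name servers, contact churn."""
    out = []
    for entry in panels.get("panel_log") or []:
        for ch in (entry.get("context") or {}).get("changes") or []:
            if ch.get("type") != "whois_change":
                continue
            new = ch.get("new") or {}
            out.append({"when": entry.get("created"),
                        "private_registration": new.get("private_registration"),
                        "contact_email": _bare(new.get("contact_email") or ""),
                        "name_servers": [_bare(n) for n in new.get("name_servers") or []],
                        "contacts_added": len(ch.get("added_contacts") or []),
                        "contacts_removed": len(ch.get("removed_contacts") or [])})
    return out


def triage(panels: Dict, min_risk: int = 25) -> Dict:
    """Flatten one alert's panels into a triage record. 'escalate' is the
    example's own starting heuristic (risky infrastructure or WHOIS churn)."""
    status = panels.get("panel_status") or {}
    whois: Dict = {}
    for item in (panels.get("panel_evidence_whois") or {}).get("body") or []:
        if item.get("attribute") == "attr:whois":
            whois = item.get("value") or {}
    summary = panels.get("panel_evidence_summary") or {}
    records, changes = risky_records(panels, min_risk), whois_changes(panels)
    return {"playbook_alert_id": panels.get("playbook_alert_id"),
            "domain": status.get("entity_name"), "status": status.get("status"),
            "priority": status.get("priority"),
            "registrar": whois.get("registrarName"), "registered": whois.get("createdDate"),
            "private_registration": whois.get("privateRegistration"),
            "risky_records": records, "whois_changes": changes,
            # image_ids feed the Screenshot Related to Domain Abuse Alert action
            "screenshot_ids": [s["image_id"] for s in summary.get("screenshots") or []],
            "escalate": bool(records) or bool(changes)}


def triage_output(output: Dict, min_risk: int = 25) -> List[Dict]:
    """Accepts either action's output: Bulk returns a 'data' array, Detail one object."""
    if output.get("has_error"):
        raise RuntimeError(f"lookup failed: {output.get('error')}")
    data = output.get("data") or []
    return [triage(p, min_risk) for p in ([data] if isinstance(data, dict) else data)]
```

Every panel is read with `or {}` / `or []` because a panel that was not requested in the Panels input is absent or empty, and the same record can appear in both resolved_record_list and ip_list with different scores, so the record list is keyed by entity and keeps the higher score.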

Screenshot Related to Domain Abuse Alert

Fetch a screenshot associated with the Domain Abuse alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required
Image Id | Jinja-templated text containing the image Id. Example: 'img:404basdf-4f23-438c-a27c-aa675asdfda0' | Required

Output

JSON containing the following items:

{
   "result":{
      "lhub_file_id": "aiuwehoifsubvixcvuhpoaf"
   },
   "error":null,
   "has_error":false
}

Get Incident Reports

Provides an exposure incident report for a single malware log.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Body | Jinja-templated text containing the request body for the Recorded Future API. Example: 'string' | Required

Output

JSON containing the following items:

{
  "count": 0,
  "count_relation": "Equals",
  "has_error": false,
  "error": null,
  "details": {},
  "credentials": []
}

Lookup Password for Exposure

Looks up whether the supplied password hashes appear in Recorded Future's exposure data. Passwords are submitted as hashes (the example uses SHA1), never in plaintext.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Body | Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"passwords": [{"algorithm": "SHA1","hash": "string"}]}' | Required

Output

JSON containing the following items:

{
  "results": [
    {
      "password": {
        "algorithm": "SHA1",
        "hash": "string"
      },
      "exposure_status": "NeverExposed"
    }
  ],
  "error": null,
  "has_error": false
}
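The Body for this action carries a hash, so the playbook step that builds it is where the plaintext must stop. The following Python is an added example, not code from the LogicHub integration or from Recorded Future: it hashes candidate passwords to the SHA1 hex form shown on the page, keeps a local index from digest to a caller-chosen label so the plaintext is never stored alongside the request, and maps the results back. fake_lookup is a constructed stand-in for the action so the example runs offline; its 'Exposed' status is an assumption, since the page documents only 'NeverExposed', and the code treats every status other than 'NeverExposed' as a hit.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple


def build_password_lookup_body(candidates: Dict[str, str]) -> Tuple[Dict, Dict[str, str]]:
    """Build the action's Body from {label: plaintext}.

    Only the SHA1 hex digest of each UTF-8 password goes into the body, in the
    '{"passwords": [{"algorithm": "SHA1", "hash": ...}]}' shape on the page.
    The plaintext never leaves this function; the returned index maps each
    digest back to the caller's label (an account or host name, never the
    password itself).
    """
    index: Dict[str, str] = {}
    passwords: List[Dict[str, str]] = []
    for label, plaintext in candidates.items():
        digest = hashlib.sha1(plaintext.encode("utf-8")).hexdigest()
        if digest in index:
            continue  # one request entry per distinct password
        index[digest] = label
        passwords.append({"algorithm": "SHA1", "hash": digest})
    return {"passwords": passwords}, index


def exposed_labels(response: Dict, index: Dict[str, str]) -> List[str]:
    """Labels whose password the lookup reports as exposed.

    Anything other than 'NeverExposed' (the only status the page shows) is
    treated as exposed, so an unknown status fails safe. Hashes are compared
    case-insensitively in case the service echoes upper-case hex.
    """
    if response.get("has_error"):
        raise RuntimeError(f"password lookup failed: {response.get('error')}")
    hits: List[str] = []
    for result in response.get("results") or []:
        digest = ((result.get("password") or {}).get("hash") or "").lower()
        if result.get("exposure_status") != "NeverExposed":
            hits.append(index.get(digest, digest))
    return hits


def fake_lookup(body: Dict, exposed: Iterable[str]) -> Dict:
    """Offline stand-in for the action (constructed, not the real service).

    Every hash listed in `exposed` is returned with the assumed status
    'Exposed'; everything else with the documented 'NeverExposed'.
    """
    known = {h.lower() for h in exposed}
    return {"results": [{"password": p,
                         "exposure_status": "Exposed" if p["hash"] in known else "NeverExposed"}
                        for p in body["passwords"]],
            "error": None, "has_error": False}


if __name__ == "__main__":
    body, index = build_password_lookup_body({"svc-backup": "password",
                                              "svc-deploy": "kX9#v2Lq!pR7wZ4m"})
    # SHA1("password") is a well-known digest; pretend the service has it on file.
    resp = fake_lookup(body, ["5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"])
    print(exposed_labels(resp, index))  # ['svc-backup']
```

An unsalted SHA1 of a weak password is reversible with a lookup table, so the request body and any playbook step that logs it should be treated as sensitive, and the digest-to-label index should hold account or host names rather than the passwords they were derived from.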

Search Credentials Data

Search credentials data for a set of domains.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Body | Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"limit": 3}' | Optional

Output

JSON containing the following items:

{
  "identities": [],
  "count": 0,
  "error": null,
  "has_error": false
}

Malware Family Statistics

Returns malware family statistics.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Body | Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"limit": 1}' | Required

Output

JSON containing the following items:

{
  "malware_families": [
    "ABC",
    "XYZ",
    "QWE"
  ],
  "error": null,
  "has_error": false
}

Lookup Credentials Data

Lookup credentials data for a set of subjects.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Body | Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"subjects": ["[email protected]"]}' | Required

Output

JSON containing the following items:

{
  "identities": [],
  "count": 0,
  "error": null,
  "has_error": false
}

Search Dump Metadata

Search dump metadata for given names.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Body | Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"names": ["string"],"limit": 0}' | Required

Output

JSON containing the following items:

{
  "dumps": [],
  "error": null,
  "has_error": false
}

Release Notes

  • v1.1.9 - Added Pagination support in Search Credentials Data action.
  • v1.1.2 - Added 6 new actions: Get Incident Reports, Lookup Password for Exposure, Search Credentials Data, Malware Family Statistics, Lookup Credentials Data and Search Dump Metadata.
  • v1.0.1 - Added 4 new actions: Search Playbook Alert, Bulk Domain Abuse Alert Lookup, Detail Domain Abuse Alert Data and Screenshot Related to Domain Abuse Alert.

© 2017-2021 LogicHub®. All Rights Reserved.