Recorded Future

Version: 1.2.2

Recorded Future is the world's largest intelligence company with complete coverage across adversaries, infrastructure, and targets.

Connect Recorded Future with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Recorded Future.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
    • X-RFToken: X-RFToken for the Recorded Future API.
  4. After you've entered all the details, click Connect.

Search Playbook Alert

Searches for Playbook Alerts based on filtering conditions supplied in the body. Not specifying a filter for a property means the filter will match a Playbook Alert regardless of the property's value. Only Playbook Alerts matching all specified criteria are included in the response.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Filters (Optional): Jinja-templated JSON containing the filters. Example: '{"from": 0,"limit": 100,"order_by": "created","direction": "asc","entity": ["idn:mail.google.mail.pl"],"statuses": ["New"]}'

Output

JSON containing the following items:

{
   "data":[
      {
         "playbook_alert_id":"task:dasdf-768c-asdf-9c50-1asdfe725",
         "created":"2022-06-18T15:53:17.000Z",
         "updated":"2022-06-18T16:10:00.316Z",
         "status":"New",
         "category":"domain_abuse",
         "priority":"Informational",
         "title":"XYZ",
         "owner_id":"ABC",
         "owner_name":"CNNAME",
         "organisation_id":"uhash:asdf",
         "organisation_name":"CNANAME",
         "owner_organisation_details":{
            "organisations":[
               {
                  "organisation_id":"uhash:6asdf",
                  "organisation_name":"CNANAME"
               }
            ],
            "enterprise_id":"uhash:random_id",
            "enterprise_name":"random name"
         }
      }
   ],
   "has_error":false,
   "error":null,
   "status":{
      "status_code":"Ok",
      "status_message":"Playbook alert search successful"
   },
   "counts":{
      "returned":1,
      "total":1
   }
}

Bulk Domain Abuse Alert Lookup

Perform a detailed lookup of data panels for several alerts at once.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Playbook Alert Ids (Required): Jinja-templated text containing the comma-separated playbook alert IDs. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71'
  • Panels (Optional): Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log'

Output

JSON containing the following items:

{
   "status":{
      "status_code":"Ok",
      "status_message":"Playbook alert bulk lookup successful."
   },
   "data":[
      {
         "playbook_alert_id":"task:asdf-0asdff228",
         "panel_status":{
            "entity_id":"idn:asdf.org",
            "entity_name":"asdf.org",
            "entity_criticality":"0",
            "risk_score":0,
            "context_list":[
            ],
            "targets":[
               
            ],
            "status":"New",
            "priority":"Informational",
            "created":"2022-06-02T00:40:45.993Z",
            "updated":"2023-01-20T00:22:11.114Z",
            "case_rule_id":"report:asdfE",
            "case_rule_label":"Domain Abuse",
            "owner_id":"uhash:asdf",
            "owner_name":"qwer",
            "organisation_id":"uhash:asdf",
            "organisation_name":"qwer",
            "owner_organisation_details":{
               "organisations":[
                  {
                     "organisation_id":"uhash:6asdf",
                     "organisation_name":"qwer"
                  }
               ],
               "enterprise_id":"uhash:asdf",
               "enterprise_name":"qwer"
            }
         },
         "panel_action":[
            
         ],
         "panel_evidence_summary":{
            "explanation":"Alert was created as a result of a match in the similar domains query",
            "resolved_record_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":26,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                  ]
               }
            ],
            "screenshots":[
               {
                  "description":"An image associated with the Playbook Alert",
                  "image_id":"img:asdf86772easdf2c1c",
                  "created":"2022-08-01T00:43:57.015Z"
               }
            ]
         },
         "panel_evidence_dns":{
            "ip_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":25,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                     
                  ]
               }
            ],
            "mx_list":[
            ],
            "ns_list":[
            ]
         },
         "panel_evidence_whois":{
            "body":[
               {
                  "provider":"asdf",
                  "entity":"idn:asdf.org",
                  "attribute":"attr:whois",
                  "value":{
                     "privateRegistration":false,
                     "status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
                     "nameServers":[
                        "idn:asdf.com"
                     ],
                     "registrarName":"asdf, LLC",
                     "createdDate":"2021-01-20T00:00:00.000Z"
                  },
                  "added":"2023-01-20T00:22:10.947Z"
               }
            ]
         },
         "panel_log":[
            {
               "id":"uuid:asdfdcc3-4236-9f04asdf74b",
               "created":"2022-06-02T00:47:27.619Z",
               "modified":"2022-06-02T00:47:27.619Z",
               "action_priority":"Informational",
               "context":{
                  "type":"domain_abuse",
                  "changes":[
                     {
                        "domain":"idn:asdf.org",
                        "new":{
                           "status":"",
                           "private_registration":true,
                           "name_servers":[
                              "idn:asdf.com"
                           ],
                           "contact_email":"email:[email protected]",
                           "created":"2021-01-20T00:00:00.000Z"
                        },
                        "removed_contacts":[
                           
                        ],
                        "added_contacts":[
                           {
                              "type":"administrativeContact",
                              "telephone":"REDACTED FOR PRIVACY",
                              "street1":"REDACTED FOR PRIVACY",
                              "state":"REDACTED FOR PRIVACY",
                              "postal_code":"REDACTED FOR PRIVACY",
                              "organization":"REDACTED FOR PRIVACY",
                              "name":"REDACTED FOR PRIVACY",
                              "country":"REDACTED FOR PRIVACY",
                              "city":"REDACTED FOR PRIVACY"
                           }
                        ],
                        "type":"whois_change"
                     }
                  ]
               }
            }
         ]
      }
   ],
   "error":null,
   "has_error":false
}

Detail Domain Abuse Alert Data

Retrieve detailed information about a Domain Abuse Playbook Alert with data grouped into UI-ready panels.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Playbook Alert Id (Required): Jinja-templated text containing the playbook alert ID. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532'
  • Panels (Optional): Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log'

Output

JSON containing the following items:

{
   "status":{
      "status_code":"Ok",
      "status_message":"Playbook alert single lookup successful."
   },
   "data":{
         "playbook_alert_id":"task:asdf-0asdff228",
         "panel_status":{
            "entity_id":"idn:asdf.org",
            "entity_name":"asdf.org",
            "entity_criticality":"0",
            "risk_score":0,
            "context_list":[
            ],
            "targets":[
               
            ],
            "status":"New",
            "priority":"Informational",
            "created":"2022-06-02T00:40:45.993Z",
            "updated":"2023-01-20T00:22:11.114Z",
            "case_rule_id":"report:asdfE",
            "case_rule_label":"Domain Abuse",
            "owner_id":"uhash:asdf",
            "owner_name":"qwer",
            "organisation_id":"uhash:asdf",
            "organisation_name":"qwer",
            "owner_organisation_details":{
               "organisations":[
                  {
                     "organisation_id":"uhash:6asdf",
                     "organisation_name":"qwer"
                  }
               ],
               "enterprise_id":"uhash:asdf",
               "enterprise_name":"qwer"
            }
         },
         "panel_action":[
            
         ],
         "panel_evidence_summary":{
            "explanation":"Alert was created as a result of a match in the similar domains query",
            "resolved_record_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":26,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                  ]
               }
            ],
            "screenshots":[
               {
                  "description":"An image associated with the Playbook Alert",
                  "image_id":"img:asdf86772easdf2c1c",
                  "created":"2022-08-01T00:43:57.015Z"
               }
            ]
         },
         "panel_evidence_dns":{
            "ip_list":[
               {
                  "entity":"ip:1.1.1.1",
                  "risk_score":25,
                  "criticality":"Medium",
                  "record_type":"A",
                  "context_list":[
                     
                  ]
               }
            ],
            "mx_list":[
            ],
            "ns_list":[
            ]
         },
         "panel_evidence_whois":{
            "body":[
               {
                  "provider":"asdf",
                  "entity":"idn:asdf.org",
                  "attribute":"attr:whois",
                  "value":{
                     "privateRegistration":false,
                     "status":"clientDeleteProhibited clientRenewProhibited clientTransferProhibited clientUpdateProhibited",
                     "nameServers":[
                        "idn:asdf.com"
                     ],
                     "registrarName":"asdf, LLC",
                     "createdDate":"2021-01-20T00:00:00.000Z"
                  },
                  "added":"2023-01-20T00:22:10.947Z"
               }
            ]
         },
         "panel_log":[
            {
               "id":"uuid:asdfdcc3-4236-9f04asdf74b",
               "created":"2022-06-02T00:47:27.619Z",
               "modified":"2022-06-02T00:47:27.619Z",
               "action_priority":"Informational",
               "context":{
                  "type":"domain_abuse",
                  "changes":[
                     {
                        "domain":"idn:asdf.org",
                        "new":{
                           "status":"",
                           "private_registration":true,
                           "name_servers":[
                              "idn:asdf.com"
                           ],
                           "contact_email":"email:[email protected]",
                           "created":"2021-01-20T00:00:00.000Z"
                        },
                        "removed_contacts":[
                           
                        ],
                        "added_contacts":[
                           {
                              "type":"administrativeContact",
                              "telephone":"REDACTED FOR PRIVACY",
                              "street1":"REDACTED FOR PRIVACY",
                              "state":"REDACTED FOR PRIVACY",
                              "postal_code":"REDACTED FOR PRIVACY",
                              "organization":"REDACTED FOR PRIVACY",
                              "name":"REDACTED FOR PRIVACY",
                              "country":"REDACTED FOR PRIVACY",
                              "city":"REDACTED FOR PRIVACY"
                           }
                        ],
                        "type":"whois_change"
                     }
                  ]
               }
            }
         ]
      },
   "error":null,
   "has_error":false
}
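The bulk and single Domain Abuse lookups above return the same panels, differing only in whether "data" is a list or one object. The following added example (not part of the integration or the page) flattens those panels into one triage record per alert; every panel is treated as optional because the Panels input can omit any of them, and the sample response is constructed to match the shapes shown above.

```python
import json
from typing import Any

# Constructed sample shaped like the Bulk Domain Abuse Alert Lookup output on this page.
# Identifiers and hostnames are placeholders, not real alerts.
SAMPLE_RESPONSE: dict[str, Any] = json.loads("""
{
  "status": {"status_code": "Ok", "status_message": "Playbook alert bulk lookup successful."},
  "data": [{
    "playbook_alert_id": "task:example-0001",
    "panel_status": {"entity_id": "idn:example-lookalike.org", "entity_name": "example-lookalike.org",
                     "status": "New", "priority": "Informational", "case_rule_label": "Domain Abuse"},
    "panel_evidence_dns": {
      "ip_list": [{"entity": "ip:192.0.2.10", "risk_score": 25, "criticality": "Medium", "record_type": "A"},
                  {"entity": "ip:192.0.2.11", "risk_score": 70, "criticality": "High", "record_type": "A"}],
      "mx_list": [{"entity": "idn:mail.example-lookalike.org", "risk_score": 0, "record_type": "MX"}],
      "ns_list": []
    },
    "panel_evidence_whois": {"body": [{"provider": "example-provider", "entity": "idn:example-lookalike.org",
      "attribute": "attr:whois", "value": {"privateRegistration": false, "nameServers": ["idn:ns1.example-dns.com"],
      "registrarName": "Example Registrar, LLC", "createdDate": "2021-01-20T00:00:00.000Z"}}]},
    "panel_log": [{"id": "uuid:example-log-1", "created": "2022-06-02T00:47:27.619Z",
      "context": {"type": "domain_abuse", "changes": [{"domain": "idn:example-lookalike.org", "type": "whois_change",
        "new": {"private_registration": true, "name_servers": ["idn:ns2.example-dns.com"]},
        "added_contacts": [{"type": "administrativeContact", "name": "REDACTED FOR PRIVACY"}],
        "removed_contacts": []}]}}]
  }],
  "error": null,
  "has_error": false
}
""")


def _alerts(response: dict[str, Any]) -> list[dict[str, Any]]:
    """The bulk lookup returns "data" as a list; the single-alert lookup returns one object."""
    data = response.get("data")
    if not data:
        return []
    return data if isinstance(data, list) else [data]


def summarize_domain_abuse(response: dict[str, Any], min_ip_risk: int = 25) -> list[dict[str, Any]]:
    """Flatten the UI panels of each Domain Abuse alert into one triage record.

    Panels are optional in the request, so every panel is treated as possibly absent
    and a missing panel yields empty fields rather than a KeyError.
    """
    if response.get("has_error"):
        raise RuntimeError(f"lookup failed: {response.get('error')}")
    records: list[dict[str, Any]] = []
    for alert in _alerts(response):
        status = alert.get("panel_status") or {}
        dns = alert.get("panel_evidence_dns") or {}
        # Addresses the lookalike domain resolves to, kept when the score on the IP itself is high enough.
        risky_ips = sorted(
            ((rec["entity"].removeprefix("ip:"), int(rec.get("risk_score", 0)))
             for rec in dns.get("ip_list", []) if int(rec.get("risk_score", 0)) >= min_ip_risk),
            key=lambda pair: -pair[1],
        )
        # Current WHOIS snapshot, if the whois panel was requested.
        whois: dict[str, Any] = {}
        for entry in (alert.get("panel_evidence_whois") or {}).get("body", []):
            if entry.get("attribute") == "attr:whois":
                whois = entry.get("value") or {}
                break
        # WHOIS changes recorded in the alert log; a registration turning private after the
        # alert was raised hides the registrant and is worth surfacing to the analyst.
        whois_changes = 0
        went_private = False
        for log in alert.get("panel_log") or []:
            for change in (log.get("context") or {}).get("changes", []):
                if change.get("type") == "whois_change":
                    whois_changes += 1
                    went_private |= bool((change.get("new") or {}).get("private_registration"))
        records.append({
            "alert_id": alert.get("playbook_alert_id"),
            "domain": status.get("entity_name"),
            "status": status.get("status"),
            "priority": status.get("priority"),
            "risky_ips": risky_ips,
            "has_mx": bool(dns.get("mx_list")),
            "registrar": whois.get("registrarName"),
            "name_servers": [ns.removeprefix("idn:") for ns in whois.get("nameServers", [])],
            "whois_changes": whois_changes,
            "went_private": went_private,
        })
    return records


if __name__ == "__main__":
    for rec in summarize_domain_abuse(SAMPLE_RESPONSE):
        print(json.dumps(rec, indent=2))
```

A domain with an MX record and a resolving address that carries its own risk score is the case that usually justifies a block on the mail gateway, so those two fields are what the record leads with.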

Screenshot Related to Domain Abuse Alert

Fetch a screenshot associated with the Domain Abuse alert.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Playbook Alert Id (Required): Jinja-templated text containing the playbook alert ID. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532'
  • Image Id (Required): Jinja-templated text containing the image ID. Example: 'img:404basdf-4f23-438c-a27c-aa675asdfda0'

Output

JSON containing the following items:

{
   "result":{
     "lhub_file_id": "aiuwehoifsubvixcvuhpoaf"
   },
   "error":null,
   "has_error":false
}

Get Incident Reports

Provides an exposure incident report for a single malware log.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Body (Required): Jinja-templated text containing the request body for the Recorded Future API. Example: 'string'

Output

JSON containing the following items:

{
  "count": 0,
  "count_relation": "Equals",
  "has_error": false,
  "error": null,
  "details": {},
  "credentials": []
}

Lookup Password for Exposure

Look up whether a password has been exposed.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Body (Required): Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"passwords": [{"algorithm": "SHA1","hash": "string"}]}'

Output

JSON containing the following items:

{
  "results": [
    {
      "password": {
        "algorithm": "SHA1",
        "hash": "string"
      },
      "exposure_status": "NeverExposed"
    }
  ],
  "error": null,
  "has_error": false
}
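The body above carries only an algorithm and a hash, so the cleartext password never has to leave the host that runs the playbook. This added example (not code from the page or the integration) hashes labelled secrets locally, builds that body, and maps the returned exposure_status values back to the labels; it assumes the hash is sent as a lowercase hex digest, and the "Exposed" status in the constructed response is a placeholder, since "NeverExposed" is the only value the page shows.

```python
import hashlib
from collections.abc import Mapping

NEVER_EXPOSED = "NeverExposed"  # the only exposure_status value shown on this page


def build_body(secrets: Mapping[str, str], algorithm: str = "SHA1") -> tuple[dict, dict[str, list[str]]]:
    """Hash each labelled secret locally and return (action body, digest -> labels index).

    Only digests are placed in the body, so cleartext never leaves the host; the index
    maps results back to labels (account names, vault paths) without retaining the cleartext.
    Assumption: the "hash" field carries a lowercase hex digest (the page shows only "string").
    """
    algo = algorithm.lower()
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    index: dict[str, list[str]] = {}
    for label, secret in secrets.items():
        digest = hashlib.new(algo, secret.encode("utf-8")).hexdigest()
        index.setdefault(digest, []).append(label)  # two accounts may share one password
    body = {"passwords": [{"algorithm": algorithm, "hash": digest} for digest in index]}
    return body, index


def interpret(response: dict, index: Mapping[str, list[str]]) -> dict[str, str]:
    """Map each label to its exposure_status.

    Digests the API did not echo back are marked "NoResult" (a constructed marker) rather
    than silently treated as never exposed.
    """
    if response.get("has_error"):
        raise RuntimeError(f"lookup failed: {response.get('error')}")
    verdicts: dict[str, str] = {}
    for item in response.get("results", []):
        digest = str(item.get("password", {}).get("hash", "")).lower()
        for label in index.get(digest, []):
            verdicts[label] = item.get("exposure_status", "Unknown")
    for labels in index.values():
        for label in labels:
            verdicts.setdefault(label, "NoResult")
    return verdicts


def needs_rotation(verdicts: Mapping[str, str]) -> list[str]:
    """Anything other than NeverExposed, including a missing result, is worth acting on."""
    return sorted(label for label, status in verdicts.items() if status != NEVER_EXPOSED)


def constructed_response(body: dict, exposed: set[str]) -> dict:
    """Build a response in the shape shown on this page (a constructed stand-in for the action).

    "Exposed" is a placeholder status for this example, not a value documented on the page.
    """
    return {
        "results": [
            {"password": p, "exposure_status": "Exposed" if p["hash"] in exposed else NEVER_EXPOSED}
            for p in body["passwords"]
        ],
        "error": None,
        "has_error": False,
    }


if __name__ == "__main__":
    # Constructed sample secrets; the values are placeholders, not real credentials.
    body, index = build_body({"svc-ldap": "Winter2024!", "svc-backup": "Winter2024!",
                              "api-gw": "correct horse battery staple"})
    resp = constructed_response(body, exposed={body["passwords"][0]["hash"]})
    print(needs_rotation(interpret(resp, index)))  # ['svc-backup', 'svc-ldap']
```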

Search Credentials Data

Search credentials data for a set of domains.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Body (Optional): Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"limit": 3}'

Output

JSON containing the following items:

{
  "identities": [],
  "count": 0,
  "error": null,
  "has_error": false
}

Malware Family Statistics

Returns malware family statistics.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Body (Required): Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"limit": 1}'

Output

JSON containing the following items:

{
  "malware_families": [
    "ABC",
    "XYZ",
    "QWE"
  ],
  "error": null,
  "has_error": false
}

Lookup Credentials Data

Lookup credentials data for a set of subjects.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Body (Required): Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"subjects": ["[email protected]"]}'

Output

JSON containing the following items:

{
  "identities": [],
  "count": 0,
  "error": null,
  "has_error": false
}

Search Dump Metadata

Search dump metadata for given names.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Body (Required): Jinja-templated JSON containing the request body for the Recorded Future API. Example: '{"names": ["string"],"limit": 0}'

Output

JSON containing the following items:

{
  "dumps": [],
  "error": null,
  "has_error": false
}

Search IP

Search for IP addresses using a variety of filters.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Filter (Required): Jinja-templated JSON containing the filters for the Recorded Future IP Search API (see https://api.recordedfuture.com/v2/#!/IP/IP_Address_Search). Example: '{"fields": "analystNotes,counts,intelCard", "metadata": "true", "limit": 10}'

Output

JSON containing the following items:

{
  "data":{
    "results":[
      {
        "counts":[{"date":"2023-11-27","count":3}],
        "intelCard":"https://app.recordedfuture.com/live/sc/entity/ip%3A20.81.157.149",
        "analystNotes":[]
      }
    ],
    "metadata":{
      "entries":{
        "key":"results",
        "label":"Results",
        "type":"list"
      }
    }
  },
  "has_error":false,
  "error":null
}

Search URL

Search for URLs using a variety of filters.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Filter (Required): Jinja-templated JSON containing the filters for the Recorded Future URL Search API (see https://api.recordedfuture.com/v2/#!/URL/URL_Search). Example: '{"freetext": "text", "fields": "analystNotes,counts,intelCard", "metadata": "true", "limit": 10}'

Output

JSON containing the following items:

{
  "data":{
    "results":[
      {
        "counts":[{
          "date":"2023-11-27",
          "count":3
        }],
        "attributes":{
          "validated_on":"2018-10-15T16:00:00.000Z"
        },
        "source":{
          "id":"source:VKz42X",
          "name":"Test Group",
          "type" ...
        },
        "id":"XygRjY"
      }
    ],
    "metadata":{
      "entries":{
        "key":"results",
        "label":"Results",
        "type":"list"
      }
    }
  },
  "has_error":false,
  "error":null
}

Search Hash

Search for hashes using a variety of filters.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Filter (Required): Jinja-templated JSON containing the filters for the Recorded Future Hash Search API (see https://api.recordedfuture.com/v2/#!/Hash/Hash_Search). Example: '{"fields": "analystNotes,counts,intelCard", "metadata": "true", "limit": 10}'

Output

JSON containing the following items:

{
  "data":{
    "results":[
      {
        "counts":[{
          "date":"2023-11-27",
          "count":3
        }],
        "intelCard":"https://app.recordedfuture.com/live/sc/entity/hash%3A1a927e5be8c58da1fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd",
        "analystNotes":[]
      }
    ],
    "metadata":{
      "entries":{
        "key":"results",
        "label":"Results",
        "type":"list"
      }
    }
  },
  "has_error":false,
  "error":null
}

Check IP

Retrieve information about an IP address.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • IP Address (Required): Jinja-templated text containing the IP address.
  • Filter (Required): Jinja-templated query filters for the Recorded Future IP search API. Example: 'fields=risk&metadata=false&taggedText=false'

Output

JSON containing the following items:

{
  "data":{
    "results":{
      "risk":{
        "criticalityLabel": "Unusual",
        "riskString": "1/71",
        "rules":1,
        "criticality":1,
        "riskSummary":"1 of 71 Risk Rules currently observed.",
        "score":5
      }
    }
  },
  "has_error":false,
  "error":null
}

Check Hash

Retrieve information about a Hash.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Hash (Required): Jinja-templated text containing the hash.
  • Filter (Required): Jinja-templated query filters for the Recorded Future hash search API. Example: 'fields=risk&metadata=false&taggedText=false'

Output

JSON containing the following items:

{
  "data":{
    "results":{
      "risk":{
        "criticalityLabel": "Malicious",
        "riskString": "1/71",
        "rules":1,
        "criticality":1,
        "riskSummary":"1 of 71 Risk Rules currently observed.",
        "score":5
      }
    }
  },
  "has_error":false,
  "error":null
}

Check Domain

Retrieve information about a Domain.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Domain (Required): Jinja-templated text containing the domain.
  • Filter (Required): Jinja-templated query filters for the Recorded Future domain search API. Example: 'fields=risk&metadata=false&taggedText=false'

Output

JSON containing the following items:

{
  "data":{
    "results":{
      "traceId":"624b58c3-32bf-47e7-94e8-cf7f40df5e"
    }
  },
  "has_error":false,
  "error":null
}

Check URL

Retrieve information about a URL.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • URL (Required): Jinja-templated text containing the URL.
  • Filter (Required): Jinja-templated query filters for the Recorded Future URL search API. Example: 'fields=risk&metadata=false&taggedText=false'

Output

JSON containing the following items:

{
  "data":{
    "results":{
      "traceId":"624b58c3-32bf-47e7-94e8-cf7f40df5e"
    }
  },
  "has_error":false,
  "error":null
}
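The four Check actions above share one response shape, but only the IP and Hash samples carry a "risk" object; the Domain and URL samples return just a traceId. This added example (not part of the page or the integration) turns one Check response into a triage verdict, cross-checks riskString against rules, and reports a response without a risk object as missing data rather than as a clean result; the score thresholds are an assumption for the example, and the sample responses are constructed.

```python
import re
from typing import Any

# Constructed responses shaped like the Check IP/Check Hash and Check Domain/Check URL
# outputs on this page; the identifiers are placeholders.
CHECK_IP_RESPONSE: dict[str, Any] = {
    "data": {"results": {"risk": {
        "criticalityLabel": "Unusual", "riskString": "1/71", "rules": 1, "criticality": 1,
        "riskSummary": "1 of 71 Risk Rules currently observed.", "score": 5}}},
    "has_error": False, "error": None,
}
CHECK_DOMAIN_RESPONSE: dict[str, Any] = {
    "data": {"results": {"traceId": "00000000-0000-4000-8000-000000000000"}},
    "has_error": False, "error": None,
}

_RISK_STRING = re.compile(r"^(\d+)/(\d+)$")

# Score bands are an assumption made for this example; align them with your own policy.
BLOCK_AT = 65
REVIEW_AT = 25


def risk_verdict(response: dict[str, Any]) -> dict[str, Any]:
    """Turn one Check IP/Hash/Domain/URL response into a triage verdict.

    A response without a "risk" object is reported as no_risk_data, never as clean: the
    usual cause is a Filter that did not request fields=risk, not a benign entity.
    """
    if response.get("has_error"):
        raise RuntimeError(f"lookup failed: {response.get('error')}")
    results = (response.get("data") or {}).get("results") or {}
    risk = results.get("risk")
    if not risk:
        return {"verdict": "no_risk_data", "trace_id": results.get("traceId")}

    score = int(risk.get("score", 0))
    # riskString is "<triggered>/<total rules>"; cross-check it against the "rules" count.
    match = _RISK_STRING.match(str(risk.get("riskString", "")))
    triggered = int(match.group(1)) if match else int(risk.get("rules", 0))
    total = int(match.group(2)) if match else None
    consistent = match is None or triggered == int(risk.get("rules", triggered))

    if score >= BLOCK_AT:
        verdict = "block"
    elif score >= REVIEW_AT:
        verdict = "review"
    elif score > 0:
        verdict = "monitor"
    else:
        verdict = "no_risk"
    return {
        "verdict": verdict,
        "score": score,
        "label": risk.get("criticalityLabel"),
        "triggered_rules": triggered,
        "total_rules": total,
        "consistent": consistent,
    }


if __name__ == "__main__":
    print(risk_verdict(CHECK_IP_RESPONSE))
    print(risk_verdict(CHECK_DOMAIN_RESPONSE))
```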

Identity Novel Exposures Bulk

Perform a detailed lookup of data panels for several Identity Novel Exposures alerts at once.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Playbook Alert Ids (Required): Jinja-templated text containing the comma-separated playbook alert IDs. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71'
  • Panels (Optional): Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log'

Output

JSON containing the following items:

{
  "status": {
    "status_code": "Ok",
    "status_message": "Playbook alert single lookup successful."
  },
  "data": [
    {
      "playbook_alert_id": "task:fc441-b017-42a6-b8a4-0adad126541c",
      "panel_status": {
        "status": "New",
        "priority": "Moderate",
        "created": "2023-10-04T07:10:45.461Z",
        "updated": "2023-10-04T07:11:25.705Z",
        "case_rule_id": "report:p6nvD-",
        "case_rule_label": "Cyber Vulnerability",
        "owner_id": "uhash:09876",
        "owner_name": "TEST",
        "organisation_id": "uhash:test",
        "organisation_name": "TEST",
        "owner_organisation_details": {
          "organisations": [
            {
              "organisation_id": "uhash:test",
              "organisation_name": "TEST"
            }
          ],
          "enterprise_id": "uhash:test",
          "enterprise_name": "TEST"
        },
        "entity_id": "rzl3",
        "entity_name": "CVE3-35359",
        "entity_criticality": "Medium",
        "risk_score": 33,
        "lifecycle_stage": "Exploit Likely",
        "targets": [
          {
            "name": "Microsoft Windows Server 2019"
          }
        ]
      },
      "panel_evidence_summary": {
        "summary": {
          "targets": [
            {
              "name": "Microsoft Windows Server 2019"
            }
          ],
          "lifecycle_stage": "Exploit Likely",
          "risk_rules": [
            {
              "rule": "Likely Historical Exploit Development",
              "description": "1 sighting on 1 source: CTCI Intelligence and Research. This vulnerability is flagged as likely to be exploited soon based on intelligence received on October 04, 2023."
            }
          ]
        },
        "affected_products": [
          {
            "name": "Microsoft Windows 10 1607 10.0.14393.4169 on X86"
          }
        ],
        "insikt_notes": [
          {
            "id": "doc:tE6hDp",
            "title": "Summary note for CVE-2023-35359",
            "published": "2023-10-20T21:05:53.378Z",
            "topic": "Informational",
            "fragment": "Core impact has added this exploit to their toolset. Several criminal groups use pirated copies of the software. The intelligence was collected from publicly available sources. Naa. A public PoC was validated for this vulnerability. The Admiralty score was A1."
          }
        ]
      },
      "panel_log": [
        {
          "id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
          "created": "2023-10-04T07:11:25.705Z",
          "modified": "2023-10-04T07:11:25.705Z",
          "action_priority": "Moderate",
          "context": {
            "type": "cyber_vulnerability",
            "changes": []
          }
        }
      ],
      "panel_log_v2": [
        {
          "id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
          "created": "2023-10-04T07:11:25.705Z",
          "changes": []
        }
      ]
    }
  ],
  "has_error": false,
  "error": null
}

Identity Novel Exposures

Retrieve detailed information about an Identity Novel Exposures Playbook Alert with data grouped into UI-ready panels.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Playbook Alert Id (Required): Jinja-templated text containing the playbook alert ID. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532'
  • Panels (Optional): Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log'

Output

JSON containing the following items:

{
  "status": {
    "status_code": "Ok",
    "status_message": "Playbook alert single lookup successful."
  },
  "data": {
    "playbook_alert_id": "task:fc441-b017-42a6-b8a4-0adad126541c",
    "panel_status": {
      "status": "New",
      "priority": "Moderate",
      "created": "2023-10-04T07:10:45.461Z",
      "updated": "2023-10-04T07:11:25.705Z",
      "case_rule_id": "report:p6nvD-",
      "case_rule_label": "Cyber Vulnerability",
      "owner_id": "uhash:09876",
      "owner_name": "TEST",
      "organisation_id": "uhash:test",
      "organisation_name": "TEST",
      "owner_organisation_details": {
        "organisations": [
          {
            "organisation_id": "uhash:test",
            "organisation_name": "TEST"
          }
        ],
        "enterprise_id": "uhash:test",
        "enterprise_name": "TEST"
      },
      "entity_id": "rzl3",
      "entity_name": "CVE3-35359",
      "entity_criticality": "Medium",
      "risk_score": 33,
      "lifecycle_stage": "Exploit Likely",
      "targets": [
        {
          "name": "Microsoft Windows Server 2019"
        }
      ]
    },
    "panel_evidence_summary": {
      "summary": {
        "targets": [
          {
            "name": "Microsoft Windows Server 2019"
          }
        ],
        "lifecycle_stage": "Exploit Likely",
        "risk_rules": [
          {
            "rule": "Likely Historical Exploit Development",
            "description": "1 sighting on 1 source: CTCI Intelligence and Research. This vulnerability is flagged as likely to be exploited soon based on intelligence received on October 04, 2023."
          }
        ]
      },
      "affected_products": [
        {
          "name": "Microsoft Windows 10 1607 10.0.14393.4169 on X86"
        }
      ],
      "insikt_notes": [
        {
          "id": "doc:tE6hDp",
          "title": "Summary note for CVE-2023-35359",
          "published": "2023-10-20T21:05:53.378Z",
          "topic": "Informational",
          "fragment": "Core impact has added this exploit to their toolset. Several criminal groups use pirated copies of the software. The intelligence was collected from publicly available sources. Naa. A public PoC was validated for this vulnerability. The Admiralty score was A1."
        }
      ]
    },
    "panel_log": [
      {
        "id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
        "created": "2023-10-04T07:11:25.705Z",
        "modified": "2023-10-04T07:11:25.705Z",
        "action_priority": "Moderate",
        "context": {
          "type": "cyber_vulnerability",
          "changes": []
        }
      }
    ],
    "panel_log_v2": [
      {
        "id": "uuid:32b9c166-ff6d-49b2-90cd-ae4bdacbc360",
        "created": "2023-10-04T07:11:25.705Z",
        "changes": []
      }
    ]
  },
  "has_error": false,
  "error": null
}

Code Repo Leakage Bulk

Perform a detailed lookup of data panels for several code repository leakage alerts at once.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

  • Playbook Alert Ids (Required): Jinja-templated text containing the comma-separated playbook alert IDs. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71'
  • Panels (Optional): Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log'

Output

JSON containing the following items:

{
  "status": {
    "status_code": "Ok",
    "status_message": "Playbook alert bulk lookup successful."
  },
  "data": {
      "playbook_alert_id": "task:cf201020-16e0-4b3b-a421-8afeaac12d43",
      "panel_status": {
        "status": "New",
        "priority": "Moderate",
        "assignee_name": "Name",
        "assignee_id": "uhash:id",
        "created": "2024-01-15T23:40:14.778Z",
        "updated": "2024-01-15T23:42:48.231Z",
        "case_rule_id": "report:id",
        "case_rule_label": "Data Leakage on Code Repository",
        "owner_id": "uhash:id",
        "owner_name": "Name",
        "organisation_id": "uhash:id",
        "organisation_name": "Name",
        "owner_organisation_details": {
          "organisations": [
            {
              "organisation_id": "uhash:id",
              "organisation_name": "Name"
            }
          ],
          "enterprise_id": "uhash:id",
          "enterprise_name": "Name"
        },
        "entity_id": "url:https://github.com/SueMcMetzger/MachineLearning",
        "entity_name": "https://github.com/SueMcMetzger/MachineLearning",
        "entity_criticality": "",
        "risk_score": 0,
        "targets": [
          {
            "name": "Name Inc"
          }
        ]
      },
      "panel_evidence_summary": {
        "repository": {
          "id": "url:https://github.com/SueMcMetzger/MachineLearning",
          "name": "https://github.com/SueMcMetzger/MachineLearning",
          "owner": {
            "name": "SueMcMetzger"
          }
        },
        "evidence": [
          {
            "assessments": [
              {
                "id": "attr:possibleKeyLeak",
                "title": "Possible Key Leak",
                "value": "env"
              },
              {
                "id": "attr:watchListEntityMention",
                "title": "Watch List Entity Mention",
                "value": "Name Inc"
              }
            ],
            "targets": [
              {
                "name": "Name Inc"
              }
            ],
            "url": "https://github.com/SueMcMetzger/MachineLearning/commit/6dcf0c646d5",
            "content": "comment",
            "published": "2024-01-15T23:35:47.826Z"
          }
        ]
      },
      "panel_log": [
        {
          "id": "uuid:id",
          "created": "2024-01-15T23:42:08.135Z",
          "modified": "2024-01-15T23:42:08.135Z",
          "action_priority": "Moderate",
          "context": {
            "type": "code_repo_leakage",
            "changes": [
              {
                "added": [
                  {
                    "assessments": [
                      {
                        "id": "attr:possibleKeyLeak",
                        "level": 2,
                        "title": "Possible Key Leak",
                        "text_indicator": "env"
                      },
                      {
                        "id": "attr:watchListEntityMention",
                        "level": 0,
                        "title": "Watch List Entity Mention",
                        "entity": "I3ZDfr"
                      }
                    ],
                    "document_content": {
                      "id": "doc:uKG2Aq",
                      "tagged_content": "Tag content",
                      "content": "content",
                      "url": "url:url",
                      "owner": "WbzWXK",
                      "published": "2024-01-15T23:35:47.824Z"
                    },
                    "ontology": [
                      {
                        "path": [
                          {
                            "attribute": "attr:Event.entities",
                            "entity": "I3ZDfr"
                          },
                          {
                            "attribute": "attr:Entity.lists",
                            "entity": "report:dfeB3b"
                          }
                        ]
                      }
                    ],
                    "target_entities": [
                      "I3ZDfr"
                    ],
                    "watch_lists": [
                      "report:dfeB3b"
                    ]
                  }
                ],
                "type": "evidence_changes"
              }
            ]
          }
        }
      ],
      "panel_log_v2": [
        {
          "id": "uuid:id",
          "created": "2024-01-15T23:42:08.135Z",
          "changes": [
            {
              "added": [
                {
                  "assessments": [
                    {
                      "id": "attr:possibleKeyLeak",
                      "level": 2,
                      "title": "Possible Key Leak",
                      "text_indicator": "env"
                    },
                    {
                      "id": "attr:watchListEntityMention",
                      "level": 0,
                      "title": "Watch List Entity Mention",
                      "entity": {
                        "id": "I3ZDfr",
                        "name": "Name Inc",
                        "type": "Company"
                      }
                    }
                  ],
                  "document": {
                    "id": "doc:uKG2Aq",
                    "content": "comment",
                    "owner_id": "WbzWXK",
                    "published": "2024-01-15T23:35:47.824Z"
                  },
                  "target_entities": [
                    {
                      "id": "I3ZDfr",
                      "name": "Name Inc",
                      "type": "Company"
                    }
                  ],
                  "watch_lists": [
                    {
                      "id": "report:dfeB3b"
                    }
                  ]
                }
              ],
              "type": "evidence_change"
            }
          ]
        }
      ]
    },
  "error": null,
  "has_error": false
}

Code Repo Leakage

Retrieve detailed information about a Code Repository Leakage Playbook Alert with data grouped into UI-ready panels.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required
Panels | Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log' | Optional

Output

JSON containing the following items:

{
  "status": {
    "status_code": "Ok",
    "status_message": "Playbook alert bulk lookup successful."
  },
  "data": [
    {
      "playbook_alert_id": "task:cf201020-16e0-4b3b-a421-8afeaac12d43",
      "panel_status": {
        "status": "New",
        "priority": "Moderate",
        "assignee_name": "Name",
        "assignee_id": "uhash:id",
        "created": "2024-01-15T23:40:14.778Z",
        "updated": "2024-01-15T23:42:48.231Z",
        "case_rule_id": "report:id",
        "case_rule_label": "Data Leakage on Code Repository",
        "owner_id": "uhash:id",
        "owner_name": "Name",
        "organisation_id": "uhash:id",
        "organisation_name": "Name",
        "owner_organisation_details": {
          "organisations": [
            {
              "organisation_id": "uhash:id",
              "organisation_name": "Name"
            }
          ],
          "enterprise_id": "uhash:id",
          "enterprise_name": "Name"
        },
        "entity_id": "url:https://github.com/SueMcMetzger/MachineLearning",
        "entity_name": "https://github.com/SueMcMetzger/MachineLearning",
        "entity_criticality": "",
        "risk_score": 0,
        "targets": [
          {
            "name": "Name Inc"
          }
        ]
      },
      "panel_evidence_summary": {
        "repository": {
          "id": "url:https://github.com/SueMcMetzger/MachineLearning",
          "name": "https://github.com/SueMcMetzger/MachineLearning",
          "owner": {
            "name": "SueMcMetzger"
          }
        },
        "evidence": [
          {
            "assessments": [
              {
                "id": "attr:possibleKeyLeak",
                "title": "Possible Key Leak",
                "value": "env"
              },
              {
                "id": "attr:watchListEntityMention",
                "title": "Watch List Entity Mention",
                "value": "Name Inc"
              }
            ],
            "targets": [
              {
                "name": "Name Inc"
              }
            ],
            "url": "https://github.com/SueMcMetzger/MachineLearning/commit/6dcf0c646d5",
            "content": "comment",
            "published": "2024-01-15T23:35:47.826Z"
          }
        ]
      },
      "panel_log": [
        {
          "id": "uuid:id",
          "created": "2024-01-15T23:42:08.135Z",
          "modified": "2024-01-15T23:42:08.135Z",
          "action_priority": "Moderate",
          "context": {
            "type": "code_repo_leakage",
            "changes": [
              {
                "added": [
                  {
                    "assessments": [
                      {
                        "id": "attr:possibleKeyLeak",
                        "level": 2,
                        "title": "Possible Key Leak",
                        "text_indicator": "env"
                      },
                      {
                        "id": "attr:watchListEntityMention",
                        "level": 0,
                        "title": "Watch List Entity Mention",
                        "entity": "I3ZDfr"
                      }
                    ],
                    "document_content": {
                      "id": "doc:uKG2Aq",
                      "tagged_content": "Tag content",
                      "content": "content",
                      "url": "url:url",
                      "owner": "WbzWXK",
                      "published": "2024-01-15T23:35:47.824Z"
                    },
                    "ontology": [
                      {
                        "path": [
                          {
                            "attribute": "attr:Event.entities",
                            "entity": "I3ZDfr"
                          },
                          {
                            "attribute": "attr:Entity.lists",
                            "entity": "report:dfeB3b"
                          }
                        ]
                      }
                    ],
                    "target_entities": [
                      "I3ZDfr"
                    ],
                    "watch_lists": [
                      "report:dfeB3b"
                    ]
                  }
                ],
                "type": "evidence_changes"
              }
            ]
          }
        }
      ],
      "panel_log_v2": [
        {
          "id": "uuid:id",
          "created": "2024-01-15T23:42:08.135Z",
          "changes": [
            {
              "added": [
                {
                  "assessments": [
                    {
                      "id": "attr:possibleKeyLeak",
                      "level": 2,
                      "title": "Possible Key Leak",
                      "text_indicator": "env"
                    },
                    {
                      "id": "attr:watchListEntityMention",
                      "level": 0,
                      "title": "Watch List Entity Mention",
                      "entity": {
                        "id": "I3ZDfr",
                        "name": "Name Inc",
                        "type": "Company"
                      }
                    }
                  ],
                  "document": {
                    "id": "doc:uKG2Aq",
                    "content": "comment",
                    "owner_id": "WbzWXK",
                    "published": "2024-01-15T23:35:47.824Z"
                  },
                  "target_entities": [
                    {
                      "id": "I3ZDfr",
                      "name": "Name Inc",
                      "type": "Company"
                    }
                  ],
                  "watch_lists": [
                    {
                      "id": "report:dfeB3b"
                    }
                  ]
                }
              ],
              "type": "evidence_change"
            }
          ]
        }
      ]
    }
  ],
  "error": null,
  "has_error": false
}
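The two Code Repo Leakage actions above return the same panel shape, either as one alert object or as a list of them, and an analyst usually wants only a handful of fields out of it: which repository and commit, whether a Possible Key Leak assessment fired, and which watch-list entity was mentioned. The following Python is an added example, not code from the LogicHub integration or from Recorded Future; the sample response is a constructed, trimmed copy of the documented output, the `task:` ID pattern used for input validation is an assumption about the ID format, and the `recommended_action` labels are placeholders for whatever the downstream playbook steps are called.

```python
import json
import re
from typing import Any, Dict, List

# Constructed sample in the shape documented above (trimmed; values are the
# page's placeholders, not a real alert). The single-alert form uses a list,
# the bulk form a dict; alerts_from() accepts both.
SAMPLE_RESPONSE = json.loads("""
{
  "status": {"status_code": "Ok", "status_message": "Playbook alert bulk lookup successful."},
  "data": [
    {
      "playbook_alert_id": "task:cf201020-16e0-4b3b-a421-8afeaac12d43",
      "panel_status": {
        "status": "New",
        "priority": "Moderate",
        "case_rule_label": "Data Leakage on Code Repository",
        "entity_name": "https://github.com/SueMcMetzger/MachineLearning",
        "targets": [{"name": "Name Inc"}]
      },
      "panel_evidence_summary": {
        "repository": {"name": "https://github.com/SueMcMetzger/MachineLearning",
                       "owner": {"name": "SueMcMetzger"}},
        "evidence": [
          {
            "assessments": [
              {"id": "attr:possibleKeyLeak", "title": "Possible Key Leak", "value": "env"},
              {"id": "attr:watchListEntityMention", "title": "Watch List Entity Mention", "value": "Name Inc"}
            ],
            "url": "https://github.com/SueMcMetzger/MachineLearning/commit/6dcf0c646d5",
            "published": "2024-01-15T23:35:47.826Z"
          }
        ]
      }
    }
  ],
  "error": null,
  "has_error": false
}
""")

# Assumed ID format: "task:" followed by letters, digits and hyphens.
PLAYBOOK_ALERT_ID = re.compile(r"^task:[A-Za-z0-9-]+$")


def build_alert_ids_input(alert_ids: List[str]) -> str:
    """Join alert IDs into the comma-separated text the bulk action expects.
    Anything that does not look like a task ID is rejected here, so a bad
    template value fails in the playbook rather than as an opaque API error."""
    cleaned = [a.strip() for a in alert_ids]
    bad = [a for a in cleaned if not PLAYBOOK_ALERT_ID.match(a)]
    if bad:
        raise ValueError(f"malformed playbook alert id(s): {bad}")
    return ",".join(cleaned)


def alerts_from(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the alert records whether 'data' is one object or a list."""
    if response.get("has_error") or response.get("error"):
        raise RuntimeError(f"lookup failed: {response.get('error')}")
    data = response.get("data")
    if isinstance(data, dict):
        data = [data]
    return list(data or [])


def triage_code_repo_leak(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one alert to the fields an analyst acts on: repo and commit,
    whether a key leak was assessed, and which watch-list entities were hit."""
    status = alert.get("panel_status", {})
    summary = alert.get("panel_evidence_summary", {})
    key_leak_hits: List[str] = []
    commits: List[str] = []
    mentioned = set()
    for ev in summary.get("evidence", []):
        for a in ev.get("assessments", []):
            if a.get("id") == "attr:possibleKeyLeak":
                key_leak_hits.append(a.get("value"))  # e.g. "env": what kind of indicator matched
            elif a.get("id") == "attr:watchListEntityMention":
                mentioned.add(a.get("value"))
        if ev.get("url"):
            commits.append(ev["url"])
    repo = summary.get("repository", {})
    return {
        "alert_id": alert.get("playbook_alert_id"),
        "priority": status.get("priority"),
        "repository": repo.get("name"),
        "repo_owner": repo.get("owner", {}).get("name"),
        "possible_key_leak": bool(key_leak_hits),
        "key_leak_indicators": key_leak_hits,
        "watch_list_mentions": sorted(mentioned),
        "commits": commits,
        # A secret that reached a public commit must be treated as burned:
        # removing the commit does not undo the exposure, rotation does.
        "recommended_action": "rotate_secret_and_review_commit" if key_leak_hits else "review",
    }


def triage_response(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [triage_code_repo_leak(a) for a in alerts_from(response)]


if __name__ == "__main__":
    for rec in triage_response(SAMPLE_RESPONSE):
        print(json.dumps(rec, indent=2))
```

`build_alert_ids_input` is meant to sit in the Jinja/template step that feeds the Playbook Alert Ids field; `triage_response` runs on the action's output. Keeping the two shapes of `data` behind one accessor means the same downstream steps serve the single and bulk actions.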

Vulnerability Check Bulk

Perform a detailed lookup of data panels for several vulnerability alerts at once.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Playbook Alert Ids | Jinja-templated text containing the comma-separated playbook alert Ids. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532,task:af4d5068-1548-41ae-bdb6-1232393ddf71' | Required
Panels | Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log' | Optional

Output

JSON containing the following items:

{
  "status": {
    "status_code": "Ok",
    "status_message": "Playbook alert single lookup successful."
  },
  "data": [{
    "playbook_alert_id": "task:fa-8d8e-4346-a3a-fd8e7a4d",
    "panel_status": {
      "status": "New",
      "priority": "Moderate",
      "created": "2024-01-01T12:00:50.767Z",
      "updated": "2024-01-01T12:00:50.767Z",
      "case_rule_id": "report:tS",
      "case_rule_label": "Novel Identity Exposure",
      "owner_id": "uhash:test",
      "owner_name": "TEST",
      "organisation_id": "uhash:test",
      "organisation_name": "Test",
      "owner_organisation_details": {
        "organisations": [
          {
            "organisation_id": "uhash:test",
            "organisation_name": "TEST"
          }
        ],
        "enterprise_id": "uhash:test",
        "enterprise_name": "TEST"
      },
      "entity_id": "[email protected]",
      "entity_name": "test",
      "targets": [
        {
          "name": "test"
        }
      ]
    },
    "panel_evidence_summary": {
      "subject": "test",
      "authorization_url": "test",
      "exposed_secret": {
        "type": "clear",
        "effectively_clear": true,
        "hashes": [
          {
            "algorithm": "SHA1",
            "hash": "8be3c943b1609fffbfc51aad666dc9d"
          },
          {
            "algorithm": "SHA256",
            "hash": "e7cf3ef4f17c399902bd38ec221a"
          },
          {
            "algorithm": "NTLM",
            "hash": "a4fab6824ee7c30fd852"
          },
          {
            "algorithm": "MD5",
            "hash": "dc647e212b3964"
          }
        ],
        "details": {
          "properties": [
            "Letter",
            "UpperCase",
            "LowerCase",
            "AtLeast8Characters"
          ],
          "clear_text_hint": "Pa"
        }
      },
      "compromised_host": {
        "exfiltration_date": "2024-01-01T02:05:36.000Z",
        "os": "Windows 10 (10.0.22621)",
        "os_username": "arunk",
        "computer_name": "HP"
      },
      "malware_family": {
        "id": "nlflWX",
        "name": "Lumma"
      },
      "infrastructure": {
        "ip": "243.132.143.222"
      }
    },
    "panel_log": [],
    "panel_log_v2": []
  }],
  "error": null,
  "has_error": false
}

Vulnerability Check

Retrieve detailed information about a Vulnerability Playbook Alert with data grouped into UI-ready panels.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Playbook Alert Id | Jinja-templated text containing the playbook alert Id. Example: 'task:5efed6bf-76ef-48d1-91f9-3749f3d73532' | Required
Panels | Jinja-templated text containing the comma-separated panels. Example: 'status,action,summary,dns,whois,log' | Optional

Output

JSON containing the following items:

{
  "status": {
    "status_code": "Ok",
    "status_message": "Playbook alert single lookup successful."
  },
  "data": {
    "playbook_alert_id": "task:fa-8d8e-4346-a3a-fd8e7a4d",
    "panel_status": {
      "status": "New",
      "priority": "Moderate",
      "created": "2024-01-01T12:00:50.767Z",
      "updated": "2024-01-01T12:00:50.767Z",
      "case_rule_id": "report:tS",
      "case_rule_label": "Novel Identity Exposure",
      "owner_id": "uhash:test",
      "owner_name": "TEST",
      "organisation_id": "uhash:test",
      "organisation_name": "Test",
      "owner_organisation_details": {
        "organisations": [
          {
            "organisation_id": "uhash:test",
            "organisation_name": "TEST"
          }
        ],
        "enterprise_id": "uhash:test",
        "enterprise_name": "TEST"
      },
      "entity_id": "[email protected]",
      "entity_name": "test",
      "targets": [
        {
          "name": "test"
        }
      ]
    },
    "panel_evidence_summary": {
      "subject": "test",
      "authorization_url": "test",
      "exposed_secret": {
        "type": "clear",
        "effectively_clear": true,
        "hashes": [
          {
            "algorithm": "SHA1",
            "hash": "8be3c943b1609fffbfc51aad666dc9d"
          },
          {
            "algorithm": "SHA256",
            "hash": "e7cf3ef4f17c399902bd38ec221a"
          },
          {
            "algorithm": "NTLM",
            "hash": "a4fab6824ee7c30fd852"
          },
          {
            "algorithm": "MD5",
            "hash": "dc647e212b3964"
          }
        ],
        "details": {
          "properties": [
            "Letter",
            "UpperCase",
            "LowerCase",
            "AtLeast8Characters"
          ],
          "clear_text_hint": "Pa"
        }
      },
      "compromised_host": {
        "exfiltration_date": "2024-01-01T02:05:36.000Z",
        "os": "Windows 10 (10.0.22621)",
        "os_username": "arunk",
        "computer_name": "HP"
      },
      "malware_family": {
        "id": "nlflWX",
        "name": "Lumma"
      },
      "infrastructure": {
        "ip": "243.132.143.222"
      }
    },
    "panel_log": [],
    "panel_log_v2": []
  },
  "error": null,
  "has_error": false
}
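The sample output shown for the two Vulnerability Check actions carries Novel Identity Exposure panels (`exposed_secret`, `compromised_host`, `malware_family`, `infrastructure`), which is the shape an infostealer-derived credential alert arrives in. The Python below is an added example, not code from the LogicHub integration or from Recorded Future, showing how a playbook step would turn that panel into a response record: is the password usable as-is, how old is the theft, which host and malware family were involved, and which containment actions follow. Field names come from the sample above; the sample alert is constructed (the identity is a placeholder, since the page's value is obfuscated), the `REFERENCE_NOW` timestamp and the action names are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed sample in the panel shape documented above; the identity value
# is a placeholder and the hashes are the page's truncated sample strings.
SAMPLE_ALERT = json.loads("""
{
  "playbook_alert_id": "task:fa-8d8e-4346-a3a-fd8e7a4d",
  "panel_status": {
    "status": "New",
    "priority": "Moderate",
    "case_rule_label": "Novel Identity Exposure",
    "entity_id": "user@example.com",
    "entity_name": "test"
  },
  "panel_evidence_summary": {
    "exposed_secret": {
      "type": "clear",
      "effectively_clear": true,
      "hashes": [
        {"algorithm": "SHA1", "hash": "8be3c943b1609fffbfc51aad666dc9d"},
        {"algorithm": "NTLM", "hash": "a4fab6824ee7c30fd852"}
      ],
      "details": {
        "properties": ["Letter", "UpperCase", "LowerCase", "AtLeast8Characters"],
        "clear_text_hint": "Pa"
      }
    },
    "compromised_host": {
      "exfiltration_date": "2024-01-01T02:05:36.000Z",
      "os": "Windows 10 (10.0.22621)",
      "os_username": "arunk",
      "computer_name": "HP"
    },
    "malware_family": {"id": "nlflWX", "name": "Lumma"},
    "infrastructure": {"ip": "243.132.143.222"}
  }
}
""")

# Assumed "current time" so the age calculation is reproducible.
REFERENCE_NOW = datetime(2024, 1, 8, tzinfo=timezone.utc)


def parse_rf_timestamp(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the panels into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage_identity_exposure(alert: Dict[str, Any], now: datetime) -> Dict[str, Any]:
    """Turn an identity-exposure alert into a response record for a SOAR playbook."""
    status = alert.get("panel_status", {})
    summary = alert.get("panel_evidence_summary", {})
    secret = summary.get("exposed_secret", {})
    host = summary.get("compromised_host", {})
    family = summary.get("malware_family", {})
    infra = summary.get("infrastructure", {})

    # Clear-text, or cracked to clear-text, means the password can be replayed directly.
    usable = secret.get("type") == "clear" or bool(secret.get("effectively_clear"))
    # Keyed by algorithm so the NTLM/SHA value can be compared against the
    # directory's current hash to confirm whether the password is still in use.
    hashes = {h["algorithm"]: h["hash"] for h in secret.get("hashes", []) if "hash" in h}

    # Age of the theft: the fresher the dump, the more likely the credential still works.
    age_days = None
    if host.get("exfiltration_date"):
        age_days = (now - parse_rf_timestamp(host["exfiltration_date"])).days

    # Validate the infrastructure IP before it goes anywhere near a blocklist.
    c2_ip = None
    try:
        c2_ip = str(ipaddress.ip_address(infra.get("ip", "")))
    except ValueError:
        pass

    actions: List[str] = []
    if usable:
        actions += ["force_password_reset", "revoke_sessions_and_tokens"]
    if host.get("computer_name"):
        actions.append("isolate_and_reimage_host")  # an infostealer hit means the host itself is compromised
    if c2_ip:
        actions.append("block_infrastructure_ip")
    if family.get("name"):
        actions.append("hunt_for_malware_family")

    return {
        "alert_id": alert.get("playbook_alert_id"),
        "priority": status.get("priority"),
        "identity": status.get("entity_id"),
        "secret_usable_as_is": usable,
        "password_hashes": hashes,
        "password_properties": secret.get("details", {}).get("properties", []),
        "compromised_host": host.get("computer_name"),
        "host_user": host.get("os_username"),
        "exfiltration_age_days": age_days,
        "malware_family": family.get("name"),
        "infrastructure_ip": c2_ip,
        "actions": actions,
    }


if __name__ == "__main__":
    print(json.dumps(triage_identity_exposure(SAMPLE_ALERT, REFERENCE_NOW), indent=2))
```

Every lookup is guarded with `.get()` because the `panel_log` arrays in the sample are empty and the `Panels` input controls which panels are returned at all; a playbook that requests only `status` must not crash on a missing `panel_evidence_summary`. Note that `clear_text_hint` is deliberately not copied into the record: the prefix of a password has no place in a ticket.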

Release Notes

  • v1.2.2 - Added 6 new actions: Identity Novel Exposures Bulk, Identity Novel Exposures, Code Repo Leakage Bulk, Code Repo Leakage, Vulnerability Check Bulk and Vulnerability Check
  • v1.2.1 - Added 7 new actions: Search IP, Search HASH, Search URL, Check IP, Check HASH, Check URL and Check Domain
  • v1.1.11 - Updated architecture to support IO via filesystem
  • v1.1.9 - Added Pagination support in Search Credentials Data action.
  • v1.1.2 - Added 6 new actions: Get Incident Reports, Lookup Password for Exposure, Search Credentials Data, Malware Family Statistics, Lookup Credentials Data and Search Dump Metadata.
  • v1.0.1 - Added 4 new actions: Search Playbook Alert, Bulk Domain Abuse Alert Lookup, Detail Domain Abuse Alert Data and Screenshot Related to Domain Abuse Alert.