Recorded Future V2
Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions |
Power Automate | Premium | All Power Automate regions |
Power Apps | Premium | All Power Apps regions |
Contact | |
---|---|
Name | Recorded Future Support |
URL | https://support.recordedfuture.com |
support@recordedfuture.com |
Connector Metadata | |
---|---|
Publisher | Recorded Future |
Website | https://www.recordedfuture.com |
Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
Categories | AI;Data |
Recorded Future V2
The Recorded Future integration allows real-time security intelligence to be integrated into popular Microsoft services like Sentinel, Defender ATP, and others. This empowers our clients to maximize their existing security investments, ensuring they have real-time intelligence to secure their cloud environments and reduce risk to the organization. The Recorded Future connector for Microsoft Azure enables access to dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash, Vulnerabilities), associated context (Risk Score, Risk Rules, High Confidence Links, and an Intelligence Card Link), Recorded Future Alerts, Playbooks Alerts and Detection Rules.
- Added Recorded Future Playbook Alerts actions
- New V2 Recorded Future Alerts actions
- Added Recorded Future Detection Rules actions
- Added IntelligenceCloud parameter
- Added HTML response to lookup actions
To enable the Recorded Future for Microsoft Azure integration, users must be provisioned a Recorded Future API token. Please reach to your account manager to obtain the necessary API token.
Prior to use of the Recorded Future integration for Microsoft Azure, users must provision an API token from their account manager or from within the Recorded Future portal necessary for the integration.
Login to the Recorded Future Portal (https://app.recordedfuture.com). Click on the menu in the upper right and choose �User Settings�.
On the User Settings menu, choose the �API Access� section and click the �Generate New API Token� link.
Provide a name for your token, select a �Description� of �Microsoft Azure�, and then click the �Create� button. Save the API token that is generated, since you will configure it within the Microsoft Azure connector for the integration.
This connector is used to pull Recorded Future indicators, alerts, playbook alerts, and detection rules :
- IP Enrichment - Enrich an IP with Recorded Future data.
- Domain Enrichment - Enrich a domain with Recorded Future data.
- URL Enrichment - Enrich a URL with Recorded Future data.
- Hash Enrichment - Enrich a hash with Recorded Future data.
- Vulnerability Enrichment - Enrich a vulnerability with Recorded Future data.
- Search Alert Notification - List Alert Notifications by a set of search parameters.
- Get Alert Notification by ID - Get the alert details of a triggered alert
- Search Alert Rules - List alert rules by name
- Search Alert Notification (Deprecated) - Deprecated
- Get Alert Notification by ID (Deprecated) - Deprecated
- Search Playbook Alerts - List playbook alerts based on a set of search parameters
- Get Playbook Alert by ID - Get the alert details of a playbook alert
- Search Detection Rules - Get detection rules matching a search filter
- Recorded Future RiskLists and SCF Download - Download Recorded Future Risk Lists and Security Control Feeds
- SOAR API - Multi-Entitiy Enrichment - Enrich multiple entities at once (Specific Access is Required)
N/A
The connector supports the following authentication types:
Default | Parameters for creating connection. | All regions | Not shareable |
Applicable: All regions
Parameters for creating connection.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
API Key | securestring | The API Key for this api | True |
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Domain Enrichment |
Enrich a domain with Recorded Future data |
Get Alert Notification by ID |
Get the alert details of a triggered alert |
Get Alert Notification by ID (Deprecated) |
Deprecated, use /v2/alerts/{id} instead. Get the alert details of a triggered alert |
Get Playbook Alert by ID |
Get the alert details of a playbook alert |
Hash Enrichment |
Enrich a hash with Recorded Future data |
IP Enrichment |
Enrich an IP with Recorded Future data |
Recorded Future Risk |
Download Recorded Future Risk Lists and Security Control Feeds |
Search Alert Notification |
List Alert Notifications by a set of search parameters |
Search Alert Notifications (Deprecated) |
Deprecated, use /v2/alerts instead. List Alert Notifications by a set of search parameters |
Search Alert Rules |
List alert rules by name |
Search Detection Rules |
Get detection rules matching a search filter |
Search Playbook Alerts |
List playbook alerts based on a set of search parameters |
SOAR API - Multi-Entitiy Enrichment |
Enrich multiple entities at once (Specific Access is Required) |
URL Enrichment |
Enrich a URL with Recorded Future data |
Vulnerability Enrichment |
Enrich a vulnerability with Recorded Future data |
Enrich a domain with Recorded Future data
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Domain input
|
domain | True | string |
The domain to lookup. Must be a single domain |
Returns
Name | Path | Type | Description |
---|---|---|---|
intelCard
|
data.intelCard | string |
Recorded Future Intelligence Card Link |
criticalityLabel
|
data.risk.criticalityLabel | string |
Recorded Future Indicator Criticality Level |
score
|
data.risk.score | integer |
Recorded Future Indicator Risk Score |
evidenceDetails
|
data.risk.evidenceDetails | array of object |
Evidence details |
evidenceString
|
data.risk.evidenceDetails.evidenceString | string |
Recorded Future Risk Rules Evidence Details |
rule
|
data.risk.evidenceDetails.rule | string |
Recorded Future Indicator Risk Rules |
riskSummary
|
data.risk.riskSummary | string |
Recorded Future Risk Rules Summary |
links
|
data.links | Links |
High Confidence Evidence Based Links |
html_response
|
data.html_response | string |
Get the alert details of a triggered alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Alert Notification ID
|
id | True | string |
Alert Notification ID |
Fields to include
|
fields | string |
Fields to include. Returns all if not specified. |
Returns
Name | Path | Type | Description |
---|---|---|---|
data
|
data | AlertSearchV2 |
Deprecated, use /v2/alerts/{id} instead. Get the alert details of a triggered alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Alert Notification ID
|
id | True | string |
Alert Notification ID |
Returns
- Body
- AlertLookup
Get the alert details of a playbook alert
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Playbook Alert ID
|
id | True | string |
Playbook Alert ID |
Returns
- Body
- PlaybookAlertLookup
Enrich a hash with Recorded Future data
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
HASH input
|
hash | True | string |
The HASH to lookup. Must be a single HASH |
Returns
Name | Path | Type | Description |
---|---|---|---|
intelCard
|
data.intelCard | string |
Recorded Future Intelligence Card Link |
criticalityLabel
|
data.risk.criticalityLabel | string |
Recorded Future Indicator Criticality Level |
score
|
data.risk.score | integer |
Recorded Future Indicator Risk Score |
evidenceDetails
|
data.risk.evidenceDetails | array of object |
Evidence details |
evidenceString
|
data.risk.evidenceDetails.evidenceString | string |
Recorded Future Risk Rules Evidence Details |
rule
|
data.risk.evidenceDetails.rule | string |
Recorded Future Indicator Risk Rules |
riskSummary
|
data.risk.riskSummary | string |
Recorded Future Risk Rules Summary |
links
|
data.links | Links |
High Confidence Evidence Based Links |
html_response
|
data.html_response | string |
Enrich an IP with Recorded Future data
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
IP input
|
ip | True | string |
The IP address to lookup. Must be a single IP address |
Returns
Name | Path | Type | Description |
---|---|---|---|
intelCard
|
data.intelCard | string |
Recorded Future Intelligence Card Link |
criticalityLabel
|
data.risk.criticalityLabel | string |
Recorded Future Indicator Criticality Level |
score
|
data.risk.score | integer |
Recorded Future Indicator Risk Score |
evidenceDetails
|
data.risk.evidenceDetails | array of object |
Evidence details |
evidenceString
|
data.risk.evidenceDetails.evidenceString | string |
Recorded Future Risk Rules Evidence Details |
rule
|
data.risk.evidenceDetails.rule | string |
Recorded Future Indicator Risk Rules |
riskSummary
|
data.risk.riskSummary | string |
Recorded Future Risk Rules Summary |
links
|
data.links | Links |
High Confidence Evidence Based Links |
html_response
|
data.html_response | string |
Download Recorded Future Risk Lists and Security Control Feeds
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Path to file
|
path | True | string |
Path to file |
Returns
Name | Path | Type | Description |
---|---|---|---|
|
array of object | ||
Name
|
Name | string | |
Risk
|
Risk | integer | |
RiskString
|
RiskString | string | |
EvidenceDetails
|
EvidenceDetails.EvidenceDetails | array of object | |
Rule
|
EvidenceDetails.EvidenceDetails.Rule | string | |
EvidenceString
|
EvidenceDetails.EvidenceDetails.EvidenceString | string | |
CriticalityLabel
|
EvidenceDetails.EvidenceDetails.CriticalityLabel | string | |
Timestamp
|
EvidenceDetails.EvidenceDetails.Timestamp | integer | |
MitigationString
|
EvidenceDetails.EvidenceDetails.MitigationString | string | |
Criticality
|
EvidenceDetails.EvidenceDetails.Criticality | integer |
List Alert Notifications by a set of search parameters
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Triggered
|
triggered | string |
The timeframe for which to include triggered alerts. |
|
Alert Rule ID
|
alertRule | string |
Only return alerts triggered for the specified alert rule id. |
|
Maximum number of records
|
limit | integer |
Limits the number of returned alerts. |
|
Records from offset
|
from | integer |
Records from offset |
|
Fields to include
|
fields | string |
Fields to include. Returns all if not specified. |
Returns
Name | Path | Type | Description |
---|---|---|---|
data
|
data | array of AlertSearchV2 | |
returned
|
counts.returned | integer | |
total
|
counts.total | integer |
Deprecated, use /v2/alerts instead. List Alert Notifications by a set of search parameters
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Triggered
|
triggered | string |
All Elasticsearch compatible date formats are valid. |
|
Alert Rule ID
|
alertRule | True | string |
Alert Rule ID |
Maximum number of records
|
limit | integer |
Maximum number of records |
|
Records from offset
|
from | integer |
Records from offset |
Returns
- Body
- AlertSearch
List alert rules by name
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Freetext search
|
freetext | string |
Freetext search for Alert Rule Name |
|
Maximum number of records
|
limit | integer |
Maximum number of records |
Returns
Name | Path | Type | Description |
---|---|---|---|
results
|
data.results | array of object |
Results |
Alert Rule Title
|
data.results.title | string |
Title |
Alert Rule ID
|
data.results.id | string |
Id |
Returned Number of Alert Rules
|
counts.returned | integer |
Returned |
Total Number of Alert Rules
|
counts.total | integer |
Total |
Get detection rules matching a search filter
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
types
|
types | array of string |
List of detection rule types to include in the response |
|
entities
|
entities | array of string |
List of entities that the detection rules must be related to |
|
before
|
before | date-time |
Limit created date. E.g: 2023-06-01T00:00:00Z |
|
after
|
after | date-time |
Limit created date. E.g: 2023-01-01T00:00:00Z |
|
Limit
|
limit | integer |
Limit the number of returned detection rules |
Returns
Name | Path | Type | Description |
---|---|---|---|
Detection Rule Count
|
count | integer |
Count |
Detection Rules
|
result | array of object |
Detection Rules |
id
|
result.id | string | |
type
|
result.type | string | |
title
|
result.title | string | |
description
|
result.description | string | |
rules
|
result.rules | array of object | |
name
|
result.rules.name | string | |
description
|
result.rules.description | string | |
file_name
|
result.rules.file_name | string | |
entities
|
result.rules.entities | array of object | |
id
|
result.rules.entities.id | string | |
type
|
result.rules.entities.type | string | |
name
|
result.rules.entities.name | string | |
display_name
|
result.rules.entities.display_name | string | |
content
|
result.rules.content | string | |
created
|
result.created | string | |
updated
|
result.updated | string |
List playbook alerts based on a set of search parameters
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
entities
|
entities | array of string |
A list of entities |
|
statuses
|
statuses | array of string |
A list of alert statuses |
|
priorities
|
priorities | array of string |
A list of alert priorities |
|
categories
|
categories | array of string |
A list of alert categories |
|
Relative created from
|
created_from_relative | string |
Limit the response to playbook alerts created at most this many hours in the past. Defaults to '-168' (one week back). |
|
Relative created until
|
created_until_relative | string |
Limit the response to playbook alerts created at the latest this many hours in the past. Defaults to '0' (now). |
|
Relative updated from
|
updated_from_relative | string |
Limit the response to playbook alerts updated at most this many hours in the past. Defaults to '-168' (one week back). |
|
Relative updated until
|
updated_until_relative | string |
Limit the response to playbook alerts updated at the latest this many hours in the past. Defaults to '0' (now). |
Returns
Playbook Alerts matching the search criteria
- Items
- PlaybookAlertSearch
Enrich multiple entities at once (Specific Access is Required)
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
ip
|
ip | array of string |
Ip |
|
url
|
url | array of string |
Url |
|
domain
|
domain | array of string |
Domain |
|
hash
|
hash | array of string |
Hash |
|
vulnerability
|
vulnerability | array of string |
Vulnerability |
Returns
Name | Path | Type | Description |
---|---|---|---|
returned
|
counts.returned | integer | |
total
|
counts.total | integer | |
results
|
data.results | array of object | |
id
|
data.results.entity.id | string | |
name
|
data.results.entity.name | string | |
type
|
data.results.entity.type | string | |
context
|
data.results.risk.context | object | |
level
|
data.results.risk.level | number | |
rule
|
data.results.risk.rule | object | |
score
|
data.results.risk.score | number |
Enrich a URL with Recorded Future data
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
URL input
|
url | True | string |
The URL to lookup. Must be a single URL |
Returns
Name | Path | Type | Description |
---|---|---|---|
criticalityLabel
|
data.risk.criticalityLabel | string |
Recorded Future Indicator Criticality Level |
score
|
data.risk.score | integer |
Recorded Future Indicator Risk Score |
evidenceDetails
|
data.risk.evidenceDetails | array of object |
Evidence details |
evidenceString
|
data.risk.evidenceDetails.evidenceString | string |
Recorded Future Risk Rules Evidence Details |
rule
|
data.risk.evidenceDetails.rule | string |
Recorded Future Indicator Risk Rules |
riskSummary
|
data.risk.riskSummary | string |
Recorded Future Risk Rules Summary |
links
|
data.links | Links |
High Confidence Evidence Based Links |
html_response
|
data.html_response | string |
Enrich a vulnerability with Recorded Future data
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Vulnerability ID (CVE, name) input
|
id | True | string |
The Vulnerability ID (CVE, name) to lookup. Must be a single Vulnerability ID (CVE, name) |
Returns
Name | Path | Type | Description |
---|---|---|---|
intelCard
|
data.intelCard | string |
Recorded Future Intelligence Card Link |
criticalityLabel
|
data.risk.criticalityLabel | string |
Recorded Future Vulnerability Criticality Level |
score
|
data.risk.score | integer |
Recorded Future Vulnerability Risk Score |
evidenceDetails
|
data.risk.evidenceDetails | array of object |
Evidence details |
evidenceString
|
data.risk.evidenceDetails.evidenceString | string |
Recorded Future Risk Rules Evidence Details |
rule
|
data.risk.evidenceDetails.rule | string |
Recorded Future Vulnerability Risk Rules |
riskSummary
|
data.risk.riskSummary | string |
Recorded Future Risk Rules Summary |
links
|
data.links | Links |
High Confidence Evidence Based Links |
html_response
|
data.html_response | string |
High Confidence Evidence Based Links
Name | Path | Type | Description |
---|---|---|---|
startDate
|
technical.start_date | string |
Link start date |
stopDate
|
technical.stop_date | string |
Link stop date |
entities
|
technical.entities | array of LinkEntities |
Related entities |
startDate
|
research.start_date | string |
Link start date |
stopDate
|
research.stop_date | string |
Link stop date |
entities
|
research.entities | array of LinkEntities |
Related entities |
Name | Path | Type | Description |
---|---|---|---|
type
|
type | string |
Enitity type |
name
|
name | string |
Entity name |
score
|
score | integer |
Risk score |
category
|
category | string |
Entity category |
Name | Path | Type | Description |
---|---|---|---|
review
|
review | AlertReviewV2 | |
owner_organisation_details
|
owner_organisation_details | AlertOwnerV2 | |
url
|
url | AlertURLV2 | |
rule
|
rule | AlertRuleV2 | |
id
|
id | AlertID | |
hits
|
hits | AlertHitsV2 | |
log
|
log | AlertLogV2 | |
title
|
title | AlertTitle | |
type
|
type | AlertType | |
ai_insights
|
ai_insights | AlertAiV2 |
Name | Path | Type | Description |
---|---|---|---|
comment
|
comment | string | |
text
|
text | string |
Name | Path | Type | Description |
---|---|---|---|
entities
|
entities | array of object | |
id
|
entities.id | string | |
name
|
entities.name | string | |
type
|
entities.type | string | |
id
|
document.source.id | string | |
name
|
document.source.name | string | |
type
|
document.source.type | string | |
title
|
document.title | string | |
url
|
document.url | string | |
authors
|
document.authors | array of object | |
id
|
document.authors.id | string | |
name
|
document.authors.name | string | |
type
|
document.authors.type | string | |
fragment
|
fragment | string | |
id
|
id | string | |
language
|
language | string | |
id
|
primary_entity.id | string | |
name
|
primary_entity.name | string | |
type
|
primary_entity.type | string | |
analyst_note
|
analyst_note | string |
Name | Path | Type | Description |
---|---|---|---|
results
|
data.results | array of object | |
review
|
data.results.review | AlertReview | |
url
|
data.results.url | AlertURL | |
rule
|
data.results.rule | AlertRule | |
triggered
|
data.results.triggered | AlertTriggered | |
id
|
data.results.id | AlertID | |
title
|
data.results.title | AlertTitle | |
type
|
data.results.type | AlertType | |
returned
|
counts.returned | integer | |
total
|
counts.total | integer |
Name | Path | Type | Description |
---|---|---|---|
review
|
data.review | AlertReview | |
entities
|
data.entities | AlertEntities | |
url
|
data.url | AlertURL | |
rule
|
data.rule | AlertRule | |
triggered
|
data.triggered | AlertTriggered | |
id
|
data.id | AlertID | |
references
|
data.counts.references | integer | |
entities
|
data.counts.entities | integer | |
documents
|
data.counts.documents | integer | |
title
|
data.title | AlertTitle | |
type
|
data.type | AlertType |
Name | Path | Type | Description |
---|---|---|---|
note_author
|
note_author | string | |
note_date
|
note_date | date-time | |
status_date
|
status_date | string | |
triggered
|
triggered | string | |
status_change_by
|
status_change_by | string |
Name | Path | Type | Description |
---|---|---|---|
organisations
|
organisations | array of object | |
organisation_id
|
organisations.organisation_id | string | |
organisation_name
|
organisations.organisation_name | string | |
enterprise_id
|
enterprise_id | string | |
enterprise_name
|
enterprise_name | string |
Name | Path | Type | Description |
---|---|---|---|
assignee
|
assignee | string | |
status
|
status | string | |
status_in_portal
|
status_in_portal | string | |
note
|
note | string |
Name | Path | Type | Description |
---|---|---|---|
assignee
|
assignee | string | |
status
|
status | string | |
noteDate
|
noteDate | string | |
noteAuthor
|
noteAuthor | string | |
note
|
note | string |
Name | Path | Type | Description |
---|---|---|---|
trend
|
trend | object | |
documents
|
documents | array of object | |
references
|
documents.references | array of object | |
fragment
|
documents.references.fragment | string | |
entities
|
documents.references.entities | array of object | |
id
|
documents.references.entities.id | string | |
name
|
documents.references.entities.name | string | |
type
|
documents.references.entities.type | string | |
language
|
documents.references.language | string | |
id
|
documents.source.id | string | |
name
|
documents.source.name | string | |
type
|
documents.source.type | string | |
title
|
documents.title | string | |
url
|
documents.url | string | |
risk
|
risk | object | |
id
|
entity.id | string | |
name
|
entity.name | string | |
type
|
entity.type | string |
Name | Path | Type | Description |
---|---|---|---|
name
|
name | string | |
id
|
id | string | |
url
|
url | string |
Name | Path | Type | Description |
---|---|---|---|
api
|
api | string | |
portal
|
portal | string |
Name | Path | Type | Description |
---|---|---|---|
name
|
name | string | |
id
|
id | string | |
portal
|
url.portal | string |
Playbook Alerts matching the search criteria
Name | Path | Type | Description |
---|---|---|---|
playbook_alert_id
|
playbook_alert_id | string | |
created
|
created | string | |
updated
|
updated | string | |
status
|
status | string | |
category
|
category | string | |
priority
|
priority | string | |
title
|
title | string | |
owner_id
|
owner_id | string | |
owner_name
|
owner_name | string | |
organisation_id
|
organisation_id | string | |
organistaion_name
|
organistaion_name | string | |
organisations
|
owner_organisation_details.organisations | array of object | |
organisation_id
|
owner_organisation_details.organisations.organisation_id | string | |
organisation_name
|
owner_organisation_details.organisations.organisation_name | string | |
enterprise_id
|
owner_organisation_details.enterprise_id | string | |
enterprise_name
|
owner_organisation_details.enterprise_name | string |
Name | Path | Type | Description |
---|---|---|---|
title
|
title | string | |
id
|
id | string | |
category
|
category | string | |
rule_label
|
rule_label | string | |
status
|
status | string | |
priority
|
priority | string | |
targets
|
targets | string | |
created_date
|
created_date | string | |
updated_date
|
updated_date | string | |
evidence_summary
|
evidence_summary | string | |
link
|
link | string | |
json_alert
|
json_alert | string |