Recorded Future Identity
The Recorded Future Identity Intelligence Connector enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of sources. Through this connector, organizations can incorporate identity intelligence into automated workflows (e.g., password resets) with applications such as Azure Active Directory and Microsoft Sentinel.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions |
| Power Automate | Premium | All Power Automate regions |
| Power Apps | Premium | All Power Apps regions |
| Contact | |
|---|---|
| Name | Recorded Future Support |
| URL | https://support.recordedfuture.com |
| support@recordedfuture.com |
| Connector Metadata | |
|---|---|
| Publisher | Recorded Future |
| Website | https://www.recordedfuture.com |
| Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
| Categories | AI;Data |
Prerequisites
To enable the Recorded Future Identity Connector for Microsoft Azure, users must be provisioned a Recorded Future API token.
How to get credentials
Please reach to your Recorded Future account manager to obtain the necessary API token.
Get started with your connector
The connector offers two actions:
- Credential Search - Use this action to list exposed credentials for both internal and external accounts. Note that external account search is only possible for credentials compromised in malware logs, where a search by authorization url domain is possible.
- Credential Lookup - Use this action to get detailed information on a specific account's exposed credentials. This includes the dump or breach details if the credential was found in such a collection, download date, password analytics, and if in a malware log, then additional information such as exfiltration date, type of malware used, authorization url, and many more attributes are available.
The suggested use cases for this connector are as follows: For internal or "workforce" security: on a periodic basis (e.g., once a day or once a week), use this Recorded Future Identity Intelligence connector to search for any "new" employee credentials that may have been exposed recently. When such credentials are found, use the lookup action to get greater details about the compromised credential. Alternatively, when suspicious employee behavior is noticed (e.g., logins from uncommon geographic locations, or large downloads of information during non business hours), use the Recorded Future identity intelligence connector lookup action to check if that user has had credentials exposed in prior dumps or malware logs. Possible remediations and next steps (to be set up downstream of this connector and its associated workflow) include password resets, user privilege revocation, credential compromise history logging, MFA set up, and/or user quarantining. Advanced teams may also choose to flag users suspected of takeover by a threat actor to track usage through their system. For external or "customer" security: Similar to 1a above, Recorded Future's Identity Intelligence malware logs can be searched periodically for specific authorization domains (belonging to this organization) with compromised credentials. Another use case: during new customer account creation, use the Recorded Future Identity Intelligence module to check whether the username and/or username/password pair have been previously compromised Another use case: during a customer login, check the Recorded Future Identity Intelligence module for whether the username/password pair is compromised Possible remediations include requiring a password reset, or temporarily locking down the account and requesting the user contact customer service for a user re-authentication process.
Common errors and remedies
The following error codes are commonly returned by the connector actions:
- 400 Bad Request - Returned if the server receives a faulty request, such as one with poorly formatted parameters.
- 403 Forbidden - Returned if the provided API token does not have enough access, or, if the user tries to access exposed credentials belonging to a domain not recognized as their own in Recorded Future. Both of these issues are resolved by reaching out to your account manager.
Creating a connection
The connector supports the following authentication types:
| Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| API Key | securestring | The key for this API | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
Actions
| Credential Lookup - Look up credential data for one or more users |
Look up exposed credential data for a specific set of subjects |
| Credential Search - Search credential data for one or more domains |
Search credential data exposed in data dumps and through malware logs |
Credential Lookup - Look up credential data for one or more users
Look up exposed credential data for a specific set of subjects
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Emails
|
subjects | array of string |
List of email addresses to look up |
|
|
Hashed emails
|
subjects_sha1 | array of string |
List of hashed email addresses to look up |
|
|
Username
|
login | string |
Either input username or hash of username |
|
|
Hash of username
|
login_sha1 | string |
Either input username or hash of username |
|
|
Domain
|
domain | string |
domain.com |
|
|
From
|
first_downloaded_gte | string |
YYYY-MM-DD (until today) |
|
|
Credential properties
|
properties | array of string |
Filter on credential properties |
|
|
Breach name
|
name | string |
E.g. Cit0day |
|
|
Breaches from
|
date | string |
YYYY-MM-DD (until today) |
|
|
Dump name
|
name | string |
E.g. XSS.is Dump 2021 |
|
|
Dumps from
|
date | string |
YYYY-MM-DD (until today) |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
|
Exposed credentials
|
exposed_credentials | array of object |
List of exposed credentials |
|
signature
|
exposed_credentials.signature | string |
Requested signature |
|
exposed_secret_format
|
exposed_credentials.exposed_secret_format | string |
Format of the exposed secret. Either the hash algorithm or clear for cleartext. |
|
first_seen
|
exposed_credentials.first_seen | string |
Date when the signature was first seen exposed |
|
last_seen
|
exposed_credentials.last_seen | string |
Date when the signature was last seen exposed |
|
clear_text_hint
|
exposed_credentials.clear_text_hint | string |
First two letters of the exposed secret. Only available for secrets exposed in clear text |
|
secret_properties
|
exposed_credentials.secret_properties | array of string |
Properties of the clear text |
|
secret_rank
|
exposed_credentials.secret_rank | string |
Any common password collections the password is part of |
|
secret_hashes
|
exposed_credentials.secret_hashes | array of object | |
|
algorithm
|
exposed_credentials.secret_hashes.algorithm | string |
Hash algorithm used |
|
hash
|
exposed_credentials.secret_hashes.hash | string |
Hash value |
|
Malware family
|
exposed_credentials.malware_family | string |
Family of malware used to extract the credentials |
|
dumps
|
exposed_credentials.dumps | array of object |
List of data dumps in which the signature has been involved. |
|
name
|
exposed_credentials.dumps.name | string |
Name of the dump |
|
description
|
exposed_credentials.dumps.description | string |
Description of the dump |
|
downloaded
|
exposed_credentials.dumps.downloaded | string |
Date when the dump was downloaded |
|
type
|
exposed_credentials.dumps.type | string |
Type of the dump |
|
breaches
|
exposed_credentials.dumps.breaches | array of object |
List of data breaches related to the dump |
|
name
|
exposed_credentials.dumps.breaches.name | string | |
|
domain
|
exposed_credentials.dumps.breaches.domain | string | |
|
type
|
exposed_credentials.dumps.breaches.type | string | |
|
breached
|
exposed_credentials.dumps.breaches.breached | string | |
|
start
|
exposed_credentials.dumps.breaches.start | string | |
|
stop
|
exposed_credentials.dumps.breaches.stop | string | |
|
precision
|
exposed_credentials.dumps.breaches.precision | string | |
|
description
|
exposed_credentials.dumps.breaches.description | string | |
|
site_description
|
exposed_credentials.dumps.breaches.site_description | string |
Credential Search - Search credential data for one or more domains
Search credential data exposed in data dumps and through malware logs
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
Domains
|
domains | array of string |
List of domains to search |
|
|
Credential type
|
domain_type | string |
Select credential type |
|
|
From
|
latest_downloaded_gte | string |
YYYY-MM-DD (until today) |
|
|
Credential properties
|
properties | array of string |
Filter on credential properties |
|
|
Breach name
|
name | string |
E.g. Cit0day |
|
|
Breaches from
|
date | string |
YYYY-MM-DD (until today) |
|
|
Dump name
|
name | string |
E.g. XSS.is Dump 2021 |
|
|
Dumps from
|
date | string |
YYYY-MM-DD (until today) |
|
|
Offset
|
offset | string |
Records from offset |
|
|
Results
|
limit | number |
Maxiumum number of results |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
|
Credential dumps
|
credential_dumps | array of string |
List of credentials exposed in data dumps |
|
Malware logs
|
malware_logs | array of object |
List of credentials exposed through malware logs |
|
Login
|
malware_logs.login | string |
Login username |
|
Domain
|
malware_logs.domain | string |
Login domain |
|
Count
|
count | number |
Number of returned credentials |
|
Next offset
|
next_offset | string |
Offset used to request succeeding records |