Recorded Future Identity

The Recorded Future Identity Intelligence Connector enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of sources. Through this connector, organizations can incorporate identity intelligence into automated workflows (e.g., password resets) with applications such as Azure Active Directory and Microsoft Sentinel.
This connector is available in the following products and regions:
Service | Class | Regions |
---|---|---|
Logic Apps | Standard | All Logic Apps regions |
Power Automate | Premium | All Power Automate regions |
Power Apps | Premium | All Power Apps regions |
Contact | |
---|---|
Name | Recorded Future Support |
URL | https://support.recordedfuture.com |
Email | support@recordedfuture.com |
Connector Metadata | |
---|---|
Publisher | Recorded Future |
Website | https://www.recordedfuture.com |
Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
Categories | AI;Data |
The Recorded Future Identity Intelligence Connector enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of open source, dark web, and technical sources; this approach produces real-time intelligence at massive scale, offering an unmatched source of truth for identity authenticity. Through this connector, organizations can incorporate identity intelligence into automated workflows (e.g., password resets) with applications such as Azure Active Directory and Microsoft Sentinel.
To enable the Recorded Future Identity for Microsoft Azure integration, users must be provisioned a Recorded Future API token. Please reach out to your account manager to obtain the necessary API token.
The connector supports the following authentication types:
Default | Parameters for creating connection. | All regions | Not shareable |
Applicable: All regions
Parameters for creating connection.
This is not a shareable connection. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.
Name | Type | Description | Required |
---|---|---|---|
API Key | securestring | The key for this API | True |
Name | Calls | Renewal Period |
---|---|---|
API calls per connection | 100 | 60 seconds |
Credential Lookup - Look up credential data for one or more users [DEPRECATED] | This action has been deprecated. Please use Credential Lookup V2 - Look up credential data for one or more users instead. |
Credential Lookup V2 - Look up credential data for one or more users | Look up exposed credential data for a specific set of subjects |
Credential Search - Search credential data for one or more domains | Search credential data exposed in data dumps and through malware logs |
Credential Lookup - Look up credential data for one or more users [DEPRECATED]
This action has been deprecated. Please use Credential Lookup V2 - Look up credential data for one or more users instead.
Look up exposed credential data for a specific set of subjects
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
authorization_protocols | authorization_protocols | | array of string | Only include credentials with these authorization protocols |
authorization_technologies | authorization_technologies | | array of string | Only include credentials with these authorization technologies |
date | date | | date-time | |
name | name | | string | |
date | date | | date-time | |
name | name | | string | |
exfiltration_date_gte | exfiltration_date_gte | | date-time | YYYY-MM-DD (until today) |
first_downloaded_gte | first_downloaded_gte | | date-time | YYYY-MM-DD (until today) |
latest_downloaded_gte | latest_downloaded_gte | | date-time | YYYY-MM-DD (until today) |
malware_families | malware_families | | array of string | Only include credentials with these malware families |
properties | properties | | array of string | Only include breaches of passwords that exhibit these properties |
username_properties | username_properties | | array of string | Only include credentials with these username properties |
organization_id | organization_id | | string | |
Emails | subjects | | array of string | List of email addresses to look up |
domain | domain | | string | domain.com |
login | login | | string | Either input username or hash of username |
login_sha1 | login_sha1 | | string | Either input username or hash of username |
Hashed emails | subjects_sha1 | | array of string | List of hashed email addresses to look up |
Returns
Name | Path | Type | Description |
---|---|---|---|
Exposed credentials | exposed_credentials | array of object | List of exposed credentials |
clear_text_hint | exposed_credentials.clear_text_hint | string | First two letters of the exposed secret. Only available for secrets exposed in clear text |
dumps | exposed_credentials.dumps | array of object | List of data dumps in which the signature has been involved. |
breaches | exposed_credentials.dumps.breaches | array of object | List of data breaches related to the dump |
breached | exposed_credentials.dumps.breaches.breached | string | |
description | exposed_credentials.dumps.breaches.description | string | |
domain | exposed_credentials.dumps.breaches.domain | string | |
name | exposed_credentials.dumps.breaches.name | string | |
precision | exposed_credentials.dumps.breaches.precision | string | |
site_description | exposed_credentials.dumps.breaches.site_description | string | |
start | exposed_credentials.dumps.breaches.start | string | |
stop | exposed_credentials.dumps.breaches.stop | string | |
type | exposed_credentials.dumps.breaches.type | string | |
description | exposed_credentials.dumps.description | string | Description of the dump |
downloaded | exposed_credentials.dumps.downloaded | string | Date when the dump was downloaded |
name | exposed_credentials.dumps.name | string | Name of the dump |
type | exposed_credentials.dumps.type | string | Type of the dump |
exposed_secret_format | exposed_credentials.exposed_secret_format | string | Format of the exposed secret. Either the hash algorithm or clear for cleartext. |
first_seen | exposed_credentials.first_seen | string | Date when the signature was first seen exposed |
last_seen | exposed_credentials.last_seen | string | Date when the signature was last seen exposed |
Malware family | exposed_credentials.malware_family | string | Family of malware used to extract the credentials |
secret_hashes | exposed_credentials.secret_hashes | array of object | List of known hashes of the exposed secret. Calculated by Recorded Future if the secret was exposed in clear text. |
algorithm | exposed_credentials.secret_hashes.algorithm | string | Hash algorithm used |
hash | exposed_credentials.secret_hashes.hash | string | Hash value |
secret_properties | exposed_credentials.secret_properties | array of string | Properties of the clear text |
secret_rank | exposed_credentials.secret_rank | string | Any common password collections the password is part of |
signature | exposed_credentials.signature | string | Requested signature |
Credential Lookup V2 - Look up credential data for one or more users
Look up exposed credential data for a specific set of subjects
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
authorization_protocols | authorization_protocols | | array of string | Only include credentials with these authorization protocols |
authorization_technologies | authorization_technologies | | array of string | Only include credentials with these authorization technologies |
date | date | | date-time | |
name | name | | string | |
date | date | | date-time | |
name | name | | string | |
exfiltration_date_gte | exfiltration_date_gte | | date-time | YYYY-MM-DD (until today) |
first_downloaded_gte | first_downloaded_gte | | date-time | YYYY-MM-DD (until today) |
latest_downloaded_gte | latest_downloaded_gte | | date-time | YYYY-MM-DD (until today) |
malware_families | malware_families | | array of string | Only include credentials with these malware families |
properties | properties | | array of string | Only include breaches of passwords that exhibit these properties |
username_properties | username_properties | | array of string | Only include credentials with these username properties |
organization_id | organization_id | | string | |
Emails | subjects | | array of string | List of email addresses to look up |
domain | domain | | string | domain.com |
login | login | | string | Either input username or hash of username |
login_sha1 | login_sha1 | | string | Either input username or hash of username |
Hashed emails | subjects_sha1 | | array of string | List of hashed email addresses to look up |
Returns
- Body: LookupResponse
Credential Search - Search credential data for one or more domains
Search credential data exposed in data dumps and through malware logs
Parameters
Name | Key | Required | Type | Description |
---|---|---|---|---|
Credential type | domain_type | | string | Select credential type |
Domains | domains | | array of string | List of domains to search |
date | date | | date-time | YYYY-MM-DD (until today) |
name | name | | string | |
date | date | | date-time | YYYY-MM-DD (until today) |
name | name | | string | |
From | latest_downloaded_gte | | date-time | YYYY-MM-DD (until today) |
properties | properties | | array of string | Filter on credential properties |
Results | limit | | number | Maximum number of results |
Offset | offset | | string | Records from offset |
Returns
Name | Path | Type | Description |
---|---|---|---|
Count | count | number | Number of returned credentials |
Credential dumps | credential_dumps | array of string | List of credentials exposed in data dumps |
Malware logs | malware_logs | array of object | List of credentials exposed through malware logs |
Domain | malware_logs.domain | string | Login domain |
Login | malware_logs.login | string | Login username |
Next offset | next_offset | string | Offset used to request succeeding records |
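The Credential Search paging fields (limit, offset, next_offset) and the connection limit of 100 calls per 60 seconds can be combined as follows. This is an added example, not Recorded Future or Microsoft code; `search_page` is a hypothetical callable standing in for one Credential Search call, and the default page size is arbitrary.

```python
import time
from collections import deque

CALLS_PER_WINDOW = 100  # "API calls per connection" from the throttling table
WINDOW_SECONDS = 60     # renewal period from the throttling table


class WindowThrottle:
    """Sliding-window limiter: at most `calls` requests in any `window` seconds."""

    def __init__(self, calls=CALLS_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.calls, self.window = calls, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # timestamps of calls still inside the window

    def wait(self):
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()
            if len(self.sent) < self.calls:
                self.sent.append(now)
                return
            # Window is full: sleep until the oldest call ages out.
            self.sleep(self.window - (now - self.sent[0]))


def search_all(search_page, domains, limit=100, throttle=None, max_pages=1000):
    """Collect every page of a Credential Search by following next_offset.

    search_page(body) -> dict is a hypothetical callable that performs one
    call; `limit` is an arbitrary page size, not a documented default.
    """
    throttle = throttle or WindowThrottle()
    body = {"domains": list(domains), "limit": limit}
    dumps, logs, seen = [], [], set()
    for _ in range(max_pages):
        throttle.wait()
        page = search_page(dict(body))
        dumps.extend(page.get("credential_dumps", []))
        logs.extend(page.get("malware_logs", []))
        nxt = page.get("next_offset")
        if not nxt or nxt in seen:  # last page, or a repeated offset (loop guard)
            break
        seen.add(nxt)
        body["offset"] = nxt
    return dumps, logs
```
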
BreachMetadata
Name | Path | Type | Description |
---|---|---|---|
breached | breached | date-time | |
description | description | string | |
domain | domain | string | |
name | name | string | |
precision | precision | string | |
site_description | site_description | string | |
start | start | date-time | |
stop | stop | date-time | |
type | type | string | |
Cookie
Name | Path | Type | Description |
---|---|---|---|
dns | dns | string | |
expiration | expiration | date-time | |
http | http | boolean | |
name | name | string | |
secure | secure | boolean | |
Credentials
Name | Path | Type | Description |
---|---|---|---|
domain | authorization_service.domain | string | |
fqdn | authorization_service.fqdn | string | |
protocols | authorization_service.protocols | array of string | |
technology | authorization_service.technology | array of Technology | |
url | authorization_service.url | string | |
exfiltration_date | compromise.exfiltration_date | date-time | |
cookies | cookies | array of Cookie | |
dumps | dumps | array of DumpMetadata | |
exposed_secret | exposed_secret | SecretDetails | |
first_downloaded | first_downloaded | date-time | |
latest_downloaded | latest_downloaded | date-time | |
id | malware_family.id | string | |
name | malware_family.name | string | |
subject | subject | string | |
DumpMetadata
Name | Path | Type | Description |
---|---|---|---|
breaches | breaches | array of BreachMetadata | |
antivirus | compromise.antivirus | array of string | |
computer_name | compromise.computer_name | string | |
exfiltration_date | compromise.exfiltration_date | date-time | |
malware_file | compromise.malware_file | string | |
os | compromise.os | string | |
os_username | compromise.os_username | string | |
timezone | compromise.timezone | string | |
uac | compromise.uac | string | |
description | description | string | |
downloaded | downloaded | date-time | |
ip | infrastructure.ip | string | |
address | location.address | string | |
address1 | location.address1 | string | |
address2 | location.address2 | string | |
city | location.city | string | |
alpha2Code | location.country.alpha2Code | string | |
alpha3Code | location.country.alpha3Code | string | |
countryCode | location.country.countryCode | string | |
displayName | location.country.displayName | string | |
name | location.country.name | string | |
postal_code | location.postal_code | string | |
state | location.state | string | |
zip | location.zip | string | |
name | name | string | |
type | type | string | |
IdentityDetails
Name | Path | Type | Description |
---|---|---|---|
subjects | subjects | array of string | |
LeakedIdentity
Name | Path | Type | Description |
---|---|---|---|
count | count | integer | |
credentials | credentials | array of Credentials | |
identity | identity | IdentityDetails | |
LookupResponse
Name | Path | Type | Description |
---|---|---|---|
count | count | integer | |
identities | identities | array of LeakedIdentity | |
next_offset | next_offset | string | |
PasswordHash
Name | Path | Type | Description |
---|---|---|---|
 | | object | |
SecretDetails
Name | Path | Type | Description |
---|---|---|---|
clear_text_hint | details.clear_text_hint | string | First two characters of the cleartext password |
clear_text_value | details.clear_text_value | string | The password as clear text |
properties | details.properties | array of string | Properties exhibited by the password |
rank | details.rank | string | A ranking of how common this password is |
effectively_clear | effectively_clear | boolean | |
hashes | hashes | array of PasswordHash | Known hashes for this secret |
type | type | string | |
Technology
Name | Path | Type | Description |
---|---|---|---|
category | category | string | |
id | id | string | |
name | name | string | |
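One way to turn a Credential Lookup V2 response into the password-reset workflow mentioned in the introduction. This is an added example, not part of the connector: the nesting is read from the Path and Type columns above, and the triage policy, action names and sample data are constructed assumptions.

```python
from datetime import datetime

# Action ordering; the policy itself is an assumption of this example.
SEVERITY = {"no_action": 0, "monitor": 1, "reset_password": 2,
            "reset_and_revoke_sessions": 3}

def parse_ts(value):
    """Parse a date-time string such as 2024-03-02T00:00:00Z (None if absent)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def triage_credential(cred, password_changed_at=None):
    """Map one Credentials object to an action; the timestamp must be tz-aware."""
    secret = cred.get("exposed_secret") or {}
    details = secret.get("details") or {}
    if (cred.get("malware_family") or {}).get("name"):
        # Stealer logs point to an infected endpoint and possibly stolen
        # cookies, so an earlier password change does not close the exposure.
        return "reset_and_revoke_sessions"
    sighted = parse_ts(cred.get("latest_downloaded"))
    if sighted and password_changed_at and sighted < password_changed_at:
        return "no_action"  # password was rotated after the latest sighting
    if secret.get("effectively_clear") or details.get("clear_text_hint"):
        return "reset_password"
    return "monitor"  # only hashes are known

def triage_lookup(response, password_changed=None):
    """Return {subject: strongest action} for a LookupResponse-shaped dict."""
    password_changed = password_changed or {}
    actions = {}
    for identity in response.get("identities", []):
        for cred in identity.get("credentials", []):
            subject = cred.get("subject", "").lower()
            action = triage_credential(cred, password_changed.get(subject))
            if SEVERITY[action] >= SEVERITY[actions.get(subject, "no_action")]:
                actions[subject] = action
    return actions

# Constructed sample; every value is made up for illustration.
SAMPLE = {"count": 3, "identities": [
    {"count": 1, "identity": {"subjects": ["alice@example.com"]}, "credentials": [
        {"subject": "alice@example.com", "latest_downloaded": "2024-03-02T00:00:00Z",
         "malware_family": {"id": "constructed-id", "name": "ExampleStealer"},
         "exposed_secret": {"effectively_clear": True}}]},
    {"count": 1, "identity": {"subjects": ["bob@example.com"]}, "credentials": [
        {"subject": "bob@example.com", "latest_downloaded": "2024-03-02T00:00:00Z",
         "exposed_secret": {"effectively_clear": True,
                            "details": {"clear_text_hint": "pa"}}}]},
    {"count": 1, "identity": {"subjects": ["carol@example.com"]}, "credentials": [
        {"subject": "carol@example.com", "latest_downloaded": "2024-03-02T00:00:00Z",
         "exposed_secret": {"effectively_clear": False, "hashes": []}}]}]}
```
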