Recorded Future Sandbox (Preview)
The Recorded Future Sandbox Connector enables security and IT teams to analyze and understand files and URLs, which provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation, leading to faster triage. Through this connector, organizations can incorporate the malware analysis sandbox into automated workflows with applications such as Microsoft Defender for Endpoint and Microsoft Sentinel.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions except the following: Azure Government regions, Azure China regions, US Department of Defense (DoD) |
| Power Automate | Premium | All Power Automate regions except the following: US Government (GCC), US Government (GCC High), China Cloud operated by 21Vianet, US Department of Defense (DoD) |
| Power Apps | Premium | All Power Apps regions except the following: US Government (GCC), US Government (GCC High), China Cloud operated by 21Vianet, US Department of Defense (DoD) |
| Contact | |
|---|---|
| Name | Recorded Future Support |
| URL | https://support.recordedfuture.com |
| Email | [email protected] |
| Connector Metadata | |
|---|---|
| Publisher | Recorded Future |
| Website | https://www.recordedfuture.com |
| Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
| Categories | AI;Data |
With the Recorded Future Sandbox Connector, IT and security teams can conduct safe and prompt behavioral analysis of files and URLs, gaining insights into key artifacts in an investigation and facilitating quicker triage.
Prerequisites
To enable the Recorded Future Sandbox for Microsoft Azure integration, users must be provisioned with two API tokens: one Recorded Future API token and one Sandbox API token. Please reach out to your account manager to obtain the necessary API tokens.
How to get credentials
Recorded Future clients interested in API access for custom scripts or to enable a paid integration can request an API token via the Integration Support Ticket form. Fill out the following fields based on the intended API usage.
Recorded Future API Services - choose this if your token is for one of the following Recorded Future API offerings:
- Connect API
- Entity Match API
- List API
- Identity API (Note: Identity API is included with a license to the Identity Intelligence Module)
- Detection Rule API
- Playbook Alert API (currently in Beta)
Integration Partner Category - choose this if your token is for a supported partner integration offering:
- Premier Integrations
- Partner Owned Integrations
- Client Owned Integration
- Intelligence Card Extensions
Select Your Problem - choose "Upgrade" or "New Installation".
Note that for API access to enable a paid integration, Recorded Future Support will connect with your account team to confirm licensing and ensure the token is set up with the correct specifications and permissions.
Additional questions about API token requests not covered by the above can be sent via email to our support team, [email protected].
How to obtain Recorded Future Sandbox API token
To obtain the Sandbox API token, sign in with your Recorded Future account here. Click your account settings in the upper right corner; your API key is listed under API Access.
If you were not able to sign in and obtain the Sandbox API token, request the token via this Integration Support Ticket form or [email protected].
Get started with your connector
This connector is used to submit URLs and files to Recorded Future Sandbox and then retrieve the summary and the report of the sample. The connector has no triggers and four actions:
- Submit file sample - A file is submitted to the Sandbox. Returns an overview of the submission, including sample ID.
- Submit URL sample - A URL is submitted to the Sandbox. Returns an overview of the submission, including sample ID.
- Get the summary - Returns a short summary of the submission, including the status of the full report.
- Get the full report - Returns the full report.
Common errors and remedies
- 401 - Bad Request. Sandbox token is missing.
- 403 - Not authenticated. Recorded Future API token is missing or wrong.
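The four actions above chain into one workflow: submit the sample, poll "Get the summary" until the report status shows the analysis is finished, then call "Get the full report". The Python below is an added example, not Recorded Future's or Microsoft's code, showing that chain with bounded polling and the two documented error codes mapped to the token that needs fixing. The client call names (`submit_url`, `get_summary`, `get_report`), the status values `reported` and `failed`, and the `FakeSandbox` stand-in are all assumptions so the example runs offline; a real connector would wrap the HTTP calls behind the same three callables.

```python
"""Added example (not Recorded Future's or Microsoft's code): drives the
submit -> poll summary -> fetch report chain against an injected client.
Status mapping follows the page's "Common errors" list; the status values
DONE_STATUS / FAILED_STATUS and the client call names are ASSUMPTIONS."""
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple

# Assumed terminal status values; the page only says the summary carries
# "the status of the full report".
DONE_STATUS = "reported"
FAILED_STATUS = "failed"

Response = Tuple[int, Dict[str, Any]]  # (http_status, body)


class SandboxAuthError(Exception):
    """Raised for the two authentication failures the page documents."""


def explain_http_error(status_code: int) -> str:
    """Map the page's documented error codes to the token that needs fixing."""
    if status_code == 401:
        return "401: Sandbox token is missing"
    if status_code == 403:
        return "403: Recorded Future API token is missing or wrong"
    return f"{status_code}: unexpected response"


@dataclass
class SandboxClient:
    """Minimal interface the workflow needs (assumed names); each attribute
    is a callable returning (http_status, body)."""
    submit_url: Callable[[str], Response]
    get_summary: Callable[[str], Response]
    get_report: Callable[[str], Response]


def _checked(status: int, body: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the documented 401/403 into an actionable exception."""
    if status in (401, 403):
        raise SandboxAuthError(explain_http_error(status))
    if status != 200:
        raise RuntimeError(explain_http_error(status))
    return body


def analyze_url(client: SandboxClient, url: str, max_polls: int = 10,
                delay: float = 0.0) -> Dict[str, Any]:
    """Submit a URL, poll the summary until the report is ready, then return
    the full report. Bounded polling keeps a stuck sample from hanging an
    automation run forever."""
    submission = _checked(*client.submit_url(url))
    sample_id = submission["id"]          # "id" is a documented return field
    for _ in range(max_polls):
        summary = _checked(*client.get_summary(sample_id))
        if summary["status"] == DONE_STATUS:
            return _checked(*client.get_report(sample_id))
        if summary["status"] == FAILED_STATUS:
            raise RuntimeError(f"analysis of {sample_id} failed")
        time.sleep(delay)
    raise TimeoutError(f"sample {sample_id} not reported after {max_polls} polls")


class FakeSandbox:
    """Constructed stand-in that reports DONE_STATUS after a few polls."""

    def __init__(self, polls_needed: int = 3, sandbox_token_ok: bool = True):
        self.polls_needed = polls_needed
        self.token_ok = sandbox_token_ok
        self.polls = 0

    def submit_url(self, url: str) -> Response:
        if not self.token_ok:
            return 401, {}                 # page: 401 = Sandbox token missing
        return 200, {"id": "sample-0001", "kind": "url", "status": "pending",
                     "url": url, "private": False}

    def get_summary(self, sample_id: str) -> Response:
        self.polls += 1
        status = DONE_STATUS if self.polls >= self.polls_needed else "pending"
        return 200, {"id": sample_id, "status": status}

    def get_report(self, sample_id: str) -> Response:
        return 200, {"sample": {"id": sample_id, "score": 7},
                     "analysis": {"score": 7}, "version": "constructed"}


def demo(polls_needed: int = 3) -> Dict[str, Any]:
    """Run the chain against the constructed sandbox and record polls used."""
    fake = FakeSandbox(polls_needed)
    client = SandboxClient(fake.submit_url, fake.get_summary, fake.get_report)
    report = analyze_url(client, "http://example.invalid/sample")
    report["polls_used"] = fake.polls
    return report


if __name__ == "__main__":
    print(demo())
```

The `max_polls` bound matters in a Logic App or Power Automate flow: without it a sample that never reaches the finished status would exhaust the 100-calls-per-60-seconds throttling limit documented below while the run waits.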
Creating a connection
The connector supports the following authentication types:
| Name | Description | Applicable | Shareable |
|---|---|---|---|
| Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This connection is not shareable. If the Power App is shared with another user, that user will be prompted to explicitly create a new connection.
| Name | Type | Description | Required |
|---|---|---|---|
| API Key | securestring | The key for this API | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
Actions
| Action | Description |
|---|---|
| Get the full report | Get the full report on the submitted sample. |
| Get the full summary | Get the full summary on the submitted sample. |
| Submit file samples | Submit file samples to Recorded Future Sandbox. |
| Submit url samples | Submit url samples to Recorded Future Sandbox. |
Get the full report
Get the full report on the submitted sample.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API token | SandboxToken | True | string | Token to the Sandbox API |
| Sample ID | sampleID | True | string | ID of the analyzed sample |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| score_analysis_report | analysis.score | integer | |
| html_report | html_report | string | |
| completed_sample | sample.completed | string | |
| created_sample | sample.created | string | |
| id_sample | sample.id | string | |
| score_sample | sample.score | integer | |
| target_sample | sample.target | string | |
| signatures | signatures | array of object | |
| label_signatures | signatures.label | string | |
| name_signatures | signatures.name | string | |
| tags | signatures.tags | array of string | |
| ttp | signatures.ttp | array of string | |
| targets | targets | array of object | |
| domains | targets.iocs.domains | array of string | |
| ips | targets.iocs.ips | array of string | |
| urls | targets.iocs.urls | array of string | |
| score_targets | targets.score | integer | |
| signatures | targets.signatures | array of object | |
| label_signatures | targets.signatures.label | string | |
| name_signatures | targets.signatures.name | string | |
| tags | targets.signatures.tags | array of string | |
| ttp | targets.signatures.ttp | array of string | |
| target_targets | targets.target | string | |
| tasks | targets.tasks | array of string | |
| tasks | tasks | object | |
| version | version | string | |
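The return paths above (`analysis.score`, `sample.*`, `signatures[]`, `targets[].iocs.*`, `targets[].signatures[]`) are what a downstream playbook has to walk to get anything actionable out of the report. The Python below is an added example, not Recorded Future's code: it condenses a full report into one triage record (max score, signature labels and names, ATT&CK TTP ids, deduplicated IOCs) and shows a simple escalation condition. The `REPORT` dict is a constructed sample shaped like the documented paths, not real sandbox output, and the score threshold of 7 is an assumption since the page does not define the score scale.

```python
"""Added example (not Recorded Future's code): walks a 'Get the full report'
response using the return paths documented on the page and condenses it
into a triage summary. REPORT is a CONSTRUCTED sample, not real output."""
from typing import Any, Dict, List

REPORT: Dict[str, Any] = {
    "version": "constructed-1",
    "analysis": {"score": 8},
    "sample": {"id": "sample-0001", "score": 8, "target": "dropper.exe",
               "created": "2024-01-01T00:00:00Z",
               "completed": "2024-01-01T00:03:00Z"},
    "signatures": [
        {"name": "Suspicious process spawn", "label": "suspicious",
         "tags": ["process"], "ttp": ["T1059"]},
    ],
    "targets": [
        {"target": "dropper.exe", "score": 8, "tasks": ["static1", "behavioral1"],
         "iocs": {"domains": ["c2.example.invalid", "cdn.example.invalid"],
                  "ips": ["203.0.113.10"],
                  "urls": ["http://c2.example.invalid/beacon"]},
         "signatures": [
             {"name": "Beaconing HTTP", "label": "malicious",
              "tags": ["network"], "ttp": ["T1071.001", "T1059"]},
         ]},
        {"target": "payload.dll", "score": 3, "tasks": ["static1"],
         "iocs": {"domains": ["cdn.example.invalid"], "ips": [], "urls": []},
         "signatures": []},
    ],
}


def _dedupe(values: List[str]) -> List[str]:
    """Drop empties and duplicates; sort so output is stable for diffing."""
    return sorted(set(v for v in values if v))


def triage(report: Dict[str, Any]) -> Dict[str, Any]:
    """Collapse a full report into fields an analyst or a Sentinel playbook
    condition can act on. Missing keys are tolerated because the page
    leaves every return field's description empty."""
    # Top-level signatures plus the per-target signatures (both documented).
    sigs = list(report.get("signatures", []))
    domains: List[str] = []
    ips: List[str] = []
    urls: List[str] = []
    for target in report.get("targets", []):
        iocs = target.get("iocs", {})
        domains += iocs.get("domains", [])
        ips += iocs.get("ips", [])
        urls += iocs.get("urls", [])
        sigs += target.get("signatures", [])
    # analysis.score, sample.score and targets[].score all exist; take the max.
    scores = [report.get("analysis", {}).get("score"),
              report.get("sample", {}).get("score")]
    scores += [t.get("score") for t in report.get("targets", [])]
    scores = [s for s in scores if isinstance(s, int)]
    return {
        "sample_id": report.get("sample", {}).get("id"),
        "max_score": max(scores) if scores else None,
        "labels": _dedupe([s.get("label", "") for s in sigs]),
        "signatures": _dedupe([s.get("name", "") for s in sigs]),
        "ttps": _dedupe([t for s in sigs for t in s.get("ttp", [])]),
        "iocs": {"domains": _dedupe(domains), "ips": _dedupe(ips),
                 "urls": _dedupe(urls)},
    }


def is_malicious(summary: Dict[str, Any], threshold: int = 7) -> bool:
    """Example playbook condition: escalate when the score meets the
    threshold or any signature is labelled malicious. The threshold is an
    assumption; the page does not define the score scale."""
    score = summary["max_score"] or 0
    return score >= threshold or "malicious" in summary["labels"]


if __name__ == "__main__":
    summary = triage(REPORT)
    print(summary)
    print("escalate:", is_malicious(summary))
```

The IOC lists come back deduplicated across targets, so the same domain seen by two targets (here `cdn.example.invalid`) is emitted once; that is the form a blocklist or a Sentinel watchlist update wants.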
Get the full summary
Get the full summary on the submitted sample.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API Token | SandboxToken | True | string | Token to the Sandbox API |
| Sample ID | sampleID | True | string | ID of the analyzed sample |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| id_summary | id | string | |
| kind_summary | kind | string | |
| private_summary | private | boolean | |
| status_summary | status | string | |
| submitted_summary | submitted | string | |
| url_summary | url | string | |
Submit file samples
Submit file samples to Recorded Future Sandbox.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API Token | SandboxToken | True | string | Token to the Sandbox API |
| File | file | True | file | File to submit to the Sandbox |
| Password | password | | string | A password that may be used to decrypt the provided file, usually an archive (zip/rar/etc). |
| User tags | user_tags | | string | An optional array of user-defined strings that lets the user mark a sample. The resulting tags will be embedded in the reports. The total size cannot exceed 1 kB and tags cannot be empty. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| id_submitted | id | string | |
| kind_submitted | kind | string | |
| private_submitted | private | boolean | |
| status_submitted | status | string | |
| submitted_time | submitted | string | |
| url_submitted | url | string | |
Submit url samples
Submit url samples to Recorded Future Sandbox.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API Token | SandboxToken | True | string | Token to the Sandbox API |
| url | url | | string | URL to submit to the Sandbox |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| id_submitted | id | string | |
| kind_submitted | kind | string | |
| private_submitted | private | boolean | |
| status | status | string | |
| submitted_time | submitted | string | |
| url_submitted | url | string | |