Recorded Future Sandbox (Preview)

The Recorded Future Sandbox Connector enables security and IT teams to analyze and understand files and URLs. It provides safe and immediate behavioral analysis, helping to contextualize key artifacts in an investigation and leading to faster triage. Through this connector, organizations can incorporate the malware analysis sandbox into automated workflows with applications such as Microsoft Defender for Endpoint and Microsoft Sentinel.

This connector is available in the following products and regions:

| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions except the following: Azure Government regions; Azure China regions; US Department of Defense (DoD) |
| Power Automate | Premium | All Power Automate regions except the following: US Government (GCC); US Government (GCC High); China Cloud operated by 21Vianet; US Department of Defense (DoD) |
| Power Apps | Premium | All Power Apps regions except the following: US Government (GCC); US Government (GCC High); China Cloud operated by 21Vianet; US Department of Defense (DoD) |

| Contact | |
|---|---|
| Name | Recorded Future Support |
| URL | https://support.recordedfuture.com |
| Email | [email protected] |

| Connector Metadata | |
|---|---|
| Publisher | Recorded Future |
| Website | https://www.recordedfuture.com |
| Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
| Categories | AI;Data |

With the Recorded Future Sandbox Connector, IT and security teams can conduct safe and prompt behavioral analysis of files and URLs, gaining insights into key artifacts in an investigation and facilitating quicker triage.

Prerequisites

To enable the Recorded Future Sandbox for Microsoft Azure integration, users must be provisioned two API tokens: one Recorded Future API token and one Sandbox API token. Please reach out to your account manager to obtain the necessary API tokens.

How to get credentials

Recorded Future clients interested in API access for custom scripts or to enable a paid integration can request an API Token via this Integration Support Ticket form. Please fill out the following fields, based on intended API usage.

Recorded Future API Services - Choose if your token is pertaining to one of the below Recorded Future API offerings:

  • Connect API
  • Entity Match API
  • List API
  • Identity API (Note: Identity API is included with a license to Identity Intelligence Module)
  • Detection Rule API
  • Playbook Alert API (currently in Beta)

Integration Partner Category - Choose if your token is pertaining to a supported partner integration offering:

  • Premier Integrations
  • Partner Owned Integrations
  • Client Owned Integration
  • Intelligence Card Extensions

Select Your Problem - Choose "Upgrade" or "New Installation"

Note that for API access to enable a paid integration, Recorded Future Support will connect with your account team to confirm licensing and ensure the token is set up with the correct specifications and permissions.

Additional questions about API token requests not covered by the above can be sent via email to our support team, [email protected].

How to obtain Recorded Future Sandbox API token

To obtain the Sandbox API token, sign in with your Recorded Future account here. Click on your account settings in the upper right corner. There you can find your API key under API Access.

If you were not able to sign in and obtain the Sandbox API token, request the token via this Integration Support Ticket form or [email protected].

Get started with your connector

This connector is used to submit URLs and files to Recorded Future Sandbox and then retrieve the summary and the report of the sample. The connector has no triggers and four actions:

  1. Submit file sample - A file is submitted to the Sandbox. Returns an overview of the submission, including sample ID.
  2. Submit URL sample - A URL is submitted to the Sandbox. Returns an overview of the submission, including sample ID.
  3. Get the summary - Returns a short summary of the submission, including the status of the full report.
  4. Get the full report - Returns the full report.

Common errors and remedies

401 - Bad Request. Sandbox token is missing.

403 - Not authenticated. Recorded Future API token is missing or wrong.

Creating a connection

The connector supports the following authentication types:

Default | Parameters for creating connection. | All regions | Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not a shareable connection. If the power app is shared with another user, that user will be prompted to create a new connection explicitly.

| Name | Type | Description | Required |
|---|---|---|---|
| API Key | securestring | The key for this API | True |

Throttling Limits

| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |

Actions

  • Get the full report - Get the full report on the submitted sample.
  • Get the full summary - Get the full summary on the submitted sample.
  • Submit file samples - Submit file samples to Recorded Future Sandbox.
  • Submit url samples - Submit url samples to Recorded Future Sandbox.

Get the full report

Get the full report on the submitted sample.

Parameters

| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API token | SandboxToken | True | string | Token to the Sandbox API |
| Sample ID | sampleID | True | string | ID of the analyzed sample |

Returns

| Name | Path | Type | Description |
|---|---|---|---|
| score_analysis_report | analysis.score | integer | |
| html_report | html_report | string | |
| completed_sample | sample.completed | string | |
| created_sample | sample.created | string | |
| id_sample | sample.id | string | |
| score_sample | sample.score | integer | |
| target_sample | sample.target | string | |
| signatures | signatures | array of object | |
| label_signatures | signatures.label | string | |
| name_signatures | signatures.name | string | |
| tags | signatures.tags | array of string | |
| ttp | signatures.ttp | array of string | |
| targets | targets | array of object | |
| domains | targets.iocs.domains | array of string | |
| ips | targets.iocs.ips | array of string | |
| urls | targets.iocs.urls | array of string | |
| score_targets | targets.score | integer | |
| signatures | targets.signatures | array of object | |
| label_signatures | targets.signatures.label | string | |
| name_signatures | targets.signatures.name | string | |
| tags | targets.signatures.tags | array of string | |
| ttp | targets.signatures.ttp | array of string | |
| target_targets | targets.target | string | |
| tasks | targets.tasks | array of string | |
| tasks | tasks | object | |
| version | version | string | |
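
The fields listed under Returns above are what a triage step in a workflow reads. The following is an added example, not part of the connector documentation or Recorded Future's code: it reduces a full report to a score, deduplicated IOCs and TTPs merged from the top-level and per-target signatures. The sample report values and the `alert_threshold` default are assumptions, since the page does not define the score scale.

```python
import json

# Constructed report shaped like the Returns table; every value is invented.
SAMPLE_REPORT = json.loads("""
{
  "version": "0.0-example",
  "sample": {"id": "sample-0001", "score": 10, "target": "invoice.exe"},
  "analysis": {"score": 10},
  "signatures": [
    {"name": "constructed-persistence", "tags": ["persistence"], "ttp": ["T1547.001"]}
  ],
  "targets": [
    {"target": "invoice.exe", "score": 10, "tasks": ["behavioral1"],
     "iocs": {"domains": ["c2.example.test"], "ips": ["192.0.2.10"],
              "urls": ["http://c2.example.test/gate"]},
     "signatures": [{"name": "constructed-network", "ttp": ["T1071", "T1547.001"]}]},
    {"target": "dropped.dll", "score": 3, "tasks": ["behavioral2"]}
  ]
}
""")


def triage(report, alert_threshold=7):
    """Reduce a full report to the fields an analyst pivots on.

    alert_threshold is an assumption; the page does not define the score scale.
    """
    score = (report.get("analysis") or {}).get("score")
    iocs = {"domains": set(), "ips": set(), "urls": set()}
    signatures = list(report.get("signatures") or [])
    for target in report.get("targets") or []:
        found = target.get("iocs") or {}  # a target may carry no IOCs at all
        for kind in iocs:
            iocs[kind].update(found.get(kind) or [])
        signatures.extend(target.get("signatures") or [])
    # TTPs appear on both top-level and per-target signatures; merge and dedupe.
    ttps = {t for sig in signatures for t in (sig.get("ttp") or [])}
    return {
        "sample_id": (report.get("sample") or {}).get("id"),
        "score": score,
        "escalate": score is not None and score >= alert_threshold,
        "iocs": {kind: sorted(values) for kind, values in iocs.items()},
        "ttps": sorted(ttps),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```
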

Get the full summary

Get the full summary on the submitted sample.

Parameters

| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API Token | SandboxToken | True | string | Token to the Sandbox API |
| Sample ID | sampleID | True | string | ID of the analyzed sample |

Returns

| Name | Path | Type | Description |
|---|---|---|---|
| id_summary | id | string | |
| kind_summary | kind | string | |
| private_summary | private | boolean | |
| status_summary | status | string | |
| submitted_summary | submitted | string | |
| url_summary | url | string | |

Submit file samples

Submit file samples to Recorded Future Sandbox.

Parameters

| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API Token | SandboxToken | True | string | Token to the Sandbox API |
| File | file | True | file | File to submit to the Sandbox |
| Password | password | | string | A password that may be used to decrypt the provided file, usually an archive (zip/rar/etc). |
| User tags | user_tags | | string | An optional array of user-defined strings that lets the user mark a sample. The resulting tags will be embedded in the reports. The total size cannot exceed 1kB and tags cannot be empty. |

Returns

| Name | Path | Type | Description |
|---|---|---|---|
| id_submitted | id | string | |
| kind_submitted | kind | string | |
| private_submitted | private | boolean | |
| status_submitted | status | string | |
| submitted_time | submitted | string | |
| url_submitted | url | string | |

Submit url samples

Submit url samples to Recorded Future Sandbox.

Parameters

| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Sandbox API Token | SandboxToken | True | string | Token to the Sandbox API |
| url | url | | string | url |

Returns

| Name | Path | Type | Description |
|---|---|---|---|
| id_submitted | id | string | |
| kind_submitted | kind | string | |
| private_submitted | private | boolean | |
| status | status | string | |
| submitted_time | submitted | string | |
| url_submitted | url | string | |