Recorded Future V2

Recorded Future Connector enables access to the Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities, Recorded Future Alerts and enables access to Recorded Future SOAR API and Fusion Files

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions
Power Automate Premium All Power Automate regions
Power Apps Premium All Power Apps regions
Contact
Name Recorded Future Support
URL https://support.recordedfuture.com
Email [email protected]
Connector Metadata
Publisher Recorded Future
Website https://www.recordedfuture.com
Privacy Policy https://www.recordedfuture.com/privacy-policy/
Categories AI;Data

Recorded Future V2

The Recorded Future integration allows real-time security intelligence to be integrated into popular Microsoft services like Sentinel, Defender ATP, and others. This empowers our clients to maximize their existing security investments, ensuring they have real-time intelligence to secure their cloud environments and reduce risk to the organization. The Recorded Future connector for Microsoft Azure enables access to dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash, Vulnerabilities), associated context (Risk Score, Risk Rules, High Confidence Links, and an Intelligence Card Link), Recorded Future Alerts, Playbooks Alerts and Detection Rules.

Publisher: Recorded Future

Whats new?

  • Added Recorded Future Playbook Alerts actions
  • New V2 Recorded Future Alerts actions
  • Added Recorded Future Detection Rules actions
  • Added IntelligenceCloud parameter
  • Added HTML response to lookup actions

Prerequisites

To enable the Recorded Future for Microsoft Azure integration, users must be provisioned a Recorded Future API token. Please reach to your account manager to obtain the necessary API token.

How to get credentials

Prior to use of the Recorded Future integration for Microsoft Azure, users must provision an API token from their account manager or from within the Recorded Future portal necessary for the integration.

  1. Login to the Recorded Future Portal (https://app.recordedfuture.com). Click on the menu in the upper right and choose �User Settings�.

  2. On the User Settings menu, choose the �API Access� section and click the �Generate New API Token� link.

  3. Provide a name for your token, select a �Description� of �Microsoft Azure�, and then click the �Create� button. Save the API token that is generated, since you will configure it within the Microsoft Azure connector for the integration.

Supported Operations

This connector is used to pull Recorded Future indicators, alerts, playbook alerts, and detection rules :

  1. IP Enrichment - Enrich an IP with Recorded Future data.
  2. Domain Enrichment - Enrich a domain with Recorded Future data.
  3. URL Enrichment - Enrich a URL with Recorded Future data.
  4. Hash Enrichment - Enrich a hash with Recorded Future data.
  5. Vulnerability Enrichment - Enrich a vulnerability with Recorded Future data.
  6. Search Alert Notification - List Alert Notifications by a set of search parameters.
  7. Get Alert Notification by ID - Get the alert details of a triggered alert
  8. Search Alert Rules - List alert rules by name
  9. Search Alert Notification (Deprecated) - Deprecated
  10. Get Alert Notification by ID (Deprecated) - Deprecated
  11. Search Playbook Alerts - List playbook alerts based on a set of search parameters
  12. Get Playbook Alert by ID - Get the alert details of a playbook alert
  13. Search Detection Rules - Get detection rules matching a search filter
  14. Recorded Future RiskLists and SCF Download - Download Recorded Future Risk Lists and Security Control Feeds
  15. SOAR API - Multi-Entitiy Enrichment - Enrich multiple entities at once (Specific Access is Required)

Known issues and limitations

N/A

Creating a connection

The connector supports the following authentication types:

Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
API Key securestring The API Key for this api True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Domain Enrichment

Enrich a domain with Recorded Future data

Get Alert Notification by ID

Get the alert details of a triggered alert

Get Alert Notification by ID (Deprecated)

Deprecated, use /v2/alerts/{id} instead. Get the alert details of a triggered alert

Get Playbook Alert by ID

Get the alert details of a playbook alert

Hash Enrichment

Enrich a hash with Recorded Future data

IP Enrichment

Enrich an IP with Recorded Future data

Recorded Future RiskLists and SCF Download

Download Recorded Future Risk Lists and Security Control Feeds

Search Alert Notification

List Alert Notifications by a set of search parameters

Search Alert Notifications (Deprecated)

Deprecated, use /v2/alerts instead. List Alert Notifications by a set of search parameters

Search Alert Rules

List alert rules by name

Search Detection Rules

Get detection rules matching a search filter

Search Playbook Alerts

List playbook alerts based on a set of search parameters

SOAR API - Multi-Entitiy Enrichment

Enrich multiple entities at once (Specific Access is Required)

URL Enrichment

Enrich a URL with Recorded Future data

Vulnerability Enrichment

Enrich a vulnerability with Recorded Future data

Domain Enrichment

Enrich a domain with Recorded Future data

Parameters

Name Key Required Type Description
Domain input
domain True string

The domain to lookup. Must be a single domain

Returns

Name Path Type Description
intelCard
data.intelCard string

Recorded Future Intelligence Card Link

criticalityLabel
data.risk.criticalityLabel string

Recorded Future Indicator Criticality Level

score
data.risk.score integer

Recorded Future Indicator Risk Score

evidenceDetails
data.risk.evidenceDetails array of object

Evidence details

evidenceString
data.risk.evidenceDetails.evidenceString string

Recorded Future Risk Rules Evidence Details

rule
data.risk.evidenceDetails.rule string

Recorded Future Indicator Risk Rules

riskSummary
data.risk.riskSummary string

Recorded Future Risk Rules Summary

links
data.links Links

High Confidence Evidence Based Links

html_response
data.html_response string

Get Alert Notification by ID

Get the alert details of a triggered alert

Parameters

Name Key Required Type Description
Alert Notification ID
id True string

Alert Notification ID

Fields to include
fields string

Fields to include. Returns all if not specified.

Returns

Name Path Type Description
data
data AlertSearchV2

Get Alert Notification by ID (Deprecated)

Deprecated, use /v2/alerts/{id} instead. Get the alert details of a triggered alert

Parameters

Name Key Required Type Description
Alert Notification ID
id True string

Alert Notification ID

Returns

Get Playbook Alert by ID

Get the alert details of a playbook alert

Parameters

Name Key Required Type Description
Playbook Alert ID
id True string

Playbook Alert ID

Returns

Hash Enrichment

Enrich a hash with Recorded Future data

Parameters

Name Key Required Type Description
HASH input
hash True string

The HASH to lookup. Must be a single HASH

Returns

Name Path Type Description
intelCard
data.intelCard string

Recorded Future Intelligence Card Link

criticalityLabel
data.risk.criticalityLabel string

Recorded Future Indicator Criticality Level

score
data.risk.score integer

Recorded Future Indicator Risk Score

evidenceDetails
data.risk.evidenceDetails array of object

Evidence details

evidenceString
data.risk.evidenceDetails.evidenceString string

Recorded Future Risk Rules Evidence Details

rule
data.risk.evidenceDetails.rule string

Recorded Future Indicator Risk Rules

riskSummary
data.risk.riskSummary string

Recorded Future Risk Rules Summary

links
data.links Links

High Confidence Evidence Based Links

html_response
data.html_response string

IP Enrichment

Enrich an IP with Recorded Future data

Parameters

Name Key Required Type Description
IP input
ip True string

The IP address to lookup. Must be a single IP address

Returns

Name Path Type Description
intelCard
data.intelCard string

Recorded Future Intelligence Card Link

criticalityLabel
data.risk.criticalityLabel string

Recorded Future Indicator Criticality Level

score
data.risk.score integer

Recorded Future Indicator Risk Score

evidenceDetails
data.risk.evidenceDetails array of object

Evidence details

evidenceString
data.risk.evidenceDetails.evidenceString string

Recorded Future Risk Rules Evidence Details

rule
data.risk.evidenceDetails.rule string

Recorded Future Indicator Risk Rules

riskSummary
data.risk.riskSummary string

Recorded Future Risk Rules Summary

links
data.links Links

High Confidence Evidence Based Links

html_response
data.html_response string

Recorded Future RiskLists and SCF Download

Download Recorded Future Risk Lists and Security Control Feeds

Parameters

Name Key Required Type Description
Path to file
path True string

Path to file

Returns

Name Path Type Description
array of object
Name
Name string
Risk
Risk integer
RiskString
RiskString string
EvidenceDetails
EvidenceDetails.EvidenceDetails array of object
Rule
EvidenceDetails.EvidenceDetails.Rule string
EvidenceString
EvidenceDetails.EvidenceDetails.EvidenceString string
CriticalityLabel
EvidenceDetails.EvidenceDetails.CriticalityLabel string
Timestamp
EvidenceDetails.EvidenceDetails.Timestamp integer
MitigationString
EvidenceDetails.EvidenceDetails.MitigationString string
Criticality
EvidenceDetails.EvidenceDetails.Criticality integer

Search Alert Notification

List Alert Notifications by a set of search parameters

Parameters

Name Key Required Type Description
Triggered
triggered string

The timeframe for which to include triggered alerts.

Alert Rule ID
alertRule string

Only return alerts triggered for the specified alert rule id.

Maximum number of records
limit integer

Limits the number of returned alerts.

Records from offset
from integer

Records from offset

Fields to include
fields string

Fields to include. Returns all if not specified.

Returns

Name Path Type Description
data
data array of AlertSearchV2
returned
counts.returned integer
total
counts.total integer

Search Alert Notifications (Deprecated)

Deprecated, use /v2/alerts instead. List Alert Notifications by a set of search parameters

Parameters

Name Key Required Type Description
Triggered
triggered string

All Elasticsearch compatible date formats are valid.

Alert Rule ID
alertRule True string

Alert Rule ID

Maximum number of records
limit integer

Maximum number of records

Records from offset
from integer

Records from offset

Returns

Search Alert Rules

List alert rules by name

Parameters

Name Key Required Type Description
Freetext search
freetext string

Freetext search for Alert Rule Name

Maximum number of records
limit integer

Maximum number of records

Returns

Name Path Type Description
results
data.results array of object

Results

Alert Rule Title
data.results.title string

Title

Alert Rule ID
data.results.id string

Id

Returned Number of Alert Rules
counts.returned integer

Returned

Total Number of Alert Rules
counts.total integer

Total

Search Detection Rules

Get detection rules matching a search filter

Parameters

Name Key Required Type Description
types
types array of string

List of detection rule types to include in the response

entities
entities array of string

List of entities that the detection rules must be related to

before
before date-time

Limit created date. E.g: 2023-06-01T00:00:00Z

after
after date-time

Limit created date. E.g: 2023-01-01T00:00:00Z

Limit
limit integer

Limit the number of returned detection rules

Returns

Name Path Type Description
Detection Rule Count
count integer

Count

Detection Rules
result array of object

Detection Rules

id
result.id string
type
result.type string
title
result.title string
description
result.description string
rules
result.rules array of object
name
result.rules.name string
description
result.rules.description string
file_name
result.rules.file_name string
entities
result.rules.entities array of object
id
result.rules.entities.id string
type
result.rules.entities.type string
name
result.rules.entities.name string
display_name
result.rules.entities.display_name string
content
result.rules.content string
created
result.created string
updated
result.updated string

Search Playbook Alerts

List playbook alerts based on a set of search parameters

Parameters

Name Key Required Type Description
entities
entities array of string

A list of entities

statuses
statuses array of string

A list of alert statuses

priorities
priorities array of string

A list of alert priorities

categories
categories array of string

A list of alert categories

Relative created from
created_from_relative string

Limit the response to playbook alerts created at most this many hours in the past. Defaults to '-168' (one week back).

Relative created until
created_until_relative string

Limit the response to playbook alerts created at the latest this many hours in the past. Defaults to '0' (now).

Relative updated from
updated_from_relative string

Limit the response to playbook alerts updated at most this many hours in the past. Defaults to '-168' (one week back).

Relative updated until
updated_until_relative string

Limit the response to playbook alerts updated at the latest this many hours in the past. Defaults to '0' (now).

Returns

Playbook Alerts matching the search criteria

SOAR API - Multi-Entitiy Enrichment

Enrich multiple entities at once (Specific Access is Required)

Parameters

Name Key Required Type Description
ip
ip array of string

Ip

url
url array of string

Url

domain
domain array of string

Domain

hash
hash array of string

Hash

vulnerability
vulnerability array of string

Vulnerability

Returns

Name Path Type Description
returned
counts.returned integer
total
counts.total integer
results
data.results array of object
id
data.results.entity.id string
name
data.results.entity.name string
type
data.results.entity.type string
context
data.results.risk.context object
level
data.results.risk.level number
rule
data.results.risk.rule object
score
data.results.risk.score number

URL Enrichment

Enrich a URL with Recorded Future data

Parameters

Name Key Required Type Description
URL input
url True string

The URL to lookup. Must be a single URL

Returns

Name Path Type Description
criticalityLabel
data.risk.criticalityLabel string

Recorded Future Indicator Criticality Level

score
data.risk.score integer

Recorded Future Indicator Risk Score

evidenceDetails
data.risk.evidenceDetails array of object

Evidence details

evidenceString
data.risk.evidenceDetails.evidenceString string

Recorded Future Risk Rules Evidence Details

rule
data.risk.evidenceDetails.rule string

Recorded Future Indicator Risk Rules

riskSummary
data.risk.riskSummary string

Recorded Future Risk Rules Summary

links
data.links Links

High Confidence Evidence Based Links

html_response
data.html_response string

Vulnerability Enrichment

Enrich a vulnerability with Recorded Future data

Parameters

Name Key Required Type Description
Vulnerability ID (CVE, name) input
id True string

The Vulnerability ID (CVE, name) to lookup. Must be a single Vulnerability ID (CVE, name)

Returns

Name Path Type Description
intelCard
data.intelCard string

Recorded Future Intelligence Card Link

criticalityLabel
data.risk.criticalityLabel string

Recorded Future Vulnerability Criticality Level

score
data.risk.score integer

Recorded Future Vulnerability Risk Score

evidenceDetails
data.risk.evidenceDetails array of object

Evidence details

evidenceString
data.risk.evidenceDetails.evidenceString string

Recorded Future Risk Rules Evidence Details

rule
data.risk.evidenceDetails.rule string

Recorded Future Vulnerability Risk Rules

riskSummary
data.risk.riskSummary string

Recorded Future Risk Rules Summary

links
data.links Links

High Confidence Evidence Based Links

html_response
data.html_response string

Definitions

High Confidence Evidence Based Links

Name Path Type Description
startDate
technical.start_date string

Link start date

stopDate
technical.stop_date string

Link stop date

entities
technical.entities array of LinkEntities

Related entities

startDate
research.start_date string

Link start date

stopDate
research.stop_date string

Link stop date

entities
research.entities array of LinkEntities

Related entities

LinkEntities

Name Path Type Description
type
type string

Enitity type

name
name string

Entity name

score
score integer

Risk score

category
category string

Entity category

AlertSearchV2

Name Path Type Description
review
review AlertReviewV2
owner_organisation_details
owner_organisation_details AlertOwnerV2
url
url AlertURLV2
rule
rule AlertRuleV2
id
id AlertID
hits
hits AlertHitsV2
log
log AlertLogV2
title
title AlertTitle
type
type AlertType
ai_insights
ai_insights AlertAiV2

AlertAiV2

Name Path Type Description
comment
comment string
text
text string

AlertHitsV2

Name Path Type Description
entities
entities array of object
id
entities.id string
name
entities.name string
type
entities.type string
id
document.source.id string
name
document.source.name string
type
document.source.type string
title
document.title string
url
document.url string
authors
document.authors array of object
id
document.authors.id string
name
document.authors.name string
type
document.authors.type string
fragment
fragment string
id
id string
language
language string
id
primary_entity.id string
name
primary_entity.name string
type
primary_entity.type string
analyst_note
analyst_note string

AlertSearch

Name Path Type Description
results
data.results array of object
review
data.results.review AlertReview
url
data.results.url AlertURL
rule
data.results.rule AlertRule
triggered
data.results.triggered AlertTriggered
id
data.results.id AlertID
title
data.results.title AlertTitle
type
data.results.type AlertType
returned
counts.returned integer
total
counts.total integer

AlertLookup

Name Path Type Description
review
data.review AlertReview
entities
data.entities AlertEntities
url
data.url AlertURL
rule
data.rule AlertRule
triggered
data.triggered AlertTriggered
id
data.id AlertID
references
data.counts.references integer
entities
data.counts.entities integer
documents
data.counts.documents integer
title
data.title AlertTitle
type
data.type AlertType

AlertLogV2

Name Path Type Description
note_author
note_author string
note_date
note_date date-time
status_date
status_date string
triggered
triggered string
status_change_by
status_change_by string

AlertOwnerV2

Name Path Type Description
organisations
organisations array of object
organisation_id
organisations.organisation_id string
organisation_name
organisations.organisation_name string
enterprise_id
enterprise_id string
enterprise_name
enterprise_name string

AlertReviewV2

Name Path Type Description
assignee
assignee string
status
status string
status_in_portal
status_in_portal string
note
note string

AlertReview

Name Path Type Description
assignee
assignee string
status
status string
noteDate
noteDate string
noteAuthor
noteAuthor string
note
note string

AlertEntities

Name Path Type Description
trend
trend object
documents
documents array of object
references
documents.references array of object
fragment
documents.references.fragment string
entities
documents.references.entities array of object
id
documents.references.entities.id string
name
documents.references.entities.name string
type
documents.references.entities.type string
language
documents.references.language string
id
documents.source.id string
name
documents.source.name string
type
documents.source.type string
title
documents.title string
url
documents.url string
risk
risk object
id
entity.id string
name
entity.name string
type
entity.type string

AlertURL

AlertRule

Name Path Type Description
name
name string
id
id string
url
url string

AlertURLV2

Name Path Type Description
api
api string
portal
portal string

AlertRuleV2

Name Path Type Description
name
name string
id
id string
portal
url.portal string

AlertTriggered

AlertID

AlertTitle

AlertType

PlaybookAlertSearch

Playbook Alerts matching the search criteria

Name Path Type Description
playbook_alert_id
playbook_alert_id string
created
created string
updated
updated string
status
status string
category
category string
priority
priority string
title
title string
owner_id
owner_id string
owner_name
owner_name string
organisation_id
organisation_id string
organistaion_name
organistaion_name string
organisations
owner_organisation_details.organisations array of object
organisation_id
owner_organisation_details.organisations.organisation_id string
organisation_name
owner_organisation_details.organisations.organisation_name string
enterprise_id
owner_organisation_details.enterprise_id string
enterprise_name
owner_organisation_details.enterprise_name string

PlaybookAlertLookup

Name Path Type Description
title
title string
id
id string
category
category string
rule_label
rule_label string
status
status string
priority
priority string
targets
targets string
created_date
created_date string
updated_date
updated_date string
evidence_summary
evidence_summary string
link
link string
json_alert
json_alert string