Recorded Future V2 (Preview)
The Recorded Future connector provides access to Recorded Future intelligence. It has dedicated actions for pulling Recorded Future indicators (IP, domain, URL, hash) together with their context (risk score, risk rules, Intelligence Card link and High Confidence Evidence Based Links), vulnerabilities and Recorded Future alerts, and it exposes the Recorded Future SOAR API and Fusion Files.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions - US Department of Defense (DoD) |
| Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Contact | |
|---|---|
| Name | Recorded Future Support |
| URL | https://support.recordedfuture.com |
| Email | support@recordedfuture.com |
| Connector Metadata | |
|---|---|
| Publisher | Recorded Future |
| Website | https://www.recordedfuture.com |
| Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
| Categories | AI;Data |
The Recorded Future Azure connector integrates real-time security intelligence into Microsoft services such as Microsoft Sentinel and Defender ATP, so that existing security investments are backed by current intelligence for securing cloud environments and reducing risk to the organization. The connector provides dedicated actions for pulling Recorded Future indicators (IP, domain, URL, hash, vulnerabilities), their associated context (risk score, risk rules, High Confidence Links and an Intelligence Card link), and Recorded Future alerts.
Prerequisites
This connector requires an API token from Recorded Future.
How to get credentials
To use the Recorded Future for Azure connector you need a valid API token from Recorded Future. If you have already purchased the integration, ask your Intelligence Services representative for the token. A 30-day free trial of Recorded Future for Sentinel is also available from Recorded Future.
Get started with your connector
Recorded Future combines machine and human analysis to fuse open source, dark web and technical sources with original research. The resulting intelligence can be consumed directly by analysts and integrated with security systems to support three primary use cases for security operations and incident response:
Threat Prevention: block threats with high confidence for less business disruption
- Command & Control IPs
- Weaponized Domains
- Weaponized URLs
Threat Detection: Correlate Recorded Future intelligence with your internal data to detect previously undetected threats. Recorded Future provides multiple types of datasets, called Risklists, for detection purposes.
Detection based on Recorded Future IP Risklists:
- Default
- IPs with Score 90+ (very malicious)
- Current C&C Server
- Actively Communicating C&C Server
- Recent Botnet Traffic
- Phishing Host
- Recently Reported by Insikt Group
Detection based on Recorded Future Domain Risklists:
- Default
- Domains with Score 90+ (very malicious)
- C&C DNS Name
- Recently Reported by Insikt Group
- Recent COVID-19-Related Domain Lure: Malicious
- Recent Phishing Lure: Malicious
- Ransomware Payment DNS Name
- Recently Active Weaponized Domain
Detection based on Recorded Future URL Risklists:
- URLs with Score 90+ (very malicious)
- C&C URL
- Ransomware Distribution URL
- Recently Reported by Insikt Group
- Positive Malware Verdict
- Compromised URL
Detection based on Recorded Future Hash Risklists:
- Recently Active Targeting Vulnerabilities in the Wild
- Observed in Underground Virus Testing Sites
- Malware SSL Certificate Fingerprint
Sentinel Alert/Incident Triage/Enrichment: confidently prioritize and resolve alerts.
Recorded Future Alerts (configured in the Recorded Future Portal/UI)
Note: the integration is not limited to the areas listed above; it covers other areas according to the coverage of Recorded Future intelligence and data.
Common errors and remedies
Common connector error codes:
- 403 Not Authenticated: the provided API key is not valid or does not have the required access. Contact your Intelligence Services representative for support. Note that an API key provisioned specifically for the Recorded Future Microsoft connector is required.
- 404 Not Found: many of the connector endpoints return 404 when Recorded Future has no information on the requested resource. This is expected behavior, not a problem with the flow's input. Because a non-2xx response still marks the action as failed in Logic Apps and Power Automate, a flow that enriches indicators which may be unknown to Recorded Future should use the action's "Configure run after" setting to continue on failure and treat the 404 as "no intelligence", rather than letting the whole run abort.
Creating a connection
The connector supports the following authentication types:
| Name | Description | Applicable | Shareable |
|---|---|---|---|
| Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This connection is not shareable. If the Power App is shared with another user, that user is prompted to create a new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| API Key | securestring | The API Key for this api | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
Actions
| Action | Description |
|---|---|
| Domain Enrichment | Domain Enrichment with Recorded Future data |
| Hash Enrichment | Hash Enrichment with Recorded Future data |
| IP Enrichment | IP Enrichment with Recorded Future data |
| Lookup Alert Notification | Lookup Alert Notification |
| Recorded Future RiskLists and SCF Download | Recorded Future RiskList & Security Control Feeds Download |
| Search Alert Notifications | Search Alert Notifications |
| Search Alert Rules | Search Recorded Future UI Alert Rules |
| SOAR API - Look up multiple entities | SOAR API - Look up multiple entities (Specific Access is Required) |
| URL Enrichment | URL Enrichment with Recorded Future data |
| Vulnerability Enrichment | Vulnerability Enrichment with Recorded Future data |
Domain Enrichment
Domain Enrichment with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Domain input | domain | True | string | The domain to look up. Must be a single domain. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future indicator criticality level |
| score | data.risk.score | integer | Recorded Future indicator risk score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future risk rule evidence details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future indicator risk rule |
| riskSummary | data.risk.riskSummary | string | Recorded Future risk rules summary |
| links | data.links | Links | High Confidence Evidence Based Links |
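The following is an added example, not code from the connector reference or from Recorded Future. It shows how a flow step would consume one Domain/IP/URL/Hash Enrichment result: the HTTP status is handled as described under "Common errors and remedies" (403 is an authentication problem and must stop the flow; 404 means no intelligence and is not an error), and a 200 body in the Returns shape above (data.intelCard, data.risk.score, data.risk.criticalityLabel, data.risk.evidenceDetails[].rule) is mapped to a block/review/allow decision. The score thresholds, the BLOCK_RULES set and the sample bodies are this example's assumptions, not values defined by Recorded Future.

```python
"""Triage one Recorded Future enrichment response (added example).

Assumptions of this example: BLOCK_SCORE/REVIEW_SCORE thresholds,
the BLOCK_RULES set, and the constructed SAMPLE_* bodies."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

BLOCK_SCORE = 90   # assumption: mirrors the page's "Score 90+ (very malicious)" lists
REVIEW_SCORE = 65  # assumption: analyst-review band below the block line
# Assumption: rules the page names for high-confidence blocking.
BLOCK_RULES = {
    "Actively Communicating C&C Server",
    "Current C&C Server",
    "C&C URL",
    "Recently Active Weaponized Domain",
}


@dataclass
class Verdict:
    action: str                    # auth_error | no_intel | block | review | allow
    score: Optional[int] = None
    label: Optional[str] = None
    rules: List[str] = field(default_factory=list)
    intel_card: Optional[str] = None


def triage(status: int, body: Optional[Dict[str, Any]]) -> Verdict:
    """Map HTTP status + enrichment JSON to a decision.

    403: an invalid or wrongly provisioned key says nothing about the
         indicator, so it must never be read as "clean".
    404: the documented "no data" case; safe to treat as no intelligence.
    """
    if status == 403:
        return Verdict("auth_error")
    if status == 404:
        return Verdict("no_intel")
    if status != 200 or not body:
        raise ValueError(f"unexpected enrichment response: HTTP {status}")

    data = body.get("data", {})
    risk = data.get("risk", {})
    score = int(risk.get("score", 0))
    rules = [e.get("rule", "") for e in risk.get("evidenceDetails", [])]

    # A high-confidence C2 rule is actionable even when the aggregate
    # score sits below the block line, so rules are checked first.
    if score >= BLOCK_SCORE or BLOCK_RULES.intersection(rules):
        action = "block"
    elif score >= REVIEW_SCORE:
        action = "review"
    else:
        action = "allow"
    return Verdict(action, score, risk.get("criticalityLabel"), rules, data.get("intelCard"))


# Constructed sample bodies in the Returns shape (not real Recorded Future output).
SAMPLE_C2 = {"data": {
    "intelCard": "https://example.invalid/intel-card/203.0.113.7",
    "risk": {"score": 72, "criticalityLabel": "Malicious",
             "riskSummary": "2 of 60 Risk Rules currently observed",
             "evidenceDetails": [
                 {"rule": "Actively Communicating C&C Server",
                  "evidenceString": "Communication observed within the last 24h"},
                 {"rule": "Recent Botnet Traffic",
                  "evidenceString": "Sinkhole hit in the last 7 days"}]},
    "links": {}}}
SAMPLE_LOW = {"data": {
    "intelCard": "https://example.invalid/intel-card/192.0.2.44",
    "risk": {"score": 12, "criticalityLabel": "Unusual",
             "riskSummary": "1 of 60 Risk Rules currently observed",
             "evidenceDetails": [{"rule": "Historical Spam Source",
                                  "evidenceString": "Seen in 2023"}]},
    "links": {}}}

if __name__ == "__main__":
    for status, body in [(200, SAMPLE_C2), (200, SAMPLE_LOW), (404, None), (403, None)]:
        print(status, triage(status, body))
```

In a Logic App the same three branches become a Switch on the action's status code, with the 404 branch reached through "Configure run after" on the failed enrichment action.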
Hash Enrichment
Hash Enrichment with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| HASH input | hash | True | string | The hash to look up. Must be a single hash. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future indicator criticality level |
| score | data.risk.score | integer | Recorded Future indicator risk score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future risk rule evidence details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future indicator risk rule |
| riskSummary | data.risk.riskSummary | string | Recorded Future risk rules summary |
| links | data.links | Links | High Confidence Evidence Based Links |
IP Enrichment
IP Enrichment with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| IP input | ip | True | string | The IP address to look up. Must be a single IP address. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future indicator criticality level |
| score | data.risk.score | integer | Recorded Future indicator risk score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future risk rule evidence details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future indicator risk rule |
| riskSummary | data.risk.riskSummary | string | Recorded Future risk rules summary |
| links | data.links | Links | High Confidence Evidence Based Links |
Lookup Alert Notification
Lookup Alert Notification
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Alert Notification ID | id | True | string | Alert Notification ID (as returned by Search Alert Notifications) |
Returns
- Body
- AlertLookup
Recorded Future RiskLists and SCF Download
Recorded Future RiskList & Security Control Feeds Download
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Path to file | path | True | string | Path of the RiskList or Security Control Feed file to download |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| | | array of object | One record per indicator in the downloaded list |
| Name | Name | string | Indicator value |
| Risk | Risk | integer | Risk score |
| RiskString | RiskString | string | Risk summary string |
| EvidenceDetails | EvidenceDetails.EvidenceDetails | array of object | Triggered risk rules with their evidence |
| Rule | EvidenceDetails.EvidenceDetails.Rule | string | Risk rule name |
| EvidenceString | EvidenceDetails.EvidenceDetails.EvidenceString | string | Evidence for the rule |
| CriticalityLabel | EvidenceDetails.EvidenceDetails.CriticalityLabel | string | Criticality label of the rule |
| Timestamp | EvidenceDetails.EvidenceDetails.Timestamp | integer | Time the evidence was observed |
| MitigationString | EvidenceDetails.EvidenceDetails.MitigationString | string | Mitigation text for the rule |
| Criticality | EvidenceDetails.EvidenceDetails.Criticality | integer | Numeric criticality of the rule |
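The following is an added example, not code from the connector reference or from Recorded Future. It implements the "Threat Detection" use case from the Get started section (correlating a RiskList with internal data) over the record shape returned by the download action above: Name, Risk, RiskString and the nested EvidenceDetails.EvidenceDetails list of triggered rules. Narrower lists such as "Actively Communicating C&C Server" are emulated by filtering the Default list on rule name. The RiskList records, the firewall log lines and the key=value log format are constructed for this example.

```python
"""Correlate a downloaded Recorded Future IP RiskList with connection logs
(added example). RISKLIST, LOGS and the log format are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Constructed records in the download action's return shape.
RISKLIST = [
    {"Name": "203.0.113.7", "Risk": 96, "RiskString": "2/60",
     "EvidenceDetails": {"EvidenceDetails": [
         {"Rule": "Actively Communicating C&C Server", "Criticality": 4,
          "CriticalityLabel": "Very Malicious", "Timestamp": 1714550400000,
          "EvidenceString": "Beaconing observed in the last 24h", "MitigationString": ""},
         {"Rule": "Recent Botnet Traffic", "Criticality": 3,
          "CriticalityLabel": "Malicious", "Timestamp": 1714464000000,
          "EvidenceString": "Sinkhole hit", "MitigationString": ""}]}},
    {"Name": "198.51.100.23", "Risk": 72, "RiskString": "1/60",
     "EvidenceDetails": {"EvidenceDetails": [
         {"Rule": "Phishing Host", "Criticality": 3, "CriticalityLabel": "Malicious",
          "Timestamp": 1714464000000, "EvidenceString": "Hosts a phishing kit",
          "MitigationString": ""}]}},
    {"Name": "192.0.2.44", "Risk": 25, "RiskString": "1/60",
     "EvidenceDetails": {"EvidenceDetails": [
         {"Rule": "Historical Spam Source", "Criticality": 1, "CriticalityLabel": "Unusual",
          "Timestamp": 1712000000000, "EvidenceString": "Seen in 2023",
          "MitigationString": ""}]}},
]

# Constructed firewall lines; the key=value layout is this example's own format.
LOGS = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2024-05-01T10:00:02Z src=10.0.0.9 dst=93.184.216.34 dport=443 action=allow
2024-05-01T10:00:03Z src=10.0.0.5 dst=198.51.100.23 dport=80 action=allow
2024-05-01T10:00:04Z src=10.0.0.7 dst=192.0.2.44 dport=25 action=deny
2024-05-01T10:00:05Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
""".splitlines()

_LOG = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def rules_of(record: dict) -> List[str]:
    """Rule names from the nested EvidenceDetails.EvidenceDetails list."""
    return [e["Rule"] for e in record.get("EvidenceDetails", {}).get("EvidenceDetails", [])]


def index_risklist(records: Iterable[dict], min_risk: int = 65,
                   only_rules: Optional[Set[str]] = None) -> Dict[str, dict]:
    """Indicator -> record for entries at/above min_risk and, if only_rules is
    given, only those that triggered at least one of the named rules."""
    out: Dict[str, dict] = {}
    for rec in records:
        if rec["Risk"] < min_risk:
            continue
        if only_rules and not only_rules.intersection(rules_of(rec)):
            continue
        out[rec["Name"]] = rec
    return out


def correlate(log_lines: Iterable[str], index: Dict[str, dict]) -> List[dict]:
    """One hit per log line whose destination is in the index."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the batch
        rec = index.get(m["dst"])
        if rec:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "action": m["action"], "risk": rec["Risk"], "rules": rules_of(rec)})
    return hits


def top_rules(hits: Iterable[dict]) -> Counter:
    """Which risk rules drive the hits; useful for tuning which list to deploy."""
    return Counter(rule for h in hits for rule in h["rules"])


if __name__ == "__main__":
    idx = index_risklist(RISKLIST, min_risk=65)
    for h in correlate(LOGS, idx):
        print(h)
    print(top_rules(correlate(LOGS, idx)))
```

The min_risk cut-off and the rule filter are deliberately separate: a low-score indicator that still carries an "Actively Communicating C&C Server" rule is usually more actionable than a mid-score one with only historical evidence, which is exactly why the page offers rule-specific lists beside the score-based ones.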
Search Alert Notifications
Search Alert Notifications
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Triggered | triggered | | string | Filter on the time the alert was triggered. All Elasticsearch-compatible date formats are valid. |
| Alert Rule ID | alertRule | True | string | Alert Rule ID (obtain it from Search Alert Rules) |
| Maximum number of records | limit | | integer | Maximum number of records to return per call |
| Records from offset | from | | integer | Offset of the first record to return, for paging |
Returns
- Body
- AlertSearch
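The following is an added example, not code from the connector reference or from Recorded Future. It pages through Search Alert Notifications using the limit and from parameters, stopping on counts.returned / counts.total from the AlertSearch result and de-duplicating by id. search_fn stands in for the connector action; it takes the action's parameters (alertRule, triggered, limit, from) and returns a body in the AlertSearch shape. The in-memory fake and its alert records are constructed for this example, and the triggered value is passed through unchanged because the page only states that Elasticsearch-compatible date formats are accepted.

```python
"""Page through Search Alert Notifications (added example).
make_fake_search and ALERTS are constructed stand-ins for the action."""
from typing import Callable, Dict, List, Optional


def fetch_all_alert_notifications(search_fn: Callable[..., dict], alert_rule: str,
                                  triggered: Optional[str] = None, limit: int = 50,
                                  max_pages: int = 1000) -> List[dict]:
    """Collect every notification for one alert rule.

    Stops when a page is shorter than `limit`, when the offset reaches
    counts.total, or after max_pages (guard against an endpoint that keeps
    returning a full page, which would otherwise loop forever)."""
    out: List[dict] = []
    seen = set()
    offset = 0
    for _ in range(max_pages):
        # `from` is a Python keyword, so the parameter has to go in via **kwargs.
        page = search_fn(alertRule=alert_rule, triggered=triggered, limit=limit,
                         **{"from": offset})
        results = page.get("data", {}).get("results", [])
        counts = page.get("counts", {})
        returned = counts.get("returned", len(results))
        total = counts.get("total")
        for r in results:
            if r["id"] not in seen:       # overlapping pages must not double-count
                seen.add(r["id"])
                out.append(r)
        offset += returned
        if returned == 0 or returned < limit or (total is not None and offset >= total):
            return out
    raise RuntimeError(f"gave up after {max_pages} pages at offset {offset}")


def make_fake_search(alerts: List[dict]):
    """Constructed stand-in for the action: filters by alertRule, slices by from/limit,
    and counts calls so the paging behaviour can be checked."""
    calls: Dict[str, int] = {"n": 0}

    def search_fn(alertRule, triggered=None, limit=50, **kw):
        calls["n"] += 1
        offset = kw.get("from", 0)
        matching = [a for a in alerts if a["rule"]["id"] == alertRule]
        page = matching[offset:offset + limit]
        return {"data": {"results": page},
                "counts": {"returned": len(page), "total": len(matching)}}

    return search_fn, calls


# Constructed notifications in the AlertSearch result shape.
ALERTS = [
    {"id": f"alert-{i}", "title": f"Typosquat candidate {i}", "type": "ENTITY",
     "triggered": f"2024-05-0{1 + i % 3}T08:00:00.000Z",
     "rule": {"id": "rule-typosquat", "name": "Typosquat Detection",
              "url": "https://example.invalid/rules/rule-typosquat"},
     "review": {"assignee": "", "status": "no-action", "note": "", "noteDate": "", "noteAuthor": ""},
     "url": f"https://example.invalid/alerts/alert-{i}"}
    for i in range(7)
] + [
    {"id": "alert-x", "title": "Other rule", "type": "ENTITY",
     "triggered": "2024-05-01T09:00:00.000Z",
     "rule": {"id": "rule-other", "name": "Other", "url": ""}, "review": {}, "url": ""}
]

if __name__ == "__main__":
    fn, calls = make_fake_search(ALERTS)
    got = fetch_all_alert_notifications(fn, "rule-typosquat", limit=3)
    print(len(got), "notifications in", calls["n"], "calls")
```

Each page is one call against the 100 calls per 60 seconds throttle, so a scheduled flow should use a triggered filter that only covers the interval since its last run and the largest limit the action accepts, rather than re-reading the whole history every time.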
Search Alert Rules
Search Recorded Future UI Alert Rules
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Freetext search | freetext | | string | Free-text search on the alert rule name |
| Maximum number of records | limit | | integer | Maximum number of records to return |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| results | data.results | array of object | Matching alert rules |
| Alert Rule Title | data.results.title | string | Title of the alert rule |
| Alert Rule ID | data.results.id | string | ID of the alert rule (use it as alertRule in Search Alert Notifications) |
| Returned Number of Alert Rules | counts.returned | integer | Number of rules returned |
| Total Number of Alert Rules | counts.total | integer | Total number of matching rules |
SOAR API - Look up multiple entities
SOAR API - Look up multiple entities (Specific Access is Required)
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| IP | ip | | string | A single IP or an array of IPs: array[string] |
| URL | url | | string | A single URL or an array of URLs: array[string] |
| Domain | domain | | string | A single domain or an array of domains: array[string] |
| HASH | hash | | string | A single hash or an array of hashes: array[string] |
| Vulnerability | vulnerability | | string | A single vulnerability ID or an array of vulnerability IDs: array[string] |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| returned | counts.returned | integer | Number of entities returned |
| total | counts.total | integer | Total number of entities matched |
| results | data.results | array of object | One result per entity |
| id | data.results.entity.id | string | Entity ID |
| name | data.results.entity.name | string | Entity name (the indicator as looked up) |
| type | data.results.entity.type | string | Entity type |
| context | data.results.risk.context | object | Risk context |
| level | data.results.risk.level | number | Risk level |
| rule | data.results.risk.rule | object | Triggered risk rules |
| score | data.results.risk.score | number | Risk score |
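The following is an added example, not code from the connector reference or from Recorded Future. Each single-entity enrichment action costs one call against the 100 calls per 60 seconds throttle, whereas this SOAR action accepts arrays under ip, url, domain, hash and vulnerability, so bulk enrichment should be batched through it (subject to the specific access the page says it requires). The example classifies a mixed bag of indicators into those keys, de-duplicates and chunks them into request bodies, and flattens a response in the Returns shape above (data.results[].entity.{id,name,type}, risk.{score,level,rule,context}) into one row per entity. The classification regexes, BATCH_SIZE and the sample response are this example's own.

```python
"""Build SOAR lookup bodies from mixed indicators and flatten the result
(added example). Regexes, BATCH_SIZE and SAMPLE_RESPONSE are this example's
assumptions, not Recorded Future definitions."""
import re
from typing import Dict, Iterator, List

BATCH_SIZE = 100  # assumption: indicators per SOAR call; tune to your entitlement

_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)  # MD5/SHA-1/SHA-256
_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
_URL = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.IGNORECASE)
_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(indicator: str) -> str:
    """Return the SOAR body key an indicator belongs under, or 'unknown'."""
    s = indicator.strip()
    if _IPV4.match(s):
        return "ip"
    if _HASH.match(s):
        return "hash"
    if _CVE.match(s):
        return "vulnerability"
    if _URL.match(s):
        return "url"
    if _DOMAIN.match(s):
        return "domain"
    return "unknown"


def build_soar_body(indicators) -> Dict[str, List[str]]:
    """Group by type, normalise case where the value is case-insensitive,
    de-duplicate, and drop unclassifiable input. Only keys with values are
    emitted, since every parameter of the action is optional."""
    body: Dict[str, List[str]] = {}
    seen = set()
    for raw in indicators:
        kind = classify(raw)
        if kind == "unknown":
            continue
        value = raw.strip()
        if kind in ("hash", "domain"):
            value = value.lower()
        elif kind == "vulnerability":
            value = value.upper()
        if (kind, value) in seen:
            continue
        seen.add((kind, value))
        body.setdefault(kind, []).append(value)
    return body


def chunk_body(body: Dict[str, List[str]], size: int = BATCH_SIZE) -> Iterator[Dict[str, List[str]]]:
    """Split one body into several calls so that no array exceeds `size`."""
    for kind, values in body.items():
        for i in range(0, len(values), size):
            yield {kind: values[i:i + size]}


def flatten_results(response: dict) -> List[dict]:
    """One row per returned entity. risk.rule is documented only as an object,
    so it is carried through untouched rather than interpreted."""
    rows = []
    for r in response.get("data", {}).get("results", []):
        ent = r.get("entity", {})
        risk = r.get("risk", {})
        rows.append({"id": ent.get("id"), "name": ent.get("name"), "type": ent.get("type"),
                     "score": risk.get("score"), "level": risk.get("level"),
                     "rule": risk.get("rule", {}), "context": risk.get("context", {})})
    return rows


# Constructed sample response in the action's return shape.
SAMPLE_RESPONSE = {
    "counts": {"returned": 2, "total": 2},
    "data": {"results": [
        {"entity": {"id": "ip:203.0.113.7", "name": "203.0.113.7", "type": "IpAddress"},
         "risk": {"score": 96, "level": 4, "rule": {"count": 2}, "context": {}}},
        {"entity": {"id": "idn:example.com", "name": "example.com", "type": "InternetDomainName"},
         "risk": {"score": 0, "level": 0, "rule": {"count": 0}, "context": {}}},
    ]},
}

if __name__ == "__main__":
    body = build_soar_body(["203.0.113.7", "Example.COM", "example.com", "CVE-2021-44228",
                            "d41d8cd98f00b204e9800998ecf8427e", "https://example.com/a", "bogus!!"])
    for chunk in chunk_body(body, size=2):
        print(chunk)
    print(flatten_results(SAMPLE_RESPONSE))
```

Indicators that come back with counts.returned lower than the number sent are the ones Recorded Future has no data on; they do not appear in data.results, which is the batch equivalent of the 404 from the single-entity actions.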
URL Enrichment
URL Enrichment with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| URL input | url | True | string | The URL to look up. Must be a single URL. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future indicator criticality level |
| score | data.risk.score | integer | Recorded Future indicator risk score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future risk rule evidence details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future indicator risk rule |
| riskSummary | data.risk.riskSummary | string | Recorded Future risk rules summary |
| links | data.links | Links | High Confidence Evidence Based Links |
Vulnerability Enrichment
Vulnerability Enrichment with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Vulnerability ID (CVE, name) input | id | True | string | The vulnerability ID (CVE or name) to look up. Must be a single vulnerability ID. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future vulnerability criticality level |
| score | data.risk.score | integer | Recorded Future vulnerability risk score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future risk rule evidence details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future vulnerability risk rule |
| riskSummary | data.risk.riskSummary | string | Recorded Future risk rules summary |
| links | data.links | Links | High Confidence Evidence Based Links |
Definitions
Links
High Confidence Evidence Based Links
| Name | Path | Type | Description |
|---|---|---|---|
| startDate | technical.start_date | string | Link start date |
| stopDate | technical.stop_date | string | Link stop date |
| entities | technical.entities | array of LinkEntities | Related entities |
| startDate | research.start_date | string | Link start date |
| stopDate | research.stop_date | string | Link stop date |
| entities | research.entities | array of LinkEntities | Related entities |
LinkEntities
| Name | Path | Type | Description |
|---|---|---|---|
| type | type | string | Entity type |
| name | name | string | Entity name |
| score | score | integer | Risk score |
| category | category | string | Entity category |
AlertSearch
| Name | Path | Type | Description |
|---|---|---|---|
| results | data.results | array of object | Matching alert notifications |
| review | data.results.review | AlertReview | |
| url | data.results.url | AlertURL | |
| rule | data.results.rule | AlertRule | |
| triggered | data.results.triggered | AlertTriggered | |
| id | data.results.id | AlertID | |
| title | data.results.title | AlertTitle | |
| type | data.results.type | AlertType | |
| returned | counts.returned | integer | Number of records in this page |
| total | counts.total | integer | Total number of matching records |
AlertLookup
| Name | Path | Type | Description |
|---|---|---|---|
| review | data.review | AlertReview | |
| entities | data.entities | AlertEntities | |
| url | data.url | AlertURL | |
| rule | data.rule | AlertRule | |
| triggered | data.triggered | AlertTriggered | |
| id | data.id | AlertID | |
| references | data.counts.references | integer | |
| entities | data.counts.entities | integer | |
| documents | data.counts.documents | integer | |
| title | data.title | AlertTitle | |
| type | data.type | AlertType | |
AlertReview
| Name | Path | Type | Description |
|---|---|---|---|
| assignee | assignee | string | |
| status | status | string | |
| noteDate | noteDate | string | |
| noteAuthor | noteAuthor | string | |
| note | note | string | |
AlertEntities
| Name | Path | Type | Description |
|---|---|---|---|
| trend | trend | object | |
| documents | documents | array of object | |
| references | documents.references | array of object | |
| fragment | documents.references.fragment | string | |
| entities | documents.references.entities | array of object | |
| id | documents.references.entities.id | string | |
| name | documents.references.entities.name | string | |
| type | documents.references.entities.type | string | |
| language | documents.references.language | string | |
| id | documents.source.id | string | |
| name | documents.source.name | string | |
| type | documents.source.type | string | |
| title | documents.title | string | |
| url | documents.url | string | |
| risk | risk | object | |
| id | entity.id | string | |
| name | entity.name | string | |
| type | entity.type | string | |
AlertURL
AlertRule
| Name | Path | Type | Description |
|---|---|---|---|
| name | name | string | |
| id | id | string | |
| url | url | string | |