Recorded Future Identity (Preview)

The Recorded Future Identity Intelligence Connector enables security and IT teams to detect identity compromises, for both employees and customers. To do this, Recorded Future automates the collection, analysis, and production of identity intelligence from a vast range of sources. Through this connector, organizations can incorporate identity intelligence into automated workflows (e.g., password resets) with applications such as Azure Active Directory and Microsoft Sentinel.

This connector is available in the following products and regions:

Service         Class     Regions
Logic Apps      Standard  All Logic Apps regions except the following:
                            - Azure Government regions
                            - Azure China regions
                            - US Department of Defense (DoD)
Power Automate  Premium   All Power Automate regions except the following:
                            - US Government (GCC)
                            - US Government (GCC High)
                            - China Cloud operated by 21Vianet
                            - US Department of Defense (DoD)
Power Apps      Premium   All Power Apps regions except the following:
                            - US Government (GCC)
                            - US Government (GCC High)
                            - China Cloud operated by 21Vianet
                            - US Department of Defense (DoD)
Contact
Name            Recorded Future Support
URL             https://support.recordedfuture.com
Email           support@recordedfuture.com

Connector Metadata
Publisher       Recorded Future
Website         https://www.recordedfuture.com
Privacy Policy  https://www.recordedfuture.com/privacy-policy/
Categories      AI;Data

Prerequisites

To enable the Recorded Future Identity Connector for Microsoft Azure, users must be provisioned with a Recorded Future API token.

How to get credentials

Please reach out to your Recorded Future account manager to obtain the necessary API token.

Get started with your connector

The connector offers two actions:

  • Credential Search - Use this action to list exposed credentials for both internal and external accounts. Note that external account search is only possible for credentials compromised in malware logs, where a search by authorization URL domain is possible.
  • Credential Lookup - Use this action to get detailed information on a specific account's exposed credentials. This includes the dump or breach details if the credential was found in such a collection, the download date, and password analytics; if the credential came from a malware log, additional attributes such as exfiltration date, malware family used, authorization URL, and many more are available.

The suggested use cases for this connector are as follows:

Internal or "workforce" security:

  • On a periodic basis (e.g., once a day or once a week), use the Credential Search action to find any "new" employee credentials that may have been exposed recently. When such credentials are found, use the Credential Lookup action to get greater detail about the compromised credential.
  • Alternatively, when suspicious employee behavior is noticed (e.g., logins from uncommon geographic locations, or large downloads of information during non-business hours), use the Credential Lookup action to check whether that user has had credentials exposed in prior dumps or malware logs.

Possible remediations and next steps (to be set up downstream of this connector and its associated workflow) include password resets, user privilege revocation, credential compromise history logging, MFA set-up, and/or user quarantining. Advanced teams may also choose to flag users suspected of takeover by a threat actor and track their activity through the system.

External or "customer" security:

  • Similar to the first workforce use case above, Recorded Future's Identity Intelligence malware logs can be searched periodically for specific authorization domains (belonging to this organization) with compromised credentials.
  • During new customer account creation, use the Credential Lookup action to check whether the username and/or username/password pair has previously been compromised.
  • During a customer login, use the Credential Lookup action to check whether the username/password pair is compromised.

Possible remediations include requiring a password reset, or temporarily locking the account and asking the user to contact customer service for a re-authentication process.
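The workforce workflow above, as an added example in Python (this is not Recorded Future's code and not part of the connector): it takes a Credential Lookup response in the shape documented under the Credential Lookup "Returns" table on this page and decides what the downstream workflow should do with each exposed credential. The sample response is constructed, and the severity rules, action names and the rule that anything first seen before the previous run is history rather than a new incident are this example's own assumptions.

```python
from datetime import date

# Constructed sample in the shape of the Credential Lookup "Returns" table on
# this page. Subjects, dates, dump names and malware family are made up.
SAMPLE_LOOKUP = {
    "exposed_credentials": [
        {
            "signature": "alice@example.com",
            "exposed_secret_format": "clear",
            "first_seen": "2024-05-02",
            "last_seen": "2024-05-02",
            "clear_text_hint": "Su",
            "secret_properties": ["Letter", "Number", "Symbol"],
            "malware_family": "RedLine Stealer",
            "dumps": [],
        },
        {
            "signature": "bob@example.com",
            "exposed_secret_format": "sha1",
            "first_seen": "2019-11-20",
            "last_seen": "2020-01-15",
            "malware_family": "",
            "dumps": [{
                "name": "Cit0day",
                "downloaded": "2020-01-15",
                "type": "Aggregated",
                "breaches": [{"name": "forum.example", "domain": "forum.example",
                              "breached": "2018-06-01"}],
            }],
        },
        {
            "signature": "carol@example.com",
            "exposed_secret_format": "clear",
            "first_seen": "2024-05-03",
            "last_seen": "2024-05-03",
            "clear_text_hint": "pa",
            "malware_family": "",
            "dumps": [{"name": "XSS.is Dump 2021", "downloaded": "2024-05-03",
                       "type": "Dump", "breaches": []}],
        },
    ]
}

# Ordering used to sort the queue; the levels themselves are this example's choice.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def triage(response, last_run):
    """Turn a Credential Lookup response into one decision per exposed credential.

    `last_run` is the YYYY-MM-DD date of the previous scheduled run. A credential
    whose first_seen is after it is "new" and gets active remediation; anything
    older was handled by an earlier run and is only recorded as history.
    Severity rules (this example's own, not a Recorded Future rating):
      malware log  -> critical  (the user's device was infected, not just a site)
      cleartext    -> high      (the password is directly usable)
      hashed only  -> medium    (usable after offline cracking)
    """
    cutoff = date.fromisoformat(last_run)
    decisions = []
    for cred in response.get("exposed_credentials", []):
        is_new = date.fromisoformat(cred["first_seen"]) > cutoff
        in_malware_log = bool(cred.get("malware_family"))
        cleartext = cred.get("exposed_secret_format", "").lower() == "clear"

        if in_malware_log:
            severity = "critical"
            actions = ["force_password_reset", "revoke_sessions", "require_mfa",
                       "isolate_endpoint"]
        elif cleartext:
            severity = "high"
            actions = ["force_password_reset", "revoke_sessions", "require_mfa"]
        else:
            severity = "medium"
            actions = ["force_password_reset"]

        if not is_new:  # already acted on by a previous run: keep the history only
            severity, actions = "low", ["log_history"]

        sources = [d["name"] for d in cred.get("dumps", [])]
        if in_malware_log:
            sources.append("malware log: " + cred["malware_family"])

        decisions.append({
            "subject": cred["signature"],
            "is_new": is_new,
            "severity": severity,
            "actions": actions,
            "sources": sources,
            "first_seen": cred["first_seen"],
        })
    return sorted(decisions, key=lambda d: (SEVERITY_RANK[d["severity"]], d["first_seen"]))


def remediation_queue(decisions):
    """Subjects that need an active response this run, most severe first."""
    return [d["subject"] for d in decisions if d["actions"] != ["log_history"]]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOOKUP, "2024-04-30"):
        print(d["severity"], d["subject"], d["actions"], d["sources"])
```

A malware-log hit outranks a cleartext dump hit because it means the employee's device was running an infostealer, so resetting the password alone leaves the attacker with every other credential and session token on that host.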

Common errors and remedies

The following error codes are commonly returned by the connector actions:

  • 400 Bad Request - Returned if the server receives a faulty request, such as one with poorly formatted parameters.
  • 403 Forbidden - Returned if the provided API token does not have sufficient access, or if the user tries to access exposed credentials for a domain not registered as their own in Recorded Future. Both issues are resolved by contacting your account manager.

Creating a connection

The connector supports the following authentication types:

Name     Description                          Applicable   Shareable
Default  Parameters for creating connection.  All regions  Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not a shareable connection. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.

Name     Type          Description           Required
API Key  securestring  The key for this API  True

Throttling Limits

Name                      Calls  Renewal Period
API calls per connection  100    60 seconds

Actions

Credential Lookup - Look up credential data for one or more users

Look up exposed credential data for a specific set of subjects

Credential Search - Search credential data for one or more domains

Search credential data exposed in data dumps and through malware logs

Credential Lookup - Look up credential data for one or more users

Look up exposed credential data for a specific set of subjects

Parameters

Name                 Key                    Required  Type    Description
Email                Emails                           string  An email address with exposed credentials
Hash of email        Hashed emails                    string  The SHA1 hash of an email address with exposed credentials
Username             login                            string  Either input username or hash of username
Hash of username     login_sha1                       string  Either input username or hash of username
Domain               domain                           string  domain.com
From                 first_downloaded_gte             string  YYYY-MM-DD (until today)
Credential property  Credential properties            string  Credentials must include
Breach name          name                             string  E.g. Cit0day
Breaches from        date                             string  YYYY-MM-DD (until today)
Dump name            name                             string  E.g. XSS.is Dump 2021
Dumps from           date                             string  YYYY-MM-DD (until today)

Returns

Name                   Path                                                 Type             Description
Exposed credentials    exposed_credentials                                  array of object  List of exposed credentials
signature              exposed_credentials.signature                        string           Requested signature
exposed_secret_format  exposed_credentials.exposed_secret_format            string           Format of the exposed secret. Either the hash algorithm or clear for cleartext.
first_seen             exposed_credentials.first_seen                       string           Date when the signature was first seen exposed
last_seen              exposed_credentials.last_seen                        string           Date when the signature was last seen exposed
clear_text_hint        exposed_credentials.clear_text_hint                  string           First two letters of the exposed secret. Only available for secrets exposed in clear text
secret_properties      exposed_credentials.secret_properties                array of string  Properties of the clear text
secret_rank            exposed_credentials.secret_rank                      string           Any common password collections the password is part of
secret_hashes          exposed_credentials.secret_hashes                    array of object
algorithm              exposed_credentials.secret_hashes.algorithm          string           Hash algorithm used
hash                   exposed_credentials.secret_hashes.hash               string           Hash value
Malware family         exposed_credentials.malware_family                   string           Family of malware used to extract the credentials
dumps                  exposed_credentials.dumps                            array of object  List of data dumps in which the signature has been involved.
name                   exposed_credentials.dumps.name                       string           Name of the dump
description            exposed_credentials.dumps.description                string           Description of the dump
downloaded             exposed_credentials.dumps.downloaded                 string           Date when the dump was downloaded
type                   exposed_credentials.dumps.type                       string           Type of the dump
breaches               exposed_credentials.dumps.breaches                   array of object  List of data breaches related to the dump
name                   exposed_credentials.dumps.breaches.name              string
domain                 exposed_credentials.dumps.breaches.domain            string
type                   exposed_credentials.dumps.breaches.type              string
breached               exposed_credentials.dumps.breaches.breached          string
start                  exposed_credentials.dumps.breaches.start             string
stop                   exposed_credentials.dumps.breaches.stop              string
precision              exposed_credentials.dumps.breaches.precision         string
description            exposed_credentials.dumps.breaches.description       string
site_description       exposed_credentials.dumps.breaches.site_description  string

Credential Search - Search credential data for one or more domains

Search credential data exposed in data dumps and through malware logs

Parameters

Name                 Key                    Required  Type    Description
Domain               Domains                          string  A domain owned by your organization
Credential type      domain_type                      string  Select credential type
From                 latest_downloaded_gte            string  YYYY-MM-DD (until today)
Credential property  Credential properties            string  Credentials must include
Breach name          name                             string  E.g. Cit0day
Breaches from        date                             string  YYYY-MM-DD (until today)
Dump name            name                             string  E.g. XSS.is Dump 2021
Dumps from           date                             string  YYYY-MM-DD (until today)
Offset               offset                           string  Records from offset
Results              limit                            number  Maximum number of results

Returns

Name              Path                 Type             Description
Credential dumps  credential_dumps     array of string  List of credentials exposed in data dumps
Malware logs      malware_logs         array of object  List of credentials exposed through malware logs
Login             malware_logs.login   string           Login username
Domain            malware_logs.domain  string           Login domain
Count             count                number           Number of returned credentials
Next offset       next_offset          string           Offset used to request succeeding records
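The periodic domain search from the use cases, as an added example in Python (not Recorded Future's code): it walks every page using the `offset` / `limit` parameters and the `count` / `next_offset` return values documented above, de-duplicates the malware-log logins, and chunks them into batches for the Credential Lookup action. `search_page` is a constructed stand-in for the connector action so the loop runs offline; that the offset is a zero-based index into an ordered result set and that `next_offset` is empty on the last page are assumptions, since the page documents only the parameter names and types.

```python
from itertools import islice

# Constructed records in the shape of the Credential Search "Malware logs"
# return (login + domain). Not real data.
_FAKE_MALWARE_LOGS = [
    {"login": "alice@example.com", "domain": "sso.example.com"},
    {"login": "dan", "domain": "portal.example.com"},
    {"login": "Alice@Example.com", "domain": "mail.example.com"},
    {"login": "erin@example.com", "domain": "sso.example.com"},
    {"login": "dan", "domain": "sso.example.com"},
]


def search_page(domains, offset="0", limit=2):
    """Stand-in for the Credential Search action (constructed). `offset` is a
    string and `limit` a number, as the connector declares them; next_offset is
    "" on the last page. The real action's ordering is not documented here."""
    start = int(offset)
    rows = [r for r in _FAKE_MALWARE_LOGS if r["domain"] in domains]
    page = rows[start:start + limit]
    next_offset = str(start + limit) if start + limit < len(rows) else ""
    return {"credential_dumps": [], "malware_logs": page,
            "count": len(page), "next_offset": next_offset}


def collect_malware_logins(domains, limit=2, max_pages=1000):
    """Walk every page and return {normalized login: set of domains it was
    captured for}. Stops on an empty next_offset, an empty page, or max_pages,
    so a backend that keeps returning an offset can never spin the workflow."""
    seen = {}
    offset = "0"
    for _ in range(max_pages):
        resp = search_page(domains, offset=offset, limit=limit)
        for row in resp["malware_logs"]:
            key = row["login"].strip().lower()   # same login, different casing: one subject
            seen.setdefault(key, set()).add(row["domain"])
        offset = resp.get("next_offset") or ""
        if not offset or resp["count"] == 0:
            break
    return seen


def lookup_batches(logins, batch_size=100):
    """Chunk the unique logins into batches for the Credential Lookup action.
    The batch size is this example's choice, not a documented limit."""
    it = iter(sorted(logins))
    return [chunk for chunk in iter(lambda: list(islice(it, batch_size)), [])]


if __name__ == "__main__":
    found = collect_malware_logins({"sso.example.com", "portal.example.com", "mail.example.com"})
    for login, doms in sorted(found.items()):
        print(login, sorted(doms))
    print(lookup_batches(found, batch_size=2))
```

The stop condition checks both `next_offset` and `count` because the page states the meaning of each but not which one the service clears first on the final page; honouring either keeps the loop bounded against a throttled or partial response (note the 100 calls per 60 seconds limit above, which a tight paging loop over a large domain can hit).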