Recorded Future

Integration version: 14.0

Use Cases

  1. Vulnerability Prioritization.
  2. Threat Indicator Investigation, Enrichment, and Response.

Configure Recorded Future to work with Google Security Operations SOAR

Product Permission

An API token is used for authentication. The token is user-specific and tied to that user's enterprise deployment, so treat it as a credential: store it in the integration configuration rather than in playbooks, and revoke it in the Recorded Future console if the user leaves or the token is exposed.

Network

Function   Default Port   Direction   Protocol
API        Multivalues    Outbound    apitoken

Configure Recorded Future integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the instance you intend to configure the integration for.
Description String N/A No Description of the instance.
API Url String https://api.recordedfuture.com Yes Address of the Recorded Future API.
API Key String N/A Yes API token generated in the Recorded Future console.
Verify SSL Checkbox Unchecked No Check this box to have the integration verify the TLS certificate presented by the Recorded Future API. When it is unchecked the certificate is not validated, so leave it unchecked only for test environments where an intercepting proxy is expected.
Run Remotely Checkbox Unchecked No Check this box to run the configured integration remotely. Once checked, an option appears to select the remote user (agent).

Actions

Enrich IOC

Description

Fetch information from Recorded Future about multiple Google Security Operations SOAR entities of different types.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Risk Score Threshold Integer 25 Yes The minimum Recorded Future risk score an entity must have to be marked as suspicious.

Run On

The action takes each entity of the following types and sends it to Recorded Future for enrichment:

  • IP Address
  • URL
  • Filehash
  • CVE
  • Domain

Action Results

Entity Enrichment
Enrichment Field Name Source (JSON Key) Logic - When to apply
isSuspicious results[].risk.score compared with the Risk Score Threshold parameter When risk.score is available in JSON
RF_id results[].entity.id When available in JSON
RF_name results[].entity.name When available in JSON
RF_type results[].entity.type When available in JSON
RF_description results[].entity.description When available in JSON
RF_risk_level results[].risk.level When available in JSON
RF_risk_score results[].risk.score When available in JSON
RF_number_of_matched_rules results[].risk.rule.count When available in JSON
RF_most_critical_rule results[].risk.rule.mostCritical When available in JSON
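The mapping in this table, as an added Python example that is not the integration's own code: it walks a constructed response in the same shape as the JSON Result below, emits each RF_* field only when its key exists (the domain entry has no description and no evidence), and derives isSuspicious from the Risk Score Threshold. The comparison direction (score >= threshold) and the 0-99 score range used to validate the parameter are assumptions, not statements from this page.

```python
import json

# Constructed sample that mirrors the shape of the action's JSON Result shown on this
# page (entity + risk summary only; evidence blocks omitted). It is not real API output.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {
    "results": [
      {
        "entity": {
          "id": "J_IWqd", "name": "CVE-2012-1723", "type": "CyberVulnerability",
          "description": "Unspecified vulnerability in the Java Runtime Environment (JRE)."
        },
        "risk": {
          "level": 5.0, "score": 99.0,
          "rule": {"count": 9, "maxCount": 22,
                   "mostCritical": "Exploited in the Wild by Recently Active Malware"}
        }
      },
      {
        "entity": {"id": "ip:66.240.205.34", "name": "66.240.205.34", "type": "IpAddress"},
        "risk": {
          "level": 2.0, "score": 59.0,
          "rule": {"count": 13, "maxCount": 53, "mostCritical": "Recent Multicategory Blacklist"}
        }
      },
      {
        "entity": {"id": "idn:passbolt.siemplify.co", "name": "passbolt.siemplify.co",
                   "type": "InternetDomainName"},
        "risk": {
          "level": 0.0, "score": 0.0,
          "rule": {"count": 0, "maxCount": 47, "mostCritical": "", "summary": []}
        }
      }
    ]
  }
}
""")

# Enrichment field -> key path into one element of data.results (from the table above).
ENRICHMENT_MAP = {
    "RF_id": ("entity", "id"),
    "RF_name": ("entity", "name"),
    "RF_type": ("entity", "type"),
    "RF_description": ("entity", "description"),
    "RF_risk_level": ("risk", "level"),
    "RF_risk_score": ("risk", "score"),
    "RF_number_of_matched_rules": ("risk", "rule", "count"),
    "RF_most_critical_rule": ("risk", "rule", "mostCritical"),
}


def _lookup(obj, path):
    """Walk a key path; return None if any key is missing ("when available in JSON")."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def enrich_result(result, threshold):
    """Build the enrichment fields for one results[] element.

    isSuspicious is set only when risk.score is present. The >= comparison reads
    "minimum risk score to be marked as suspicious" literally; it is an assumption
    about the integration, not something the page states exactly.
    """
    fields = {}
    for name, path in ENRICHMENT_MAP.items():
        value = _lookup(result, path)
        if value is not None:
            fields[name] = value
    score = _lookup(result, ("risk", "score"))
    if score is not None:
        fields["isSuspicious"] = float(score) >= threshold
    return fields


def enrich_response(response, threshold=25):
    """Map every entity name to its enrichment fields; validate the threshold first."""
    if not isinstance(threshold, int) or not 0 <= threshold <= 99:
        # Recorded Future risk scores run 0-99 (assumption used only for validation).
        raise ValueError("Risk Score Threshold must be an integer between 0 and 99")
    results = _lookup(response, ("data", "results")) or []
    return {r["entity"]["name"]: enrich_result(r, threshold) for r in results}


def suspicious_entities(response, threshold=25):
    """Names of entities flagged suspicious, highest risk score first (triage order)."""
    enriched = enrich_response(response, threshold)
    flagged = [(n, f) for n, f in enriched.items() if f.get("isSuspicious")]
    flagged.sort(key=lambda item: item[1]["RF_risk_score"], reverse=True)
    return [name for name, _ in flagged]


if __name__ == "__main__":
    print(json.dumps(enrich_response(SAMPLE_RESPONSE), indent=2))
    print("suspicious:", suspicious_entities(SAMPLE_RESPONSE))
```

Keys are looked up rather than indexed so a result that lacks a field (the clean domain has no entity.description and no risk.rule.evidence) produces fewer enrichment fields instead of a failed action; an entity whose score is missing gets no isSuspicious flag at all, which is what the "when available in JSON" rule implies.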
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "data": {
        "results": [
            {
                "entity": {
                    "id": "J_IWqd",
                    "name": "CVE-2012-1723",
                    "type": "CyberVulnerability",
                    "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot."
                },
                "risk": {
                    "level": 5.0,
                    "rule": {
                        "count": 9,
                        "mostCritical": "Exploited in the Wild by Recently Active Malware",
                        "maxCount": 22,
                        "evidence": {
                            "linkedToCyberExploit": {
                                "count": 55.0,
                                "timestamp": "2019-06-18T13:19:28.000Z",
                                "description": "2682 sightings on 55 sources including: Guided Collection, fakegogle.blogspot.com, netdna-cdn.com, GitHub, Ver007 APT Tools. Most recent tweet: KAV/Checkpoint CVE-2012-1723 Generic Exploit Kit. Most recent link (Jun 18, 2019): https://twitter.com/EskimoTrolled/statuses/1140972295894249472",
                                "rule": "Linked to Historical Cyber Exploit",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "recentMalwareActivity": {
                                "count": 1.0,
                                "timestamp": "2020-10-07T00:00:00.000Z",
                                "description": "66 sightings on 1 source: Recorded Future Malware Hunting. Activity seen on 12 out of the last 28 days with 255 all-time daily sightings. Exploited in the wild by 11 malware families including <e id=LXUcJk>ExpJava</e>, <e id=K05qo4>JavaKC</e>, <e id=KeKuaF>Maljava</e>. Last observed on Oct 7, 2020. Sample hash: <e id=hash:7c0ed2b98af4076c64ec84f7ea38b05ea2432ec0337b963756ffced54a6f69c4>7c0ed2b98af4076c64ec84f7ea38b05ea2432ec0337b963756ffced54a6f69c4</e>.",
                                "rule": "Exploited in the Wild by Recently Active Malware",
                                "mitigation": "",
                                "level": 5.0
                            },
                            "linkedToRAT": {
                                "count": 26.0,
                                "timestamp": "2020-08-03T00:00:00.000Z",
                                "description": "174 sightings on 26 sources including: Guided Collection, GitHub, medium.com, MarketWatch, SYS-CON Media. 4 related malwares: Uroburos Rootkit, Blackhole, Icefog, Zeroaccess. Most recent link (Aug 3, 2020): https://reportcybercrime.com/the-epic-turla-snake-uroburos-attacks/",
                                "rule": "Historically Linked to Remote Access Trojan",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "linkedToExploitKit": {
                                "count": 13.0,
                                "timestamp": "2019-07-30T01:01:59.793Z",
                                "description": "62 sightings on 13 sources including: Guided Collection, medium.com, GitHub, Avast Blog, TechNet Blogs. 12 related malwares including Nuclear Pack Exploit Kit, Blackhole, Angler Exploit Kit, Blacole, Egypack. Most recent link (Jul 30, 2019): http://blog.malwaremustdie.org/2012/09/monitoring-blackhole-exploit-kit.html",
                                "rule": "Historically Linked to Exploit Kit",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "nistCritical": {
                                "count": 1.0,
                                "timestamp": "2020-10-01T03:03:20.930Z",
                                "description": "1 sighting on 1 source: Recorded Future Vulnerability Analysis. CVSS v2 Score (10) calculated using NIST reported CVSS Base Score (10) and Recorded Future Temporal Metrics. Base vector string: AV:N/AC:L/Au:N/C:C/I:C/A:C. Temporal vector string: E:H/RL:X/RC:C.",
                                "rule": "NIST Severity: Critical",
                                "mitigation": "",
                                "level": 4.0
                            },
                            "pocVerifiedRemote": {
                                "count": 1.0,
                                "timestamp": "2012-07-11T00:00:00.000Z",
                                "description": "1 sighting on 1 source: ExploitDB. 1 execution type: Remote. Most recent link (Jul 11, 2012): https://www.exploit-db.com/exploits/19717",
                                "rule": "Historical Verified Proof of Concept Available Using Remote Execution",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "linkedToIntrusionMethod": {
                                "count": 9.0,
                                "timestamp": "2019-06-18T13:19:28.000Z",
                                "description": "140 sightings on 9 sources including: fakegogle.blogspot.com, Guided Collection, GitHub, McAfee, @xjfftw. 16 related malwares including BrobanDel, Fanny Worm, Ransomware, Banking Trojan, Artemis. Most recent tweet: @PortSwigger Was wondering if you knew why @Virustotal was flagging BS Pro on multiple AVs when scanning the unpacked JAR? KAV/Checkpoint CVE-2012-1723 Generic Exploit Kit. Most recent link (Jun 18, 2019): https://twitter.com/EskimoTrolled/statuses/1140972295894249472",
                                "rule": "Historically Linked to Malware",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "linkedToRecentCyberExploit": {
                                "count": 1.0,
                                "timestamp": "2020-10-05T17:19:29.000Z",
                                "description": "35 sightings on 1 source: VirusTotal. Most recent link (Oct 5, 2020): https://www.virustotal.com/gui/file/1a3fa1cac28dffe79752df9bc92932d8b40b6d562d98e3315af7875d2f944edf/",
                                "rule": "Linked to Recent Cyber Exploit",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "scannerUptake": {
                                "count": 5.0,
                                "timestamp": "2019-10-01T02:58:24.000Z",
                                "description": "29 sightings on 5 sources: Guided Collection, GitHub, VirusTotal, ReversingLabs, PasteBin. Most recent link (Oct 1, 2019): https://www.virustotal.com/gui/file/911c69c02f5194ccbb5703869c4478e7ff68232ebb78affe98cb86de5b146b20",
                                "rule": "Historically Linked to Penetration Testing Tools",
                                "mitigation": "",
                                "level": 1.0
                            }
                        },
                        "summary": [
                            {
                                "count": 1.0,
                                "level": 2.0
                            },
                            {
                                "count": 1.0,
                                "level": 5.0
                            },
                            {
                                "count": 1.0,
                                "level": 4.0
                            },
                            {
                                "count": 6.0,
                                "level": 1.0
                            }
                        ]
                    },
                    "context": {
                        "malware": {
                            "rule": {
                                "count": 1,
                                "maxCount": 2
                            },
                            "score": 90.0
                        },
                        "public": {
                            "rule": {
                                "maxCount": 22
                            },
                            "summary": [
                                {
                                    "count": 1.0,
                                    "level": 2.0
                                },
                                {
                                    "count": 1.0,
                                    "level": 5.0
                                },
                                {
                                    "count": 1.0,
                                    "level": 4.0
                                },
                                {
                                    "count": 6.0,
                                    "level": 1.0
                                }
                            ],
                            "mostCriticalRule": "Exploited in the Wild by Recently Active Malware",
                            "score": 99.0
                        }
                    },
                    "score": 99.0
                }
            },
            {
                "entity": {
                    "id": "url:http://www.plexipr.com/vAHzWX.php",
                    "name": "http://www.plexipr.com/vAHzWX.php",
                    "type": "URL"
                },
                "risk": {
                    "level": 4.0,
                    "rule": {
                        "count": 3,
                        "mostCritical": "C&C URL",
                        "maxCount": 29,
                        "evidence": {
                            "cncUrl": {
                                "count": 1.0,
                                "timestamp": "2020-10-12T02:55:38.670Z",
                                "description": "1 sighting on 1 source: Abuse.ch: Ransomware C&C URL Blocklist.",
                                "rule": "C&C URL",
                                "mitigation": "",
                                "level": 4.0
                            },
                            "maliciousSiteDetected": {
                                "count": 1.0,
                                "timestamp": "2019-09-13T18:53:31.000Z",
                                "description": "9 sightings on 1 source: Recorded Future URL Analysis.",
                                "rule": "Historically Detected Malicious Browser Exploits",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "malwareSiteDetected": {
                                "count": 1.0,
                                "timestamp": "2019-09-13T18:53:31.000Z",
                                "description": "9 sightings on 1 source: Recorded Future URL Analysis.",
                                "rule": "Historically Detected Malware Distribution",
                                "mitigation": "",
                                "level": 1.0
                            }
                        },
                        "summary": [
                            {
                                "count": 1.0,
                                "level": 4.0
                            },
                            {
                                "count": 2.0,
                                "level": 1.0
                            }
                        ]
                    },
                    "context": {
                        "malware": {
                            "rule": {
                                "count": 0,
                                "maxCount": 4
                            },
                            "score": 0.0
                        },
                        "public": {
                            "rule": {
                                "maxCount": 26
                            },
                            "summary": [
                                {
                                    "count": 1.0,
                                    "level": 4.0
                                },
                                {
                                    "count": 2.0,
                                    "level": 1.0
                                }
                            ],
                            "mostCriticalRule": "C&C URL",
                            "score": 91.0
                        },
                        "c2": {
                            "score": 90.0,
                            "rule": {
                                "maxCount": 1,
                                "count": 1
                            }
                        },
                        "phishing": {
                            "score": 0.0,
                            "rule": {
                                "maxCount": 3,
                                "count": 0
                            }
                        }
                    },
                    "score": 91.0
                }
            },
            {
                "entity": {
                    "id": "hash:44d88612fea8a8f36de82e1278abb02f",
                    "name": "44d88612fea8a8f36de82e1278abb02f",
                    "type": "Hash"
                },
                "risk": {
                    "level": 3.0,
                    "rule": {
                        "count": 4,
                        "mostCritical": "Positive Malware Verdict",
                        "maxCount": 13,
                        "evidence": {
                            "linkedToVuln": {
                                "count": 1.0,
                                "timestamp": "2019-09-21T12:00:07.000Z",
                                "description": "1 sighting on 1 source: dfir.pro. 2 related cyber vulnerabilities: CVE-2018-11776, CWE-20. Most recent link (Sep 21, 2019): http://dfir.pro/index.php?link_id=98319",
                                "rule": "Linked to Vulnerability",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "linkedToVector": {
                                "count": 2.0,
                                "timestamp": "2018-08-06T20:50:41.819Z",
                                "description": "3 sightings on 2 sources: PyPI Recent Updates, Malwr.com. 2 related attack vectors: ShellCode, Phishing. Most recent link (Aug 6, 2018): https://pypi.org/project/python-virustotal/0.0.1a0/",
                                "rule": "Linked to Attack Vector",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "linkedToMalware": {
                                "count": 4.0,
                                "timestamp": "2020-10-02T14:11:26.000Z",
                                "description": "40 sightings on 4 sources: GitHub, PyPI Recent Updates, VirusTotal, Malwr.com. 3 related malwares: EICAR-AV-Test, Eicar_test_file, EICAR Test String. Most recent link (Oct 2, 2020): https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/",
                                "rule": "Linked to Malware",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "positiveMalwareVerdict": {
                                "count": 4.0,
                                "timestamp": "2020-10-10T00:34:03.497Z",
                                "description": "21 sightings on 4 sources: VirusTotal, Malwr.com, ReversingLabs, PolySwarm. Most recent link (Apr 8, 2020): https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
                                "rule": "Positive Malware Verdict",
                                "mitigation": "",
                                "level": 3.0
                            }
                        },
                        "summary": [
                            {
                                "count": 3.0,
                                "level": 2.0
                            },
                            {
                                "count": 1.0,
                                "level": 3.0
                            }
                        ]
                    },
                    "context": {
                        "malware": {
                            "rule": {
                                "count": 1,
                                "maxCount": 2
                            },
                            "score": 80.0
                        },
                        "public": {
                            "rule": {
                                "maxCount": 11
                            },
                            "summary": [
                                {
                                    "count": 3.0,
                                    "level": 2.0
                                },
                                {
                                    "count": 1.0,
                                    "level": 3.0
                                }
                            ],
                            "mostCriticalRule": "Positive Malware Verdict",
                            "score": 83.0
                        }
                    },
                    "score": 83.0
                }
            },
            {
                "entity": {
                    "id": "ip:66.240.205.34",
                    "name": "66.240.205.34",
                    "type": "IpAddress"
                },
                "risk": {
                    "level": 2.0,
                    "rule": {
                        "count": 13,
                        "mostCritical": "Recent Multicategory Blacklist",
                        "maxCount": 53,
                        "evidence": {
                            "cncServer": {
                                "count": 1.0,
                                "timestamp": "2020-09-23T01:46:30.620Z",
                                "description": "17 sightings on 1 source: GitHub. Most recent link (Jul 23, 2019): https://gist.github.com/techhelplist/2a208ae6fc9859f2ff3282d3ff893b46",
                                "rule": "Historical C&C Server",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "recentMultiBlacklist": {
                                "count": 2.0,
                                "timestamp": "2020-10-08T01:30:47.833Z",
                                "description": "13 sightings on 2 sources: AbuseIP Database, AlienVault: IP Reputation Data. Most recent link (Oct 7, 2020): https://www.abuseipdb.com/check/66.240.205.34",
                                "rule": "Recent Multicategory Blacklist",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "honeypot": {
                                "count": 8.0,
                                "timestamp": "2020-06-19T00:58:26.000Z",
                                "description": "979 sightings on 8 sources including: @atma_es, @WebironBots, @gosint2, @HoneyFog, @HoneyPyLog. Most recent tweet: BFB-attack detected from 66.240.205.34 to Portscan on 19.06.2020 02:58:19. Most recent link (Jun 19, 2020): https://twitter.com/EIS_BFB/statuses/1273782158067404803",
                                "rule": "Historical Honeypot Sighting",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "linkedIntrusion": {
                                "count": 4.0,
                                "timestamp": "2019-08-05T19:06:11.000Z",
                                "description": "37 sightings on 4 sources: GitHub, Recorded Future URL Analysis, ReversingLabs, @EIS_BFB. 5 related intrusion methods: Browser Targeted Code Injection, Web Application Exploitation, Brute Force Blocking (BFB), Cross site scripting, Trojan. Most recent tweet: BFB-attack detected from 66.240.205.34 to Portscan on 05.08.2019 21:06:05.",
                                "rule": "Historically Linked to Intrusion Method",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "recentDhsAis": {
                                "count": 1.0,
                                "timestamp": "2020-10-09T12:44:44.895Z",
                                "description": "3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including NCCIC:STIX_Package-00e3c8ca-0a3c-4a70-9edc-534ea7b51474, from Infoblox Inc, Information Technology Sector, NCCIC:STIX_Package-00e3c8ca-0a3c-4a70-9edc-534ea7b51474 (Oct 9, 2020).",
                                "rule": "Recently Reported by DHS AIS",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "linkedToCyberAttack": {
                                "count": 2.0,
                                "timestamp": "2019-06-15T09:01:52.000Z",
                                "description": "483 sightings on 2 sources: @HoneyPyLog, @EIS_BFB. Most recent tweet: honeydbz: #Citrix-ICA-Browser Possible Citrix-ICA-Browser attack from 66.240.205.34 https://t.co/Wpmfyo4di1. Most recent link (Jun 15, 2019): https://twitter.com/HoneyPyLog/statuses/1139820304996478976",
                                "rule": "Historically Linked to Cyber Attack",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "dhsAis": {
                                "count": 1.0,
                                "timestamp": "2020-09-14T11:12:55.000Z",
                                "description": "22 sightings on 1 source: DHS Automated Indicator Sharing. 22 reports including NCCIC:STIX_Package-427425f9-cd82-49bc-a4b4-c609aaeddd7d, from Infoblox Inc, Information Technology Sector, NCCIC:STIX_Package-427425f9-cd82-49bc-a4b4-c609aaeddd7d (Sep 14, 2020).",
                                "rule": "Historically Reported by DHS AIS",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "recentLinkedIntrusion": {
                                "count": 1.0,
                                "timestamp": "2020-10-11T22:30:12.000Z",
                                "description": "14 sightings on 1 source: Recorded Future URL Analysis. 3 related intrusion methods: Browser Targeted Code Injection, Web Application Exploitation, Cross site scripting.",
                                "rule": "Recently Linked to Intrusion Method",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "historicalThreatListMembership": {
                                "count": 2.0,
                                "timestamp": "2020-10-11T23:18:11.344Z",
                                "description": "Previous sightings on 2 sources: University of Science and Technology of China Black IP List, Project Turris Attempted Access Greylist. Observed between Jul 1, 2019, and Jan 28, 2020.",
                                "rule": "Historically Reported in Threat List",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "rfTrending": {
                                "count": 1.0,
                                "timestamp": "2020-08-03T15:09:58.796Z",
                                "description": "1 sighting on 1 source: Recorded Future Analyst Community Trending Indicators. Recently viewed by many analysts in many organizations in the Recorded Future community.",
                                "rule": "Trending in Recorded Future Analyst Community",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "maliciousPacketSource": {
                                "count": 1.0,
                                "timestamp": "2020-10-11T23:18:11.344Z",
                                "description": "1 sighting on 1 source: CINS: CI Army List.",
                                "rule": "Malicious Packet Source",
                                "mitigation": "",
                                "level": 2.0
                            },
                            "multiBlacklist": {
                                "count": 1.0,
                                "timestamp": "2017-04-28T10:00:20.345Z",
                                "description": "7 sightings on 1 source: AbuseIP Database. Most recent link (Apr 28, 2017): https://www.abuseipdb.com/check/66.240.205.34?page=10",
                                "rule": "Historical Multicategory Blacklist",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "spam": {
                                "count": 1.0,
                                "timestamp": "2019-04-16T13:04:45.428Z",
                                "description": "284 sightings on 1 source: Daily Botnet Statistics. Most recent link (Apr 16, 2019): http://botnet-tracker.blogspot.com/2019/04/suspected-bot-list-2019-04-06.html",
                                "rule": "Historical Spam Source",
                                "mitigation": "",
                                "level": 1.0
                            }
                        },
                        "summary": [
                            {
                                "count": 4.0,
                                "level": 2.0
                            },
                            {
                                "count": 9.0,
                                "level": 1.0
                            }
                        ]
                    },
                    "context": {
                        "public": {
                            "rule": {
                                "maxCount": 50
                            },
                            "summary": [
                                {
                                    "count": 3.0,
                                    "level": 2.0
                                },
                                {
                                    "count": 9.0,
                                    "level": 1.0
                                }
                            ],
                            "mostCriticalRule": "Recent Multicategory Blacklist",
                            "score": 59.0
                        },
                        "c2": {
                            "score": 0.0,
                            "rule": {
                                "maxCount": 2,
                                "count": 0
                            }
                        },
                        "phishing": {
                            "score": 0.0,
                            "rule": {
                                "maxCount": 1,
                                "count": 0
                            }
                        }
                    },
                    "score": 59.0
                }
            },
            {
                "entity": {
                    "id": "idn:passbolt.siemplify.co",
                    "name": "passbolt.siemplify.co",
                    "type": "InternetDomainName"
                },
                "risk": {
                    "level": 0.0,
                    "rule": {
                        "count": 0,
                        "mostCritical": "",
                        "summary": [],
                        "maxCount": 47
                    },
                    "context": {
                        "malware": {
                            "rule": {
                                "count": 0,
                                "maxCount": 2
                            },
                            "score": 0.0
                        },
                        "public": {
                            "rule": {
                                "maxCount": 41
                            },
                            "summary": [],
                            "mostCriticalRule": "",
                            "score": 0.0
                        },
                        "c2": {
                            "score": 0.0,
                            "rule": {
                                "maxCount": 2,
                                "count": 0
                            }
                        },
                        "phishing": {
                            "score": 0.0,
                            "rule": {
                                "maxCount": 2,
                                "count": 0
                            }
                        }
                    },
                    "score": 0.0
                }
            },
            {
                "entity": {
                    "id": "url:http://bolizarsospos.com/703hjdr3ez72",
                    "name": "http://bolizarsospos.com/703hjdr3ez72",
                    "type": "URL"
                },
                "risk": {
                    "level": 4.0,
                    "rule": {
                        "count": 3,
                        "mostCritical": "C&C URL",
                        "maxCount": 29,
                        "evidence": {
                            "cncUrl": {
                                "count": 1.0,
                                "timestamp": "2020-10-12T02:46:13.823Z",
                                "description": "1 sighting on 1 source: Abuse.ch: Ransomware C&C URL Blocklist.",
                                "rule": "C&C URL",
                                "mitigation": "",
                                "level": 4.0
                            },
                            "maliciousSiteDetected": {
                                "count": 1.0,
                                "timestamp": "2019-12-07T23:10:05.000Z",
                                "description": "4 sightings on 1 source: Recorded Future URL Analysis.",
                                "rule": "Historically Detected Malicious Browser Exploits",
                                "mitigation": "",
                                "level": 1.0
                            },
                            "malwareSiteDetected": {
                                "count": 1.0,
                                "timestamp": "2019-12-07T23:10:05.000Z",
                                "description": "4 sightings on 1 source: Recorded Future URL Analysis.",
                                "rule": "Historically Detected Malware Distribution",
                                "mitigation": "",
                                "level": 1.0
                            }
                        },
                        "summary": [
                            {
                                "count": 1.0,
                                "level": 4.0
                            },
                            {
                                "count": 2.0,
                                "level": 1.0
                            }
                        ]
                    },
                    "context": {
                        "malware": {
                            "rule": {
                                "count": 0,
                                "maxCount": 4
                            },
                            "score": 0.0
                        },
                        "public": {
                            "rule": {
                                "maxCount": 26
                            },
                            "summary": [
                                {
                                    "count": 1.0,
                                    "level": 4.0
                                },
                                {
                                    "count": 2.0,
                                    "level": 1.0
                                }
                            ],
                            "mostCriticalRule": "C&C URL",
                            "score": 91.0
                        },
                        "c2": {
                            "score": 90.0,
                            "rule": {
                                "maxCount": 1,
                                "count": 1
                            }
                        },
                        "phishing": {
                            "score": 0.0,
                            "rule": {
                                "maxCount": 3,
                                "count": 0
                            }
                        }
                    },
                    "score": 91.0
                }
            }
        ]
    },
    "counts": {
        "returned": 6,
        "total": 6
    }
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If successful and at least one of the provided entities was enriched (is_success = true):
Print "Successfully enriched the following entities in Recorded Future: \n {0}".format(entity.identifier list)

If specific entities could not be enriched (is_success = true):
Print "Action was not able to enrich the following entities in Recorded Future: \n {0}".format([entity.identifier])

If no entities were enriched (is_success = false):

Print "No entities were enriched."

The action should fail and stop a playbook execution:
If not successful:

Print "Error executing action "Enrich IOC". Reason: {0}".format(error.Stacktrace)

If we get HTTP code 401 - unauthorized:

Print "Unauthorized - please check your API token and try again"
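The following is an added example, not the integration's own code, showing how an Enrich IOC response in the shape of the JSON Result above is turned into the entity enrichment and the Case Wall messages listed here. Two things are assumed: the list under "data" is named "results" (the sample above is cut before that key), and the threshold comparison is "equals or exceeds", the wording the Enrich Hash insight uses. The IP entry in the sample is constructed and deliberately carries no "risk" block, which is the case the action reports as "not able to enrich".

```python
"""Added example (not the Recorded Future integration's own code):
apply the Risk Score Threshold to an Enrich IOC response and build the
Case Wall output messages."""
from typing import Any, Dict, List, Tuple

# Constructed sample shaped like the JSON Result above. The domain and URL
# entries reuse values from the page's sample; the IP entry is made up and
# has no "risk" block. The "results" key name is an assumption.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "data": {
        "results": [
            {
                "entity": {"id": "idn:passbolt.siemplify.co",
                           "name": "passbolt.siemplify.co",
                           "type": "InternetDomainName"},
                "risk": {"level": 0.0, "score": 0.0,
                         "rule": {"count": 0, "mostCritical": "", "maxCount": 47}},
            },
            {
                "entity": {"id": "url:http://bolizarsospos.com/703hjdr3ez72",
                           "name": "http://bolizarsospos.com/703hjdr3ez72",
                           "type": "URL"},
                "risk": {"level": 4.0, "score": 91.0,
                         "rule": {"count": 3, "mostCritical": "C&C URL", "maxCount": 29}},
            },
            {
                "entity": {"id": "ip:198.51.100.7", "name": "198.51.100.7",
                           "type": "IpAddress"},
            },
        ]
    },
    "counts": {"returned": 3, "total": 3},
}


def enrich_entities(response: Dict[str, Any], requested: List[str],
                    threshold: float) -> Tuple[Dict[str, Dict[str, Any]], List[str]]:
    """Return (enriched, not_enriched).

    enriched maps an entity identifier to its enrichment fields. An entity
    counts as enriched only when the response has a risk block with a score.
    """
    enriched: Dict[str, Dict[str, Any]] = {}
    for item in response.get("data", {}).get("results", []):
        name = item.get("entity", {}).get("name")
        risk = item.get("risk") or {}
        if not name or risk.get("score") is None:
            continue
        score = float(risk["score"])
        rule = risk.get("rule") or {}
        enriched[name] = {
            "Risk Score": score,
            "isSuspicious": score >= threshold,   # assumed "equals or exceeds"
            "Triggered Rules": "{}/{}".format(rule.get("count", 0), rule.get("maxCount", 0)),
            "Most Critical Rule": rule.get("mostCritical", ""),
        }
    not_enriched = [e for e in requested if e not in enriched]
    return enriched, not_enriched


def build_output(enriched: Dict[str, Dict[str, Any]],
                 not_enriched: List[str]) -> Tuple[bool, str]:
    """is_success flag and Case Wall text, following the message table above."""
    if not enriched:
        return False, "No entities were enriched."
    lines = ["Successfully enriched the following entities in Recorded Future: \n{}".format(
        ", ".join(enriched))]
    if not_enriched:
        lines.append(
            "Action was not able to enrich the following entities in Recorded Future: \n{}".format(
                ", ".join(not_enriched)))
    return True, "\n".join(lines)


if __name__ == "__main__":
    requested = [r["entity"]["name"] for r in SAMPLE_RESPONSE["data"]["results"]]
    enriched, missing = enrich_entities(SAMPLE_RESPONSE, requested, threshold=25)
    ok, text = build_output(enriched, missing)
    print(ok)
    print(text)
```

With the default threshold of 25, the domain (score 0.0) is enriched but not suspicious, the URL (score 91.0) is enriched and suspicious, and the IP without a risk block ends up in the "not able to enrich" message while is_success stays true.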

General

Enrich CVE

Description

The action enables a user to send a CVE to look up threat intelligence information that summarizes the CVE's reputation.

Parameters

Parameters Type Default Value Is Mandatory Description
Risk Score Threshold String 25 Yes Represents the minimum malicious risk score for a CVE to be marked malicious. The risk score threshold must be a numeric value in the range 0-99. The band levels are:

Very Malicious: 90-99
Malicious: 65-89
Suspicious: 25-64
Unusual: 5-24
No Malicious content: 0

Use cases

A security analyst runs a security assessment on their information technology infrastructure. The findings show that their information system is vulnerable to an identified vulnerability whose CVE ID is known. The analyst lacks further details on the vulnerability and would like to find out its reputation. The user can use Recorded Future to look up the vulnerability's CVE reputation.

Run On

This action runs on the CVE entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if their risk score exceeds the threshold; otherwise False.

Enrichment Field Name Logic - When to apply
Last Reference Returns if it exists in JSON result
Triggered Rules Returns if it exists in JSON result
First Reference Returns if it exists in JSON result
Risk Score Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight is created to inform on the malicious status of the enriched CVE. The insight is created when the risk score equals or exceeds the minimum suspicious risk score threshold.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
    {
        "EntityResult":
        {
            "Last Reference": "2019-10-04T18:19:19.044Z",
            "Triggered Rules": "7/51",
            "First Reference": "16-05-25T11:47:06.812Z",
            "Risk Score": "45"
        },
        "Entity": "CVE-2019-9925"
    }
]

Enrich Hash

Description

The action enables a user to send a hash to look up threat intelligence information that summarizes the hash's reputation.

Parameters

Parameters Type Default Value Description
Risk Score Threshold String 25 Represents the minimum malicious risk score for a hash to be marked malicious. The risk score threshold must be a numeric value in the range 0-99. The band levels are:

Very Malicious: 90-99
Malicious: 65-89
Suspicious: 25-64
Unusual: 5-24
No Malicious content: 0

Use cases

A file on an endpoint is suspected to be infected with a virus. Using Recorded Future, a user sends the file's hash and obtains its reputation through a lookup.

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if their risk score exceeds the threshold; otherwise False.

Enrichment Field Name Logic - When to apply
Last Reference Returns if it exists in JSON result
Triggered Rules Returns if it exists in JSON result
First Reference Returns if it exists in JSON result
Risk Score Returns if it exists in JSON result
Hash Algorithm Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight is created to inform on the malicious status of the enriched hash. The insight is created when the risk score equals or exceeds the minimum suspicious risk score threshold.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
     {
         "EntityResult":
         {
             "Last Reference": "2019-10-04T18:19:19.044Z",
             "Triggered Rules": "7/51",
             "First Reference": "16-05-25T11:47:06.812Z",
             "Risk Score": "45",
             "Hash Algorithm": "MD5"
         },
         "Entity": "MD5"
     }
]

Enrich Host

Description

The action enables a user to send a host name to look up threat intelligence information that summarizes the host's reputation.

Parameters

Parameters Type Default Value Description
Risk Score Threshold String 25 Represents the minimum malicious risk score for a host to be marked malicious. The risk score threshold must be a numeric value in the range 0-99. The band levels are:

Very Malicious: 90-99
Malicious: 65-89
Suspicious: 25-64
Unusual: 5-24
No Malicious content: 0

Use cases

A user receives an email redirecting them to a web domain that replicates their own. The domain claims to belong to their domain registrar and asks them to enter credentials for access, while in fact it is a phishing site. The user can use Recorded Future to look up the domain's reputation.

Run On

This action runs on the Hostname entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if their risk score exceeds the threshold; otherwise False.

Enrichment Field Name Logic - When to apply
Last Reference Returns if it exists in JSON result
Triggered Rules Returns if it exists in JSON result
First Reference Returns if it exists in JSON result
Risk Score Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight is created to inform on the malicious status of the enriched host. The insight is created when the risk score equals or exceeds the minimum suspicious risk score threshold.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
    {
        "EntityResult":
        {
            "Last Reference": "2019-10-04T18:19:19.044Z",
            "Triggered Rules": "7/51",
            "First Reference": "16-05-25T11:47:06.812Z",
            "Risk Score": "45",
            "Geo-City": "Beijing",
            "Geo-Country": "China",
            "Org": "DigitalOcean",
            "Asn": "AS393406"
        },
        "Entity": "8.8.8.8"
    }
]

Enrich IP

Description

The action enables a user to send an IP address to look up threat intelligence information that summarizes the IP's reputation.

Parameters

Parameters Type Default Value Description
Risk Score Threshold String 25 Represents the minimum malicious risk score for an IP address to be marked malicious. The risk score threshold must be a numeric value in the range 0-99. The band levels are:

Very Malicious: 90-99
Malicious: 65-89
Suspicious: 25-64
Unusual: 5-24
No Malicious content: 0

Use cases

N/A

Run On

This action runs on the IP Address entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if their risk score exceeds the threshold; otherwise False.

Enrichment Field Name Logic - When to apply
Last Reference Returns if it exists in JSON result
Triggered Rules Returns if it exists in JSON result
First Reference Returns if it exists in JSON result
Risk Score Returns if it exists in JSON result
Geo-City Returns if it exists in JSON result
Geo-Country Returns if it exists in JSON result
Org Returns if it exists in JSON result
Asn Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight is created to inform on the malicious status of the enriched IP address. The insight is created when the risk score equals or exceeds the minimum suspicious risk score threshold.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
    {
        "EntityResult":
        {
            "Last Reference": "2019-10-04T18:19:19.044Z",
            "Triggered Rules": "7/51",
            "First Reference": "16-05-25T11:47:06.812Z",
            "Risk Score": "45",
            "Geo-City": "Beijing",
            "Geo-Country": "China",
            "Org": "DigitalOcean",
            "Asn": "AS393406"
        },
        "Entity": "8.8.8.8"
    }
]

Enrich URL

Description

The action enables a user to send a URL to look up threat intelligence information that summarizes the URL's reputation.

Parameters

Parameters Type Default Value Description
Risk Score Threshold String 25 Represents the minimum malicious risk score for a URL to be marked malicious. The risk score threshold must be a numeric value in the range 0-99. The band levels are:

Very Malicious: 90-99
Malicious: 65-89
Suspicious: 25-64
Unusual: 5-24
No Malicious content: 0
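The Risk Score Threshold parameter and its band table appear identically in the Enrich CVE, Enrich Hash, Enrich Host, Enrich IP and Enrich URL actions above. The block below is an added example, not the integration's own code, that validates the parameter the way the description requires (a String that must be numeric and within 0-99), maps a score to its band, and derives the is_risky script result and the Warn insight decision. One caveat it makes explicit: the bands as listed leave scores 1-4 uncovered, so band_for_score returns None for them instead of guessing. The "equals or exceeds" comparison follows the wording of the Enrich Hash insight.

```python
"""Added example (not the Recorded Future integration's own code):
validate the Risk Score Threshold and map a risk score to its band."""
from typing import Dict, Optional, Union

Number = Union[str, int, float]

# Inclusive band edges, copied from the parameter description. Scores 1-4
# are not listed on the page and therefore map to no band.
RISK_BANDS = (
    (90, 99, "Very Malicious"),
    (65, 89, "Malicious"),
    (25, 64, "Suspicious"),
    (5, 24, "Unusual"),
    (0, 0, "No Malicious content"),
)


def parse_threshold(raw: Number) -> float:
    """The parameter is typed String: reject non-numeric or out-of-range values."""
    try:
        value = float(str(raw).strip())
    except ValueError:
        raise ValueError("Risk Score Threshold must be numeric, got {!r}".format(raw))
    if not 0 <= value <= 99:
        raise ValueError("Risk Score Threshold must be within 0-99, got {!r}".format(raw))
    return value


def band_for_score(score: float) -> Optional[str]:
    """Band label for a score, or None when it falls outside every listed band."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    return None


def evaluate(risk_score: Number, threshold: Number) -> Dict[str, object]:
    """Script result and insight decision for one enriched entity.

    risk_score may be the string form the JSON Result shows ("45").
    """
    limit = parse_threshold(threshold)
    score = float(risk_score)
    is_risky = score >= limit             # assumed "equals or exceeds" the threshold
    return {
        "is_risky": is_risky,
        "band": band_for_score(score),
        "create_warn_insight": is_risky,  # Warn insight per the Insights table
    }


if __name__ == "__main__":
    for raw_score in ("45", "91", "0", "3"):
        print(raw_score, evaluate(raw_score, "25"))
```

Validating the threshold before comparing is the part most often skipped in playbooks: a non-numeric or out-of-range string would otherwise fail silently, and a comparison against a bad threshold can mark every entity as not risky.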

Use cases

A user opens their mailbox and finds a suspicious email directing them to follow a given URL in order to perform a crucial password change or software update. The user can use Recorded Future to look up the URL's reputation.

Run On

This action runs on the URL entity.

Action Results

Entity Enrichment

Entities are marked as Suspicious (True) if their risk score exceeds the threshold; otherwise False.

Enrichment Field Name Logic - When to apply
Triggered Rules Returns if it exists in JSON result
Risk Score Returns if it exists in JSON result
Insights
Severity Description
Warn A warning insight is created to inform on the malicious status of the enriched URL. The insight is created when the risk score equals or exceeds the minimum suspicious risk score threshold.
Script Result
Script Result Name Value Options Example
is_risky True/False is_risky:False
JSON Result
[
    {
        "EntityResult":
        {
            "Triggered Rules": "7/51",
            "Risk Score": "45"
        },
        "Entity": "8.8.8.8"
    }
]

Get Alert Details

Description

Fetch information about a specific alert and return the results to the case.

Use this action to get the additional information available for Recorded Future alerts: documents, related entities, evidence, etc.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Alert ID String N/A Yes Specify the ID of the alert for which you would like to fetch details

Run On

This action doesn't run on entities; it runs only on the Google Security Operations SOAR TicketId, which is the Recorded Future alert ID.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "data": {
        "review": {
            "assignee": null,
            "noteAuthor": null,
            "note": null,
            "status": "no-action",
            "noteDate": null
        },
        "entities": [
            {
                "entity": {
                    "id": "idn:gmail.com.sabsepehlelic.com",
                    "name": "gmail.com.sabsepehlelic.com",
                    "type": "InternetDomainName"
                },
                "risk": {
                    "criticalityLabel": "Suspicious",
                    "score": null,
                    "documents": [
                        {
                            "references": [
                                {
                                    "fragment": "A certificate for the domain gmail.com.sabsepehlelic.com has been registered",
                                    "entities": [
                                        {
                                            "id": "idn:gmail.com.sabsepehlelic.com",
                                            "name": "gmail.com.sabsepehlelic.com",
                                            "type": "InternetDomainName"
                                        }
                                    ],
                                    "language": "eng"
                                }
                            ],
                            "source": {
                                "id": "beD_4-",
                                "name": "New Certificate Registrations",
                                "type": "Source"
                            },
                            "url": null,
                            "title": "Certificate Registration"
                        }
                    ],
                    "evidence": [
                        {
                            "mitigationString": "",
                            "timestamp": "2020-09-28T02:36:23.924Z",
                            "criticalityLabel": "Suspicious",
                            "evidenceString": "1 sighting on 1 source: New Certificate Registrations. Certificate registered on Sep 28, 2020.",
                            "rule": "Newly Registered Certificate With Potential for Abuse - DNS Sandwich",
                            "criticality": 2
                        },
                        {
                            "mitigationString": "",
                            "timestamp": "2020-09-28T02:36:25.000Z",
                            "criticalityLabel": "Suspicious",
                            "evidenceString": "Identified by Recorded Future as potential typosquatting: DNS Sandwich similarity found between gmail.com.sabsepehlelic.com and 1 possible target: gmail.com.",
                            "rule": "Recent Typosquat Similarity - DNS Sandwich",
                            "criticality": 2
                        }
                    ],
                    "criticality": 2
                },
                "trend": {},
                "documents": []
            },
            {
                "entity": {
                    "id": "idn:www.gmail.com.sabsepehlelic.com",
                    "name": "www.gmail.com.sabsepehlelic.com",
                    "type": "InternetDomainName"
                },
                "risk": {
                    "criticalityLabel": "Suspicious",
                    "score": null,
                    "documents": [
                        {
                            "references": [
                                {
                                    "fragment": "A certificate for the domain www.gmail.com.sabsepehlelic.com has been registered",
                                    "entities": [
                                        {
                                            "id": "idn:www.gmail.com.sabsepehlelic.com",
                                            "name": "www.gmail.com.sabsepehlelic.com",
                                            "type": "InternetDomainName"
                                        }
                                    ],
                                    "language": "eng"
                                }
                            ],
                            "source": {
                                "id": "beD_4-",
                                "name": "New Certificate Registrations",
                                "type": "Source"
                            },
                            "url": null,
                            "title": "Certificate Registration"
                        }
                    ],
                    "evidence": [
                        {
                            "mitigationString": "",
                            "timestamp": "2020-09-28T02:36:23.924Z",
                            "criticalityLabel": "Suspicious",
                            "evidenceString": "1 sighting on 1 source: New Certificate Registrations. Certificate registered on Sep 28, 2020.",
                            "rule": "Newly Registered Certificate With Potential for Abuse - DNS Sandwich",
                            "criticality": 2
                        },
                        {
                            "mitigationString": "",
                            "timestamp": "2020-09-28T02:36:25.000Z",
                            "criticalityLabel": "Suspicious",
                            "evidenceString": "Identified by Recorded Future as potential typosquatting: DNS Sandwich similarity found between www.gmail.com.sabsepehlelic.com and 1 possible target: gmail.com.",
                            "rule": "Recent Typosquat Similarity - DNS Sandwich",
                            "criticality": 2
                        }
                    ],
                    "criticality": 2
                },
                "trend": {},
                "documents": []
            }
        ],
        "url": "https://app.recordedfuture.com/live/sc/notification/?id=feRS3x",
        "rule": {
            "url": "https://app.recordedfuture.com/live/sc/ViewIdkobra_view_report_item_alert_editor?view_opts=%7B%22reportId%22%3A%22eOFFb0%22%2C%22bTitle%22%3Atrue%2C%22title%22%3A%22Infrastructure+and+Brand+Risk%2C+Potential+Typosquatting+Watch+List+Domains%22%7D&state.bNavbar=false",
            "name": "Infrastructure and Brand Risk, Potential Typosquatting Watch List Domains",
            "id": "eOFFb0"
        },
        "triggered": "2020-09-28T10:13:40.466Z",
        "id": "feRS3x",
        "counts": {
            "references": 2,
            "entities": 2,
            "documents": 1
        },
        "title": "Infrastructure and Brand Risk, Potential Typosquatting Watch List Domains ...",
        "type": "ENTITY"
    }
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:
If successful (is_success = true):
Print "Successfully fetched the following Alert ID details from Recorded Future: \n {0}".format(AlertID)

The action should fail and stop a playbook execution:
Pay attention: Recorded Future returns HTTP code 404 when the alert ID wasn't found or is missing, but a 404 might also indicate other problems. So:
If we have a way to differentiate between the cases:

  • If the alert ID was not found - print "Requested Alert ID wasn't found in Recorded Future. Please check the Alert ID and try again"
  • If another HTTP problem occurred - print "Error executing action "Get Alert's Details". Reason: {0}".format(error.Stacktrace)

If we don't have a way to differentiate between the cases:

  • Print "Requested Alert ID wasn't found in Recorded Future, or something went wrong in executing action "Get Alert's Details". Reason: {0}".format(error.Stacktrace)

If we get HTTP code 401 - unauthorized:

Print "Unauthorized - please check your API token and try again"
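An added example, not the integration's own code, that reduces a Get Alert Details response in the shape of the JSON Result above to a compact case summary: alert metadata, review status, and each entity's criticality with the rules that fired. The sample is a trimmed copy of the page's payload (one entity, documents omitted). The point worth noticing is that entity scores in alert payloads can be null, as in the sample, so this summary keys off "criticality" and never assumes the numeric risk score that the Enrich actions rely on.

```python
"""Added example (not the Recorded Future integration's own code):
summarise a Get Alert Details response for the case wall."""
from typing import Any, Dict, List

# Constructed sample trimmed from the JSON Result above: one of the two
# entities kept, "documents" omitted.
SAMPLE_ALERT: Dict[str, Any] = {
    "data": {
        "review": {"assignee": None, "noteAuthor": None, "note": None,
                   "status": "no-action", "noteDate": None},
        "entities": [
            {
                "entity": {"id": "idn:gmail.com.sabsepehlelic.com",
                           "name": "gmail.com.sabsepehlelic.com",
                           "type": "InternetDomainName"},
                "risk": {
                    "criticalityLabel": "Suspicious",
                    "score": None,
                    "evidence": [
                        {"timestamp": "2020-09-28T02:36:23.924Z", "criticality": 2,
                         "rule": "Newly Registered Certificate With Potential for Abuse - DNS Sandwich"},
                        {"timestamp": "2020-09-28T02:36:25.000Z", "criticality": 2,
                         "rule": "Recent Typosquat Similarity - DNS Sandwich"},
                    ],
                    "criticality": 2,
                },
            }
        ],
        "url": "https://app.recordedfuture.com/live/sc/notification/?id=feRS3x",
        "rule": {"name": "Infrastructure and Brand Risk, Potential Typosquatting Watch List Domains",
                 "id": "eOFFb0"},
        "triggered": "2020-09-28T10:13:40.466Z",
        "id": "feRS3x",
        "counts": {"references": 2, "entities": 2, "documents": 1},
        "title": "Infrastructure and Brand Risk, Potential Typosquatting Watch List Domains ...",
        "type": "ENTITY",
    }
}


def summarize_alert(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the alert into the fields an analyst reads first."""
    data = payload.get("data") or {}
    if not data.get("id"):
        raise ValueError("payload has no data.id; not an alert details response")
    entities: List[Dict[str, Any]] = []
    for item in data.get("entities") or []:
        ent = item.get("entity") or {}
        risk = item.get("risk") or {}
        evidence = risk.get("evidence") or []
        entities.append({
            "name": ent.get("name"),
            "type": ent.get("type"),
            "criticality": risk.get("criticality") or 0,
            "criticalityLabel": risk.get("criticalityLabel"),
            "score": risk.get("score"),                  # may be None in alert payloads
            "rules": sorted({e["rule"] for e in evidence if e.get("rule")}),
            "latest_evidence": max((e.get("timestamp") or "" for e in evidence), default=None),
        })
    rule = data.get("rule") or {}
    return {
        "alert_id": data["id"],
        "title": data.get("title"),
        "rule_name": rule.get("name"),
        "rule_id": rule.get("id"),
        "triggered": data.get("triggered"),
        "review_status": (data.get("review") or {}).get("status"),
        "max_criticality": max((e["criticality"] for e in entities), default=0),
        "entities": entities,
        "url": data.get("url"),
    }


def success_message(alert_id: str) -> str:
    """Case Wall message from the table above."""
    return "Successfully fetched the following Alert ID details from Recorded Future: \n {}".format(alert_id)


if __name__ == "__main__":
    summary = summarize_alert(SAMPLE_ALERT)
    print(success_message(summary["alert_id"]))
    for ent in summary["entities"]:
        print(ent["name"], ent["criticalityLabel"], ent["rules"])
```

"max_criticality" across entities is a convenient single number for playbook branching when the alert rule itself carries no severity, which is why the connector below asks for a fixed Severity per connector instead.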

General

Description

The action allows a user to send a CVE to search for all entities related to that CVE. The context information returned is raw data that is important for decision making.

Parameters

N/A

Use cases

During a system vulnerability assessment an analyst realizes that their system is vulnerable to a CVE. The analyst performs a lookup action and the CVE is found malicious. The analyst decides to get related entities information to learn more about the technologies and vectors used by the CVE.

Run On

This action runs on the CVE entity.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_successful True/False is_successful:False

Description

Query Recorded Future to get the entities related to the hash.

Parameters

N/A

Use cases

A user identifies a malicious hash in one of the endpoints' antivirus quarantines at their organization. They would like more information concerning the hash to help them come up with a way to mitigate it. Using Recorded Future they can get more threat information on it.

Run On

This action runs on the Filehash entity.

Action Results

Script Result
Script Result Name Value Options Example
is_successful True/False is_successful:False

Description

The action enables a user to send a host to look up all entities related to the host. The context information returned is raw data that is important for decision making.

Parameters

N/A

Use cases

A user identifies a malicious hash in one of the endpoints' antivirus quarantines at their organization. The user would like more information concerning the hash to help them come up with a way to mitigate it. Using Recorded Future they can get more threat information on it.

Run On

This action runs on the Hostname entity.

Action Results

Script Result
Script Result Name Value Options Example
is_successful True/False is_successful:False

Description

The action enables a user to send an IP address to look up all entities related to the IP. The information gathered gives the user vital insight into who is attacking them, what the attackers' motivation and capabilities are, and which indicators of compromise are present in their systems. With this information the user can make an informed security decision.

Parameters

N/A

Use cases

A WAF (Web Application Firewall) makes a log entry for suspicious web traffic from an IP address. Once the log entry is acknowledged by the analyst, the IP address is sent for enrichment by Recorded Future in an effort to find its reputation. If the IP was found risky the playbook will block the IP.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_successful True/False is_successful:False

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
is_successful True/False is_successful:False

Add Analyst Note

Description

Add an analyst note to entities that were previously enriched in Google Security Operations SOAR, publishing it against the corresponding Recorded Future entities. The action adds the note to the relevant entities in scope.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Note Title String Note Title Yes Specify the title for the note.
Note Text String Note Text Yes Specify the text for the note.
Note Source String N/A Yes Specify the RF ID for the note source; the API explorer shows which RF IDs are accessible to the user whose API token is used. For example, VWKdVr is the RF ID for an analyst note and is only available to users in the same enterprise account in Recorded Future.
Topic DDL (see table below) None No Specify the relevant note topic from the list, if needed.
Enrich Entity? Checkbox Checked Yes Specify whether the action should enrich the entity with the "Enrich IOC" output.

DDL Values for the "Topic" field

Display text String to send in the request
None (default) Send nothing
Actor Profile TXSFt2
Analyst On-Demand Report VlIhvH
Cyber Threat Analysis TXSFt1
Flash Report TXSFt0
Indicator TXSFt4
Informational UrMRnT
Malware/Tool Profile UX0YlU
Source Profile UZmDut
Threat Lead TXSFt3
Validated Intelligence Event TXSFt5
Weekly Threat Landscape VlIhvG
YARA Rule VTrvnW
Run On

This action runs on the following entity types:

  • IP Address
  • URL
  • Filehash
  • CVE
  • Domain
Action Results
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Entity Enrichment
Enrichment Field Name Logic - When to apply
RF_doc_id When available in JSON.
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If at least one of the provided entities was found in Recorded Future, or already had an RF ID, and the note was added successfully:
"Successfully published analyst note with the following entities in Recorded Future: (entity.identifier list)"

If at least one entity couldn't be found in Recorded Future when running Enrich IOC: "The following entities do not exist in Recorded Future - {non_existing_entities}"

The action should fail:

If no entities had an RF_ID and they weren't found by Enrich IOC:

"Recorded Future couldn't find any of the entities provided in "Enrich IOC", and thus couldn't publish the analyst note."

The action should fail and stop a playbook execution:
If not successful: print "Error executing action "Publish Analyst Note". Reason: (error.Stacktrace)"

If we get HTTP code 401 - unauthorized: "Unauthorized - please check your API token and try again"

General

Update Alert

Description

Update an alert in Recorded Future.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Alert ID String N/A Yes Specify the ID of the alert that needs to be updated.
Status DDL Select One No Specify the new status for the alert. Possible values: Unassigned, Assigned, Pending, Dismissed, New, Resolved, Flag For Tuning.
Assign To String No Specify to whom to assign the alert. You can provide an id, username, user hash, or email.
Note String Specify a note that should be updated on the alert.
Run On

This action doesn't run on entities.

Action Results
Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:
If updated (is_success = true): "Successfully updated alert {id} in Recorded Future."

The action should fail and stop a playbook execution:
If a fatal error occurs, such as wrong credentials, no connection to the server, or other: "Error executing action "Update Alert". Reason: {0}".format(error.Stacktrace)

If the error list is not empty: "Error executing action "Update Alert". Reason: {0}".format(error/reason)

If Status is "Select One" and none of the other values are provided:

"Error executing action "Update Alert". Reason: at least one of the action parameters should have a provided value."

General

Connectors

Recorded Future - Security Alerts Connector

Description

Pull security alerts from Recorded Future.

Whitelist and blacklist work with Recorded Future rule names.

Configure Recorded Future - Security Alerts Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String title Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String ID Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern String .* No A regex pattern to run on the value found in the "Environment Field Name" field. The default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds) Integer 180 Yes Timeout limit for the Python process running the current script.
API URL String https://api.recordedfuture.com Yes API root of the Recorded Future instance.
API Key Password N/A Yes API key for Recorded Future.
Fetch Max Hours Backwards Integer 1 No Number of hours back from which to fetch events.
Max Alerts To Fetch Integer 100 No How many alerts to process per connector iteration.
Severity String Medium Yes Severity assigned to the Google Security Operations SOAR alerts created by this connector. One of the following values: Low, Medium, High, Critical.
Get Alert's Details Checkbox Unchecked Yes Get the alert's full details from Recorded Future. Note: each query "costs" 1 Recorded Future API credit.
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, the whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify that the SSL certificate for the connection to the Recorded Future server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.
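The connector parameters above interact in ways the table alone does not show: the whitelist matches Recorded Future rule names and flips meaning under "Use whitelist as a blacklist", and the environment is derived from "Environment Field Name" plus "Environment Regex Pattern" with the documented fallbacks to the default environment. The block below is an added example, not the connector's own code, that puts those rules together with the Severity value check and the "Max Alerts To Fetch" cap. Assumptions, labelled in the code: an empty whitelist means no filtering, the default environment's name, and that a capturing group in the regex selects the environment value (with no group, the whole match is used, so the default .* returns the value unchanged). The alerts and rule names are constructed.

```python
"""Added example (not the Recorded Future connector's own code): rule-name
whitelist/blacklist filtering, environment resolution and severity tagging."""
import re
from typing import Any, Dict, Iterable, List

SEVERITIES = ("Low", "Medium", "High", "Critical")
DEFAULT_ENVIRONMENT = "Default Environment"   # assumed name of the default environment

# Constructed alerts with the "id" and "rule.name" fields the connector reads,
# plus a made-up "customer" field used as the Environment Field Name.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"id": "ALERT-1", "rule": {"name": "Typosquat Watch"}, "customer": "acme-prod"},
    {"id": "ALERT-2", "rule": {"name": "Leaked Credentials"}, "customer": "acme-dev"},
    {"id": "ALERT-3", "rule": {"name": "Typosquat Watch"}},              # field missing
    {"id": "ALERT-4", "rule": {"name": "Leaked Credentials"}, "customer": None},
]


def rule_allowed(rule_name: str, whitelist: Iterable[str], use_as_blacklist: bool) -> bool:
    """Whitelist semantics on rule names; inverted when used as a blacklist.

    Assumption: an empty list means no filtering at all.
    """
    names = {n.strip() for n in whitelist if n and n.strip()}
    if not names:
        return True
    listed = rule_name in names
    return (not listed) if use_as_blacklist else listed


def resolve_environment(alert: Dict[str, Any], field_name: str, pattern: str,
                        default: str = DEFAULT_ENVIRONMENT) -> str:
    """Apply the Environment Field Name / Regex Pattern rules from the table."""
    if not field_name:                      # no field configured
        return default
    value = alert.get(field_name)
    if value is None or not pattern:        # field not found/null, or empty pattern
        return default
    match = re.search(pattern, str(value))
    if not match:
        return default
    # Assumption: a capturing group selects the value; otherwise the whole match.
    return match.group(1) if match.groups() else match.group(0)


def fetch_alerts(alerts: Iterable[Dict[str, Any]], whitelist: Iterable[str],
                 use_as_blacklist: bool, env_field: str, env_regex: str,
                 max_alerts: int, severity: str) -> List[Dict[str, Any]]:
    """One connector iteration over already-fetched alerts."""
    if severity not in SEVERITIES:
        raise ValueError("Severity must be one of {}".format(", ".join(SEVERITIES)))
    selected: List[Dict[str, Any]] = []
    for alert in alerts:
        if len(selected) >= max_alerts:
            break
        rule_name = (alert.get("rule") or {}).get("name", "")
        if not rule_allowed(rule_name, whitelist, use_as_blacklist):
            continue
        selected.append({
            "id": alert["id"],
            "rule": rule_name,
            "environment": resolve_environment(alert, env_field, env_regex),
            "severity": severity,
        })
    return selected


if __name__ == "__main__":
    for a in fetch_alerts(SAMPLE_ALERTS, ["Typosquat Watch"], False,
                          "customer", r"^([a-z]+)-", 100, "Medium"):
        print(a)
```

Note that flipping "Use whitelist as a blacklist" with the same list changes which alerts reach the SOAR entirely, so the setting deserves a check whenever the whitelist is edited.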

Connector rules

Proxy support

The connector supports proxy.