"Recorded Future Intelligence" Pack Documentation

This pack is used to access Recorded Future data to enrich IPs, domains, URLs, CVEs, Files, and Malwares and assess
threats in regards to a specific context.

Integration

The integration is used to access the data from the API.

Available Actions

Reputation actions
- Using the new Recorded Future SOAR Enrichment API.
- Available actions: ip, domain, url, file(hashes), cve.
Intelligence action
- Fetches full information for the entity.
- Supports IPs, Domains, URLs, Files(hashes), Vulnerabilities(cve), Malwares.
Malware search action
Alert actions
- Fetch alerting rules defined at Recorded Future.
- Fetch alert summaries from one or more alerting rules.
- Set alert status in Recorded Future
- Set alert note in Recorded Future
Threat assessment action
- Takes a context, such as phishing or malware and one or more IOC as input.
- Outputs a verdict (true/false) and related evidence (risk rules) for this context.

Dashboards and indicators

Includes a dashboard that details various metrics related to indicators that was generated from Recorded Future data and
incidents that was created from Recorded Future data.

There are two indicator fields added to record which risk rules indicators have triggered as well as whether an
indicator is a malware, c2, or phishing when it has gone through the playbook for threat assessment.

Playbooks

All the playbooks are meant to be used as sub-playbooks to get reputation, intelligence or assess the threat level in
regards to a context.

Available Reputation sub-playbooks

IP
Domain
CVE
File
URL
One combined playbook that returns the reputation for all of the above types

Available Intelligence/Enrichment sub-playbooks

IP
Domain
CVE
File
URL

Threat assessment sub-playbooks for the following contexts

Malware
Phishing
Command and Control (C2)

Available template playbooks

Recorded Future Entity Enrichment
Recorded Future Sandbox (Hatching)
Recorded Future Leaked Credentials Alert Handling
Recorded Future Typosquat Alert Handling
Recorded Future Vulnerability Alert Handling

Incident Types

Recorded Future Alert
Recorded Future Leaked Credential Monitoring
Recorded Future New Critical or Pre NVD Vulnerabilities
Recorded Future Potential Typosquat

Classifier and Incoming Mapper

Classifier and Incoming Mapper allows you to classify and map fetched incident onto Recorded Future Incident Types.

Available classifier and incoming mapper

Recorded Future - Classifier
Recorded Future - Incoming Mapper

Name	Description
Recorded Future Alert
Recorded Future Potential Typosquat
Recorded Future Leaked Credential Monitoring
Recorded Future New Critical or Pre NVD Vulnerabilities

Name	Description
Recorded Future v2 (Partner Contribution)	Unique threat intel technology that automatically serves up relevant insights in real time.

Name	Description
Recorded Future - Incoming Mapper
Recorded Future - Classifier

Name	Description
Recorded Future Alert Entities

Name	Description
RecordedFuture Threat assessment
RecordedFuture Risk rules

Name	Description
Recorded Future

Name	Description
Recorded Future Incident	Custom layout for Recorded Future Incident type.
RecordedFutureLayout	Deprecated. Custom layout for Recorded Future Incident type.

Name	Description
Recorded Future Sandbox	Template playbook utilizing Hatching.io to sandbox a given file and generate an analysis report. Indicators from the given report are then extracted and enriched with Recorded Future data.
Recorded Future File Intelligence	File enrichment using Recorded Future intelligence
Recorded Future File Reputation	File reputation using Recorded Future SOAR enrichment
Recorded Future Detailed Alert example
Recorded Future Domain Reputation	Domain reputation using Recorded Future SOAR enrichment
Recorded Future CVE Reputation	CVE reputation with Recorded Future SOAR enrichment
Recorded Future URL Intelligence	URL Enrichment using Recorded Future intelligence
Recorded Future IP Reputation	IP address reputation using Recorded Future SOAR enrichment
Recorded Future CVE Intelligence	CVE enrichment using Recorded Future intelligence
Recorded Future Domain Intelligence	Domain enrichment using Recorded Future intelligence
Recorded Future Threat Assessment	Threat Assessment using the Recorded Future SOAR Triage API and the context Phishing.
Recorded Future Entity Enrichment	Template playbook to incorporate Recorded Future enrichment for IPs, Hashes, Domains, URLs into your current workflows. Playbook also shows how to look up available 'Links' data for IOCs.
Recorded Future Typosquat Alert Handling	Template playbook showing suggested steps to triage typo squat alerts. Classifier/Mapper are available to ingest Recorded Future Typo squat Alerts.
Recorded Future IP Intelligence	IP Address Enrichment using Recorded Future Intelligence
Recorded Future Leaked Credential Alert Handling	Template playbook showing suggested steps to triage leaked credential alerts. Classifier/Mapper are available to ingest Recorded Future Leaked Credential Alerts.
Recorded Future Vulnerability Alert Handling	Template playbook showing suggested steps to triage new critical vulnerability alerts. Playbook include New and Critical CVEs. Classifier/Mapper are available to ingest Recorded Future New, Critical or Pre NVD Vulnerability Alerts.
Recorded Future URL Reputation	URL reputation using Recorded Future SOAR enrichment
Recorded Future IOC Reputation	Entity Reputation using sub-playbooks

Name	Description
Recorded Future Alert
Recorded Future Potential Typosquat
Recorded Future Leaked Credential Monitoring
Recorded Future New Critical or Pre NVD Vulnerabilities

Name	Description
Recorded Future v2 (Partner Contribution)	Unique threat intel technology that automatically serves up relevant insights in real time.

Name	Description
Recorded Future - Incoming Mapper
Recorded Future - Classifier

Name	Description
Recorded Future Alert Entities

Name	Description
RecordedFuture Threat assessment
RecordedFuture Risk rules

Name	Description
Recorded Future Sandbox	Template playbook utilizing Hatching.io to sandbox a given file and generate an analysis report. Indicators from the given report are then extracted and enriched with Recorded Future data.
Recorded Future File Intelligence	File enrichment using Recorded Future intelligence
Recorded Future File Reputation	File reputation using Recorded Future SOAR enrichment
Recorded Future Detailed Alert example
Recorded Future Domain Reputation	Domain reputation using Recorded Future SOAR enrichment
Recorded Future CVE Reputation	CVE reputation with Recorded Future SOAR enrichment
Recorded Future URL Intelligence	URL Enrichment using Recorded Future intelligence
Recorded Future IP Reputation	IP address reputation using Recorded Future SOAR enrichment
Recorded Future CVE Intelligence	CVE enrichment using Recorded Future intelligence
Recorded Future Domain Intelligence	Domain enrichment using Recorded Future intelligence
Recorded Future Threat Assessment	Threat Assessment using the Recorded Future SOAR Triage API and the context Phishing.
Recorded Future Entity Enrichment	Template playbook to incorporate Recorded Future enrichment for IPs, Hashes, Domains, URLs into your current workflows. Playbook also shows how to look up available 'Links' data for IOCs.
Recorded Future Typosquat Alert Handling	Template playbook showing suggested steps to triage typo squat alerts. Classifier/Mapper are available to ingest Recorded Future Typo squat Alerts.
Recorded Future IP Intelligence	IP Address Enrichment using Recorded Future Intelligence
Recorded Future Leaked Credential Alert Handling	Template playbook showing suggested steps to triage leaked credential alerts. Classifier/Mapper are available to ingest Recorded Future Leaked Credential Alerts.
Recorded Future Vulnerability Alert Handling	Template playbook showing suggested steps to triage new critical vulnerability alerts. Playbook include New and Critical CVEs. Classifier/Mapper are available to ingest Recorded Future New, Critical or Pre NVD Vulnerability Alerts.
Recorded Future URL Reputation	URL reputation using Recorded Future SOAR enrichment
Recorded Future IOC Reputation	Entity Reputation using sub-playbooks

Pack Name	Pack By
Whois	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Hatching Triage	By: Hatching
Censys	By: Cortex XSOAR
URLScan.io	By: urlscan GmbH
Base	By: Cortex XSOAR
Default Playbook	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

Pack Name	Pack By
Common Types	By: Cortex XSOAR

Pack Name	Pack By
Zscaler Internet Access	By: Cortex XSOAR
Image OCR	By: Cortex XSOAR
Rapid7 InsightVM	By: Cortex XSOAR
Akamai WAF	By: Cortex XSOAR
Cisco Secure Cloud Analytics (Stealthwatch Cloud)	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
VulnDB	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
Remote Access	By: Cortex XSOAR
Slack	By: Cortex XSOAR
Cisco Umbrella Investigate	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
FortiGate	By: Cortex XSOAR
Signal Sciences WAF	By: Cortex XSOAR
Censys	By: Cortex XSOAR
Hatching Triage	By: Hatching
URLScan.io	By: urlscan GmbH
ARIAPacketIntelligence	By: ARIA Cybersecurity Solutions
CrowdStrike Falcon Intelligence Sandbox	By: Cortex XSOAR
Kenna	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cylance Protect	By: Cortex XSOAR
Whois	By: Cortex XSOAR
VirusTotal - Private API (Deprecated)	By: VirusTotal
Check Point Firewall	By: Cortex XSOAR
Default Playbook	By: Cortex XSOAR
Cisco ASA	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
Cisco Firepower	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Sophos XG Firewall	By: Cortex XSOAR
Google Maps	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
F5 Silverline	By: Cortex XSOAR
ThreatX	By: Cortex XSOAR
CVE Search	By: Cortex XSOAR

Classifiers

New: Recorded Future - Classifier

Added the Recorded Future - Classifier which Classifies Recorded Future alerts to respective incidents types.

Incident Fields

Recorded Future Alert Entities

Incident Types

Recorded Future Leaked Credential Monitoring
Recorded Future New Critical or Pre NVD Vulnerabilities
Recorded Future Potential Typosquat

Integrations

Recorded Future v2

Added the recordedfuture-malware-search command.
Added the ability to get intelligence for malware using the entity_type argument and added the ability to fetch
analyst notes using the new argument: fetch_analyst_notes for recordedfuture-intelligence command.
Made the argument fetch_related_entities be optional for recordedfuture-intelligence command. Default value
is "no".
Added the Alert Statuses to include in the fetch integration parameter, which specify alert statuses to include in the fetch. If empty,
the default value of 'no-action' will be used.
Added the Update alert status on fetch integration parameter, which specify whether to update alert status to "pending" after it
have been fetched (only for alerts with "no-action" status).
Added Turn on "Incident Sharing" integration parameter, which allows users to share anonymized correlations from
playbooks with Recorded Future to improve intelligence quality.
Fixed an issue where the integration would repeatedly fetch the same alerts due to incorrectly setting the last fetch
time in last run dict.
Renamed "File Threshold. Minimum risk score from Recorded Future to consider the file malicious." integration parameter to File Threshold.
Renamed "CVE Threshold. Minimum risk score from Recorded Future to consider the CVE malicious." integration parameter to CVE Threshold.
Renamed "IP Threshold. Minimum risk score from RF to consider the IP malicious." integration parameter to IP Threshold.
Renamed "Domain Threshold. Minimum risk score from Recorded Future to consider the domain malicious." integration parameter to Domain Threshold.
Renamed "URL Threshold. Minimum risk score from Recorded Future to consider the URL malicious." integration parameter to URL Threshold.
Renamed "Vulnerability Threshold. Minimum risk score from Recorded Future to consider the vulnerability critical." integration parameter to Vulnerability Threshold.
Renamed "Rule names to fetch alerts by, separated by semicolon. If empty, all alerts will be fetched." integration parameter to Rule names to fetch alerts by.
Renamed "First fetch time ( , e.g., 12 hours, 7 days, 3 months, 1 year)." integration parameter to First fetch time.

Layouts

Recorded Future Incident
RecordedFutureLayout - deprecated. Use Recorded Future Incident instead.

Mappers

New: Recorded Future - Incoming Mapper

Added the Recorded Future - Incoming Mapper which maps incoming Recorded Future alert data to incident fields.

Playbooks

New: Recorded Future Entity Enrichment

Added the Recorded Future Entity Enrichment template playbook which incorporate Recorded Future enrichment for
IPs, Hashes, Domains, URLs into your current workflows. Playbook also shows how to look up available 'Links' data for
IOCs.

New: Recorded Future Sandbox

Added the Recorded Future Sandbox template Playbook which detonate files and URLs, retrieve the sandbox
report and enrich IOCs from malware report with Recorded Future data.

New: Recorded Future Leaked Credential Alert Handling

Added the Recorded Future Leaked Credential Alert Handling template playbook that shows suggested steps to
triage leaked credential alerts. Classifier/Mapper are available to ingest Recorded Future Leaked Credential Alerts.

New: Recorded Future Typosquat Alert Handling

Added the Recorded Future Typosquat Alert Handling template playbook that shows suggested steps to triage typo
squat alerts. Classifier/Mapper are available to ingest Recorded Future Typo squat Alerts.

New: Recorded Future Vulnerability Alert Handling

Added the Recorded Future Vulnerability Alert Handling template playbook that show suggested steps to triage new
critical vulnerability alerts. Playbook include New and Critical CVEs. Classifier/Mapper are available to ingest
Recorded Future New, Critical or Pre NVD Vulnerability Alerts.

Certification	Certified	Read more
Supported By	Partner
Created	September 23, 2020
Last Release	February 1, 2023

Recorded Future Intelligence

"Recorded Future Intelligence" Pack Documentation

Integration

Available Actions

Dashboards and indicators

Playbooks

Available Reputation sub-playbooks

Available Intelligence/Enrichment sub-playbooks

Threat assessment sub-playbooks for the following contexts

Available template playbooks

Incident Types

Classifier and Incoming Mapper

Available classifier and incoming mapper

Layouts

Dashboards

Recorded Future

Classifiers

New: Recorded Future - Classifier

Incident Fields

Incident Types

Integrations

Recorded Future v2

Layouts

Mappers

New: Recorded Future - Incoming Mapper

Playbooks

New: Recorded Future Entity Enrichment

New: Recorded Future Sandbox

New: Recorded Future Leaked Credential Alert Handling

New: Recorded Future Typosquat Alert Handling

New: Recorded Future Vulnerability Alert Handling

Integrations

Recorded Future v2

Integrations

Recorded Future v2

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER