Recorded Future
The Recorded Future connector provides seamless access to a vast repository of threat intelligence, enabling users to enrich and analyze security data for informed decision making.

Recorded Future delivers cutting-edge threat intelligence directly into Swimlane Turbine's low-code security automation platform. This connector enables users to perform detailed lookups and bulk enrichments of alerts, domains, IPs, hashes, URLs, and vulnerabilities, providing a comprehensive risk analysis. By integrating with Recorded Future, Swimlane Turbine users gain access to actionable intelligence that informs security decisions, enhances incident response, and automates alert management. The connector's capabilities facilitate efficient identification and mitigation of identity threats, allowing security teams to prioritize and respond to risks with precision and speed. Leverage the power of Recorded Future's intelligence within Swimlane Turbine to streamline your security operations and reduce response times.

## Prerequisites

To effectively utilize the Recorded Future connector with Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication
  - URL: The endpoint URL for the Recorded Future API.
  - API token: Your unique authentication token to access the Recorded Future API.

## Limitations

None to date.

## Supported versions

This connector uses the "Connect API" from Recorded Future. Actions use v2 unless otherwise noted.

## Additional docs

- https://api.recordedfuture.com/v2/
- https://github.com/recordedfuture/rfapi-python

## Configuration

### Authentication methods

API key authentication

- URL: The endpoint for the Recorded Future API.
- API token: Your unique authentication token to access the Recorded Future API.

## Capabilities

**Important:** Use Bulk IOC Enrichment when looking up multiple IOCs.

The Recorded Future connector has the following capabilities:

- Bulk IOC Enrichment
- Search Alert Rules
- Search Alert
- Search Alert Hits
- Search Alert by ID
- Search Update Alert
- Get Alert from an Alert Rule
- Search for an Alert from an Alert Rule
- Lookup Alert Notification
- Get Domain Risk List
- List Domain Risk Rules
- Get Hash Risk List
- List Hash Risk Rules
- Get IP Risk List
- List IP Risk Rules
- and so on

### Bulk IOC Enrichment

This endpoint is designed for high-volume lookups of entities. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/soar/soar_lookup_of_entities

### Search Alert Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert_rule_search

### Search Alert Hits

This action uses the v3 API. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert_notification_hits_lookup

### Search Alert by ID

This action uses the v3 API. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert_notification_lookup

### Search Update Alert

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert_notification_update

### Search Alert

**Note:** This action uses a deprecated API endpoint. It is recommended to use the v3 API endpoint for alert searches. Recorded Future's documentation for the deprecated action can be found at https://api.recordedfuture.com/v2/#!/alerts/search_alert_notifications and the v3 API documentation can be found at https://api.recordedfuture.com/v2/#!/alerts/triggered_alerts

### Get Alert from an Alert Rule

This action uses the v3 API. You can retrieve alerts associated with a specific alert rule by using the `alertrule` parameter. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert_notification_search

### Search for an Alert from an Alert Rule

This action uses the v3 API. You can search for alerts associated with a specific alert rule by specifying the `alertrule` parameter. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert_notification_search

### Lookup Alert Notification

**Note:** This action uses the v2 API endpoint. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/lookup_alert_notification

### Get Domain Risk List

You can download the domain risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/domain/domain_risk_lists

### List Domain Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/domain/domain_risk_rules

### Get Hash Risk List

You can download the hash risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/hash/hash_risk_lists

### List Hash Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/hash/hash_risk_rules

### Get IP Risk List

You can download the IP address risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/ip/ip_address_risk_lists

### List IP Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/ip/ip_address_risk_rules

### Lookup (URL, IP, Hash, and Domain Lookups)

These actions allow you to retrieve detailed intelligence on specific entities such as URLs, IP addresses, hashes, and domains. Recorded Future's documentation for these actions can be found at:

- Lookup URL: https://api.recordedfuture.com/v2/#!/url/lookup_url
- Lookup IP address: https://api.recordedfuture.com/v2/#!/ip/lookup_ip_address
- Lookup hash: https://api.recordedfuture.com/v2/#!/hash/lookup_hash
- Lookup domain: https://api.recordedfuture.com/v2/#!/domain/lookup_domain

### Get URL Risk List

You can download the URL risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/url/url_risk_lists

### List URL Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/url/url_risk_rules

### Lookup Vulnerability

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability_lookup

### Get Vulnerability Risk List

You can download the vulnerability risk list in various formats such as csv or splunk+cpe, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability_risk_lists

### List Vulnerability Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability_risk_rules

### Get Credentials Leaked

This action allows you to retrieve references related to exposed credentials for a company. You can filter the results by risk category, such as `exposedcredential`, to focus on leaked credentials. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/company/company_references

### Query IP Extensions

This action retrieves extended details for an IP address, including specified extensions, from Recorded Future. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/ip/ip_address_extension_lookup

## Configurations

### API key authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| apikey | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Alert Lookup

Retrieve detailed information for a specified alert in Recorded Future using its unique identifier.

- Endpoint URL: `v2/alert/{{id}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the Alert Lookup action |
| parameters.taggedtext | boolean | Optional | Parameters for the Alert Lookup action |

Input example:

```json
{"parameters": {"taggedtext": true}, "path_parameters": {"id": "lwjyiz"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.review | object | Response data |
| data.review.assignee | object | Response data |
| data.review.statusdate | object | Response data |
| data.review.statusinportal | string | Response data |
| data.review.status | string | Response data |
| data.review.notedate | object | Response data |
| data.review.statuschangeby | object | Response data |
| data.review.noteauthor | object | Response data |
| data.review.note | object | Response data |
| data.entities | array | Response data |
| data.entities.trend | object | Response data |
| data.entities.documents | array | Response data |
| data.entities.documents.file_name | string | Response data |
| data.entities.documents.file | string | Response data |
| data.entities.risk | object | Response data |
| data.entities.risk.criticalitylabel | string | Response data |
| data.entities.risk.score | object | Response data |
| data.entities.risk.documents | array | Response data |
| data.entities.risk.documents.source | object | Response data |
| data.entities.risk.documents.url | object | Response data |
| data.entities.risk.documents.references | array | Response data |
| data.entities.risk.documents.authors | array | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 16:35:06 GMT", "Content-Type": "application/json;charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node016hnx3pnie7pf1tvh7j74fpyza3994472.nod
```

### Bulk IOC Enrichment

Enrich multiple indicators of compromise at once with Recorded Future's extensive threat intelligence data for improved security analysis.

- Endpoint URL: `v2/soar/enrichment`
- Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | array | Optional | Parameter for Bulk IOC Enrichment |
| domain | array | Optional | Parameter for Bulk IOC Enrichment |
| url | array | Optional | URL endpoint for the request |
| hash | array | Optional | Parameter for Bulk IOC Enrichment |
| vulnerability | array | Optional | Parameter for Bulk IOC Enrichment |

Input example:

```json
{"json_body": {"ip": ["1.0.0.0"], "domain": ["www.swimlane.com"], "url": ["https://www.swimlane.com"], "hash": ["bdb237bf8c5de6b60ba1e2dcfe364fc24f583e568d1682f851a9d0f11a45c78d"], "vulnerability": ["zs4cbi"]}}
```

### Domain Lookup

Retrieve detailed threat intelligence for a specified domain from Recorded Future, with the domain as a required path parameter.

- Endpoint URL: `v2/domain/{{domain}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | Required | Parameters for the Domain Lookup action |
| parameters.fields | array | Optional | Parameters for the Domain Lookup action |
| parameters.metadata | boolean | Optional | Parameters for the Domain Lookup action |
| parameters.comment | string | Optional | Parameters for the Domain Lookup action |

Input example:

```json
{"parameters": {"fields": ["analystnotes", "counts", "enterpriselists", "entity", "intelcard", "links", "metrics", "relatedentities", "risk", "riskmapping", "sightings", "threatlists", "timestamps"], "metadata": true, "comment": "any comment"}, "path_parameters": {"domain": "www.swimlane.com"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.analystnotes | array | Response data |
| data.analystnotes.file_name | string | Response data |
| data.analystnotes.file | string | Response data |
| metadata | object | Response data |
| metadata.entries | array | Response data |
| metadata.entries.key | string | Response data |
| metadata.entries.label | string | Response data |
| metadata.entries.item | object | Response data |
| metadata.entries.item.entries | array | Response data |
| metadata.entries.item.entries.key | string | Response data |
| metadata.entries.item.entries.label | string | Response data |
| metadata.entries.item.entries.type | string | Response data |
| metadata.entries.item.entries.item | object | Response data |
| metadata.entries.item.entries.entries | array | Response data |
| metadata.entries.item.type | string | Response data |
| metadata.entries.type | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 15:20:06 GMT", "Content-Type": "application/json;charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node0fd5obnu48hcl16apr2ibzkyva3942193.node
```

### Get Domain Risk List

Retrieve a list of domain risks from Recorded Future to gain insights into potential threats associated with domains.

- Endpoint URL: `v2/domain/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.format | string | Optional | Parameters for the Get Domain Risk List action |
| parameters.gzip | boolean | Optional | Parameters for the Get Domain Risk List action |
| parameters.list | string | Optional | Parameters for the Get Domain Risk List action |

Input example:

```json
{"parameters": {"format": "csv/splunk", "gzip": true, "list": "actorinfrastructure"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| attachments | object | Output field attachments |

Output example:

```json
{"attachments": {}}
```

### Get Domain Risk Rules

Retrieve associated risk rules for domains from Recorded Future to gain insights into potential threats.

- Endpoint URL: `v2/domain/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.results | array | Response data |
| data.results.criticalitylabel | string | Response data |
| data.results.description | string | Response data |
| data.results.criticality | number | Response data |
| data.results.relatedentities | array | Response data |
| data.results.relatedentities.file_name | string | Response data |
| data.results.relatedentities.file | string | Response data |
| data.results.name | string | Response data |
| data.results.count | number | Response data |
| data.results.categories | array | Response data |
| data.results.categories.name | string | Response data |
| data.results.categories.framework | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 21:30:36 GMT", "Content-Type": "application/json;charset=utf-8", "Content-Length": "1929", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node017j68k3iqy4rm1f6fz8x1eq424168935.node0; pat
```

### Get Hash Risk List

Retrieve a list of hash risk assessments from Recorded Future for insights into potential security threats.

- Endpoint URL: `v2/hash/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.format | string | Optional | Parameters for the Get Hash Risk List action |
| parameters.gzip | boolean | Optional | Parameters for the Get Hash Risk List action |
| parameters.list | string | Optional | Parameters for the Get Hash Risk List action |

Input example:

```json
{"parameters": {"format": "csv/splunk", "gzip": true, "list": "large"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| attachments | object | Output field attachments |

Output example:

```json
{"attachments": {}}
```

### Get Hash Risk Rules

Retrieve risk rules for a specific hash from Recorded Future to assist in threat assessment and prioritization.

- Endpoint URL: `v2/hash/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.results | array | Response data |
| data.results.criticalitylabel | string | Response data |
| data.results.description | string | Response data |
| data.results.categories | array | Response data |
| data.results.categories.name | string | Response data |
| data.results.categories.framework | string | Response data |
| data.results.criticality | number | Response data |
| data.results.relatedentities | array | Response data |
| data.results.relatedentities.file_name | string | Response data |
| data.results.relatedentities.file | string | Response data |
| data.results.name | string | Response data |
| data.results.count | number | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 21:18:14 GMT", "Content-Type": "application/json;charset=utf-8", "Content-Length": "827", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node01snqb93wfqqnebjs4mrvs63ig4157334.node0; path
```

### Get Identities | Lookup Subjects

Retrieve identities associated with subjects in Recorded Future using the provided JSON body.

- Endpoint URL: `identity/credentials/lookup`
- Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| subjects | array | Optional | Parameter for Get Identities Lookup Subjects |
| subjects_sha1 | array | Optional | Parameter for Get Identities Lookup Subjects |
| subjects_login | array | Optional | Parameter for Get Identities Lookup Subjects |
| subjects_login.login | string | Optional | Parameter for Get Identities Lookup Subjects |
| subjects_login.login_sha1 | string | Optional | Parameter for Get Identities Lookup Subjects |
| subjects_login.domain | string | Optional | Parameter for Get Identities Lookup Subjects |
| filter | object | Optional | Parameter for Get Identities Lookup Subjects |
| filter.first_downloaded_gte | string | Optional | Parameter for Get Identities Lookup Subjects |
| filter.latest_downloaded_gte | string | Optional | Parameter for Get Identities Lookup Subjects |
| filter.exfiltration_date_gte | string | Optional | Parameter for Get Identities Lookup Subjects |
| filter.properties | array | Optional | Parameter for Get Identities Lookup Subjects |
| filter.breach_properties | object | Optional | Parameter for Get Identities Lookup Subjects |
| filter.breach_properties.name | string | Optional | Name of the resource |
| filter.breach_properties.date | string | Optional | Date value |
| filter.dump_properties | object | Optional | Parameter for Get Identities Lookup Subjects |
| filter.dump_properties.name | string | Optional | Name of the resource |
| filter.dump_properties.date | string | Optional | Date value |
| filter.username_properties | array | Optional | Name of the resource |
| filter.authorization_technologies | array | Optional | Parameter for Get Identities Lookup Subjects |
| filter.authorization_protocols | array | Optional | Parameter for Get Identities Lookup Subjects |

Input example:

```json
{"json_body": {"subjects": ["alex payte@recordedfuture.com"], "subjects_sha1": ["string"], "subjects_login": [{"login": "string", "login_sha1": "string", "domain": "string"}], "filter": {"first_downloaded_gte": "2022-12-05T22:00:58.463Z", "latest_downloaded_gte": "2022-12-05T22:00:58.463Z", "exfiltration_date_gte": "2022-12-05T22:00:58.463Z", "properties": ["letter"], "breach_properties": {"name": "string", "date": "2022-12-05T22:00:58.463Z"}, "dump_properties": {"name": "string", "date": "2022-12-05T22:00:58.463Z"}, "username_properties": ["email"], "authorization_technologies": ["string"], "authorization_protocols": ["string"]}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| identities | array | Unique identifier |
| identities.identity | object | Unique identifier |
| identities.identity.subjects | array | Unique identifier |
| identities.count | number | Unique identifier |
| identities.credentials | array | Unique identifier |
| identities.credentials.subject | string | Unique identifier |
| identities.credentials.dumps | array | Unique identifier |
| identities.credentials.dumps.name | string | Unique identifier |
| identities.credentials.dumps.description | string | Unique identifier |
| identities.credentials.dumps.downloaded | string | Unique identifier |
| identities.credentials.dumps.type | string | Unique identifier |
| identities.credentials.dumps.breaches | array | Unique identifier |
| identities.credentials.dumps.breaches.name | string | Unique identifier |
| identities.credentials.dumps.breaches.domain | string | Unique identifier |
| identities.credentials.dumps.breaches.type | string | Unique identifier |
| identities.credentials.dumps.breaches.breached | string | Unique identifier |
| identities.credentials.dumps.breaches.start | string | Unique identifier |
| identities.credentials.dumps.breaches.stop | string | Unique identifier |
| identities.credentials.dumps.breaches.precision | string | Unique identifier |
| identities.credentials.dumps.breaches.description | string | Unique identifier |
| identities.credentials.dumps.breaches.site_description | string | Unique identifier |
| identities.credentials.dumps.infrastructure | object | Unique identifier |
| identities.credentials.dumps.infrastructure.ip | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 22:12:05 GMT", "Content-Type": "application/json", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "CF-Cache-Status": "DYNAMIC", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Server": "cloudflare", "CF-Ray": "77501f0adb016b1a-GRU", "Content-Encoding": "gzip"}, "reason": "OK", "json_body": {"identities": [{}], "count": 1}}
```

### Get Identities | Search Domains

Retrieve identity information for specified domains from Recorded Future using a JSON body input.

- Endpoint URL: `identity/credentials/search`
- Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| domains | array | Optional | Parameter for Get Identities Search Domains |
| domain_types | array | Optional | Type of the resource |
| filter | object | Optional | Parameter for Get Identities Search Domains |
| filter.first_downloaded_gte | string | Optional | Parameter for Get Identities Search Domains |
| filter.latest_downloaded_gte | string | Optional | Parameter for Get Identities Search Domains |
| filter.exfiltration_date_gte | string | Optional | Parameter for Get Identities Search Domains |
| filter.properties | array | Optional | Parameter for Get Identities Search Domains |
| filter.breach_properties | object | Optional | Parameter for Get Identities Search Domains |
| filter.breach_properties.name | string | Optional | Name of the resource |
| filter.breach_properties.date | string | Optional | Date value |
| filter.dump_properties | object | Optional | Parameter for Get Identities Search Domains |
| filter.dump_properties.name | string | Optional | Name of the resource |
| filter.dump_properties.date | string | Optional | Date value |
| filter.username_properties | array | Optional | Name of the resource |
| filter.authorization_technologies | array | Optional | Parameter for Get Identities Search Domains |
| filter.authorization_protocols | array | Optional | Parameter for Get Identities Search Domains |
| offset | string | Optional | Parameter for Get Identities Search Domains |
| limit | number | Optional | Parameter for Get Identities Search Domains |

Input example:

```json
{"json_body": {"domains": ["string"], "domain_types": ["authorization"], "filter": {"first_downloaded_gte": "2022-12-05T22:20:25.745Z", "latest_downloaded_gte": "2022-12-05T22:20:25.745Z", "exfiltration_date_gte": "2022-12-05T22:20:25.745Z", "properties": ["letter"], "breach_properties": {"name": "string", "date": "2022-12-05T22:20:25.745Z"}, "dump_properties": {"name": "string", "date": "2022-12-05T22:20:25.745Z"}, "username_properties": ["email"], "authorization_technologies": ["string"], "authorization_protocols": ["string"]}, "offset": "string", "limit": 0}}
```

### Get IP Risk List

Retrieve a list of IP addresses with associated risk scores from Recorded Future for enhanced threat analysis.

- Endpoint URL: `v2/ip/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.format | string | Optional | Parameters for the Get IP Risk List action |
| parameters.gzip | boolean | Optional | Parameters for the Get IP Risk List action |
| parameters.list | string | Optional | Parameters for the Get IP Risk List action |

Input example:

```json
{"parameters": {"format": "csv/splunk", "gzip": true, "list": "actorinfrastructure"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| attachments | object | Output field attachments |

Output example:

```json
{"attachments": {}}
```

### Get URL Risk List

Retrieve and analyze a list of URLs with risk scores from Recorded Future for enhanced threat prioritization.

- Endpoint URL: `v2/url/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.format | string | Optional | Parameters for the Get URL Risk List action |
| parameters.gzip | boolean | Optional | Parameters for the Get URL Risk List action |
| parameters.list | string | Optional | Parameters for the Get URL Risk List action |

Input example:

```json
{"parameters": {"format": "csv/splunk", "gzip": true, "list": "actorinfrastructure"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| attachments | object | Output field attachments |

Output example:

```json
{"attachments": {}}
```

### Get URL Risk Rules

Retrieve the list of risk rules applied to URLs from Recorded Future for enhanced threat analysis and informed decision making.

- Endpoint URL: `v2/url/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.results | array | Response data |
| data.results.criticalitylabel | string | Response data |
| data.results.description | string | Response data |
| data.results.criticality | number | Response data |
| data.results.relatedentities | array | Response data |
| data.results.relatedentities.file_name | string | Response data |
| data.results.relatedentities.file | string | Response data |
| data.results.name | string | Response data |
| data.results.count | number | Response data |
| data.results.categories | array | Response data |
| data.results.categories.name | string | Response data |
| data.results.categories.framework | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 18:55:05 GMT", "Content-Type": "application/json;charset=utf-8", "Content-Length": "1115", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node01ntljhka8cig2g8w9rk2sb7gn4079571.node0; pat
```

### Get Vulnerability Risk List

Retrieve and prioritize a list of vulnerabilities with risk scores from Recorded Future.

- Endpoint URL: `v2/vulnerability/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.format | string | Optional | Parameters for the Get Vulnerability Risk List action |
| parameters.gzip | boolean | Optional | Parameters for the Get Vulnerability Risk List action |
| parameters.list | string | Optional | Parameters for the Get Vulnerability Risk List action |

Input example:

```json
{"parameters": {"format": "csv/splunk", "gzip": true, "list": "actorinfrastructure"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| attachments | object | Output field attachments |

Output example:

```json
{"attachments": {}}
```

### Get Vulnerability Risk Rules

Retrieve a list of vulnerability risk rules from Recorded Future for enhanced security insights.

- Endpoint URL: `v2/vulnerability/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.results | array | Response data |
| data.results.criticalitylabel | string | Response data |
| data.results.description | string | Response data |
| data.results.categories | array | Response data |
| data.results.categories.name | string | Response data |
| data.results.categories.framework | string | Response data |
| data.results.criticality | number | Response data |
| data.results.relatedentities | array | Response data |
| data.results.relatedentities.file_name | string | Response data |
| data.results.relatedentities.file | string | Response data |
| data.results.name | string | Response data |
| data.results.count | number | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 21:39:33 GMT", "Content-Type": "application/json;charset=utf-8", "Content-Length": "1326", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node0bno2qyhegmod18z4qv5haifgh4167508.node0; pat
```

### Hash Lookup

Retrieve threat intelligence data for a specified hash from Recorded Future, utilizing path parameters.

- Endpoint URL: `v2/hash/{{hash}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.hash | string | Required | Parameters for the Hash Lookup action |
| parameters.fields | array | Optional | Parameters for the Hash Lookup action |
| parameters.metadata | boolean | Optional | Parameters for the Hash Lookup action |
| parameters.comment | string | Optional | Parameters for the Hash Lookup action |

Input example:

```json
{"parameters": {"fields": ["analystnotes", "counts", "enterpriselists", "entity", "filehashes", "hashalgorithm", "intelcard", "links", "metrics", "relatedentities", "risk", "riskmapping", "sightings", "threatlists", "timestamps"], "metadata": true, "comment": "any comment"}, "path_parameters": {"hash": "bdb237bf8c5de6b60ba1e2dcfe364fc24f583e568d1682f851a9d0f11a45c78d"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.analystnotes | array | Response data |
| data.analystnotes.file_name | string | Response data |
| data.analystnotes.file | string | Response data |
| metadata | object | Response data |
| metadata.entries | array | Response data |
| metadata.entries.key | string | Response data |
| metadata.entries.label | string | Response data |
| metadata.entries.item | object | Response data |
| metadata.entries.item.entries | array | Response data |
| metadata.entries.item.entries.key | string | Response data |
| metadata.entries.item.entries.label | string | Response data |
| metadata.entries.item.entries.type | string | Response data |
| metadata.entries.item.entries.item | object | Response data |
| metadata.entries.item.entries.entries | array | Response data |
| metadata.entries.item.type | string | Response data |
| metadata.entries.type | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 14:49:27 GMT", "Content-Type": "application/json;charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node0zue821pxtbpm8k8iaalxgk8p3925540.node0
```

### IP Lookup

Retrieve comprehensive threat intelligence on an IP address from Recorded Future, including risk scores and related entities.

- Endpoint URL: `v2/ip/{{ip}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | Required | Parameters for the IP Lookup action |
| parameters.fields | string | Optional | Parameters for the IP Lookup action |
| parameters.metadata | boolean | Optional | Parameters for the IP Lookup action |
| parameters.comment | string | Optional | Parameters for the IP Lookup action |

Input example:

```json
{"parameters": {"fields": "analystnotes,counts,enterpriselists,entity,intelcard,links,location,metrics,relatedentities,risk,riskmapping,riskycidrips,sightings,threatlists,timestamps", "metadata": true, "comment": "any comment"}, "path_parameters": {"ip": "1.0.0.0"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.analystnotes | array | Response data |
| data.analystnotes.file_name | string | Response data |
| data.analystnotes.file | string | Response data |
| metadata | object | Response data |
| metadata.entries | array | Response data |
| metadata.entries.key | string | Response data |
| metadata.entries.label | string | Response data |
| metadata.entries.item | object | Response data |
| metadata.entries.item.entries | array | Response data |
| metadata.entries.item.entries.key | string | Response data |
| metadata.entries.item.entries.label | string | Response data |
| metadata.entries.item.entries.type | string | Response data |
| metadata.entries.item.entries.item | object | Response data |
| metadata.entries.item.entries.entries | array | Response data |
| metadata.entries.item.type | string | Response data |
| metadata.entries.type | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 14:04:25 GMT", "Content-Type": "application/json;charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node09l9ww6ixtnia1ma9kvawcg4hh3649789.node
```

### List IP Risk Rules

Retrieve a list of IP risk rules from Recorded Future for insights into threats associated with IP addresses.

- Endpoint URL: `v2/ip/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.results | array | Response data |
| data.results.criticalitylabel | string | Response data |
| data.results.description | string | Response data |
| data.results.categories | array | Response data |
| data.results.categories.name | string | Response data |
| data.results.categories.framework | string | Response data |
| data.results.criticality | number | Response data |
| data.results.relatedentities | array | Response data |
| data.results.relatedentities.file_name | string | Response data |
| data.results.relatedentities.file | string | Response data |
| data.results.name | string | Response data |
| data.results.count | number | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 18:36:15 GMT", "Content-Type": "application/json;charset=utf-8", "Content-Length": "1973", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node0hz75vvep08gxas7aete7u6s4071112.node0; path=
```

### Lookup Vulnerability

Retrieve detailed information on a specific vulnerability from Recorded Future using its unique identifier.

- Endpoint URL: `v2/vulnerability/{{id}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the Lookup Vulnerability action |
| parameters.fields | array | Optional | Parameters for the Lookup Vulnerability action |
| parameters.metadata | boolean | Optional | Parameters for the Lookup Vulnerability action |
| parameters.comment | string | Optional | Parameters for the Lookup Vulnerability action |

Input example:

```json
{"parameters": {"fields": ["analystnotes", "commonnames", "counts", "cpe", "cpe22uri", "cvss", "cvssv3", "enterpriselists", "entity", "intelcard", "links", "metrics", "nvddescription", "rawrisk", "relatedentities", "relatedlinks", "risk", "riskmapping", "sightings", "threatlists", "timestamps"], "metadata": true, "comment": "a comment"}, "path_parameters": {"id": "zs4cbi"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.analystnotes | array | Response data |
| data.analystnotes.attributes | object | Response data |
| data.analystnotes.attributes.validated_on | string | Response data |
| data.analystnotes.attributes.published | string | Response data |
| data.analystnotes.attributes.text | string | Response data |
| data.analystnotes.attributes.topic | object | Response data |
| data.analystnotes.attributes.topic.id | string | Response data |
| data.analystnotes.attributes.topic.name | string | Response data |
| data.analystnotes.attributes.topic.type | string | Response data |
| data.analystnotes.attributes.topic.description | string | Response data |
| data.analystnotes.attributes.context_entities | array | Response data |
| data.analystnotes.attributes.context_entities.id | string | Response data |
| data.analystnotes.attributes.context_entities.name | string | Response data |
| data.analystnotes.attributes.context_entities.type | string | Response data |
| data.analystnotes.attributes.validation_urls | array | Response data |
| data.analystnotes.attributes.validation_urls.id | string | Response data |
| data.analystnotes.attributes.validation_urls.name | string | Response data |
| data.analystnotes.attributes.validation_urls.type | string | Response data |
| data.analystnotes.attributes.title | string | Response data |
| data.analystnotes.attributes.note_entities | array | Response data |
| data.analystnotes.attributes.note_entities.id | string | Response data |
| data.analystnotes.attributes.note_entities.name | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Date": "Mon, 05 Dec 2022 21:56:02 GMT", "Content-Type": "application/json;charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Cache-Control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT", "Pragma": "no-cache", "X-Content-Type-Options": "nosniff", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "Set-Cookie": "jsessionid=node01knaoe0qzo9fivc0e4y5j2rbr4183315.node
```

### Malware Lookup

Retrieve detailed malware information from Recorded Future using a unique malware identifier.

- Endpoint URL: `v2/malware/{{id}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Parameters for the Malware Lookup action |
| parameters.fields | array | Optional | Parameters for the Malware Lookup action |
| parameters.metadata | boolean | Optional | Parameters for the Malware Lookup action |
| parameters.comment | string | Optional | Parameters for the Malware Lookup action |

Input example (truncated in the source):

```
{"parameters": {"fields": ["analystnotes", "categories", "counts", "entity", "intelcard", "links", "metrics", "relatedentities", "sightings", "timestamps"], "metadata": true, "comment": "any comment"}, "path
```
parameters" {"id" "some id"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data analystnotes array response data data analystnotes file name string response data data analystnotes file string response data metadata object response data metadata entries array response data metadata entries key string response data metadata entries label string response data metadata entries item object response data metadata entries item entries array response data metadata entries item entries key string response data metadata entries item entries label string response data metadata entries item entries type string response data metadata entries item entries item object response data metadata entries item entries entries array response data metadata entries item type string response data metadata entries type string response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 16 58 04 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node044kroehlurc4ek4pefoxgz2h4004105 node0 query ip extensions retrieve extended details and specific extensions for an ip address from recorded future using path parameters endpoint url /v2/ip/{{ip}}/extension/{{extension}} method get input argument name type required description parameters metadata boolean optional include metadata path parameters ip string required the ip address to lookup must be a single ip address path parameters extension string required extension to call input example {"parameters" {"metadata"\ true},"path parameters" {"ip" "10 0 0 8","extension" "carbonblack"}} 
Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

{"status_code":200,"response_headers":{},"reason":"OK","json_body":{}}

Search

Executes a search for Recorded Future alerts using specified filters and returns matching results.

Endpoint URL: v2/alert/search
Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters triggered | string | Optional | Parameters for the search action |
| parameters assignee | string | Optional | Parameters for the search action |
| parameters freetext | string | Optional | Parameters for the search action |
| parameters limit | number | Optional | Parameters for the search action |
| parameters status | string | Optional | Parameters for the search action |
| parameters alertrule | string | Optional | Parameters for the search action |
| parameters taggedtext | boolean | Optional | Parameters for the search action |
| parameters from | number | Optional | Parameters for the search action |
| parameters direction | string | Optional | Parameters for the search action |
| parameters orderby | string | Optional | Parameters for the search action |

Input example

{"parameters":{"triggered":"2022 01 20t0","assignee":"none","freetext":"a","limit":10,"status":"no action","alertrule":"iapilc","taggedtext":true,"from":0,"direction":"asc","orderby":"triggered"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data results | array | Response data |
| data results review | object | Response data |
| data results review\ assignee | object | Response data |
| data results review\ statusdate | object | Response data |
| data results review\ statusinportal | string | Response data |
| data results review\ status | string | Response data |
| data results review\ notedate | object | Response data |
| data results review\ statuschangeby | object | Response data |
| data results review\ noteauthor | object | Response data |
| data results review\ note | object | Response data |
| data results url | string | Response data |
| data results rule | object | Response data |
| data results rule name | string | Response data |
| data results rule url | string | Response data |
| data results rule owner id | string | Response data |
| data results rule owner name | string | Response data |
| data results rule id | string | Response data |
| data results rule organisation name | string | Response data |
| data results rule organisation id | string | Response data |
| data results triggered | string | Response data |
| data results id | string | Response data |
| data results title | string | Response data |

Output example

{"status_code":200,"response_headers":{"Date":"Mon, 05 Dec 2022 14:10:44 GMT","Content-Type":"application/json;charset=utf-8","Transfer-Encoding":"chunked","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Set-Cookie":"jsessionid=node0ycr5u0bob499jeiki407m61f3902973 node0

Search alert by ID

Retrieve details for a specific alert in Recorded Future using the unique identifier provided.

Endpoint URL: /v3/alerts/{{id}}
Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters id | string | Required | Alert ID |
| parameters fields | string | Optional | Fields to include: ai insights, hits, id, log, owner organisation details, review, rule, title, type, url |
| parameters taggedtext | boolean | Optional | Parameters for the search alert by ID action |

Input example

{"parameters":{"fields":"hits","taggedtext":false},"path_parameters":{"id":"lwjyiz"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data hits | array | Response data |
| data hits entities | array | Response data |
| data hits entities id | string | Response data |
| data hits entities name | string | Response data |
| data hits entities type | string | Response data |
| data hits document | object | Response data |
| data hits document source | object | Response data |
| data hits document source id | string | Response data |
| data hits document source name | string | Response data |
| data hits document source type | string | Response data |
| data hits document title | string | Response data |
| data hits document url | object | Response data |
| data hits document authors | array | Response data |
| data hits document authors file name | string | Response data |
| data hits document authors file | string | Response data |
| data hits fragment | string | Response data |
| data hits id | string | Response data |
| data hits language | string | Response data |
| data hits primary entity | object | Response data |
| data hits primary entity id | string | Response data |
| data hits primary entity name | string | Response data |
| data hits primary entity type | string | Response data |

Output example

{"status_code":200,"response_headers":{"Date":"Thu, 01 Feb 2024 09:11:22 GMT","Content-Type":"application/json;charset=utf-8","Transfer-Encoding":"chunked","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self' data:; img-src 'self'

Search alert rules

Retrieve a list of alert rules from Recorded Future based on specified criteria, enabling targeted security responses.

Endpoint URL: /v2/alert/rule
Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters freetext | string | Optional | Parameters for the search alert rules action |
| parameters limit | number | Optional | Parameters for the search alert rules action |
| parameters taggedtext | boolean | Optional | Parameters for the search alert rules action |

Input example

{"parameters":{"freetext":"","limit":10,"taggedtext":true}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data results | array | Response data |
| data results intelligence goals | array | Response data |
| data results intelligence goals file name | string | Response data |
| data results intelligence goals file | string | Response data |
| data results priority | boolean | Response data |
| data results tags | array | Response data |
| data results tags file name | string | Response data |
| data results tags file | string | Response data |
| data results use case id | object | Response data |
| data results id | string | Response data |
| data results owner | object | Response data |
| data results owner name | string | Response data |
| data results owner id | string | Response data |
| data results title | string | Response data |
| data results created | string | Response data |
| data results notification settings | object | Response data |
| data results notification settings email subscribers | array | Response data |
| data results notification settings email subscribers file name | string | Response data |
| data results notification settings email subscribers file | string | Response data |
| data results notification settings mobile subscribers | array | Response data |
| data results notification settings mobile subscribers file name | string | Response data |
| data results notification settings mobile subscribers file | string | Response data |

Output example

{"status_code":200,"response_headers":{"Date":"Mon, 05 Dec 2022 17:03:37 GMT","Content-Type":"application/json;charset=utf-8","Transfer-Encoding":"chunked","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Set-Cookie":"jsessionid=node017juks5vmnh5k1rk5152a1k3et4022289 nod

Search alerts

Retrieve triggered alerts from Recorded Future using specified criteria to streamline threat analysis.

Endpoint URL: /v3/alerts/
Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters triggered | string | Optional | Filter on triggered timestamp, using time queries and ranges |
| parameters assignee | string | Optional | Assignee email, or 'none' to match notifications without an assignee |
| parameters statusinportal | string | Optional | Filter on status (as used in the portal) |
| parameters alertrule | string | Optional | Filter on alert rule ID |
| parameters freetext | string | Optional | Freetext search |
| parameters limit | number | Optional | Maximum number of references from which notes are fetched, at most 1000 |
| parameters from | number | Optional | Offset from first result. The API may only return the first 1000 results, meaning limit + from cannot exceed 1000 |
| parameters taggedtext | boolean | Optional | Enables tags in text fragments |
| parameters orderby | string | Optional | Sort order |
| parameters direction | string | Optional | Sort direction |
| parameters fields | string | Optional | Fields to include: ai insights, hits, id, log, owner organisation details, review, rule, title, type, url |

Input example

{"parameters":{"triggered":"2024-01-31T20:36:31.757Z","assignee":"new","statusinportal":"new","alertrule":"string","freetext":"string","limit":10,"from":1,"taggedtext":false,"orderby":"triggered","direction":"asc","fields":"hits"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data file name | string | Response data |
| data file | string | Response data |
| counts | object | Output field counts |
| counts returned | number | Output field counts returned |
| counts total | number | Output field counts total |

Output example

{"status_code":200,"response_headers":{"Date":"Thu, 01 Feb 2024 08:57:04 GMT","Content-Type":"application/json;charset=utf-8","Transfer-Encoding":"chunked","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self' data:; img-src 'self'

Search alerts hits

Retrieve Intelligence Cloud data hits from Recorded Future that triggered alerts, filtered by specific alert IDs.

Endpoint URL: /v3/alerts/hits
Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters ids | string | Required | Alert IDs separated by comma |
| parameters taggedtext | boolean | Optional | Parameters for the search alerts hits action |

Input example

{"parameters":{"ids":"report:hjefxu","taggedtext":false}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data document | object | Response data |
| data document source | object | Response data |
| data document source id | string | Response data |
| data document source name | string | Response data |
| data document source type | string | Response data |
| data document title | string | Response data |
| data document url | object | Response data |
| data document authors | array | Response data |
| data document authors file name | string | Response data |
| data document authors file | string | Response data |
| data fragment | string | Response data |
| data id | string | Response data |
| data language | string | Response data |
| data index | number | Response data |
| data entities | array | Response data |
| data entities id | string | Response data |
| data entities name | string | Response data |
| data entities type | string | Response data |
| data alert id | string | Response data |
| data primary entity | object | Response data |
| data primary entity id | string | Response data |
| data primary entity name | string | Response data |

Output example

{"status_code":200,"response_headers":{"Date":"Thu, 01 Feb 2024 09:04:01 GMT","Content-Type":"application/json;charset=utf-8","Transfer-Encoding":"chunked","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self' data:; img-src 'self'

Search update alert

Updates assignee, status, and notes for Recorded Future alerts based on a provided JSON body.

Endpoint URL: /v2/alert/update
Method: POST

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | array | Whether the operation was successful |
| success id | string | Unique identifier |
| success status | string | Status value |
| success statusinportal | string | Status value |
| error | array | Error message if any |
| error file name | string | Name of the resource |
| error file | string | Error message if any |

Output example

{"status_code":200,"response_headers":{"Date":"Thu, 01 Feb 2024 11:24:41 GMT","Content-Type":"application/json;charset=utf-8","Content-Length":"93","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Content-Security-Policy":"default-src 'self' data:; img-src 'self' https

URL lookup

Performs a URL lookup in Recorded Future to provide threat intelligence data for the specified URL.

Endpoint URL: v2/url/{{url}}
Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters url | string | Required | Parameters for the URL lookup action |
| parameters fields | array | Optional | Parameters for the URL lookup action |
| parameters metadata | boolean | Optional | Parameters for the URL lookup action |
| parameters comment | string | Optional | Parameters for the URL lookup action |

Input example

{"parameters":{"fields":["analystnotes","counts","enterpriselists","entity","links","metrics","relatedentities","risk","riskmapping","sightings","timestamps"],"metadata":true,"comment":"any comment"},"path_parameters":{"url":"http://www.swimlane.com"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data analystnotes | array | Response data |
| data analystnotes file name | string | Response data |
| data analystnotes file | string | Response data |
| metadata | object | Response data |
| metadata entries | array | Response data |
| metadata entries key | string | Response data |
| metadata entries label | string | Response data |
| metadata entries item | object | Response data |
| metadata entries item entries | array | Response data |
| metadata entries item entries key | string | Response data |
| metadata entries item entries label | string | Response data |
| metadata entries item entries type | string | Response data |
| metadata entries item entries item | object | Response data |
| metadata entries item entries entries | array | Response data |
| metadata entries item type | string | Response data |
| metadata entries type | string | Response data |

Output example

{"status_code":200,"response_headers":{"Date":"Mon, 05 Dec 2022 15:13:36 GMT","Content-Type":"application/json;charset=utf-8","Transfer-Encoding":"chunked","Connection":"keep-alive","Cache-Control":"no-cache, no-store, private, must-revalidate, max-age=0, no-transform","Expires":"Thu, 01 Jan 1970 00:00:00 GMT","Pragma":"no-cache","X-Content-Type-Options":"nosniff","Strict-Transport-Security":"max-age=31536000; includeSubDomains","Set-Cookie":"jsessionid=node018jn9idiwhfc2qk90vm793phq3945028 node

Response headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, private, must-revalidate, max-age=0, no-transform |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 774e316b5bdd603c-GRU |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 1115 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self' data:; img-src 'self' https: data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com; worker-src blob:; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Mon, 05 Dec 2022 15:20:06 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 01 Jan 1970 00:00:00 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | cloudflare |
| Set-Cookie | HTTP response header Set-Cookie | jsessionid=node017j68k3iqy4rm1f6fz8x1eq424168935 node0; path=/rfq; secure; httponly |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
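The Search alerts action (/v3/alerts/) caps limit at 1000 and requires limit + from to stay within 1000, so a busy rule set can have alerts that paging never reaches. The following is an added example, not part of the connector or of Recorded Future's code: it pages within that window, uses counts total to report how many alerts were left unfetched, and joins alert IDs by comma for Search alerts hits. `fetch_page`, `make_fake_fetch`, the response dict shape (`data`, `counts`) and the batch size are assumptions, and the sample alerts are constructed.

```python
"""Page through 'search alerts' results while keeping limit + from <= 1000."""
from typing import Callable, Dict, List, Tuple

MAX_WINDOW = 1000  # documented cap: limit + from cannot exceed 1000


def plan_pages(page_size: int, window: int = MAX_WINDOW) -> List[Tuple[int, int]]:
    """Return (from, limit) pairs covering the window; the last page is shrunk to fit."""
    if not 1 <= page_size <= window:
        raise ValueError(f"page_size must be between 1 and {window}")
    pages, offset = [], 0
    while offset < window:
        limit = min(page_size, window - offset)
        pages.append((offset, limit))
        offset += limit
    return pages


def collect_alerts(fetch_page: Callable[[Dict], Dict], params: Dict,
                   page_size: int = 100) -> Dict:
    """Fetch every reachable alert and report how many the API could not return.

    fetch_page is a hypothetical callable wrapping the action; it is assumed to
    return a dict with 'data' (list) and 'counts' ({'returned', 'total'}).
    """
    alerts: List[Dict] = []
    total = 0
    for offset, limit in plan_pages(page_size):
        body = fetch_page({**params, "from": offset, "limit": limit})
        page = body.get("data", [])
        counts = body.get("counts", {})
        alerts.extend(page)
        total = int(counts.get("total", len(alerts)))
        # A short page or a complete result set means there is nothing more to ask for.
        if counts.get("returned", len(page)) < limit or len(alerts) >= total:
            break
    # unreachable > 0: narrow the filters (for example the triggered range) and re-run.
    return {"alerts": alerts, "total": total,
            "unreachable": max(0, total - len(alerts))}


def hit_id_batches(alerts: List[Dict], batch_size: int = 50) -> List[str]:
    """Build comma-separated 'ids' values for the search alerts hits action."""
    ids = [a["id"] for a in alerts]
    return [",".join(ids[i:i + batch_size]) for i in range(0, len(ids), batch_size)]


def make_fake_fetch(total: int) -> Callable[[Dict], Dict]:
    """Constructed stand-in for the action: serves fake alerts and enforces the cap."""
    calls: List[Tuple[int, int]] = []

    def fetch(params: Dict) -> Dict:
        start, limit = params["from"], params["limit"]
        if start + limit > MAX_WINDOW:
            raise ValueError("limit + from exceeds 1000")
        calls.append((start, limit))
        page = [{"id": f"sample-{i:04d}"}
                for i in range(start, min(start + limit, total))]
        return {"data": page, "counts": {"returned": len(page), "total": total}}

    fetch.calls = calls  # recorded so a caller can inspect the requests made
    return fetch


if __name__ == "__main__":
    result = collect_alerts(make_fake_fetch(1234), {"statusinportal": "new"}, 300)
    print(len(result["alerts"]), "fetched;", result["unreachable"], "unreachable")
```
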