Recorded Future
The Recorded Future connector provides seamless access to comprehensive threat intelligence, enabling users to enrich their security data and automate responses to emerging threats.

Recorded Future delivers cutting-edge threat intelligence to identify risks and threats across the digital landscape. This connector enables Swimlane Turbine users to integrate real-time intelligence on indicators of compromise (IOCs), vulnerabilities, and identity exposures directly into their security workflows. By leveraging Recorded Future's comprehensive intelligence, users can enhance their threat detection, automate risk assessments, and expedite incident response, ensuring a proactive security posture within their organization.

Prerequisites

Before integrating the Recorded Future connector with Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication with the following parameters:
  - URL: the endpoint URL for Recorded Future's API
  - API token: a valid API token from Recorded Future to authenticate requests

Limitations

None to date.

Supported versions

This connector uses the "Connect API" from Recorded Future. Actions use v2 unless otherwise noted.

Additional docs

- https://api.recordedfuture.com/v2/
- https://github.com/recordedfuture/rfapi-python

Configuration

Authentication methods

API key authentication:
- URL: the endpoint for the Recorded Future API
- API token: your unique authentication token to access the Recorded Future API

Capabilities

Important: use Bulk IOC Enrichment when looking up multiple IOCs.

The Recorded Future connector has the following capabilities:

- Bulk IOC Enrichment
- Search Alert Rules
- Search Alert
- Search Alert Hits
- Search Alert by ID
- Search Update Alert
- Get Alert from an Alert Rule
- Search for an Alert from an Alert Rule
- Lookup Alert Notification
- Get Domain Risk List
- List Domain Risk Rules
- Get Hash Risk List
- List Hash Risk Rules
- Get IP Risk List
- List IP Risk Rules
- and so on

Bulk IOC Enrichment

This endpoint is designed for high-volume lookups of entities.
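As an added example (not part of the connector or of Recorded Future's code), the sketch below shows one way to prepare input for Bulk IOC Enrichment: it refangs and de-duplicates a mixed indicator list, sorts it into the ip, domain, url, hash and vulnerability arrays that the action's request body accepts, and splits the result into batches. The per-request cap, the routing of CVE-style IDs to the vulnerability array, and every sample value are assumptions or constructed for illustration.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Hex digest lengths for MD5, SHA-1, SHA-256 and SHA-512.
HASH_LENGTHS = {32, 40, 64, 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: CVE-style identifiers are sent in the "vulnerability" array.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def refang(value):
    """Undo common defanging (hxxp, [.], (.), [:]) so the value can be parsed."""
    v = value.strip()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def classify(value):
    """Return (body_key, normalized_value), or (None, value) if unrecognized."""
    v = refang(value)
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if CVE_RE.match(v):
        return "vulnerability", v.upper()
    if len(v) in HASH_LENGTHS and HEX_RE.match(v):
        return "hash", v.lower()
    try:
        parts = urlsplit(v)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url", v
    except ValueError:
        pass  # malformed URL, fall through to the domain check
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return None, value


def build_bulk_bodies(indicators, max_per_request):
    """Build request bodies for the bulk enrichment action.

    max_per_request is an assumed cap on entities per request; the page does
    not state a limit, so set it from your own API documentation.
    Returns (bodies, rejected), where rejected holds the unrecognized inputs.
    """
    if max_per_request < 1:
        raise ValueError("max_per_request must be at least 1")
    seen, typed, rejected = set(), [], []
    for raw in indicators:
        kind, value = classify(raw)
        if kind is None:
            rejected.append(raw)      # keep for analyst review, do not send
        elif (kind, value) not in seen:
            seen.add((kind, value))   # drop duplicates after normalization
            typed.append((kind, value))
    bodies = []
    for start in range(0, len(typed), max_per_request):
        body = {}
        for kind, value in typed[start:start + max_per_request]:
            body.setdefault(kind, []).append(value)
        bodies.append(body)
    return bodies, rejected


# Constructed sample input: documentation-range IPs, example.com names,
# the SHA-256 of the empty string, and a placeholder CVE-style ID.
SAMPLE = [
    "192.0.2.10",
    "198.51.100[.]7",
    " 192.0.2.10 ",
    "www.example[.]com",
    "hxxps://www.example[.]com/login",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "cve-0000-00001",
    "not an indicator",
]

if __name__ == "__main__":
    bodies, rejected = build_bulk_bodies(SAMPLE, max_per_request=4)
    for body in bodies:
        print(json.dumps(body, indent=2))
    print("rejected:", rejected)
```

Each returned dictionary is one request body for the action; unrecognized values are returned separately so they are reviewed rather than silently dropped.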
Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/soar/soar lookup of entities

Search Alert Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert rule search

Search Alert Hits

This action uses the v3 API. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert notification hits lookup

Search Alert by ID

This action uses the v3 API. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert notification lookup

Search Update Alert

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert notification update

Search Alert

Note: this action uses a deprecated API endpoint. It is recommended to use the v3 API endpoint for alert searches. Recorded Future's documentation for the deprecated action can be found at https://api.recordedfuture.com/v2/#!/alerts/search alert notifications. The v3 API documentation can be found at https://api.recordedfuture.com/v2/#!/alerts/triggered alerts

Get Alert from an Alert Rule

This action uses the v3 API. You can retrieve alerts associated with a specific alert rule by using the alertrule parameter. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert notification search

Search for an Alert from an Alert Rule

This action uses the v3 API. You can search for alerts associated with a specific alert rule by specifying the alertrule parameter. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/alert notification search

Lookup Alert Notification

Note: this action uses the v2 API endpoint. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/alerts/lookup alert notification

Get Domain Risk List

You can download the domain risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/domain/domain risk lists

List Domain Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/domain/domain risk rules

Get Hash Risk List

You can download the hash risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/hash/hash risk lists

List Hash Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/hash/hash risk rules

Get IP Risk List

You can download the IP address risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/ip/ip address risk lists

List IP Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/ip/ip address risk rules

Lookup (URL, IP, Hash, and Domain Lookups)

These actions allow you to retrieve detailed intelligence on specific entities such as URLs, IP addresses, hashes, and domains. Recorded Future's documentation for these actions can be found at:

- Lookup URL: https://api.recordedfuture.com/v2/#!/url/lookup url
- Lookup IP Address: https://api.recordedfuture.com/v2/#!/ip/lookup ip address
- Lookup Hash: https://api.recordedfuture.com/v2/#!/hash/lookup hash
- Lookup Domain: https://api.recordedfuture.com/v2/#!/domain/lookup domain

Get URL Risk List

You can download the URL risk list in various formats such as csv or splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/url/url risk lists

List URL Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/url/url risk rules

Lookup Vulnerability

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability lookup

Get Vulnerability Risk List

You can download the vulnerability risk list in various formats such as csv or splunk+cpe, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability risk lists

List Vulnerability Risk Rules

Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability risk rules

Get Credentials Leaked

This action allows you to retrieve references related to exposed credentials for a company. You can filter the results by risk category, such as exposedcredential, to focus on leaked credentials. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/company/company references query

IP Extensions

This action retrieves extended details for an IP address, including specified extensions, from Recorded Future. Recorded Future's documentation for this action can be found at https://api.recordedfuture.com/v2/#!/ip/ip address extension lookup

Identity Detections

Retrieve credential exposures classified as external or workforce from breach dumps and stealer logs. Recorded Future's documentation for this action can be found at https://docs.recordedfuture.com/reference/identity detections

Identity Incident Report

Generate an incident report for a stealer malware infection with all harvested credentials and machine context. Recorded Future's documentation for this action can be found at https://docs.recordedfuture.com/reference/identity incident report

Identity Hostname Lookup

Retrieve all stolen credentials from a compromised machine by its Windows computer name. Recorded Future's documentation for this action can be found at https://docs.recordedfuture.com/reference/identity hostname

Identity IP Lookup

Retrieve stolen credentials by the compromised machine's IP address or range at time of infection. Recorded Future's documentation for this action can be found at https://docs.recordedfuture.com/reference/identity ip

Identity Password Lookup

Check whether password hashes appear in breach data or stealer logs, with k-anonymity prefix support. Recorded Future's documentation for this action can be found at https://docs.recordedfuture.com/reference/identity password

Identity Dump Metadata Search

Search metadata for data dumps and breach databases by name. Recorded Future's documentation for this action can be found at https://docs.recordedfuture.com/reference/identity dump metadata

Configurations

API key authentication

Authenticates using an API key.

Configuration parameters

Parameter | Description | Type | Required
url | A URL to the target host | string | required
apikey | API key | string | required
verify ssl | Verify SSL certificate | boolean | optional
http proxy | A proxy to route requests through | string | optional

Actions

alert lookup retrieve detailed information for a specified alert in recorded future using its unique identifier endpoint url v2/alert/{{id}} method get input argument name type required description path parameters id string required parameters for the alert lookup action parameters taggedtext boolean optional parameters for the alert lookup action input example {"parameters" {"taggedtext"\ true},"path parameters" {"id" "lwjyiz"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data review object response data data review\ assignee object response data data review\ statusdate object response data data review\ statusinportal string response data data review\ status string response data data review\ notedate object response data data review\ statuschangeby object response data data review\ noteauthor object response data 
data review\ note object response data data entities array response data data entities trend object response data data entities documents array response data data entities documents file name string response data data entities documents file string response data data entities risk object response data data entities risk criticalitylabel string response data data entities risk score object response data data entities risk documents array response data data entities risk documents source object response data data entities risk documents url object response data data entities risk documents references array response data data entities risk documents authors array response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 16 35 06 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node016hnx3pnie7pf1tvh7j74fpyza3994472 nod bulk ioc enrichment enrich multiple indicators of compromise simultaneously using recorded future's threat intelligence for enhanced security insights endpoint url v2/soar/enrichment method post input argument name type required description ip array optional parameter for bulk ioc enrichment domain array optional parameter for bulk ioc enrichment url array optional url endpoint for the request hash array optional parameter for bulk ioc enrichment vulnerability array optional parameter for bulk ioc enrichment input example {"json body" {"ip" \["1 0 0 0"],"domain" \["www swimlane com"],"url" \["https //www swimlane com"],"hash" \["bdb237bf8c5de6b60ba1e2dcfe364fc24f583e568d1682f851a9d0f11a45c78d"],"vulnerability" \["zs4cbi"]}} domain lookup retrieve detailed threat intelligence for a 
specified domain from recorded future, requiring the domain as a path parameter endpoint url v2/domain/{{domain}} method get input argument name type required description path parameters domain string required parameters for the domain lookup action parameters fields array optional parameters for the domain lookup action parameters metadata boolean optional parameters for the domain lookup action parameters comment string optional parameters for the domain lookup action input example {"parameters" {"fields" \["analystnotes","counts","enterpriselists","entity","intelcard","links","metrics","relatedentities","risk","riskmapping","sightings","threatlists","timestamps"],"metadata"\ true,"comment" "any comment"},"path parameters" {"domain" "www swimlane com"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data analystnotes array response data data analystnotes file name string response data data analystnotes file string response data metadata object response data metadata entries array response data metadata entries key string response data metadata entries label string response data metadata entries item object response data metadata entries item entries array response data metadata entries item entries key string response data metadata entries item entries label string response data metadata entries item entries type string response data metadata entries item entries item object response data metadata entries item entries entries array response data metadata entries item type string response data metadata entries type string response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 15 20 06 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 
gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node0fd5obnu48hcl16apr2ibzkyva3942193 node get domain risk list retrieve a list of domain risks from recorded future, providing insights into potential threats associated with domains endpoint url v2/domain/risklist method get input argument name type required description parameters format string optional parameters for the get domain risk list action parameters gzip boolean optional parameters for the get domain risk list action parameters list string optional parameters for the get domain risk list action input example {"parameters" {"format" "csv/splunk","gzip"\ true,"list" "actorinfrastructure"}} output parameter type description attachments object output field attachments output example {"attachments" {}} get domain risk rules retrieve risk rules associated with domains from recorded future, providing insights into potential threats endpoint url v2/domain/riskrules method get output parameter type description status code number http status code of the response reason string response reason phrase data object response data data results array response data data results criticalitylabel string response data data results description string response data data results criticality number response data data results relatedentities array response data data results relatedentities file name string response data data results relatedentities file string response data data results name string response data data results count number response data data results categories array response data data results categories name string response data data results categories framework string response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 21 30 36 gmt","content type" "application/json;charset=utf 8","content length" "1929","connection" "keep alive","cache control" "no cache, no store, private, 
must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node017j68k3iqy4rm1f6fz8x1eq424168935 node0; pat get hash risk list retrieve a list of hash risk assessments from recorded future, providing insights into potential security threats endpoint url v2/hash/risklist method get input argument name type required description parameters format string optional parameters for the get hash risk list action parameters gzip boolean optional parameters for the get hash risk list action parameters list string optional parameters for the get hash risk list action input example {"parameters" {"format" "csv/splunk","gzip"\ true,"list" "large"}} output parameter type description attachments object output field attachments output example {"attachments" {}} get hash risk rules retrieve risk rules associated with a specific hash from recorded future, aiding in threat assessment and prioritization endpoint url v2/hash/riskrules method get output parameter type description status code number http status code of the response reason string response reason phrase data object response data data results array response data data results criticalitylabel string response data data results description string response data data results categories array response data data results categories name string response data data results categories framework string response data data results criticality number response data data results relatedentities array response data data results relatedentities file name string response data data results relatedentities file string response data data results name string response data data results count number response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 21 18 14 gmt","content type" "application/json;charset=utf 8","content length" 
"827","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node01snqb93wfqqnebjs4mrvs63ig4157334 node0; path get identities | lookup subjects retrieve identities associated with subjects in recorded future using the provided json body endpoint url identity/credentials/lookup method post input argument name type required description subjects array optional parameter for get identities lookup subjects subjects sha1 array optional parameter for get identities lookup subjects subjects login array optional parameter for get identities lookup subjects subjects login login string optional parameter for get identities lookup subjects subjects login login sha1 string optional parameter for get identities lookup subjects subjects login domain string optional parameter for get identities lookup subjects filter object optional parameter for get identities lookup subjects filter first downloaded gte string optional parameter for get identities lookup subjects filter latest downloaded gte string optional parameter for get identities lookup subjects filter exfiltration date gte string optional parameter for get identities lookup subjects filter properties array optional parameter for get identities lookup subjects filter breach properties object optional parameter for get identities lookup subjects filter breach properties name string optional name of the resource filter breach properties date string optional date value filter dump properties object optional parameter for get identities lookup subjects filter dump properties name string optional name of the resource filter dump properties date string optional date value filter username properties array optional name of the resource filter authorization technologies array optional 
parameter for get identities lookup subjects filter authorization protocols array optional parameter for get identities lookup subjects input example {"json body" {"subjects" \["alex payte\@recordedfuture com"],"subjects sha1" \["string"],"subjects login" \[{"login" "string","login sha1" "string","domain" "string"}],"filter" {"first downloaded gte" "2022 12 05t22 00 58 463z","latest downloaded gte" "2022 12 05t22 00 58 463z","exfiltration date gte" "2022 12 05t22 00 58 463z","properties" \["letter"],"breach properties" {"name" "string","date" "2022 12 05t22 00 58 463z"},"dump properties" {"name" "string","date" "2022 12 05t22 00 58 463z"},"username properties" \["email"],"authorization technologies" \["string"],"authorization protocols" \["string"]}}} output parameter type description status code number http status code of the response reason string response reason phrase identities array unique identifier identities identity object unique identifier identities identity subjects array unique identifier identities count number unique identifier identities credentials array unique identifier identities credentials subject string unique identifier identities credentials dumps array unique identifier identities credentials dumps name string unique identifier identities credentials dumps description string unique identifier identities credentials dumps downloaded string unique identifier identities credentials dumps type string unique identifier identities credentials dumps breaches array unique identifier identities credentials dumps breaches name string unique identifier identities credentials dumps breaches domain string unique identifier identities credentials dumps breaches type string unique identifier identities credentials dumps breaches breached string unique identifier identities credentials dumps breaches start string unique identifier identities credentials dumps breaches stop string unique identifier identities credentials dumps breaches precision string 
unique identifier identities credentials dumps breaches description string unique identifier identities credentials dumps breaches site description string unique identifier identities credentials dumps infrastructure object unique identifier identities credentials dumps infrastructure ip string unique identifier output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 22 12 05 gmt","content type" "application/json","transfer encoding" "chunked","connection" "keep alive","cf cache status" "dynamic","strict transport security" "max age=31536000; includesubdomains","server" "cloudflare","cf ray" "77501f0adb016b1a gru","content encoding" "gzip"},"reason" "ok","json body" {"identities" \[{}],"count" 1}} get identities | search domains retrieve identity information for specified domains from recorded future, utilizing a json body input for detailed queries endpoint url identity/credentials/search method post input argument name type required description domains array optional parameter for get identities search domains domain types array optional type of the resource filter object optional parameter for get identities search domains filter first downloaded gte string optional parameter for get identities search domains filter latest downloaded gte string optional parameter for get identities search domains filter exfiltration date gte string optional parameter for get identities search domains filter properties array optional parameter for get identities search domains filter breach properties object optional parameter for get identities search domains filter breach properties name string optional name of the resource filter breach properties date string optional date value filter dump properties object optional parameter for get identities search domains filter dump properties name string optional name of the resource filter dump properties date string optional date value filter username properties array optional name of the resource filter 
authorization technologies array optional parameter for get identities search domains filter authorization protocols array optional parameter for get identities search domains offset string optional parameter for get identities search domains limit number optional parameter for get identities search domains input example {"json body" {"domains" \["string"],"domain types" \["authorization"],"filter" {"first downloaded gte" "2022 12 05t22 20 25 745z","latest downloaded gte" "2022 12 05t22 20 25 745z","exfiltration date gte" "2022 12 05t22 20 25 745z","properties" \["letter"],"breach properties" {"name" "string","date" "2022 12 05t22 20 25 745z"},"dump properties" {"name" "string","date" "2022 12 05t22 20 25 745z"},"username properties" \["email"],"authorization technologies" \["string"],"authorization protocols" \["string"]},"offset" "string","limit" 0}} get ip risk list retrieve a list of ip addresses with associated risk scores from recorded future for enhanced threat analysis endpoint url v2/ip/risklist method get input argument name type required description parameters format string optional parameters for the get ip risk list action parameters gzip boolean optional parameters for the get ip risk list action parameters list string optional parameters for the get ip risk list action input example {"parameters" {"format" "csv/splunk","gzip"\ true,"list" "actorinfrastructure"}} output parameter type description attachments object output field attachments output example {"attachments" {}} get url risk list retrieve a list of urls with associated risk scores from recorded future to prioritize threats effectively endpoint url v2/url/risklist method get input argument name type required description parameters format string optional parameters for the get url risk list action parameters gzip boolean optional parameters for the get url risk list action parameters list string optional parameters for the get url risk list action input example {"parameters" {"format" 
"csv/splunk","gzip"\ true,"list" "actorinfrastructure"}} output parameter type description attachments object output field attachments output example {"attachments" {}} get url risk rules retrieve the list of risk rules applied to urls from recorded future for enhanced threat analysis and informed decision making endpoint url v2/url/riskrules method get output parameter type description status code number http status code of the response reason string response reason phrase data object response data data results array response data data results criticalitylabel string response data data results description string response data data results criticality number response data data results relatedentities array response data data results relatedentities file name string response data data results relatedentities file string response data data results name string response data data results count number response data data results categories array response data data results categories name string response data data results categories framework string response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 18 55 05 gmt","content type" "application/json;charset=utf 8","content length" "1115","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node01ntljhka8cig2g8w9rk2sb7gn4079571 node0; pat get vulnerability risk list retrieve and prioritize vulnerabilities with risk scores from recorded future to enhance security posture endpoint url v2/vulnerability/risklist method get input argument name type required description parameters format string optional parameters for the get vulnerability risk list action parameters gzip boolean optional parameters for the get vulnerability risk list action 
parameters list string optional parameters for the get vulnerability risk list action input example {"parameters" {"format" "csv/splunk","gzip"\ true,"list" "actorinfrastructure"}} output parameter type description attachments object output field attachments output example {"attachments" {}} get vulnerability risk rules retrieve a list of vulnerability risk rules from recorded future to enhance security insights endpoint url v2/vulnerability/riskrules method get output parameter type description status code number http status code of the response reason string response reason phrase data object response data data results array response data data results criticalitylabel string response data data results description string response data data results categories array response data data results categories name string response data data results categories framework string response data data results criticality number response data data results relatedentities array response data data results relatedentities file name string response data data results relatedentities file string response data data results name string response data data results count number response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 21 39 33 gmt","content type" "application/json;charset=utf 8","content length" "1326","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node0bno2qyhegmod18z4qv5haifgh4167508 node0; pat hash lookup retrieve threat intelligence data for a specified hash from recorded future, using the provided path parameter endpoint url v2/hash/{{hash}} method get input argument name type required description path parameters hash string required parameters for the hash lookup action parameters 
fields | array | optional | parameters for the hash lookup action
parameters metadata | boolean | optional | parameters for the hash lookup action
parameters comment | string | optional | parameters for the hash lookup action

input example

{"parameters" {"fields" \["analystnotes","counts","enterpriselists","entity","filehashes","hashalgorithm","intelcard","links","metrics","relatedentities","risk","riskmapping","sightings","threatlists","timestamps"],"metadata"\ true,"comment" "any comment"},"path parameters" {"hash" "bdb237bf8c5de6b60ba1e2dcfe364fc24f583e568d1682f851a9d0f11a45c78d"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data analystnotes | array | response data
data analystnotes file name | string | response data
data analystnotes file | string | response data
metadata | object | response data
metadata entries | array | response data
metadata entries key | string | response data
metadata entries label | string | response data
metadata entries item | object | response data
metadata entries item entries | array | response data
metadata entries item entries key | string | response data
metadata entries item entries label | string | response data
metadata entries item entries type | string | response data
metadata entries item entries item | object | response data
metadata entries item entries entries | array | response data
metadata entries item type | string | response data
metadata entries type | string | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 14 49 27 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node0zue821pxtbpm8k8iaalxgk8p3925540 node0

identity detections

retrieve classified credential exposures from breach dumps and stealer logs in recorded future

endpoint url: identity/detections
method: post

input

argument name | type | required | description
filter | object | optional | filter criteria to narrow down the detections returned by the query
filter detection types | array | optional | filter by detection type
filter novel only | boolean | optional | filter for novel detections that have not been previously observed
filter malware only | boolean | optional | filter for detections associated with malware
filter domains | array | optional | filter by associated domains
filter source type | array | optional | filter by source type of the detection
filter detection type | string | optional | filter by detection type
filter authorization technology | object | optional | filter by associated authorization technologies
filter authorization technology any | boolean | optional | match detections with any authorization technology
filter authorization technology id | array | optional | filter by authorization technology id
filter authorization technology name | array | optional | filter by authorization technology name
filter cookies | string | optional | filter for detections with unexpired cookies
filter created | object | optional | filter by detection creation date
filter created gte | string | optional | filter for detections created on or after this date
filter created lt | string | optional | filter for detections created before this date
organization id | array | optional | organization ids to scope the detections query
include enterprise level | boolean | optional | include enterprise level detections across all organizations
limit | number | optional | maximum number of detections to return
offset | string | optional | pagination token for next page

input example

{"json body" {"filter" {"detection types" \["external"],"novel only"\ true,"malware only"\ true,"domains" \["example corp com"],"source type" \["malwarelogs"],"detection type" "external","authorization technology" {"any"\ true,"id" \["tech okta sso"],"name" \["okta single sign on"]},"cookies" "unexpiredcookies","created" {"gte" "2024 07 20t10 00 00z","lt" "2024 07 25t10 00 00z"}},"organization id" \["uhash\ a1b2c3d4"],"include enterprise level"\ true,"limit" 1000,"offset" "cd1lmze5ntq2os1hyjyxltq1ntgtyjkyoc1iyje3mwnkm2qyy2u"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
total | number | output field total
detections | array | output field detections
detections id | string | unique identifier
detections type | string | type of the resource
detections novel | boolean | output field detections novel
detections source type | string | type of the resource
detections subject | string | output field detections subject
detections password | string | output field detections password
detections authorization service | object | output field detections authorization service
detections authorization service url | string | url endpoint for the request
detections authorization service domain | string | output field detections authorization service domain
detections authorization service fqdn | string | output field detections authorization service fqdn
detections authorization service technology | array | output field detections authorization service technology
detections authorization service technology name | string | name of the resource
detections authorization service technology id | string | unique identifier
detections authorization service technology category | string | output field detections authorization service technology category
detections authorization service protocols | array | output field detections authorization service protocols
detections cookies | array | output field detections cookies
detections cookies dns | string | output field detections cookies dns
detections cookies name | string | name of the resource
detections cookies http | boolean | output field detections cookies http
detections cookies expiration | string | output field detections cookies expiration
detections cookies secure | boolean | output field detections cookies secure

output example

{"status code" 200,"reason" "ok","json body" {"total" 10,"detections" \[{}],"next offset" "10"}}

identity dump metadata search

search for metadata in recorded future related to data dumps and breach databases using specific criteria

endpoint url: identity/metadata/dump/search
method: post

input

argument name | type | required | description
names | array | optional | list of dump or breach database names to search for in metadata
limit | number | optional | maximum number of results to return

input example

{"json body" {"names" \["collection 1"],"limit" 1000}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
dumps | array | output field dumps
dumps name | string | name of the resource
dumps type | string | type of the resource
dumps source | string | output field dumps source
dumps description | string | output field dumps description
dumps infrastructure | object | output field dumps infrastructure
dumps infrastructure ip | string | output field dumps infrastructure ip
dumps compromise | object | output field dumps compromise
dumps compromise os | string | output field dumps compromise os
dumps compromise os username | string | name of the resource
dumps compromise malware file | string | output field dumps compromise malware file
dumps compromise timezone | string | output field dumps compromise timezone
dumps compromise computer name | string | name of the resource
dumps compromise uac | string | output field dumps compromise uac
dumps compromise antivirus | array | output field dumps compromise antivirus
dumps compromise exfiltration date | string | date value
dumps location | object | output field dumps location
dumps location country | object | output field dumps location country
dumps location country name | string | name of the resource
dumps location country displayname | string | name of the resource
dumps location country countrycode | string | output field dumps location country countrycode
dumps location country alpha2code | string | output field dumps location country alpha2code
dumps location country alpha3code | string | output field dumps location country alpha3code

output example

{"status code" 200,"reason" "ok","json body" {"dumps" \[{}]}}

identity hostname lookup

retrieve all stolen credentials from a compromised machine using its hostname in recorded future

endpoint url: identity/hostname/lookup
method: post

input

argument name | type | required | description
organization id | string | optional | unique identifier for the organization to query within
hostname | string | optional | windows computer name to search for associated credentials
filter | object | optional | filter criteria to narrow down the credentials returned by the query
filter first downloaded gte | string | optional | filter for credentials first downloaded on or after this date
filter latest downloaded gte | string | optional | filter for credentials latest downloaded on or after this date
filter exfiltration date gte | string | optional | filter for credentials with exfiltration date on or after this date
filter properties | array | optional | filter for credentials that have specific properties, such as containing uppercase letters or being at least 8 characters long
filter username properties | array | optional | filter for credentials with specific username properties, such as being an email address
filter breach properties | object | optional | filter for credentials that were involved in breaches with specific properties, such as the breach name or date
filter breach properties name | string | optional | filter for credentials involved in breaches with this name
filter breach properties date | string | optional | filter for credentials involved in breaches that occurred on this date
filter dump properties | object | optional | filter for credentials that were found in dumps with specific properties, such as the dump name or date
filter dump properties name | string | optional | filter for credentials found in dumps with this name
filter dump properties date | string | optional | filter for credentials found in dumps that were published on this date
filter authorization technologies | array | optional | filter for credentials associated with specific authorization technologies, such as saml or oauth
filter authorization protocols | array | optional | filter for credentials associated with specific authorization protocols, such as rdp or ssh
filter malware families | array | optional | filter for credentials associated with specific malware families, such as redline stealer or vidar
limit | number | optional | maximum number of credentials to return
offset | string | optional | pagination token for next page of results

input example

{"json body" {"organization id" "uhash\ a1b2c3d4","hostname" "server 01 us east","filter" {"first downloaded gte" "2024 01 01t00 00 00z","latest downloaded gte" "2024 12 01t00 00 00z","exfiltration date gte" "2024 01 01t00 00 00z","properties" \["uppercase","atleast8characters"],"username properties" \["email"],"breach properties" {"name" "examplecorp breach 2024","date" "2024 03 15t00 00 00z"},"dump properties" {"name" "collection","date" "2019 01 07t00 00 00z"},"authorization technologies" \["saml"],"authorization protocols" \["rdp"],"malware families" \["redline stealer"]},"limit" 1000,"offset" "cd1lmze5ntq2os1hyjyxltq1ntgtyjkyoc1iyje3mwnkm2qyy2u="}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
identities | array | unique identifier
identities identity | object | unique identifier
identities identity subjects | array | unique identifier
identities count | number | unique identifier
identities credentials | array | unique identifier
identities credentials subject | string | unique identifier
identities credentials authorization service | object | unique identifier
identities credentials authorization service url | string | url endpoint for the request
identities credentials authorization service domain | string | unique identifier
identities credentials authorization service fqdn | string | unique identifier
identities credentials authorization service protocols | array | unique identifier
identities credentials authorization service technology | array | unique identifier
identities credentials authorization service technology id | string | unique identifier
identities credentials authorization service technology name | string | unique identifier
identities credentials authorization service technology category | string | unique identifier
identities credentials authorization services | array | unique identifier
identities credentials authorization services url | string | url endpoint for the request
identities credentials authorization services domain | string | unique identifier
identities credentials authorization services fqdn | string | unique identifier
identities credentials authorization services protocols | array | unique identifier
identities credentials authorization services technology | array | unique identifier
identities credentials authorization services technology id | string | unique identifier
identities credentials authorization services technology name | string | unique identifier

output example

{"status code" 200,"reason" "ok","json body" {"identities" \[{}],"count" 0,"next offset" "cd1lmze5ntq2os1hyjyxltq1ntgtyjkyoc1iyje3mwnkm2qyy2u="}}

identity incident report

generate a detailed incident report for stealer malware infections, including credentials and machine context, using recorded future

endpoint url: identity/incident/report
method: post

input

argument name | type | required | description
include details | boolean | optional | include extended device and malware details in the response
organization id | string | optional | unique identifier for the organization associated with the incident report
source | string | optional | the dump source identifier (e.g., dump redline 2024 07 21 001)
limit | number | optional | maximum number of credential entries to return
offset | string | optional | pagination token for next page

input example

{"json body" {"include details"\ true,"organization id" "uhash\ a1b2c3d4","source" "dump redline 2024 07 21 001","limit" 1000,"offset" "eyjsaw1pdci6idewmcwgim9mznnldci6idewmh0="}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
count | number | count value
total count | number | count value
credentials | array | output field credentials
credentials authorization domain | string | output field credentials authorization domain
credentials email or login | string | output field credentials email or login
credentials password | string | output field credentials password
credentials password sha1 | string | output field credentials password sha1
credentials domain category | string | output field credentials domain category
credentials domain technology | string | output field credentials domain technology
credentials contains cookies | boolean | output field credentials contains cookies
credentials contains active cookies | boolean | output field credentials contains active cookies
credentials contains high risk technologies | boolean | output field credentials contains high risk technologies
details | object | output field details
details malware family | string | output field details malware family
details os | string | output field details os
details os username | string | name of the resource
details malware file | string | output field details malware file
details timezone | string | output field details timezone
details uac | string | output field details uac
details exfiltration date | string | date value
details antivirus | string | output field details antivirus
details ip address | string | output field details ip address
details postal code | string | output field details postal code

output example

{"status code" 200,"reason" "ok","json body" {"count" 0,"total count" 0,"credentials" \[{}],"details" {"malware family" "redline stealer","os" "windows 10 pro","os username" "jsmith","malware file" "c \\\users\\\jsmith\\\appdata\\\local\\\temp\\\winmgr exe","timezone" "america/new york","uac" "uac admin","exfiltration date" "2025 07 24t14 30 00z","antivirus" "windows defender","ip address" "198 51 100 14","postal code" "90210","country" "united states"},"next offset" "eyjsaw1pdci6idewmcwgim9mznnldci6id

identity ip lookup

retrieve credentials compromised by a specific ip address or range at the time of infection using recorded future

endpoint url: identity/ip/lookup
method: post

input

argument name | type | required | description
organization id | string | optional | unique identifier for the organization to scope the search within
ip | string | optional | ip address of the compromised machine at time of infection
range | object | optional | ip range of the compromised machine at time of infection, using comparison operators
range gte | string | optional | filter for credentials from machines with ip addresses greater than or equal to this value
range gt | string | optional | filter for credentials from machines with ip addresses greater than this value
range lte | string | optional | filter for credentials from machines with ip addresses less than or equal to this value
range lt | string | optional | filter for credentials from machines with ip addresses less than this value
filter | object | optional | additional filters to apply to the search query, such as date ranges, properties, and associated breach or dump information
filter first downloaded gte | string | optional | the first date when these credentials were received and indexed by recorded future
filter latest downloaded gte | string | optional | latest date when these credentials were received and indexed by recorded future. it is not unusual for the same credentials to be exposed multiple times, in data from different dumps and/or logs
filter exfiltration date gte | string | optional | the date when data was exfiltrated (stolen) from the victim
filter properties | array | optional | password property filters
filter username properties | array | optional | username property filters
filter breach properties | object | optional | filters for breach properties to further refine the search results based on the associated breach information
filter breach properties name | string | optional | name of the breach to filter by
filter breach properties date | string | optional | date of the breach to filter by
filter dump properties | object | optional | filters for dump properties to further refine the search results based on the associated dump information
filter dump properties name | string | optional | name of the dump to filter by
filter dump properties date | string | optional | date of the dump to filter by
filter authorization technologies | array | optional | filter for credentials associated with specific authorization technologies
filter authorization protocols | array | optional | parameter for identity ip lookup
filter malware families | array | optional | filter for credentials associated with specific malware families
limit | number | optional | maximum number of credential entries to return
offset | string | optional | pagination token for next page of results

input example

{"json body" {"organization id" "uhash\ a1b2c3d4","ip" "198 51 100 1","range" {"gte" "192 0 2 0","gt" "192 0 2 0","lte" "192 0 2 255","lt" "192 0 2 255"},"filter" {"first downloaded gte" "2024 01 01t00 00 00z","latest downloaded gte" "2024 01 01t00 00 00z","exfiltration date gte" "2024 01 01t00 00 00z","properties" \["symbol"],"username properties" \["email"],"breach properties" {"name" "examplecorp breach 2024","date" "2024 03 15t00 00 00z"},"dump properties" {"name" "collection","date" "2019 01 07t00 00 00z"},"authorization technologies" \["saml"],"authorization protocols" \["rdp"],"malware families" \["redline stealer"]},"limit" 1000,"offset" "cd1lmze5ntq2os1hyjyxltq1ntgtyjkyoc1iyje3mwnkm2qyy2u="}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
identities | array | unique identifier
identities identity | object | unique identifier
identities identity subjects | array | unique identifier
identities count | number | unique identifier
identities credentials | array | unique identifier
identities credentials subject | string | unique identifier
identities credentials authorization service | object |
unique identifier
identities credentials authorization service url | string | url endpoint for the request
identities credentials authorization service domain | string | unique identifier
identities credentials authorization service fqdn | string | unique identifier
identities credentials authorization service protocols | array | unique identifier
identities credentials authorization service technology | array | unique identifier
identities credentials authorization service technology id | string | unique identifier
identities credentials authorization service technology name | string | unique identifier
identities credentials authorization service technology category | string | unique identifier
identities credentials authorization services | array | unique identifier
identities credentials authorization services url | string | url endpoint for the request
identities credentials authorization services domain | string | unique identifier
identities credentials authorization services fqdn | string | unique identifier
identities credentials authorization services protocols | array | unique identifier
identities credentials authorization services technology | array | unique identifier
identities credentials authorization services technology id | string | unique identifier
identities credentials authorization services technology name | string | unique identifier

output example

{"status code" 200,"reason" "ok","json body" {"identities" \[{}],"count" 0,"next offset" "cd1lmze5ntq2os1hyjyxltq1ntgtyjkyoc1iyje3mwnkm2qyy2u="}}

identity password lookup

verify if password hashes are present in breach data or stealer logs using k-anonymity prefix support with recorded future

endpoint url: identity/password/lookup
method: post

input

argument name | type | required | description
passwords | array | optional | parameter for identity password lookup
passwords algorithm | string | required | the hashing algorithm used to generate the password hash, which determines the formatting of the hash value for lookup
passwords hash | string | required | the password hash value to look up, formatted according to the specified algorithm

input example

{"json body" {"passwords" \[{"algorithm" "hash32","hash" "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"}]}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
results | array | result of the operation
results password | object | result of the operation
results password algorithm | string | result of the operation
results password hash | string | result of the operation
results exposure status | string | status value

output example

{"status code" 200,"reason" "ok","json body" {"results" \[{}]}}

ip lookup

retrieve threat intelligence, risk scores, and related entities for a specified ip address from recorded future

endpoint url: v2/ip/{{ip}}
method: get

input

argument name | type | required | description
path parameters ip | string | required | parameters for the ip lookup action
parameters fields | string | optional | parameters for the ip lookup action
parameters metadata | boolean | optional | parameters for the ip lookup action
parameters comment | string | optional | parameters for the ip lookup action

input example

{"parameters" {"fields" "analystnotes,counts,enterpriselists,entity,intelcard,links,location,metrics,relatedentities,risk,riskmapping,riskycidrips,sightings,threatlists,timestamps","metadata"\ true,"comment" "any comment"},"path parameters" {"ip" "1 0 0 0"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data analystnotes | array | response data
data analystnotes file name | string | response data
data analystnotes file | string | response data
metadata | object | response data
metadata entries | array | response data
metadata entries key | string | response data
metadata entries label | string | response data
metadata entries item | object | response data
metadata entries item entries | array | response data
metadata entries item entries key | string | response data
metadata entries item entries label
string | response data
metadata entries item entries type | string | response data
metadata entries item entries item | object | response data
metadata entries item entries entries | array | response data
metadata entries item type | string | response data
metadata entries type | string | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 14 04 25 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node09l9ww6ixtnia1ma9kvawcg4hh3649789 node

list ip risk rules

retrieve a list of ip risk rules from recorded future, providing insights into threats associated with ip addresses

endpoint url: v2/ip/riskrules
method: get

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data results | array | response data
data results criticalitylabel | string | response data
data results description | string | response data
data results categories | array | response data
data results categories name | string | response data
data results categories framework | string | response data
data results criticality | number | response data
data results relatedentities | array | response data
data results relatedentities file name | string | response data
data results relatedentities file | string | response data
data results name | string | response data
data results count | number | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 18 36 15 gmt","content type" "application/json;charset=utf 8","content length" "1973","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node0hz75vvep08gxas7aete7u6s4071112 node0; path=

lookup vulnerability

retrieve detailed vulnerability information from recorded future using a unique identifier

endpoint url: v2/vulnerability/{{id}}
method: get

input

argument name | type | required | description
path parameters id | string | required | parameters for the lookup vulnerability action
parameters fields | array | optional | parameters for the lookup vulnerability action
parameters metadata | boolean | optional | parameters for the lookup vulnerability action
parameters comment | string | optional | parameters for the lookup vulnerability action

input example

{"parameters" {"fields" \["analystnotes","commonnames","counts","cpe","cpe22uri","cvss","cvssv3","enterpriselists","entity","intelcard","links","metrics","nvddescription","rawrisk","relatedentities","relatedlinks","risk","riskmapping","sightings","threatlists","timestamps"],"metadata"\ true,"comment" "a comment"},"path parameters" {"id" "zs4cbi"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data analystnotes | array | response data
data analystnotes attributes | object | response data
data analystnotes attributes validated on | string | response data
data analystnotes attributes published | string | response data
data analystnotes attributes text | string | response data
data analystnotes attributes topic | object | response data
data analystnotes attributes topic id | string | response data
data analystnotes attributes topic name | string | response data
data analystnotes attributes topic type | string | response data
data analystnotes attributes topic description | string | response data
data analystnotes attributes context entities | array | response data
data analystnotes attributes context entities id | string | response data
data analystnotes attributes context entities name | string | response data
data analystnotes attributes context entities type | string | response data
data analystnotes attributes validation urls | array | response data
data analystnotes attributes validation urls id | string | response data
data analystnotes attributes validation urls name | string | response data
data analystnotes attributes validation urls type | string | response data
data analystnotes attributes title | string | response data
data analystnotes attributes note entities | array | response data
data analystnotes attributes note entities id | string | response data
data analystnotes attributes note entities name | string | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 21 56 02 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node01knaoe0qzo9fivc0e4y5j2rbr4183315 node

malware lookup

retrieve detailed malware information from recorded future using a unique identifier provided in the path parameters

endpoint url: v2/malware/{{id}}
method: get

input

argument name | type | required | description
path parameters id | string | required | parameters for the malware lookup action
parameters fields | array | optional | parameters for the malware lookup action
parameters metadata | boolean | optional | parameters for the malware lookup action
parameters comment | string | optional | parameters for the malware lookup action

input example

{"parameters" {"fields" \["analystnotes","categories","counts","entity","intelcard","links","metrics","relatedentities","sightings","timestamps"],"metadata"\ true,"comment" "any comment"},"path parameters" {"id" "some id"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data analystnotes | array | response data
data analystnotes file name | string | response data
data analystnotes file | string | response data
metadata | object | response data
metadata entries | array | response data
metadata entries key | string | response data
metadata entries label | string | response data
metadata entries item | object | response data
metadata entries item entries | array | response data
metadata entries item entries key | string | response data
metadata entries item entries label | string | response data
metadata entries item entries type | string | response data
metadata entries item entries item | object | response data
metadata entries item entries entries | array | response data
metadata entries item type | string | response data
metadata entries type | string | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 16 58 04 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node044kroehlurc4ek4pefoxgz2h4004105 node0

query ip extensions

retrieve extended details and specific extensions for an ip address from recorded future, utilizing provided path parameters

endpoint url: /v2/ip/{{ip}}/extension/{{extension}}
method: get

input

argument name | type | required | description
parameters metadata | boolean | optional | include metadata
path parameters ip | string | required | the ip address to lookup. must be a single ip address
path parameters extension | string | required | extension to call

input example

{"parameters" {"metadata"\ true},"path parameters" {"ip" "10 0 0 8","extension" "carbonblack"}}

output

parameter | type | description
status code | number | http status code of the response
reason
string | response reason phrase

output example

{"status code" 200,"response headers" {},"reason" "ok","json body" {}}

search

executes a search for recorded future alerts using specified filters and returns matching results

endpoint url: v2/alert/search
method: get

input

argument name | type | required | description
parameters triggered | string | optional | parameters for the search action
parameters assignee | string | optional | parameters for the search action
parameters freetext | string | optional | parameters for the search action
parameters limit | number | optional | parameters for the search action
parameters status | string | optional | parameters for the search action
parameters alertrule | string | optional | parameters for the search action
parameters taggedtext | boolean | optional | parameters for the search action
parameters from | number | optional | parameters for the search action
parameters direction | string | optional | parameters for the search action
parameters orderby | string | optional | parameters for the search action

input example

{"parameters" {"triggered" "2022 01 20t0","assignee" "none","freetext" "a","limit" 10,"status" "no action","alertrule" "iapilc","taggedtext"\ true,"from" 0,"direction" "asc","orderby" "triggered"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data results | array | response data
data results review | object | response data
data results review\ assignee | object | response data
data results review\ statusdate | object | response data
data results review\ statusinportal | string | response data
data results review\ status | string | response data
data results review\ notedate | object | response data
data results review\ statuschangeby | object | response data
data results review\ noteauthor | object | response data
data results review\ note | object | response data
data results url | string | response data
data results rule | object | response data
data results rule name | string | response data
data results rule url | string |
response data
data results rule owner id | string | response data
data results rule owner name | string | response data
data results rule id | string | response data
data results rule organisation name | string | response data
data results rule organisation id | string | response data
data results triggered | string | response data
data results id | string | response data
data results title | string | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 14 10 44 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node0ycr5u0bob499jeiki407m61f3902973 node0

search alert by id

retrieve details for a specific alert in recorded future using the provided unique identifier

endpoint url: /v3/alerts/{{id}}
method: get

input

argument name | type | required | description
path parameters id | string | required | alert id
parameters fields | string | optional | fields to include: ai insights, hits, id, log, owner organisation details, review, rule, title, type, url
parameters taggedtext | boolean | optional | parameters for the search alert by id action

input example

{"parameters" {"fields" "hits","taggedtext"\ false},"path parameters" {"id" "lwjyiz"}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data hits | array | response data
data hits entities | array | response data
data hits entities id | string | response data
data hits entities name | string | response data
data hits entities type | string | response data
data hits document | object | response data
data hits document source | object | response data
data hits document source id | string | response data
data hits document source name | string |
response data
data hits document source type | string | response data
data hits document title | string | response data
data hits document url | object | response data
data hits document authors | array | response data
data hits document authors file name | string | response data
data hits document authors file | string | response data
data hits fragment | string | response data
data hits id | string | response data
data hits language | string | response data
data hits primary entity | object | response data
data hits primary entity id | string | response data
data hits primary entity name | string | response data
data hits primary entity type | string | response data

output example

{"status code" 200,"response headers" {"date" "thu, 01 feb 2024 09 11 22 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","content security policy" "default src 'self' data ; img src 'self'

search alert rules

retrieve a list of alert rules from recorded future based on specified criteria for targeted security responses

endpoint url: /v2/alert/rule
method: get

input

argument name | type | required | description
parameters freetext | string | optional | parameters for the search alert rules action
parameters limit | number | optional | parameters for the search alert rules action
parameters taggedtext | boolean | optional | parameters for the search alert rules action

input example

{"parameters" {"freetext" "","limit" 10,"taggedtext"\ true}}

output

parameter | type | description
status code | number | http status code of the response
reason | string | response reason phrase
data | object | response data
data results | array | response data
data results intelligence goals | array | response data
data results intelligence goals file name | string | response data
data results intelligence goals file | string | response data
data results priority | boolean | response data
data results tags | array | response data
data results tags file name | string | response data
data results tags file | string | response data
data results use case id | object | response data
data results id | string | response data
data results owner | object | response data
data results owner name | string | response data
data results owner id | string | response data
data results title | string | response data
data results created | string | response data
data results notification settings | object | response data
data results notification settings email subscribers | array | response data
data results notification settings email subscribers file name | string | response data
data results notification settings email subscribers file | string | response data
data results notification settings mobile subscribers | array | response data
data results notification settings mobile subscribers file name | string | response data
data results notification settings mobile subscribers file | string | response data

output example

{"status code" 200,"response headers" {"date" "mon, 05 dec 2022 17 03 37 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node017juks5vmnh5k1rk5152a1k3et4022289 nod

search alerts

retrieve triggered alerts from recorded future based on specified criteria to aid in threat analysis

endpoint url: /v3/alerts/
method: get

input

argument name | type | required | description
parameters triggered | string | optional | filter on triggered timestamp, using time queries and ranges
parameters assignee | string | optional | assignee email, or 'none' to match notifications without an assignee
parameters statusinportal | string | optional | filter on
status (as used in the portal) parameters alertrule string optional filter on alert rule id parameters freetext string optional freetext search parameters limit number optional maximum number of references from which notes are fetched, at most 1000 parameters from number optional offset from first result the api may only return the first 1000 results, meaning limit + from cannot exceed 1000 parameters taggedtext boolean optional enables tags in text fragments parameters orderby string optional sort order parameters direction string optional sort direction parameters fields string optional fields to include ai insights, hits, id, log, owner organisation details, review, rule, title, type, url input example {"parameters" {"triggered" "2024 01 31t20 36 31 757z","assignee" "new","statusinportal" "new","alertrule" "string","freetext" "string","limit" 10,"from" 1,"taggedtext"\ false,"orderby" "triggered","direction" "asc","fields" "hits"}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data file name string response data data file string response data counts object output field counts counts returned number output field counts returned counts total number output field counts total output example {"status code" 200,"response headers" {"date" "thu, 01 feb 2024 08 57 04 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","content security policy" "default src 'self' data ; img src 'self' search alerts hits retrieve data hits from recorded future intelligence cloud that triggered alerts, using specific alert ids for filtering endpoint url /v3/alerts/hits method get input 
argument name type required description parameters ids string required alert ids separated by comma parameters taggedtext boolean optional parameters for the search alerts hits action input example {"parameters" {"ids" "report\ hjefxu","taggedtext"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data document object response data data document source object response data data document source id string response data data document source name string response data data document source type string response data data document title string response data data document url object response data data document authors array response data data document authors file name string response data data document authors file string response data data fragment string response data data id string response data data language string response data data index number response data data entities array response data data entities id string response data data entities name string response data data entities type string response data data alert id string response data data primary entity object response data data primary entity id string response data data primary entity name string response data output example {"status code" 200,"response headers" {"date" "thu, 01 feb 2024 09 04 01 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","content security policy" "default src 'self' data ; img src 'self' search update alert updates assignee, status, and notes for recorded future alerts using a specified json body endpoint url /v2/alert/update method post output parameter type description 
status code number http status code of the response reason string response reason phrase success array whether the operation was successful success id string unique identifier success status string status value success statusinportal string status value error array error message if any error file name string name of the resource error file string error message if any output example {"status code" 200,"response headers" {"date" "thu, 01 feb 2024 11 24 41 gmt","content type" "application/json;charset=utf 8","content length" "93","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","content security policy" "default src 'self' data ; img src 'self' https url lookup performs a url lookup in recorded future, providing threat intelligence data for the specified url endpoint url v2/url/{{url}} method get input argument name type required description path parameters url string required parameters for the url lookup action parameters fields array optional parameters for the url lookup action parameters metadata boolean optional parameters for the url lookup action parameters comment string optional parameters for the url lookup action input example {"parameters" {"fields" \["analystnotes","counts","enterpriselists","entity","links","metrics","relatedentities","risk","riskmapping","sightings","timestamps"],"metadata"\ true,"comment" "any comment"},"path parameters" {"url" "http //www swimlane com"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data analystnotes array response data data analystnotes file name string response data data analystnotes file string response data metadata object response data metadata entries array response data metadata 
entries key string response data metadata entries label string response data metadata entries item object response data metadata entries item entries array response data metadata entries item entries key string response data metadata entries item entries label string response data metadata entries item entries type string response data metadata entries item entries item object response data metadata entries item entries entries array response data metadata entries item type string response data metadata entries type string response data output example {"status code" 200,"response headers" {"date" "mon, 05 dec 2022 15 13 36 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive","cache control" "no cache, no store, private, must revalidate, max age=0, no transform","expires" "thu, 01 jan 1970 00 00 00 gmt","pragma" "no cache","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains","set cookie" "jsessionid=node018jn9idiwhfc2qk90vm793phq3945028 node response headers header description example cache control directives for caching mechanisms no cache, no store, private, must revalidate, max age=0, no transform cf cache status http response header cf cache status dynamic cf ray http response header cf ray 774e316b5bdd603c gru connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 93 content security policy http response header content security policy default src 'self' data ; img src 'self' https data blob ; script src 'self' 'unsafe inline' 'unsafe eval' cdn jsdelivr net; style src 'self' 'unsafe inline' fonts googleapis com cdn jsdelivr net; font src 'self' fonts gstatic com; worker src blob ; content type the media type of the resource application/json date the date and time at which the message was originated mon, 05 dec 2022 21 30 36 gmt expires the 
date/time after which the response is considered stale thu, 01 jan 1970 00 00 00 gmt pragma http response header pragma no cache server information about the software used by the origin server cloudflare set cookie http response header set cookie jsessionid=node0q6o1cz9zhvay1rpti0umi1vz11376067 node0; path=/rfq; secure; httponly strict transport security http response header strict transport security max age=31536000; includesubdomains transfer encoding http response header transfer encoding chunked x content type options http response header x content type options nosniff
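
The search alerts action states that limit + from cannot exceed 1000. The following added example (not part of the connector or of Recorded Future's own client code) pages through that action without breaking the window and reports when the total in `counts` is larger than what can be reached. `run_action` and `fake_search_alerts` are hypothetical names, the alert data is constructed, and `from` is assumed to be a zero-based offset.

```python
MAX_WINDOW = 1000  # from the page: limit + from cannot exceed 1000


def plan_pages(total, page_size=100):
    """Return (from, limit) pairs covering the reachable part of `total` results."""
    if not 1 <= page_size <= MAX_WINDOW:
        raise ValueError("page_size must be between 1 and %d" % MAX_WINDOW)
    reachable = min(total, MAX_WINDOW)
    return [(off, min(page_size, reachable - off))
            for off in range(0, reachable, page_size)]


def collect_alerts(run_action, filters=None, page_size=100):
    """Fetch every reachable alert; also report whether the window cut results off.

    run_action is a hypothetical callable: action input dict -> action output dict.
    """
    def page(offset, limit):
        params = dict(filters or {}, limit=limit)
        params["from"] = offset  # "from" is a Python keyword, so set it by key
        return run_action({"parameters": params})

    plan_pages(0, page_size)  # validate page_size before the first request
    first = page(0, page_size)
    total = first["counts"]["total"]
    alerts = list(first["data"])
    for offset, limit in plan_pages(total, page_size)[1:]:
        alerts.extend(page(offset, limit)["data"])
    return alerts, total > MAX_WINDOW


def fake_search_alerts(action_input, total=1250):
    """Constructed stand-in for the action: fake alerts, window enforced."""
    p = action_input["parameters"]
    if p["from"] + p["limit"] > MAX_WINDOW:
        raise ValueError("limit + from exceeds 1000")
    data = [{"id": "alert-%04d" % i}
            for i in range(p["from"], min(p["from"] + p["limit"], total))]
    return {"data": data, "counts": {"returned": len(data), "total": total}}


if __name__ == "__main__":
    alerts, truncated = collect_alerts(
        fake_search_alerts, {"statusinportal": "new"}, page_size=300)
    print(len(alerts), "alerts fetched; truncated by window:", truncated)
```

When the second return value is true, the remaining alerts are only reachable by narrowing the query with the action's own filters (for example triggered or alertrule) and paging each narrower query separately.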