Recorded Future
The Recorded Future connector provides seamless access to a vast repository of threat intelligence, enabling users to enrich and analyze security data for informed decision making.

Recorded Future delivers cutting-edge threat intelligence directly into Swimlane Turbine's low-code security automation platform. This connector enables users to perform detailed lookups and bulk enrichments of alerts, domains, IPs, hashes, URLs, and vulnerabilities, providing a comprehensive risk analysis. By integrating with Recorded Future, Swimlane Turbine users gain access to actionable intelligence that informs security decisions, enhances incident response, and automates alert management. The connector's capabilities facilitate efficient identification and mitigation of identity threats, allowing security teams to prioritize and respond to risks with precision and speed. Leverage the power of Recorded Future's intelligence within Swimlane Turbine to streamline your security operations and reduce response times.

## Prerequisites

To effectively utilize the Recorded Future connector with Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication:
  - URL: the endpoint URL for the Recorded Future API.
  - API token: your unique authentication token to access the Recorded Future API.

## Limitations

None to date.

## Supported versions

This connector uses the "Connect API" from Recorded Future. Actions use v2 unless otherwise noted.

## Additional docs

- Recorded Future Connect API: https://api.recordedfuture.com/v2/
- rfapi-python: https://github.com/recordedfuture/rfapi-python

## Configuration

### Authentication methods

API key authentication:

- URL: the endpoint for the Recorded Future API.
- API token: your unique authentication token to access the Recorded Future API.

## Capabilities

Important: use bulk IOC enrichment when looking up multiple IOCs.

The Recorded Future connector has the following capabilities:

- Bulk IOC enrichment
- Search alert rules
- Search alert
- Search alert hits
- Search alert by ID
- Search update alert
- Get alert from an alert rule
- Search for an alert from an alert rule
- Lookup alert notification
- Get domain risk list
- List domain risk rules
- Get hash risk list
- List hash risk rules
- Get IP risk list
- List IP risk rules
- And so on

### Bulk IOC enrichment

This endpoint is designed for high-volume lookups of entities. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/soar/soar lookup of entities

### Search alert rules

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/alert rule search

### Search alert hits

This action uses the v3 API. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/alert notification hits lookup

### Search alert by ID

This action uses the v3 API. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/alert notification lookup

### Search update alert

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/alert notification update

### Search alert

Note: this action uses a deprecated API endpoint. It is recommended to use the v3 API endpoint for alert searches. Recorded Future's documentation for the deprecated action can be found here: https://api.recordedfuture.com/v2/#!/alerts/search alert notifications

The v3 API documentation can be found here: https://api.recordedfuture.com/v2/#!/alerts/triggered alerts

### Get alert from an alert rule

This action uses the v3 API. You can retrieve alerts associated with a specific alert rule by using the alertrule parameter. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/alert notification search

### Search for an alert from an alert rule

This action uses the v3 API. You can search for alerts associated with a specific alert rule by specifying the alertrule parameter. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/alert notification search

### Lookup alert notification

Note: this action uses the v2 API endpoint. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/alerts/lookup alert notification

### Get domain risk list

You can download the domain risk list in various formats, such as CSV or Splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/domain/domain risk lists

### List domain risk rules

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/domain/domain risk rules

### Get hash risk list

You can download the hash risk list in various formats, such as CSV or Splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/hash/hash risk lists

### List hash risk rules

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/hash/hash risk rules

### Get IP risk list

You can download the IP address risk list in various formats, such as CSV or Splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/ip/ip address risk lists

### List IP risk rules

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/ip/ip address risk rules

### Lookup (URL, IP, hash, and domain lookups)

These actions allow you to retrieve detailed intelligence on specific entities such as URLs, IP addresses, hashes, and domains. Recorded Future's documentation for these actions can be found at:

- Lookup URL: https://api.recordedfuture.com/v2/#!/url/lookup url
- Lookup IP address: https://api.recordedfuture.com/v2/#!/ip/lookup ip address
- Lookup hash: https://api.recordedfuture.com/v2/#!/hash/lookup hash
- Lookup domain: https://api.recordedfuture.com/v2/#!/domain/lookup domain

### Get URL risk list

You can download the URL risk list in various formats, such as CSV or Splunk, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/url/url risk lists

### List URL risk rules

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/url/url risk rules

### Lookup vulnerability

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability lookup

### Get vulnerability risk list

You can download the vulnerability risk list in various formats, such as CSV or Splunk+CPE, and choose to receive it compressed using gzip. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability risk lists

### List vulnerability risk rules

Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/vulnerability/vulnerability risk rules

### Get credentials leaked

This action allows you to retrieve references related to exposed credentials for a company. You can filter the results by risk category, such as exposedcredential, to focus on leaked credentials. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/company/company references

### Query IP extensions

This action retrieves extended details for an IP address, including specified extensions, from Recorded Future. Recorded Future's documentation for this action can be found here: https://api.recordedfuture.com/v2/#!/ip/ip address extension lookup

## Configurations

### API key authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| `url` | A URL to the target host | string | Required |
| `apikey` | API key | string | Required |
| `verify_ssl` | Verify SSL certificate | boolean | Optional |
| `http_proxy` | A proxy to route requests through | string | Optional |

## Actions

### Alert lookup

Retrieve detailed information for a specified alert in Recorded Future using its unique identifier.

- Endpoint URL: `v2/alert/{{id}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | string | Required | Unique identifier |
| `taggedtext` | boolean | Optional | Parameter for alert lookup |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `review` | object | Output field review |
| `assignee` | object | Output field assignee |
| `statusdate` | object | Status value |
| `statusinportal` | string | Status value |
| `status` | string | Status value |
| `notedate` | object | Date value |
| `statuschangeby` | object | Status value |
| `noteauthor` | object | Output field noteauthor |
| `note` | object | Output field note |
| `entities` | array | Output field entities |
| `trend` | object | Output field trend |
| `documents` | array | Output field documents |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `risk` | object | Output field risk |
| `criticalitylabel` | string | Output field criticalitylabel |
| `score` | object | Score value |
| `documents` | array | Output field documents |
| `source` | object | Output field source |
| `url` | object | URL endpoint for the request |
| `references` | array | Output field references |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 16:35:06 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node016hnx3pnie7pf1tvh7j74fpyza3994472 node0; path=/rfq; secure; http ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774e316b5bdd603c gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {}
    }
  }
]
```

### Bulk IOC enrichment

Enrich multiple indicators of compromise at once with Recorded Future's extensive threat intelligence data for improved security analysis.

- Endpoint URL: `v2/soar/enrichment`
- Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `ip` | array | Optional | Parameter for bulk IOC enrichment |
| `domain` | array | Optional | Parameter for bulk IOC enrichment |
| `url` | array | Optional | URL endpoint for the request |
| `hash` | array | Optional | Parameter for bulk IOC enrichment |
| `vulnerability` | array | Optional | Parameter for bulk IOC enrichment |

### Domain lookup

Retrieve detailed threat intelligence for a specified domain from Recorded Future, with the domain as a required path parameter.

- Endpoint URL: `v2/domain/{{domain}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for domain lookup |
| `fields` | array | Optional | Parameter for domain lookup |
| `metadata` | boolean | Optional | Response data |
| `comment` | string | Optional | Parameter for domain lookup |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `analystnotes` | array | Output field analystnotes |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `metadata` | object | Response data |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `type` | string | Type of the resource |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `type` | string | Type of the resource |
| `type` | string | Type of the resource |

example \[ { "status code" 200, "response headers" { "date" "mon, 05 dec 2022 15 20 06 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive", "cache 
control" "no cache, no store, private, must revalidate, max age=0, no transform", "expires" "thu, 01 jan 1970 00 00 00 gmt", "pragma" "no cache", "x content type options" "nosniff", "strict transport security" "max age=31536000; includesubdomains", "set cookie" "jsessionid=node0fd5obnu48hcl16apr2ibzkyva3942193 node0; path=/rfq; secure; httpo ", "content encoding" "gzip", "cf cache status" "dynamic", "server" "cloudflare", "cf ray" "774dc38e2ec9022b gru" }, "reason" "ok", "json body" { "data" {}, "metadata" {} } } ]

### Get domain risk list

Retrieve a list of domain risks from Recorded Future to gain insights into potential threats associated with domains.

- Endpoint URL: `v2/domain/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `format` | string | Optional | Parameter for get domain risk list |
| `gzip` | boolean | Optional | Parameter for get domain risk list |
| `list` | string | Optional | Parameter for get domain risk list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `attachments` | object | Output field attachments |

Example:

```json
[
  {
    "attachments": {}
  }
]
```

### Get domain risk rules

Retrieve associated risk rules for domains from Recorded Future to gain insights into potential threats.

- Endpoint URL: `v2/domain/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `results` | array | Result of the operation |
| `criticalitylabel` | string | Output field criticalitylabel |
| `description` | string | Output field description |
| `criticality` | number | Output field criticality |
| `relatedentities` | array | Output field relatedentities |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `name` | string | Name of the resource |
| `count` | number | Count value |
| `categories` | array | Output field categories |
| `name` | string | Name of the resource |
| `framework` | string | Output field framework |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 21:30:36 gmt",
      "content-type": "application/json;charset=utf-8",
      "content-length": "1929",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node017j68k3iqy4rm1f6fz8x1eq424168935 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774fe2489dc6520a gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get hash risk list

Retrieve a list of hash risk assessments from Recorded Future for insights into potential security threats.

- Endpoint URL: `v2/hash/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `format` | string | Optional | Parameter for get hash risk list |
| `gzip` | boolean | Optional | Parameter for get hash risk list |
| `list` | string | Optional | Parameter for get hash risk list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `attachments` | object | Output field attachments |

Example:

```json
[
  {
    "attachments": {}
  }
]
```

### Get hash risk rules

Retrieve risk rules for a specific hash from Recorded Future to assist in threat assessment and prioritization.

- Endpoint URL: `v2/hash/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `results` | array | Result of the operation |
| `criticalitylabel` | string | Output field criticalitylabel |
| `description` | string | Output field description |
| `categories` | array | Output field categories |
| `name` | string | Name of the resource |
| `framework` | string | Output field framework |
| `criticality` | number | Output field criticality |
| `relatedentities` | array | Output field relatedentities |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `name` | string | Name of the resource |
| `count` | number | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 21:18:14 gmt",
      "content-type": "application/json;charset=utf-8",
      "content-length": "827",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node01snqb93wfqqnebjs4mrvs63ig4157334 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774fd02b6f000319 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get identities | lookup subjects

Retrieve identities associated with subjects in Recorded Future using the provided JSON body.

- Endpoint URL: `identity/credentials/lookup`
- Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `subjects` | array | Optional | Parameter for get identities lookup subjects |
| `subjects_sha1` | array | Optional | Parameter for get identities lookup subjects |
| `subjects_login` | array | Optional | Parameter for get identities lookup subjects |
| `login` | string | Optional | Parameter for get identities lookup subjects |
| `login_sha1` | string | Optional | Parameter for get identities lookup subjects |
| `domain` | string | Optional | Parameter for get identities lookup subjects |
| `filter` | object | Optional | Parameter for get identities lookup subjects |
| `first_downloaded_gte` | string | Optional | Parameter for get identities lookup subjects |
| `latest_downloaded_gte` | string | Optional | Parameter for get identities lookup subjects |
| `exfiltration_date_gte` | string | Optional | Parameter for get identities lookup subjects |
| `properties` | array | Optional | Parameter for get identities lookup subjects |
| `breach_properties` | object | Optional | Parameter for get identities lookup subjects |
| `name` | string | Optional | Name of the resource |
| `date` | string | Optional | Date value |
| `dump_properties` | object | Optional | Parameter for get identities lookup subjects |
| `name` | string | Optional | Name of the resource |
| `date` | string | Optional | Date value |
| `username_properties` | array | Optional | Name of the resource |
| `authorization_technologies` | array | Optional | Parameter for get identities lookup subjects |
| `authorization_protocols` | array | Optional | Parameter for get identities lookup subjects |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `identities` | array | Unique identifier |
| `identity` | object | Unique identifier |
| `subjects` | array | Output field subjects |
| `count` | number | Count value |
| `credentials` | array | Output field credentials |
| `subject` | string | Output field subject |
| `dumps` | array | Output field dumps |
| `name` | string | Name of the resource |
| `description` | string | Output field description |
| `downloaded` | string | Output field downloaded |
| `type` | string | Type of the resource |
| `breaches` | array | Output field breaches |
| `name` | string | Name of the resource |
| `domain` | string | Output field domain |
| `type` | string | Type of the resource |
| `breached` | string | Output field breached |
| `start` | string | Output field start |
| `stop` | string | Output field stop |
| `precision` | string | Output field precision |
| `description` | string | Output field description |
| `site_description` | string | Output field site_description |
| `infrastructure` | object | Output field infrastructure |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 22:12:05 gmt",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cf-cache-status": "dynamic",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "server": "cloudflare",
      "cf-ray": "77501f0adb016b1a gru",
      "content-encoding": "gzip"
    },
    "reason": "ok",
    "json_body": {
      "identities": [],
      "count": 1
    }
  }
]
```

### Get identities | search domains

Retrieve identity information for specified domains from Recorded Future using a JSON body input.

- Endpoint URL: `identity/credentials/search`
- Method: POST

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `domains` | array | Optional | Parameter for get identities search domains |
| `domain_types` | array | Optional | Type of the resource |
| `filter` | object | Optional | Parameter for get identities search domains |
| `first_downloaded_gte` | string | Optional | Parameter for get identities search domains |
| `latest_downloaded_gte` | string | Optional | Parameter for get identities search domains |
| `exfiltration_date_gte` | string | Optional | Parameter for get identities search domains |
| `properties` | array | Optional | Parameter for get identities search domains |
| `breach_properties` | object | Optional | Parameter for get identities search domains |
| `name` | string | Optional | Name of the resource |
| `date` | string | Optional | Date value |
| `dump_properties` | object | Optional | Parameter for get identities search domains |
| `name` | string | Optional | Name of the resource |
| `date` | string | Optional | Date value |
| `username_properties` | array | Optional | Name of the resource |
| `authorization_technologies` | array | Optional | Parameter for get identities search domains |
| `authorization_protocols` | array | Optional | Parameter for get identities search domains |
| `offset` | string | Optional | Parameter for get identities search domains |
| `limit` | number | Optional | Parameter for get identities search domains |

### Get IP risk list

Retrieve a list of IP addresses with associated risk scores from Recorded Future for enhanced threat analysis.

- Endpoint URL: `v2/ip/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `format` | string | Optional | Parameter for get IP risk list |
| `gzip` | boolean | Optional | Parameter for get IP risk list |
| `list` | string | Optional | Parameter for get IP risk list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `attachments` | object | Output field attachments |

Example:

```json
[
  {
    "attachments": {}
  }
]
```

### Get URL risk list

Retrieve and analyze a list of URLs with risk scores from Recorded Future for enhanced threat prioritization.

- Endpoint URL: `v2/url/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `format` | string | Optional | Parameter for get URL risk list |
| `gzip` | boolean | Optional | Parameter for get URL risk list |
| `list` | string | Optional | Parameter for get URL risk list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `attachments` | object | Output field attachments |

Example:

```json
[
  {
    "attachments": {}
  }
]
```

### Get URL risk rules

Retrieve the list of risk rules applied to URLs from Recorded Future for enhanced threat analysis and informed decision making.

- Endpoint URL: `v2/url/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `results` | array | Result of the operation |
| `criticalitylabel` | string | Output field criticalitylabel |
| `description` | string | Output field description |
| `criticality` | number | Output field criticality |
| `relatedentities` | array | Output field relatedentities |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `name` | string | Name of the resource |
| `count` | number | Count value |
| `categories` | array | Output field categories |
| `name` | string | Name of the resource |
| `framework` | string | Output field framework |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 18:55:05 gmt",
      "content-type": "application/json;charset=utf-8",
      "content-length": "1115",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node01ntljhka8cig2g8w9rk2sb7gn4079571 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774efe7a09630124 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {}
    }
  }
]
```

### Get vulnerability risk list

Retrieve and prioritize a list of vulnerabilities with risk scores from Recorded Future.

- Endpoint URL: `v2/vulnerability/risklist`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `format` | string | Optional | Parameter for get vulnerability risk list |
| `gzip` | boolean | Optional | Parameter for get vulnerability risk list |
| `list` | string | Optional | Parameter for get vulnerability risk list |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `attachments` | object | Output field attachments |

Example:

```json
[
  {
    "attachments": {}
  }
]
```

### Get vulnerability risk rules

Retrieve a list of vulnerability risk rules from Recorded Future for enhanced security insights.

- Endpoint URL: `v2/vulnerability/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `results` | array | Result of the operation |
| `criticalitylabel` | string | Output field criticalitylabel |
| `description` | string | Output field description |
| `categories` | array | Output field categories |
| `name` | string | Name of the resource |
| `framework` | string | Output field framework |
| `criticality` | number | Output field criticality |
| `relatedentities` | array | Output field relatedentities |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `name` | string | Name of the resource |
| `count` | number | Count value |

example \[ { "status code" 200, "response headers" { "date" "mon, 05 dec 2022 21 39 33 gmt", "content type" "application/json;charset=utf 8", "content length" "1326", "connection" "keep alive", "cache control" "no cache, no store, private, must revalidate, max age=0, no transform", "expires" "thu, 01 jan 1970 00 00 00 gmt", "pragma" "no cache", "x content type options" "nosniff", "strict transport security" "max age=31536000; includesubdomains", "set cookie" "jsessionid=node0bno2qyhegmod18z4qv5haifgh4167508 node0; path=/rfq; secure; httpo ", "content encoding" "gzip", "cf cache status" "dynamic", "server" "cloudflare", "cf ray" "774fef605b574d15 gru" }, "reason" "ok", "json body" 
{ "data" {} } } ]

### Hash lookup

Retrieve threat intelligence data for a specified hash from Recorded Future, utilizing path parameters.

- Endpoint URL: `v2/hash/{{hash}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `hash` | string | Required | Parameter for hash lookup |
| `fields` | array | Optional | Parameter for hash lookup |
| `metadata` | boolean | Optional | Response data |
| `comment` | string | Optional | Parameter for hash lookup |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `analystnotes` | array | Output field analystnotes |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `metadata` | object | Response data |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `type` | string | Type of the resource |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `type` | string | Type of the resource |
| `type` | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 14:49:27 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node0zue821pxtbpm8k8iaalxgk8p3925540 node0; path=/rfq; secure; httpon ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774d96a67d4900f6 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {},
      "metadata": {}
    }
  }
]
```

### IP lookup

Retrieve comprehensive threat intelligence on an IP address from Recorded Future, including risk scores and related entities.

- Endpoint URL: `v2/ip/{{ip}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `ip` | string | Required | Parameter for IP lookup |
| `fields` | string | Optional | Parameter for IP lookup |
| `metadata` | boolean | Optional | Response data |
| `comment` | string | Optional | Parameter for IP lookup |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `analystnotes` | array | Output field analystnotes |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `metadata` | object | Response data |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `type` | string | Type of the resource |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `type` | string | Type of the resource |
| `type` | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 14:04:25 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node09l9ww6ixtnia1ma9kvawcg4hh3649789 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774d54af2fda01c2 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {},
      "metadata": {}
    }
  }
]
```

### List IP risk rules

Retrieve a list of IP risk rules from Recorded Future for insights into threats associated with IP addresses.

- Endpoint URL: `v2/ip/riskrules`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `results` | array | Result of the operation |
| `criticalitylabel` | string | Output field criticalitylabel |
| `description` | string | Output field description |
| `categories` | array | Output field categories |
| `name` | string | Name of the resource |
| `framework` | string | Output field framework |
| `criticality` | number | Output field criticality |
| `relatedentities` | array | Output field relatedentities |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `name` | string | Name of the resource |
| `count` | number | Count value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 18:36:15 gmt",
      "content-type": "application/json;charset=utf-8",
      "content-length": "1973",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node0hz75vvep08gxas7aete7u6s4071112 node0; path=/rfq; secure; httponl ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774ee2de4f501af7 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {}
    }
  }
]
```

### Lookup vulnerability

Retrieve detailed information on a specific vulnerability from Recorded Future using its unique identifier.

- Endpoint URL: `v2/vulnerability/{{id}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | string | Required | Unique identifier |
| `fields` | array | Optional | Parameter for lookup vulnerability |
| `metadata` | boolean | Optional | Response data |
| `comment` | string | Optional | Parameter for lookup vulnerability |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `analystnotes` | array | Output field analystnotes |
| `attributes` | object | Output field attributes |
| `validated_on` | string | Unique identifier |
| `published` | string | Output field published |
| `text` | string | Output field text |
| `topic` | object | Output field topic |
| `id` | string | Unique identifier |
| `name` | string | Name of the resource |
| `type` | string | Type of the resource |
| `description` | string | Output field description |
| `context_entities` | array | Output field context_entities |
| `id` | string | Unique identifier |
| `name` | string | Name of the resource |
| `type` | string | Type of the resource |
| `validation_urls` | array | URL endpoint for the request |
| `id` | string | Unique identifier |
| `name` | string | Name of the resource |
| `type` | string | Type of the resource |
| `title` | string | Output field title |
| `note_entities` | array | Output field note_entities |
| `id` | string | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 21:56:02 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node01knaoe0qzo9fivc0e4y5j2rbr4183315 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "7750076fca574b40 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {},
      "metadata": {}
    }
  }
]
```

### Malware lookup

Retrieve detailed malware information from Recorded Future using a unique malware identifier.

- Endpoint URL: `v2/malware/{{id}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `id` | string | Required | Unique identifier |
| `fields` | array | Optional | Parameter for malware lookup |
| `metadata` | boolean | Optional | Response data |
| `comment` | string | Optional | Parameter for malware lookup |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `data` | object | Response data |
| `analystnotes` | array | Output field analystnotes |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `metadata` | object | Response data |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `key` | string | Output field key |
| `label` | string | Output field label |
| `type` | string | Type of the resource |
| `item` | object | Output field item |
| `entries` | array | Output field entries |
| `type` | string | Type of the resource |
| `type` | string | Type of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "mon, 05 dec 2022 16:58:04 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node044kroehlurc4ek4pefoxgz2h4004105 node0; path=/rfq; secure; httpon ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774e530fdb0a1a92 gru"
    },
    "reason": "ok",
    "json_body": {
      "data": {},
      "metadata": {}
    }
  }
]
```

### Query IP extensions

Retrieve extended details and specific extensions for an IP address from Recorded Future using path parameters.

- Endpoint URL: `/v2/ip/{{ip}}/extension/{{extension}}`
- Method: GET

Input:

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| `metadata` | boolean | Optional | Include metadata |
| `ip` | string | Required | The IP address to lookup. Must be a single IP address |
| `extension` | string | Required | Extension to call |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "ok",
    "json_body": {}
  }
]
```
Search

Executes a search for Recorded Future alerts using specified filters and returns matching results.

Endpoint URL: v2/alert/search
Method: GET

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| triggered | string | optional | Parameter for search |
| assignee | string | optional | Parameter for search |
| freetext | string | optional | Parameter for search |
| limit | number | optional | Parameter for search |
| status | string | optional | Status value |
| alertrule | string | optional | Parameter for search |
| taggedtext | boolean | optional | Parameter for search |
| from | number | optional | Parameter for search |
| direction | string | optional | Parameter for search |
| orderby | string | optional | Parameter for search |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| results | array | Result of the operation |
| review | object | Output field review |
| assignee | object | Output field assignee |
| statusdate | object | Status value |
| statusinportal | string | Status value |
| status | string | Status value |
| notedate | object | Date value |
| statuschangeby | object | Status value |
| noteauthor | object | Output field noteauthor |
| note | object | Output field note |
| url | string | URL endpoint for the request |
| rule | object | Output field rule |
| name | string | Name of the resource |
| url | string | URL endpoint for the request |
| owner id | string | Unique identifier |
| owner name | string | Name of the resource |
| id | string | Unique identifier |
| organisation name | string | Name of the resource |
| organisation id | string | Unique identifier |
| triggered | string | Output field triggered |
| id | string | Unique identifier |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "mon, 05 dec 2022 14:10:44 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node0ycr5u0bob499jeiki407m61f3902973 node0; path=/rfq; secure; httpon ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774d5dee894451c5 gru"
    },
    "reason": "ok",
    "json body": {
      "data": {},
      "counts": {}
    }
  }
]
```

Search alert by ID

Retrieve details for a specific alert in Recorded Future using the unique identifier provided.

Endpoint URL: /v3/alerts/{{id}}
Method: GET

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Alert ID |
| fields | string | optional | Fields to include: ai insights, hits, id, log, owner organisation details, review, rule, title, type, url |
| taggedtext | boolean | optional | Parameter for search alert by id |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| hits | array | Output field hits |
| entities | array | Output field entities |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| document | object | Output field document |
| source | object | Output field source |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| title | string | Output field title |
| url | object | URL endpoint for the request |
| authors | array | Output field authors |
| file name | string | Name of the resource |
| file | string | Output field file |
| fragment | string | Output field fragment |
| id | string | Unique identifier |
| language | string | Output field language |
| primary entity | object | Output field primary entity |
| id | string | Unique identifier |
| name | string | Name of the resource |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "thu, 01 feb 2024 09:11:22 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "content-security-policy": "default-src 'self' data:; img-src 'self' https: data: blob:; script-src 'self' ' ",
      "set-cookie": "jsessionid=node01wvd8zpd1pobxjil19vtbpezi1226314 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "84e9110bbaa4849e bom"
    },
    "reason": "ok",
    "json body": {
      "data": {}
    }
  }
]
```

Search alert rules

Retrieve a list of alert rules from Recorded Future based on specified criteria, enabling targeted security responses.

Endpoint URL: /v2/alert/rule
Method: GET

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| freetext | string | optional | Parameter for search alert rules |
| limit | number | optional | Parameter for search alert rules |
| taggedtext | boolean | optional | Parameter for search alert rules |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| results | array | Result of the operation |
| intelligence goals | array | Output field intelligence goals |
| file name | string | Name of the resource |
| file | string | Output field file |
| priority | boolean | Output field priority |
| tags | array | Output field tags |
| file name | string | Name of the resource |
| file | string | Output field file |
| use case id | object | Unique identifier |
| id | string | Unique identifier |
| owner | object | Output field owner |
| name | string | Name of the resource |
| id | string | Unique identifier |
| title | string | Output field title |
| created | string | Output field created |
| notification settings | object | Output field notification settings |
| email subscribers | array | Output field email subscribers |
| file name | string | Name of the resource |
| file | string | Output field file |
| mobile subscribers | array | Output field mobile subscribers |
| file name | string | Name of the resource |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "mon, 05 dec 2022 17:03:37 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node017juks5vmnh5k1rk5152a1k3et4022289 node0; path=/rfq; secure; http ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774e5b2e7ad26b1a gru"
    },
    "reason": "ok",
    "json body": {
      "data": {},
      "counts": {}
    }
  }
]
```

Search alerts

Retrieve triggered alerts from Recorded Future using specified criteria to streamline threat analysis.

Endpoint URL: /v3/alerts/
Method: GET

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| triggered | string | optional | Filter on triggered timestamp, using time queries and ranges |
| assignee | string | optional | Assignee email, or 'none' to match notifications without an assignee |
| statusinportal | string | optional | Filter on status (as used in the portal) |
| alertrule | string | optional | Filter on alert rule ID |
| freetext | string | optional | Freetext search |
| limit | number | optional | Maximum number of references from which notes are fetched, at most 1000 |
| from | number | optional | Offset from first result. The API may only return the first 1000 results, meaning limit + from cannot exceed 1000 |
| taggedtext | boolean | optional | Enables tags in text fragments |
| orderby | string | optional | Sort order |
| direction | string | optional | Sort direction |
| fields | string | optional | Fields to include: ai insights, hits, id, log, owner organisation details, review, rule, title, type, url |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| file name | string | Name of the resource |
| file | string | Output field file |
| counts | object | Output field counts |
| returned | number | Output field returned |
| total | number | Output field total |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "thu, 01 feb 2024 08:57:04 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "content-security-policy": "default-src 'self' data:; img-src 'self' https: data: blob:; script-src 'self' ' ",
      "set-cookie": "jsessionid=node0aj2s5ygdy9icnrd6tvke7wo41211204 node0; path=/rfq; secure; httpon ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "84e8fc124a22849e bom"
    },
    "reason": "ok",
    "json body": {
      "data": [],
      "counts": {}
    }
  }
]
```

Search alerts hits

Retrieve Intelligence Cloud data hits from Recorded Future that triggered alerts, filtered by specific alert IDs.

Endpoint URL: /v3/alerts/hits
Method: GET

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ids | string | required | Alert IDs separated by comma |
| taggedtext | boolean | optional | Parameter for search alerts hits |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| document | object | Output field document |
| source | object | Output field source |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| title | string | Output field title |
| url | object | URL endpoint for the request |
| authors | array | Output field authors |
| file name | string | Name of the resource |
| file | string | Output field file |
| fragment | string | Output field fragment |
| id | string | Unique identifier |
| language | string | Output field language |
| index | number | Output field index |
| entities | array | Output field entities |
| id | string | Unique identifier |
| name | string | Name of the resource |
| type | string | Type of the resource |
| alert id | string | Unique identifier |
| primary entity | object | Output field primary entity |
| id | string | Unique identifier |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "thu, 01 feb 2024 09:04:01 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "content-security-policy": "default-src 'self' data:; img-src 'self' https: data: blob:; script-src 'self' ' ",
      "set-cookie": "jsessionid=node0djuf4zi3522xmb83gs69kmy01216841 node0; path=/rfq; secure; httpon ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "84e906477abc849e bom"
    },
    "reason": "ok",
    "json body": {
      "data": []
    }
  }
]
```

Search update alert

Updates assignee, status, and notes for Recorded Future alerts based on a provided JSON body.

Endpoint URL: /v2/alert/update
Method: POST

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | Unique identifier |
| assignee | object | optional | Parameter for search update alert |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | array | Whether the operation was successful |
| id | string | Unique identifier |
| status | string | Status value |
| statusinportal | string | Status value |
| error | array | Error message if any |
| file name | string | Name of the resource |
| file | string | Output field file |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "thu, 01 feb 2024 11:24:41 gmt",
      "content-type": "application/json;charset=utf-8",
      "content-length": "93",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "content-security-policy": "default-src 'self' data:; img-src 'self' https: data: blob:; script-src 'self' ' ",
      "set-cookie": "jsessionid=node0q6o1cz9zhvay1rpti0umi1vz11376067 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "84e9d44ccec01bdd bom"
    },
    "reason": "ok",
    "json body": {
      "success": [],
      "error": []
    }
  }
]
```

URL lookup

Performs a URL lookup in Recorded Future to provide threat intelligence data for the specified URL.

Endpoint URL: v2/url/{{url}}
Method: GET

Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| url | string | required | URL endpoint for the request |
| fields | array | optional | Parameter for url lookup |
| metadata | boolean | optional | Response data |
| comment | string | optional | Parameter for url lookup |

Output

| Output parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| analystnotes | array | Output field analystnotes |
| file name | string | Name of the resource |
| file | string | Output field file |
| metadata | object | Response data |
| entries | array | Output field entries |
| key | string | Output field key |
| label | string | Output field label |
| item | object | Output field item |
| entries | array | Output field entries |
| key | string | Output field key |
| label | string | Output field label |
| type | string | Type of the resource |
| item | object | Output field item |
| entries | array | Output field entries |
| type | string | Type of the resource |
| type | string | Type of the resource |

Example

```json
[
  {
    "status code": 200,
    "response headers": {
      "date": "mon, 05 dec 2022 15:13:36 gmt",
      "content-type": "application/json;charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "cache-control": "no-cache, no-store, private, must-revalidate, max-age=0, no-transform",
      "expires": "thu, 01 jan 1970 00:00:00 gmt",
      "pragma": "no-cache",
      "x-content-type-options": "nosniff",
      "strict-transport-security": "max-age=31536000; includesubdomains",
      "set-cookie": "jsessionid=node018jn9idiwhfc2qk90vm793phq3945028 node0; path=/rfq; secure; httpo ",
      "content-encoding": "gzip",
      "cf-cache-status": "dynamic",
      "server": "cloudflare",
      "cf-ray": "774dba0c89baa4db gru"
    },
    "reason": "ok",
    "json body": {
      "data": {},
      "metadata": {}
    }
  }
]
```

Response headers

| Header | Description | Example |
| --- | --- | --- |
| cache-control | Directives for caching mechanisms | no-cache, no-store, private, must-revalidate, max-age=0, no-transform |
| cf-cache-status | HTTP response header cf-cache-status | dynamic |
| cf-ray | HTTP response header cf-ray | 774d5dee894451c5 gru |
| connection | HTTP response header connection | keep-alive |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 1115 |
| content-security-policy | HTTP response header content-security-policy | default-src 'self' data:; img-src 'self' https: data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com; worker-src blob:; |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | mon, 05 dec 2022 15:20:06 gmt |
| expires | The date/time after which the response is considered stale | thu, 01 jan 1970 00:00:00 gmt |
| pragma | HTTP response header pragma | no-cache |
| server | Information about the software used by the origin server | cloudflare |
| set-cookie | HTTP response header set-cookie | jsessionid=node01ntljhka8cig2g8w9rk2sb7gn4079571 node0; path=/rfq; secure; httponly |
| strict-transport-security | HTTP response header strict-transport-security | max-age=31536000; includesubdomains |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
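The search alerts action above states that the API may only return the first 1000 results, so limit + from cannot exceed 1000. The following is an added example, not connector or Recorded Future code: it plans offset pages that stay inside that window and reports how many alerts fall outside it, so a playbook can narrow its filter instead of silently missing alerts. The function names, the in-memory `make_fake_fetch` stand-in, its alert ids and its error on an out-of-window request are assumptions constructed for the example.

```python
from typing import Callable, Dict, List, Tuple

MAX_WINDOW = 1000  # from the page: limit + from cannot exceed 1000


def plan_pages(total: int, page_size: int) -> List[Tuple[int, int]]:
    """Return (from, limit) pairs covering the reachable part of `total` results."""
    if not 1 <= page_size <= MAX_WINDOW:
        raise ValueError("page_size must be between 1 and 1000")
    reachable = min(max(total, 0), MAX_WINDOW)
    pages, offset = [], 0
    while offset < reachable:
        limit = min(page_size, reachable - offset)  # shrink the last page to fit
        pages.append((offset, limit))
        offset += limit
    return pages


def collect_alerts(fetch: Callable[[Dict], Dict], page_size: int = 100) -> Dict:
    """Page through alerts with a caller-supplied fetch(params) -> json body.

    Assumption: the body has the 'data' list and 'counts' {'returned', 'total'}
    listed in the action's output table, and each alert carries an 'id'.
    """
    first = fetch({"from": 0, "limit": min(page_size, MAX_WINDOW)})
    total = first["counts"]["total"]
    seen, alerts = set(), []

    def keep(items):
        for item in items:
            if item["id"] not in seen:  # new alerts can shift offsets between calls
                seen.add(item["id"])
                alerts.append(item)

    keep(first["data"])
    for offset, limit in plan_pages(total, page_size)[1:]:
        body = fetch({"from": offset, "limit": limit})
        if not body["data"]:
            break
        keep(body["data"])
    # Anything past the window needs a narrower filter (for example `triggered`).
    return {"alerts": alerts, "total": total,
            "unreachable": max(total - MAX_WINDOW, 0)}


def make_fake_fetch(n_alerts: int) -> Callable[[Dict], Dict]:
    """Constructed in-memory stand-in for the action; not the real service."""
    store = [{"id": f"alert-{i:04d}"} for i in range(n_alerts)]

    def fetch(params: Dict) -> Dict:
        if params["from"] + params["limit"] > MAX_WINDOW:
            raise ValueError("limit + from exceeds 1000")  # assumed failure mode
        page = store[params["from"]: params["from"] + params["limit"]]
        return {"data": page, "counts": {"returned": len(page), "total": n_alerts}}

    return fetch


if __name__ == "__main__":
    result = collect_alerts(make_fake_fetch(1240), page_size=300)
    print(len(result["alerts"]), result["total"], result["unreachable"])
```

A non-zero `unreachable` value means the query matched more alerts than the window can return; splitting the `triggered` time range into smaller ranges and running one collection per range brings each query back under the limit.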