Linking to Intelligence Cards

Recorded Future makes it straightforward to quickly navigate or link to Intelligence Cards for IP Addresses, Domains, and Hashes. These cards serve as a starting point for investigation or incident response, e.g., what can external threat intelligence from Recorded Future tell me about this observable?

The summary pages have a consistent URL structure, which makes it easy to deep link into Recorded Future from other systems.

The URL structure for these deep links to app.recordedfuture.com is:

  • /live/sc/entity/ip:<IP Address> Example

Please note: URLs to IP Intelligence Cards need to have leading zeros removed from IPv4 Addresses

  • /live/sc/entity/idn:<Internet Domain Name> Example
  • /live/sc/entity/hash:<Hash value> Example
  • /live/sc/entity/?name=< Vulnerability name or CVE number> Example 1Example 2


Clients who do not wish to expose the Intelligence Card details in the URL may instead POST a request to the following link with entity parameters in the body of the POST:

https://app.recordedfuture.com/live/sc/entity

For example, here is a simple HTML file illustrating this method; note the different "Name" field for CVEs compared to the other indicator types.

<html>
<body>
Hash,IP,IDN
<form method="post" action="https://app.recordedfuture.com/live/sc/entity">
<label>Entity id:<label><input type="text" name="id"/>
<button type="submit">Submit</button>
</form>
<br>
<br>
CVE
<form method="post" action="https://app.recordedfuture.com/live/sc/entity">
<label>Entity name:<label><input type="text" name="name"/>
<button type="submit">Submit</button>
</form>
</body>
</html>

Please note: Authenticated Recorded Future users will see the full Intelligence Card; non-Recorded Future users will see an abbreviated set of information on the Intelligence Card.

Was this article helpful?
0 out of 0 found this helpful

This content is confidential. Downloading or distributing this content is in violation of your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Have more questions? Submit a request

Comments

2 comments
  • Why does the Vuln Name URL have a ? before "name="?

  • Hi David, thanks for your inquiry! I've created a support ticket from this question and will work with you from there.

Please sign in to leave a comment. Please note that your name will be displayed. If you would like to change how your name appears, please update your profile name.