The extension configuration file must be named extension.json. It specifies the extension name, title, which intelligence card types (entity types) are supported, authentication info and points out the other artifacts needed for the extension.
Example
{
"name": "virustotal",
"title": "VirusTotal",
"supported_types": {
"Hash": "Search for scan reports that involve this hash",
"IpAddress": "Search for scan reports that involve this IP Address",
"InternetDomainName": "Search for scan reports that involve this Domain",
"URL": "Search for scan reports that involve this URL"
},
"access_type": "commercial",
"auto_run": false,
"authentication_fields": [
{
"key": "apikey",
"label": "apikey",
"type": "password",
"hint": "Enter VirusTotal apikey"
}
],
"source":"virustotal.py",
"libs": [
"lib1.py"
],
"metadata":"metadata.json",
"logo_full": "virustotalFull.png",
"logo_thumbnail": "virustotalThumbnail.png",
"acl" : {
"read" : {
"user": [
"user:role-module-threat-intelligence",
"user:role-module-geopolitics",
"user:role-module-third-party-risk"
]
}
}
}- name is the identification of the extension and must be unique. Please confirm with Recorded Future if you're concerned about the uniqueness of your proposed name. The name must also be a single word (underscores are allowed).
- title is a brief title for the extension.
- description is a longer description of the extension. We recommend that the description end with the last update date for the extension.
- supported_types is a dictionary from Recorded Future entity types that specifies for which entity types this extension can provide data. The value for each entity type in the supported_types dictionary shall describe what kind of data the extension will provide for the specific entity type. This text is shown in the intelligence card before the extension is run. Common entity types for intelligence card extensions include:
- IpAddress
- InternetDomainName
- URL
- Hash
- CyberVulnerability
- Malware
- access_type will auto-generate a message about the type of access needed for this extension as shown in the Extension Gallery. Accepted values are "commercial", "community", and "open"
- auto_run is a boolean value; true means the extension will run automatically as soon as the intelligence card is opened; false means it must be manually opened by the user.
- authentication_fields specifies which fields are needed for the authentication against the external service and how they shall be displayed in the Edit extension credentials page (see this support page on enabling an extension)
- position specifies the page flow position for the extension. Valid values are default (by omitting the key-value pair) and top. However, the value top is reserved for use by Recorded Future.
- source specifies the name of the extension source file.
- libs is optional; it's a list of any/all non-standard library files imported by the source code.
- metadata specifies the name of the extension metadata file.
- logo_full specifies the name of the extension logo image file.
- logo_thumbnail specifies the name of the extension logo thumbnail image file.
- acl specifies the module licenses that have access to this extension. The possible values include
"user:role-module-threat-intelligence",
"user:role-module-geopolitics",
"user:role-module-third-party-risk",
"user:role-module-secops",
"user:role-module-brand",
"user:role-module-vulnerability"