How to write an Intelligence Card Extension

You can extend Recorded Future intelligence cards with integrations to other threat intelligence providers, enrichment services, and security products. This is achieved by defining an Extension that will run under the Recorded Future Extension API.

Screen_Shot_2018-04-23_at_1.41.51_PM.png

Above: example of some intelligence card extensions on the IP intelligence card for 31.210.111.154. 


The extension is implemented as a python program that makes requests to a remote web service*, based on input from the Recorded Future intelligence card and user credentials for the remote service. Analyst teams manage their own user credential settings for each extension, through the Recorded Future portal.

*required: the remote web service must have a REST API

 

Screen_Shot_2018-04-23_at_1.42.47_PM.png

Above: example of the Extension gallery where intelligence card extensions can be enabled/disabled.

Extension artifacts

An extension has four components:

1. A configuration file (extension.json) which contains information about the extension and specifies the names of the other required files.
2. A response metadata file (conventionally metadata.json) which specifies how the extension response data should be displayed in the intelligence card.
3. A python source code file which implements the query time logic of the extension.
4. Two logo image files

The extension may include additional python library files.

Packaging an Extension

Please package your extension as a tarball (a compressed archive file in TAR format.) All extension component files should be in the root directory of the archive.

Example command:
tar zcvf myExtension.tgz myPython.py myLogoThumbnail.png myLogoFull.png metadata.json extension.json 

Other notes

Attached to this support page is an example extension, fully packaged, that does a simple reverse DNS lookup.

Testing and Validation
Common Troubleshooting Issues

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Was this article helpful?
1 out of 1 found this helpful

Articles in this section