Recorded Future has developed a library of template playbooks that can be used in Splunk SOAR as a starting point for leveraging intelligence in your automation processes. These playbooks are built to provide guidance as you build use case-specific playbooks. Client configuration is required to get playbooks running in client environments.
This page contains both certified and Beta playbooks. The purpose of the Beta playbooks is to distribute Splunk SOAR assets built by the Recorded Future Professional Services team while those playbooks and other Splunk SOAR assets are pending certification by Splunk for inclusion in the Recorded Future for Splunk SOAR Splunkbase listing.
Below is information on playbooks, requirements, and certification status.
| Playbook Name | Playbook Description | Solution Brief | Modules | Assets | Certified? |
|---|---|---|---|---|---|
| Artifact Enrichment [BETA] | This playbook enriches ingested artifacts that contain file hashes, IP addresses, domain names, or URLs in some of the most common CEF fields. The enrichment pulls a variety of threat intelligence details from Recorded Future into the investigation, allowing further analysis and contextual actions. | Artifact Enrichment.pdf | SecOps Intelligence, Threat Intelligence | recorded_future_artifact_enrichment.tgz (compatible with versions 4.1.0 and later) | No |
| Recorded Future Sandbox Submission [BETA] | This playbook is designed to run on containers created by the polling feature of the EWS for Office 365 app, which monitors an email inbox, ingests emails, and submits any attached files to Recorded Future for analysis. | | SecOps Intelligence, Threat Intelligence | recorded_future_email_sandbox_detonation.tgz (compatible with versions 4.1.0 and later) | No |
| Threat Hunting [BETA] | Starting with a single IP address, this playbook gathers a list of linked IP addresses, domain names, file hashes, URLs, and vulnerability CVEs from Recorded Future. Splunk is then used to build threat hunting lookup tables and search across multiple data sources for events containing the linked entities. Finally, IP addresses are blocked if approved by an analyst, and an email is sent to notify a responder of the activity. | Threat Hunting.pdf | SecOps Intelligence, Threat Intelligence, Vulnerability Intelligence | recorded_future_threat_hunting.tgz (compatible with versions 4.1.0 and later) | No |
| Automated Hunting with Recorded Future Threat Maps [BETA] | recorded_future_threat_map_pull: recorded_future_threat_map_actor_hunt: | Configuration Guide- Automated Hunting with Recorded Future Threat Maps.pdf | SecOps Intelligence, Threat Intelligence | recorded_future_threat_map_actor_hunt.tgz, recorded_future_threat_map_pull.tgz (compatible with version 4.3.0) | No |
| Leaked Credential Alert Handling [BETA] | Template playbook showing suggested steps to triage leaked credential alerts. | Leaked Credential.pdf | Brand Intelligence | recorded_future_leaked_credentials_handling.tgz (compatible with versions 4.1.0 and later) | No |
| Typosquat Alert Handling [BETA] | Template playbook showing suggested steps to triage typosquat alerts. | Typosquat.pdf | Brand Intelligence | recorded_future_typosquat_handling.tgz (compatible with versions 4.1.0 and later) | No |
| Vulnerability Alert Handling [BETA] | Template playbook showing suggested steps to triage new critical vulnerability alerts. The playbook covers both New and Critical CVEs. | Vulnerability.pdf | Vulnerability Intelligence | recorded_future_vulnerability_alert_handling.tgz (compatible with versions 4.1.0 and later) | No |
| Vulnerability Playbook Alert Handling [BETA] | Template playbook showing suggested steps to triage Recorded Future's vulnerability playbook alerts. | Vulnerability.pdf | Vulnerability Intelligence | recorded_future_vulnerability_pb_alert_handling.tgz (compatible with versions 4.1.0 and later) | No |
| Utilize List API [BETA] | Two template playbooks demonstrating how to maintain Recorded Future watch lists. The Update List playbook is used as a sub-playbook in other automation workflows and will either add or remove an entity based on its input. The Vulnerability Watch List playbook demonstrates using that sub-playbook to add and remove hypothetical vulnerability scan results to and from a Vulnerability Watch List. | Update Watchlists.pdf | SecOps Intelligence, Threat Intelligence, Vulnerability Intelligence (for the vulnerability playbook) | recorded_future_update_list.tgz, recorded_future_update_vulnerability_list.tgz (compatible with versions 4.2.0 and later) | No |