Recorded Future for Cortex XSIAM

Overview:

There are five different content packs pertaining to Recorded Future available in the marketplace of Cortex XSIAM. Each content pack contains integration(s) and requires different API token(s) from Recorded Future for activation. Please find more details about each content pack below.

1. Recorded Future Intelligence
   • The following 4 integrations can added from this content pack:
     • Recorded Future Event Collector
     • Recorded Future - Lists (Partner Contribution)
     • Recorded Future - Playbook Alerts (Partner Contribution)
     • Recorded Future v2 (Partner Contribution)
2. Recorded Future Identity
   • The following integration can be added from this content pack
     • Recorded Future Identity (Partner Contribution)
3. Recorded Future Attack Surface Intelligence
   • The following integration can be added from  this content pack
     • Recorded Future Attack Surface Intelligence (Partner Contribution)
4. Recorded Future Feed
   • The following integration can be added from this content pack
     • Recorded Future RiskList Feed
5. Hatching Triage
   • The following integration can be added from this content pack
     • Hatching Triage (Partner Contribution)

Recorded Future Event Collector

This integration is intended to fetch alerts from Recorded Future into Cortex XSIAM and is supported by Palo Alto Networks.

Available Actions:

• Gets events from Recorded Future

Note: This integration fetches alerts from the new alerts v3 endpoint

Recorded Future - Lists (Partner Contribution)

This integration is intended to search and manage watchlists in Recorded Future from within Cortex XSIAM and is supported by Recorded Future.

Available Actions:

• Search action
  • Search and filter available list in Recorded Future
• Add entity to list action
  • Add entities to lists using Recorded Future entity ids, or base your addition on freetext name and relevant entity type
• Remove entities from list action
  • Remove entities from lists using Recorded Future entity IDs, or base your addition on freetext name and relevant entity type.
• Fetch entities from lists
  • Fetch all entities of any number of given lists. Use search command to find unique list IDs.

Recorded Future - Playbook Alerts (Partner Contribution)

This integration is intended to fetch & update Playbook Alerts from Recorded Future and is supported by Recorded Future.

Available Actions:

• Search action
  • Search and filter Playbook alerts from Recorded Future to find what is available
  • Searches for the last 24 hours by default
• Details action
  • Provide a Playbook alert id and retrieve the details of that alert
• Update action
  • Update the status of Playbook alerts in Recorded Future

Recorded Future v2 (Partner Contribution)

This integration is intended to fetch real time intelligence and alerts from Recorded Future and is supported by Recorded Future.

Available Actions:

• Reputation actions
  • Using the new Recorded Future SOAR Enrichment API.
  • Available actions: ip, domain, url, file(hashes), cve.
• Intelligence action
  • Fetches full information for the entity.
  • Supports IPs, Domains, URLs, Files(hashes), Vulnerabilities(cve), Malwares.
• Malware search action
• Alert actions
  • Fetch alerting rules defined at Recorded Future.
  • Fetch alert summaries from one or more alerting rules.
  • Set alert status in Recorded Future
  • Set alert note in Recorded Future
• Threat assessment action
  • Takes a context, such as phishing or malware and one or more IOC as input.
  • Outputs a verdict (true/false) and related evidence (risk rules) for this context.

Recorded Future Identity (Partner Contribution)

This integration is intended to provide access to Identity Intelligence from Recorded Future and is supported by Recorded Future.

Available Actions:

• Identity actions
  • Search for identities
  • Lookup for specific identity
  • Password lookup

Recorded Future Attack Surface Intelligence (Partner Contribution)

This integration is intended to provide access to Attack Surface Intelligence from Recorded Future and is supported by Recorded Future.

Available Actions:

• Gets the issues for a project from a particular snapshot (defaults to recent)

Recorded Future RiskList Feed

This integration is intended to ingest risk lists from Recorded Future and is not supported by either Recorded Future or Palo Alto Networks. 

Available Actions:

• Gets indicators from the feed
• Get a list of the risk rules available for an indicator

Hatching Triage (Partner Contribution)

This integration is intended to submit samples to Recorded Future Sandbox for detonation and view analysis reports and is supported by Recorded Future.

Available Actions:

• Creates a new key that can be used to make API calls on behalf of the specified user. The user should have been granted the access_api permission beforehand.
• Create a new profile
• Creates a new user and returns it. The user will become a member of the company the requesting user is a member of
• Delete the user's API key with the specified name
• Update the profile with the specified ID or name. The stored profile is overwritten, so it is important that the submitted profile has all fields, with the exception of the ID
• Deletes a sample from the sandbox
• Delete a user and all associated data, invalidating any sessions and removing their API keys. Any samples submitted by this user are kept
• Lists all API keys that the user has
• Retrieves files dumped by the sample. The names can be found under the "dumped" section from the triage report output
• Retrieves the output of the kernel monitor
• Retrieves the PCAP of the analysis for further manual analysis
• List all profiles that your company has
• Retrieves the generated Triage behavioral report for a single task
• Pulls back basic information about the sample id given
• Gets a summary report of the sample id provided
• Get the static analysis of a sample
• Return all users within the company as a paginated list. Returns a single user if a userID is provided
• Get a list of all samples either private or public
• Get a list of private and public samples matching the search query
• When a sample is in the static_analysis status, a profile should be selected in order to continue
• Submits a file or url for analysis
• Update an existing profile

FAQ:

1. Can I use the same Recorded Future API token for all the integrations under different content packs in Cortex XSIAM ?
No. Each content pack requires a different API token from Recorded Future with the only exception for Events Collector integration under Recorded Future Intelligence content pack which requires a different API token separate from the integrations.

2. What is the difference between fetching alerts from Recorded Future via Events Collector integration vs Recorded Future v2 (Partner Contribution) integration ?

Event Collector use the built-in unified data model along with correlation rules to create alerts map incoming event data to alert fields within the platform. v2 utilizes the traditional mapper/classifier/incident type to create alerts and map event data to alert fields

3. I transitioned from Cortex XSOAR to XSIAM. What are the differences in the behaviour of different integrations between XSOAR and XSIAM

The following components have been tested (in the playground) to work with both XSOAR and XSIAM:

Known Limitations:

1. The Events Collector integration only support classic alerts from Recorded Future

2. The Playbook alerts from Recorded Future - Playbook Alerts (Partner Contribution) content pack doesn't work out of the box and require custom configuration