Recorded Future Lookup for Palo Alto Network Cortex Datalake

This article describes the Intelligence Card Extension that leverages the Palo Alto Networks Cortex Data Lake (formerly known as the Application Framework).

Important June 2023 Update: After several discussions with our partner Palo Alto Networks and internal teams, we have decided to no longer support this integration in its current form.


About Palo Alto Networks Cortex

Cortex is a Palo Alto Networks product suite designed to provide advanced features and functionality to security operations teams. While the Cortex umbrella now includes analytics, SOAR, and threat intelligence products, it was originally focused on being a platform that gives third parties, such as Recorded Future, a way to develop apps that clients can easily turn on or off. At the heart of Cortex is a cloud-based data lake that holds firewall logs and directory services data, along with APIs that let third parties read from and write to the data lake. More information is available at https://www.paloaltonetworks.com/cortex.

To use this intelligence card extension, first log into the Palo Alto Networks apps site: https://apps.paloaltonetworks.com/apps

Click on the "Recorded Future Lookup" app to enable it.

(Screenshot: Step1.jpg)

You should be prompted to log in to Recorded Future. After login, or if you are already logged in, you will see a simple "Activate" button. Click it to activate the app.

(Screenshot: Step2.jpg)

Click "Allow" to grant Recorded Future permission to read from the logging service:

(Screenshot: Step3.jpg)

After successful activation of the app, you should see an "Activation Complete" message.

(Screenshot: Step4.jpg)

Within Recorded Future, assuming you have Extension Admin privileges, you can now enable the "Palo Alto Networks" extension by clicking "Enable":

(Screenshot: mceclip1.png)

Once enabled, the extension appears on IP, Domain, URL, and Hash Intelligence Cards. For example, on the intelligence card for IP address 91.189.89.198:

(Screenshot: mceclip5.png)

The following will appear in the middle of the card:

(Screenshot: mceclip0.png)

Once clicked, the extension searches the logging service over the past 24 hours and shows details of any traffic matching this IP address:

(Screenshot: mceclip4.png)
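To make concrete what a "last 24 hours" indicator lookup against firewall traffic logs does, here is an added example in Python. It is not the Recorded Future extension's code and it does not call the Cortex Data Lake API; the record fields (src_ip, dst_ip, time_generated, action, app) and the log records themselves are constructed for this illustration, and real Cortex schemas differ. It filters records to the time window, matches the indicator as either source or destination, and summarizes the hits by action and direction, which is the distinction an analyst wants from the card (an allowed outbound connection to a flagged IP means more than a denied inbound probe from it).

```python
"""Illustrative 24-hour IP indicator lookup over firewall traffic logs.

Added example, not the extension's own code. Field names and sample
records are constructed assumptions, not a real Cortex Data Lake schema.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Iterable

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2020, 8, 24, 11, 30, tzinfo=timezone.utc)

# Constructed sample traffic records; not real logs.
SAMPLE_LOGS = [
    {"time_generated": NOW - timedelta(hours=2), "src_ip": "10.1.2.3",
     "dst_ip": "91.189.89.198", "action": "allow", "app": "web-browsing"},
    # Older than 24 hours: must be excluded by the window filter.
    {"time_generated": NOW - timedelta(hours=30), "src_ip": "10.1.2.3",
     "dst_ip": "91.189.89.198", "action": "allow", "app": "ssl"},
    # Indicator as the source: inbound attempt that the firewall denied.
    {"time_generated": NOW - timedelta(minutes=5), "src_ip": "91.189.89.198",
     "dst_ip": "10.9.9.9", "action": "deny", "app": "ssh"},
    {"time_generated": NOW - timedelta(hours=1), "src_ip": "10.1.2.4",
     "dst_ip": "8.8.8.8", "action": "allow", "app": "dns"},
]


def lookup_ip(indicator: str, logs: Iterable[dict], now: datetime = NOW,
              window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return records inside the window where the IP is source or destination.

    Results are newest first, matching how a card would present them.
    """
    cutoff = now - window
    hits = [rec for rec in logs
            if rec["time_generated"] >= cutoff
            and indicator in (rec["src_ip"], rec["dst_ip"])]
    return sorted(hits, key=lambda r: r["time_generated"], reverse=True)


def summarize(indicator: str, hits: list[dict]) -> dict:
    """Count hits by firewall action and by direction relative to the indicator.

    "outbound" means an internal host connected to the indicator (dst_ip);
    "inbound" means the indicator initiated the connection (src_ip).
    """
    summary = {"total": 0, "allowed": 0, "denied": 0, "outbound": 0, "inbound": 0}
    for rec in hits:
        summary["total"] += 1
        summary["allowed" if rec["action"] == "allow" else "denied"] += 1
        summary["outbound" if rec["dst_ip"] == indicator else "inbound"] += 1
    return summary


if __name__ == "__main__":
    hits = lookup_ip("91.189.89.198", SAMPLE_LOGS)
    for rec in hits:
        print(rec["time_generated"].isoformat(), rec["src_ip"], "->",
              rec["dst_ip"], rec["action"], rec["app"])
    print(summarize("91.189.89.198", hits))
```

Running the block lists the two in-window records for 91.189.89.198 (the 30-hour-old record is dropped) and prints a summary of one allowed outbound and one denied inbound connection.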

Here is another example of the extension response, this time for IP address 8.8.8.8:

(Screenshot: Screen_Shot_2020-08-24_at_11.29.42_AM.png)

Here is an example from a Domain Intelligence Card (for getfond.info):

(Screenshot: mceclip6.png)

Here's another example (for google.com):

(Screenshot: Screen_Shot_2020-08-24_at_11.35.04_AM.png)

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.