This article describes the Intelligence Card Extension that leverages Palo Alto Networks Cortex Data Lake (formerly known as the Application Framework).
About Palo Alto Networks Cortex
Cortex is a Palo Alto Networks product suite designed to provide advanced features and functionality to security operations teams. While there are now analytic, SOAR, and threat intelligence products included within the Cortex umbrella, it was originally focused on being a platform that gives third parties, such as Recorded Future, a way to develop apps that clients can easily turn on or off. At the heart of Cortex is a cloud-based data lake that includes firewall logs and directory services, along with APIs to let third parties read and write to the data lake. More information is available at https://www.paloaltonetworks.com/cortex.
To use this intelligence card extension, first log into the Palo Alto Networks apps site: https://apps.paloaltonetworks.com/apps.
Click on the "Recorded Future Lookup" app to enable it.
You should be prompted to log in to Recorded Future. After login, or if you are already logged in, you will see a simple "Activate" button. Click on it to activate the app.
Click "Allow" to grant Recorded Future permission to read from the logging service:
After successful activation of the app, you should see an "Activation Complete" message.
Within Recorded Future, assuming you have Extension Admin privileges, you can now enable the "Palo Alto Networks" extension by clicking "Enable":
Once enabled, the extension will appear on IP, Domain, URL, and Hash Intelligence Cards. For example, on the intelligence card for IP address 91.189.89.198:
The following will appear in the middle of the card:
Once clicked, the extension searches the logging service for the past 24 hours and shows details of any traffic matching this IP address:
Here is another example of the extension response, this time for IP address 8.8.8.8:
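To make the behaviour described above concrete, here is an added example (not code from Recorded Future or Palo Alto Networks, and not the Cortex Data Lake API or log schema) that performs the same kind of lookup locally: it takes an indicator of one of the four card types (IP, domain, URL, hash), restricts the search to a 24-hour lookback window, and returns the matching traffic records together with a per-source-host summary. The log records, field names, and the `lookup`/`summarize` helpers are all constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in a simplified firewall-traffic shape.
# This is NOT the Cortex Data Lake schema; it only illustrates the lookup.
# Indicator values reused from the examples on this page (91.189.89.198,
# 8.8.8.8, getfond.info, google.com); the hash is a placeholder value.
SAMPLE_LOGS = [
    {"time": "2020-05-01T09:15:00Z", "src": "10.0.0.5", "dst": "91.189.89.198", "app": "ssl"},
    {"time": "2020-05-01T10:02:00Z", "src": "10.0.0.7", "dst": "8.8.8.8", "app": "dns"},
    # Same destination, but two days old: outside the 24-hour window.
    {"time": "2020-04-29T08:00:00Z", "src": "10.0.0.5", "dst": "91.189.89.198", "app": "ssl"},
    {"time": "2020-05-01T11:30:00Z", "src": "10.0.0.9", "dst": "203.0.113.4", "domain": "getfond.info"},
    {"time": "2020-05-01T11:40:00Z", "src": "10.0.0.9", "dst": "203.0.113.4", "url": "http://getfond.info/index.php"},
    {"time": "2020-05-01T11:45:00Z", "src": "10.0.0.9", "dst": "203.0.113.4",
     "file_hash": "0123456789abcdef0123456789abcdef"},  # placeholder hash, constructed
    {"time": "2020-05-01T11:50:00Z", "src": "10.0.0.5", "dst": "203.0.113.4", "domain": "google.com"},
]

# Which record fields each Intelligence Card type is matched against.
# An IP indicator can appear as either endpoint of a flow, so both are checked.
INDICATOR_FIELDS = {
    "ip": ("src", "dst"),
    "domain": ("domain",),
    "url": ("url",),
    "hash": ("file_hash",),
}


def parse_time(value):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookup(logs, indicator_type, value, now, lookback=timedelta(hours=24)):
    """Return records within [now - lookback, now] whose relevant field equals the indicator.

    Comparison is case-insensitive so that hashes and hostnames match regardless
    of how the log source capitalised them.
    """
    fields = INDICATOR_FIELDS[indicator_type]
    start = now - lookback
    needle = value.lower()
    hits = []
    for rec in logs:
        ts = parse_time(rec["time"])
        if not (start <= ts <= now):
            continue  # outside the 24-hour window the card extension searches
        if any(rec.get(field, "").lower() == needle for field in fields):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count matching records per internal source host: the triage view an analyst wants."""
    counts = {}
    for rec in hits:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    now = parse_time("2020-05-01T12:00:00Z")  # constructed "current time"
    for kind, value in [("ip", "91.189.89.198"), ("ip", "8.8.8.8"),
                        ("domain", "getfond.info"), ("domain", "google.com")]:
        hits = lookup(SAMPLE_LOGS, kind, value, now)
        print(f"{kind} {value}: {len(hits)} match(es) in last 24h, by source {summarize(hits)}")
```

The lookback window is the important design point: the old 91.189.89.198 flow is deliberately dropped, which mirrors the card extension only reporting traffic from the past 24 hours; an analyst who needs older history would have to query the data lake directly rather than rely on the card.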
Here is an example from a Domain Intelligence Card (for getfond.info):
Here's another example (for google.com):