Overview
Recorded Future for XSOAR offers 3 different apps (packs): Recorded Future for XSOAR Intelligence, Recorded Future for XSOAR Feeds and Recorded Future Identity for XSOAR. Each app requires a specific API token from Recorded Future to function. Below describes the primary function of each app (pack).
Playbooks created by Recorded Future automation experts can be accessed on the Template Library page
Recorded Future for XSOAR Intelligence
This PAN content pack contains three integrations: Recorded Future v2, Recorded Future - Lists and Recorded Future - Playbook Alerts.
Recorded Future v2 is used to enrich IPs, domains, URLs, CVEs, and files and assess threats in regards to a specific context. This content related to this integration includes the following commands:
- Reputation look ups: Look up IOC reputation data from Recorded Future for URLs, CVEs, Hashes Domains, URLs, Vulnerabilities (Note: Vulnerability Module required for vulnerability look ups)
- Intelligence Actions: Fetch full Recorded Future intelligence
- Fetch Recorded Future Alerts including:
- List of alerts defined in your Recorded Future Enterprise
- Alert summaries for one or more Recorded Future alerting rules
- Full Recorded Future alert details for a single alert
- Change Recorded Future alert status
- Add notes to a single alert in Recorded Future
Recorded Future - Lists is used to used to add/search/remove entities from lists along with ability to search for lists. This content related to this integration includes the following commands:
- recordedfuture-lists-add-entities
- Add entities to a list
- Separate entities delimited by comma
- recordedfuture-lists-entities
- Get the entities that are currently in the given lists
- recordedfuture-lists-remove-entities
- Remove entities from a list
- Separate entities delimited by comma
- recordedfuture-lists-search
- Search for lists in Recorded Future
Recorded Future Playbook Alerts integration is used to Fetch & triage Recorded Future Playbook Alerts in XSOAR. This integration should be set up if clients have any playbook alerts set up in their Recorded Future Enterprise that they want to triage in XSOAR. Commands for this integration include:
- recordedfuture-playbook-alerts-details
- View details of a specific Recorded Future playbook alert
- Get Playbook alert details by id
- recordedfuture-playbook-alerts-update
- Update the status of one or multiple Playbook alerts
- recordedfuture-playbook-alerts-search
- View which Recorded Future playbook alerts are set up in Recorded Future enterprise to be brought into XSOAR
- Search playbook alerts based on filters
Recorded Future Collective Insights for XSOAR
Recorded Future Intelligence Cloud features are only available to clients running Recorded Future Intelligence for XSOAR v2.4+
Collective Insights can be enabled when setting up and instance of the Recorded Future Intelligence app for XSOAR integration. The setting for collective insights must be set to 'on'. This setting can be found when setting up the Recorded Future Intelligence for XSOAR app. Any IOC that is enriched using the Recorded Future 'intelligence' command in a playbook will be part of a client's Collective Insights and used to populate the SecOps Dashboard.
Recorded Future for XSOAR Intelligence: Marketplace Listing
Recorded Future for XSOAR Feeds
This app is used to access Recorded Future Threat Lists. Recorded Future threat are built for IPs, Hashes, Domains, URLs, and Vulnerabilities ((Note: Vulnerability Module required for vulnerability risk lists). More information about Recorded Future risk lists can be found here
Note: Using the Recorded Future for XSOAR Feeds App requires a PAN TIM License
Recorded Future for XSOAR Feeds App: Marketplace Listing
Recorded Future Identity for XSOAR
The Recorded Future for Identity for XSOAR enables security and IT teams to detect identity compromises, for both employees and customers, and respond confidently. Recorded Future’s integration for XSOAR continuously monitors for identity compromises, pulling in only those that align with the organization’s domain.
Watch a video of how to integrate.
The Recorded Future Identity for XSOAR has three commands:
- recordedfuture-identity-search - looking for email address related to you company
- recordedfuture-identity-lookup - get the details of a specific leaked credential
- recordedfuture-password-lookup - find out if a password is commonly used; note that this works with the full password hash, or just a prefix of the hash (i.e., first few characters of the hash, up to the full hash length. Note: it is recommended to use at least 6 of the first characters of the hash, otherwise accuracy of the lookup is not guaranteed).
The integration app is also bundled with some playbooks that can be used as templates for the most common use cases (workforce compromise monitoring, determining if customer logins are compromised, and creating incidents to follow up on remediation).
Recorded Future Identity for XSOAR: Marketplace Listing
Detailed documentation on the integration itself is available at this link.
System Requirements
If you are upgrading from Recorded Future for XSOAR v1.x.x or any version of Demisto to Recorded Future for XSOAR v2.x.x, you will need a new Recorded Future API token. To get a token for Recorded Future for XSOAR token, please fill out the following Recorded Future support form requesting a new integration API token for XSOAR.