Recorded Future V2
The Recorded Future Connector enables access to Recorded Future Intelligence. The connector has dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash) and associated context (Risk Score, Risk Rules, Intelligence Card Link and High Confidence Evidence Based Links), Vulnerabilities and Recorded Future Alerts, and enables access to the Recorded Future SOAR API and Fusion Files.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Copilot Studio | Premium | All Power Automate regions |
| Logic Apps | Standard | All Logic Apps regions |
| Power Apps | Premium | All Power Apps regions |
| Power Automate | Premium | All Power Automate regions |
| Contact | |
|---|---|
| Name | Recorded Future Support |
| URL | https://support.recordedfuture.com |
| Email | support@recordedfuture.com |
| Connector Metadata | |
|---|---|
| Publisher | Recorded Future |
| Website | https://www.recordedfuture.com |
| Privacy Policy | https://www.recordedfuture.com/privacy-policy/ |
| Categories | AI;Data |
Recorded Future V2
The Recorded Future integration allows real-time security intelligence to be integrated into popular Microsoft services like Sentinel, Defender ATP, and others. This empowers our clients to maximize their existing security investments, ensuring they have real-time intelligence to secure their cloud environments and reduce risk to the organization. The Recorded Future connector for Microsoft Azure enables access to dedicated actions for pulling Recorded Future indicators (IP, Domain, URL, Hash, Vulnerabilities), associated context (Risk Score, Risk Rules, High Confidence Links, and an Intelligence Card Link), Recorded Future Alerts, Playbooks Alerts, Threat Map, Threat Indicators and Detection Rules.
Publisher: Recorded Future
What's new?
- Recorded Future's Threat Actor Threat Map
- Recorded Future's Malware Threat Map
- Recorded Future's Threat Indicators for Actors
- Recorded Future's Threat Indicators for Malware
Prerequisites
To enable the Recorded Future for Microsoft Azure integration, users must be provisioned with a Recorded Future API token. Please reach out to your account manager to obtain the necessary API token.
How to get credentials
Recorded Future requires API keys to communicate with our API. To obtain API keys, start a 30-day free trial of Recorded Future for Microsoft Sentinel, or visit Recorded Future Requesting API Tokens (requires a Recorded Future login) and request an API token for Recorded Future for Microsoft Sentinel and/or Recorded Future Sandbox for Microsoft Sentinel.
Supported Operations
This connector is used to pull Recorded Future indicators, alerts, playbook alerts, threat map, threat indicators and detection rules:
- Recorded Future RiskLists and SCF Download - Download Recorded Future Risk Lists and Security Control Feeds
- IP Enrichment - Enrich an IP with Recorded Future data.
- Domain Enrichment - Enrich a domain with Recorded Future data.
- URL Enrichment - Enrich a URL with Recorded Future data.
- Hash Enrichment - Enrich a hash with Recorded Future data.
- Vulnerability Enrichment - Enrich a vulnerability with Recorded Future data.
- SOAR API - Multi-Entity Enrichment - Enrich multiple entities at once (Specific Access is Required)
- Search Triggered Alerts - List Alert Notifications by a set of search parameters.
- Get Triggered Alerts by ID - Get the alert details of a triggered alert
- Search Alert Rules - List alert rules by name
- Search Alert Notification (Deprecated) - Deprecated
- Get Alert Notification by ID (Deprecated) - Deprecated
- Search Playbook Alerts - List playbook alerts based on a set of search parameters
- Get Playbook Alert by ID - Get the alert details of a playbook alert
- Fetch Threat Map actors - Fetch Threat Map data for the enterprise's primary organization with filters.
- Fetch Threat Map malware - Fetch Threat Map data for the enterprise's primary organization with filters.
- Fetch Threat indicators for Actors in STIX format - Fetch Threat Indicators for Actors in STIX format.
- Fetch Threat Indicators for Malware in STIX format - Fetch Threat Indicators for Malware in STIX format.
- Search Detection Rules (Preview) - Get detection rules matching a search filter
Examples of Solutions for Microsoft Sentinel
Install guide of solutions using this connector: Recorded Future Solutions for Microsoft Sentinel
Known issues and limitations
N/A
Creating a connection
The connector supports the following authentication types:
| Name | Description | Applicable regions | Shareable |
|---|---|---|---|
| Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This connection is not shareable. If the Power App is shared with another user, that user will be prompted to create a new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| API Key | securestring | The API Key for this api | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
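The limit above is per connection, so a playbook that enriches indicators one at a time will hit it after 100 lookups in a minute. The following is an added example (not connector or Recorded Future code) of a client-side sliding-window throttle that keeps a loop of lookups under the documented 100 calls per 60 seconds; the enrichment call it wraps is a constructed stand-in, and the clock and sleep functions are injectable so the waiting behaviour can be checked without actually waiting.

```python
"""Sliding-window throttle for the documented limit of 100 API calls per
connection per 60-second renewal period.  Added example, not connector or
Recorded Future code; `fake_enrich` stands in for an Enrichment action."""
from collections import deque
import time

CALLS_PER_PERIOD = 100   # "API calls per connection" from the Throttling Limits table
PERIOD_SECONDS = 60.0    # renewal period from the same table


class ConnectionThrottle:
    """Never allow more than `calls` calls inside any `period`-second window."""

    def __init__(self, calls=CALLS_PER_PERIOD, period=PERIOD_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.calls = calls
        self.period = period
        self.clock = clock
        self.sleep = sleep
        self.sent = deque()  # monotonic timestamps of calls still inside the window

    def _expire(self, now):
        # Drop timestamps that have aged out of the window.
        while self.sent and now - self.sent[0] >= self.period:
            self.sent.popleft()

    def wait_time(self):
        """Seconds to wait before the next call stays within the limit (0.0 if none)."""
        now = self.clock()
        self._expire(now)
        if len(self.sent) < self.calls:
            return 0.0
        return self.period - (now - self.sent[0])

    def acquire(self):
        """Block until a slot is free, record the call, and return how long we waited."""
        delay = self.wait_time()
        if delay > 0:
            self.sleep(delay)
        self.sent.append(self.clock())
        return delay


def enrich_all(indicators, throttle, call):
    """Enrich each indicator through `call`, honouring the throttle.
    Returns (results_by_indicator, total_seconds_waited)."""
    results = {}
    waited = 0.0
    for ioc in indicators:
        waited += throttle.acquire()
        results[ioc] = call(ioc)
    return results, waited


class FakeClock:
    """Deterministic clock for demonstration: sleep() just advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def fake_enrich(ioc):
    # Constructed stand-in for the IP/Domain/URL/Hash Enrichment action response.
    return {"data": {"risk": {"score": 0}}}


if __name__ == "__main__":
    clock = FakeClock()
    throttle = ConnectionThrottle(clock=clock.now, sleep=clock.sleep)
    # 250 single-indicator lookups need two full renewal periods of waiting.
    results, waited = enrich_all([f"198.51.100.{i}" for i in range(250)], throttle, fake_enrich)
    print(len(results), "calls,", waited, "seconds spent waiting")
```

Where many entities need enriching at once, the SOAR API multi-entity action listed under Supported Operations is the better fit, since one call covers a whole batch instead of consuming one slot per indicator.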
Actions
| Action | Description |
|---|---|
| Domain Enrichment | Enrich a domain with Recorded Future data |
| Fetch Threat Indicators for Actors in STIX format | Fetch Threat Indicators for Actors in STIX format. |
| Fetch Threat Indicators for Malware in STIX format | Fetch Threat Indicators for Malware in STIX format. |
| Fetch Threat Map actors | Fetch Threat Map data for the enterprise's primary organization with filters. |
| Fetch Threat Map malware | Fetch Threat Map data for the enterprise's primary organization with filters. |
| Get Alert Notification by ID (Deprecated) | Deprecated, use /v2/alerts/{id} instead. Get the alert details of a triggered alert |
| Get Playbook Alert by ID | Get the alert details of a playbook alert |
| Get Triggered Alerts by ID | Get the alert details of a triggered alert |
| Hash Enrichment | Enrich a hash with Recorded Future data |
| IP Enrichment | Enrich an IP with Recorded Future data |
| Recorded Future RiskLists and SCF Download | Download Recorded Future Risk Lists and Security Control Feeds |
| Search Alert Notifications (Deprecated) | Deprecated, use /v2/alerts instead. List Alert Notifications by a set of search parameters |
| Search Alert Rules | List alert rules by name |
| Search Detection Rules | Get detection rules matching a search filter |
| Search Playbook Alerts | List playbook alerts based on a set of search parameters |
| Search Triggered Alerts | List Alert Notifications by a set of search parameters |
| SOAR API - Multi-Entity Enrichment | Enrich multiple entities at once (Specific Access is Required) |
| URL Enrichment | Enrich a URL with Recorded Future data |
| Vulnerability Enrichment | Enrich a vulnerability with Recorded Future data |
Domain Enrichment
Enrich a domain with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Domain input | domain | True | string | The domain to look up. Must be a single domain |
| Fields | fields | True | string | Comma-separated list of fields to return in the response |
| IntelligenceCloud | IntelligenceCloud |  | boolean | Share correlation and enrichment data with the Recorded Future Intelligence Cloud. Default value: true |
| HTML response | htmlresponse |  | boolean | Include an HTML template in the response |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card Link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | data.risk.score | integer | Recorded Future Indicator Risk Score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future Indicator Risk Rules |
| riskSummary | data.risk.riskSummary | string | Recorded Future Risk Rules Summary |
| links | data.links | Links | High Confidence Evidence Based Links |
| html_response | data.html_response | string |  |
Fetch Threat Indicators for Actors in STIX format
Fetch Threat Indicators for Actors in STIX format.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| actors | actors |  | array of string |  |
| categories | categories |  | array of string |  |
| watchlists | watchlists |  | array of string |  |
| trigger_score_ip | trigger_score_ip |  | integer |  |
| trigger_score_url | trigger_score_url |  | integer |  |
| trigger_score_domain | trigger_score_domain |  | integer |  |
| trigger_score_hash | trigger_score_hash |  | integer |  |
| valid_until_delta_hours | valid_until_delta_hours |  | integer |  |
| threat_hunt_description | threat_hunt_description |  | string |  |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | ThreatHuntActors |  |
Fetch Threat Indicators for Malware in STIX format
Fetch Threat Indicators for Malware in STIX format.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| malware | malware |  | array of string |  |
| categories | categories |  | array of string |  |
| watchlists | watchlists |  | array of string |  |
| trigger_score_ip | trigger_score_ip |  | integer |  |
| trigger_score_url | trigger_score_url |  | integer |  |
| trigger_score_domain | trigger_score_domain |  | integer |  |
| trigger_score_hash | trigger_score_hash |  | integer |  |
| valid_until_delta_hours | valid_until_delta_hours |  | integer |  |
| threat_hunt_description | threat_hunt_description |  | string |  |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | ThreatHuntMalware |  |
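Both STIX actions above return indicator objects with the fields listed under the ThreatHuntActors and ThreatHuntMalware definitions (type, id, pattern, pattern_type, valid_from, valid_until, confidence, labels). Before such indicators are pushed into a threat-intelligence store, a playbook normally drops expired or low-confidence ones and pulls the observable value out of the STIX pattern. The following is an added example (not connector or Recorded Future code) that does this post-processing; the indicator objects are constructed, the reference time is fixed, and the confidence floor is a hypothetical local policy.

```python
"""Post-processing of the STIX indicator objects returned by the two
'Fetch Threat Indicators ... in STIX format' actions.  Added example, not
connector or Recorded Future code; sample indicators are constructed."""
import re
from datetime import datetime, timezone

# One STIX 2.1 comparison expression, e.g. [ipv4-addr:value = '198.51.100.7']
# or [file:hashes.'SHA-256' = '...'].  Compound patterns (AND/OR) do not match.
_SINGLE_COMPARISON = re.compile(r"^\[\s*([a-z0-9-]+:[^\s=]+)\s*=\s*'([^']*)'\s*\]$")


def _stix_time(value):
    """Parse a STIX timestamp such as 2024-01-10T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_observable(indicator):
    """Return (object_path, value) for a single-comparison 'stix' pattern, else None."""
    if indicator.get("pattern_type", "stix") != "stix":
        return None
    m = _SINGLE_COMPARISON.match(indicator.get("pattern", ""))
    return (m.group(1), m.group(2)) if m else None


def usable_indicators(indicators, now, min_confidence=50):
    """Keep indicators that are currently valid and meet the confidence floor,
    flattened to the fields an ingestion step needs.  Indicators whose pattern
    cannot be reduced to one observable are returned separately so that they
    are not lost silently."""
    kept, unparsed = [], []
    for ind in indicators:
        if ind.get("type") != "indicator":
            continue
        if int(ind.get("confidence", 0)) < min_confidence:
            continue
        valid_from, valid_until = ind.get("valid_from"), ind.get("valid_until")
        if valid_from and _stix_time(valid_from) > now:
            continue  # not yet valid
        if valid_until and _stix_time(valid_until) <= now:
            continue  # expired
        observable = extract_observable(ind)
        if observable is None:
            unparsed.append(ind["id"])
            continue
        kept.append({
            "id": ind["id"],
            "object_path": observable[0],
            "value": observable[1],
            "confidence": ind.get("confidence"),
            "labels": list(ind.get("labels", [])),
            "valid_until": valid_until,
        })
    return kept, unparsed


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample shaped like the documented ThreatHuntActors entries.
SAMPLE_INDICATORS = [
    {"type": "indicator", "id": "indicator--0001", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "confidence": 80, "labels": ["malicious-activity"],
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--0002", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[domain-name:value = 'example.test']",
     "confidence": 90, "labels": ["malicious-activity"],
     "valid_from": "2023-12-01T00:00:00Z", "valid_until": "2024-01-10T00:00:00Z"},  # expired
    {"type": "indicator", "id": "indicator--0003", "spec_version": "2.1",
     "pattern_type": "stix", "pattern": "[url:value = 'http://example.test/p']",
     "confidence": 20, "labels": [],
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},  # low confidence
    {"type": "indicator", "id": "indicator--0004", "spec_version": "2.1",
     "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000004']",
     "confidence": 75, "labels": ["malicious-activity"],
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--0005", "spec_version": "2.1",
     "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '203.0.113.6']",
     "confidence": 70, "labels": [],
     "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},  # compound
]

if __name__ == "__main__":
    kept, unparsed = usable_indicators(SAMPLE_INDICATORS, NOW)
    for item in kept:
        print(item["object_path"], item["value"], item["confidence"])
    print("needs manual handling:", unparsed)
```

Because the page lists valid_until as a returned field, the expiry check keys off that value rather than off the download time; an indicator fetched today can still be past its validity if the feed was cached.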
Fetch Threat Map actors
Fetch Threat Map data for the enterprise's primary organization with filters.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| actors | actors | True | array of string | List of actors |
| categories | categories | True | array of string | List of categories |
| watchlists | watchlists | True | array of string | List of watchlists |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | ThreatMapActors |  |
Fetch Threat Map malware
Fetch Threat Map data for the enterprise's primary organization with filters.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| malware | malware | True | array of string | List of malware |
| categories | categories | True | array of string | List of categories |
| watchlists | watchlists | True | array of string | List of watchlists |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | ThreatMapMalware |  |
Get Alert Notification by ID (Deprecated)
Deprecated, use /v2/alerts/{id} instead. Get the alert details of a triggered alert
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Alert Notification ID | id | True | string | Alert Notification ID |
Returns
- Body
- AlertLookup
Get Playbook Alert by ID
Get the alert details of a playbook alert
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Playbook Alert ID | id | True | string | The Playbook Alert ID |
Returns
- Body
- PlaybookAlertLookup
Get Triggered Alerts by ID
Get the alert details of a triggered alert
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Alert Notification ID | id | True | string | Alert Notification ID |
| Fields to include | fields |  | string | Field(s) to include, e.g. "id, hits". Returns all if not specified. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | AlertSearchV2 |  |
Hash Enrichment
Enrich a hash with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| HASH input | hash | True | string | The HASH to look up. Must be a single HASH |
| Fields | fields | True | string | Comma-separated list of fields to return in the response |
| IntelligenceCloud | IntelligenceCloud |  | boolean | Share correlation and enrichment data with the Recorded Future Intelligence Cloud. Default value: true |
| HTML response | htmlresponse |  | boolean | Include an HTML template in the response |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card Link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | data.risk.score | integer | Recorded Future Indicator Risk Score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future Indicator Risk Rules |
| riskSummary | data.risk.riskSummary | string | Recorded Future Risk Rules Summary |
| links | data.links | Links | High Confidence Evidence Based Links |
| html_response | data.html_response | string |  |
IP Enrichment
Enrich an IP with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| IP input | ip | True | string | The IP address to look up. Must be a single IP address |
| Fields | fields | True | string | Comma-separated list of fields to return in the response |
| IntelligenceCloud | IntelligenceCloud |  | boolean | Share correlation and enrichment data with the Recorded Future Intelligence Cloud. Default value: true |
| HTML response | htmlresponse |  | boolean | Include an HTML template in the response |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card Link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | data.risk.score | integer | Recorded Future Indicator Risk Score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future Indicator Risk Rules |
| riskSummary | data.risk.riskSummary | string | Recorded Future Risk Rules Summary |
| links | data.links | Links | High Confidence Evidence Based Links |
| html_response | data.html_response | string |  |
Recorded Future RiskLists and SCF Download
Download Recorded Future Risk Lists and Security Control Feeds
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Path to file | path | True | string | Path to file |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
|  |  | array of object |  |
| Name | Name | string |  |
| Risk | Risk | integer |  |
| RiskString | RiskString | string |  |
| EvidenceDetails | EvidenceDetails.EvidenceDetails | array of object |  |
| Rule | EvidenceDetails.EvidenceDetails.Rule | string |  |
| EvidenceString | EvidenceDetails.EvidenceDetails.EvidenceString | string |  |
| CriticalityLabel | EvidenceDetails.EvidenceDetails.CriticalityLabel | string |  |
| Timestamp | EvidenceDetails.EvidenceDetails.Timestamp | integer |  |
| MitigationString | EvidenceDetails.EvidenceDetails.MitigationString | string |  |
| Criticality | EvidenceDetails.EvidenceDetails.Criticality | integer |  |
Search Alert Notifications (Deprecated)
Deprecated, use /v2/alerts instead. List Alert Notifications by a set of search parameters
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Triggered | triggered |  | string | All Elasticsearch compatible date formats are valid. |
| Alert Rule ID | alertRule | True | string | Alert Rule ID |
| Maximum number of records | limit |  | integer | Maximum number of records |
| Records from offset | from |  | integer | Records from offset |
Returns
- Body
- AlertSearch
Search Alert Rules
List alert rules by name
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Freetext search | freetext |  | string | Freetext search for Alert Rule Name |
| Maximum number of records | limit |  | integer | Maximum number of records |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| results | data.results | array of object | Results |
| Alert Rule Title | data.results.title | string | Title |
| Alert Rule ID | data.results.id | string | Id |
| Returned Number of Alert Rules | counts.returned | integer | Returned |
| Total Number of Alert Rules | counts.total | integer | Total |
Search Detection Rules
Get detection rules matching a search filter
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| types | types |  | array of string | List of detection rule types to include in the response |
| entities | entities |  | array of string | List of entities that the detection rules must be related to |
| before | before |  | date-time | Limit the response to detection rules created before this date. Example: 2023-06-01T18:00:00Z |
| after | after |  | date-time | Limit the response to detection rules created after this date |
| Limit | limit |  | integer | Limit the number of returned detection rules |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| Detection Rule Count | count | integer | Count |
| Detection Rules | result | array of object | Detection Rules |
| id | result.id | string |  |
| type | result.type | string |  |
| title | result.title | string |  |
| description | result.description | string |  |
| rules | result.rules | array of object |  |
| name | result.rules.name | string |  |
| description | result.rules.description | string |  |
| file_name | result.rules.file_name | string |  |
| entities | result.rules.entities | array of object |  |
| id | result.rules.entities.id | string |  |
| type | result.rules.entities.type | string |  |
| name | result.rules.entities.name | string |  |
| display_name | result.rules.entities.display_name | string |  |
| content | result.rules.content | string |  |
| created | result.created | string |  |
| updated | result.updated | string |  |
Search Playbook Alerts
List playbook alerts based on a set of search parameters
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Limit | limit |  | string | Limit the number of playbook alerts returned |
| entities | entities |  | array of string | A list of entities |
| statuses | statuses |  | array of string | A list of alert statuses |
| priorities | priorities |  | array of string | A list of alert priorities |
| categories | categories |  | array of string | A list of alert categories |
| Relative created from | created_from_relative |  | string | Limit the response to playbook alerts created at most this many minutes, hours or days ago. Defaults to all time. |
| Relative created until | created_until_relative |  | string | Limit the response to playbook alerts created at the latest this many minutes, hours or days ago. Defaults to '-0' (now). |
| Relative updated from | updated_from_relative |  | string | Limit the response to playbook alerts updated at most this many minutes, hours or days in the past. Defaults to '-1d' (one day back). |
| Relative updated until | updated_until_relative |  | string | Limit the response to playbook alerts updated at the latest this many minutes, hours or days in the past. Defaults to '-0' (now). |
Returns
Playbook Alerts matching the search criteria
- Items
- PlaybookAlertSearch
Search Triggered Alerts
List Alert Notifications by a set of search parameters
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Triggered | triggered |  | string | The timeframe for which to include triggered alerts. E.g. -24h or -2d |
| Alert Rule ID | alertRule |  | string | Only return alerts triggered for the specified alert rule id. |
| Maximum number of records | limit |  | integer | Limits the number of returned alerts. |
| Records from offset | from |  | integer | Records from offset |
| Fields to include | fields |  | string | Field(s) to include, e.g. "id, hits". Returns all if not specified. |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| data | data | array of AlertSearchV2 |  |
| returned | counts.returned | integer |  |
| total | counts.total | integer |  |
SOAR API - Multi-Entity Enrichment
Enrich multiple entities at once (Specific Access is Required)
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| ip | ip |  | array of string | Ip |
| url | url |  | array of string | Url |
| domain | domain |  | array of string | Domain |
| hash | hash |  | array of string | Hash |
| vulnerability | vulnerability |  | array of string | Vulnerability |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| returned | counts.returned | integer |  |
| total | counts.total | integer |  |
| results | data.results | array of object |  |
| id | data.results.entity.id | string |  |
| name | data.results.entity.name | string |  |
| type | data.results.entity.type | string |  |
| context | data.results.risk.context | object |  |
| level | data.results.risk.level | number |  |
| rule | data.results.risk.rule | object |  |
| score | data.results.risk.score | number |  |
URL Enrichment
Enrich a URL with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| URL input | url | True | string | The URL to look up. Must be a single URL |
| Fields | fields | True | string | Comma-separated list of fields to return in the response |
| IntelligenceCloud | IntelligenceCloud |  | boolean | Share correlation and enrichment data with the Recorded Future Intelligence Cloud. Default value: true |
| HTML response | htmlresponse |  | boolean | Include an HTML template in the response |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future Indicator Criticality Level |
| score | data.risk.score | integer | Recorded Future Indicator Risk Score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future Indicator Risk Rules |
| riskSummary | data.risk.riskSummary | string | Recorded Future Risk Rules Summary |
| links | data.links | Links | High Confidence Evidence Based Links |
| html_response | data.html_response | string |  |
Vulnerability Enrichment
Enrich a vulnerability with Recorded Future data
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
| Vulnerability ID (CVE, name) input | id | True | string | The Vulnerability ID (CVE, name) to look up. Must be a single Vulnerability ID (CVE, name) |
| Fields | fields | True | string | Comma-separated list of fields to return in the response |
| IntelligenceCloud | IntelligenceCloud |  | boolean | Share correlation and enrichment data with the Recorded Future Intelligence Cloud. Default value: true |
| HTML response | htmlresponse |  | boolean | Include an HTML template in the response |
Returns
| Name | Path | Type | Description |
|---|---|---|---|
| intelCard | data.intelCard | string | Recorded Future Intelligence Card Link |
| criticalityLabel | data.risk.criticalityLabel | string | Recorded Future Vulnerability Criticality Level |
| score | data.risk.score | integer | Recorded Future Vulnerability Risk Score |
| evidenceDetails | data.risk.evidenceDetails | array of object | Evidence details |
| evidenceString | data.risk.evidenceDetails.evidenceString | string | Recorded Future Risk Rules Evidence Details |
| rule | data.risk.evidenceDetails.rule | string | Recorded Future Vulnerability Risk Rules |
| riskSummary | data.risk.riskSummary | string | Recorded Future Risk Rules Summary |
| links | data.links | Links | High Confidence Evidence Based Links |
| html_response | data.html_response | string |  |
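The five Enrichment actions (IP, Domain, URL, Hash and Vulnerability) share the return shape documented above: a risk score and criticality label, one entry per matched risk rule under data.risk.evidenceDetails, and high-confidence linked entities under data.links in the two sections of the Links definition. The following is an added example (not connector or Recorded Future code) of a triage step a playbook could run on that response; the sample response, the rule names in it and the score thresholds are constructed for illustration.

```python
"""Triage of an Enrichment action response using only its documented return
fields (data.risk.score, data.risk.criticalityLabel, data.risk.evidenceDetails[],
data.links.technical/research.entities[], data.intelCard).  Added example, not
connector or Recorded Future code; thresholds and sample data are constructed."""
from dataclasses import dataclass, field

# Hypothetical local policy thresholds on the risk score; tune per playbook.
BLOCK_AT = 65
REVIEW_AT = 25

# Value for the action's `fields` parameter so that the paths read below are populated.
TRIAGE_FIELDS = "risk,intelCard,links"


@dataclass
class Verdict:
    entity: str
    action: str                                   # "allow", "review" or "block"
    score: int
    criticality: str
    rules: list = field(default_factory=list)     # names of matched risk rules
    linked: list = field(default_factory=list)    # (type, name) of linked entities
    intel_card: str = ""


def triage(response, entity):
    """Decide what a playbook should do with `entity` given its enrichment response.
    Any field may be absent (it depends on `fields` and on what is known about the
    entity), so missing keys degrade to 'allow' instead of raising."""
    data = response.get("data") or {}
    risk = data.get("risk") or {}
    score = int(risk.get("score") or 0)
    criticality = risk.get("criticalityLabel") or "None"
    rules = [e["rule"] for e in (risk.get("evidenceDetails") or []) if e.get("rule")]

    linked = []
    links = data.get("links") or {}
    for section in ("technical", "research"):     # the two sections of the Links definition
        for ent in (links.get(section) or {}).get("entities") or []:
            linked.append((ent.get("type"), ent.get("name")))

    if score >= BLOCK_AT:
        action = "block"
    elif score >= REVIEW_AT or rules:
        action = "review"                         # a low score with evidence still merits a look
    else:
        action = "allow"
    return Verdict(entity, action, score, criticality, rules, linked, data.get("intelCard") or "")


# Constructed sample shaped like a Domain Enrichment response; rule names are made up.
SAMPLE_RESPONSE = {
    "data": {
        "intelCard": "https://intel.example.invalid/card/example.test",
        "risk": {
            "criticalityLabel": "Malicious",
            "score": 72,
            "riskSummary": "2 risk rules currently observed (constructed).",
            "evidenceDetails": [
                {"rule": "Constructed Rule: Recent C2 Observation",
                 "evidenceString": "Seen as a C2 endpoint in constructed sample data."},
                {"rule": "Constructed Rule: Historical Phishing Host",
                 "evidenceString": "Hosted a phishing page in constructed sample data."},
            ],
        },
        "links": {
            "technical": {"start_date": "2024-01-01", "stop_date": "2024-01-14",
                          "entities": [{"type": "IpAddress", "name": "198.51.100.7",
                                        "score": 70, "category": "Infrastructure"}]},
            "research": {"start_date": "", "stop_date": "", "entities": []},
        },
    }
}

if __name__ == "__main__":
    verdict = triage(SAMPLE_RESPONSE, "example.test")
    print(verdict.action, verdict.score, verdict.criticality)
    for rule in verdict.rules:
        print(" rule:", rule)
    for kind, name in verdict.linked:
        print(" linked:", kind, name)
```

The linked entities are worth carrying into the incident as well: when the enriched domain resolves to an IP that Recorded Future already links to it with high confidence, that IP is a candidate for the same block or review decision.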
Definitions
Links
High Confidence Evidence Based Links
| Name | Path | Type | Description |
|---|---|---|---|
| startDate | technical.start_date | string | Link start date |
| stopDate | technical.stop_date | string | Link stop date |
| entities | technical.entities | array of LinkEntities | Related entities |
| startDate | research.start_date | string | Link start date |
| stopDate | research.stop_date | string | Link stop date |
| entities | research.entities | array of LinkEntities | Related entities |
LinkEntities
| Name | Path | Type | Description |
|---|---|---|---|
| type | type | string | Entity type |
| name | name | string | Entity name |
| score | score | integer | Risk score |
| category | category | string | Entity category |
AlertSearchV2
| Name | Path | Type | Description |
|---|---|---|---|
| review | review | AlertReviewV2 |  |
| owner_organisation_details | owner_organisation_details | AlertOwnerV2 |  |
| url | url | AlertURLV2 |  |
| rule | rule | AlertRuleV2 |  |
| alert_id | id | AlertID |  |
| hits | hits | AlertHitsV2 |  |
| log | log | AlertLogV2 |  |
| title | title | AlertTitle |  |
| type | type | AlertType |  |
| ai_insights | ai_insights | AlertAiV2 |  |
AlertAiV2
| Name | Path | Type | Description |
|---|---|---|---|
| comment | comment | string |  |
| text | text | string |  |
AlertHitsV2
| Name | Path | Type | Description |
|---|---|---|---|
| entities | entities | array of object |  |
| id | entities.id | string |  |
| name | entities.name | string |  |
| type | entities.type | string |  |
| source_id | document.source.id | string |  |
| name | document.source.name | string |  |
| type | document.source.type | string |  |
| title | document.title | string |  |
| url | document.url | string |  |
| authors | document.authors | array of object |  |
| id | document.authors.id | string |  |
| name | document.authors.name | string |  |
| type | document.authors.type | string |  |
| fragment | fragment | string |  |
| id | id | string |  |
| language | language | string |  |
| id | primary_entity.id | string |  |
| name | primary_entity.name | string |  |
| type | primary_entity.type | string |  |
| analyst_note | analyst_note | string |  |
AlertSearch
| Name | Path | Type | Description |
|---|---|---|---|
| results | data.results | array of object |  |
| review | data.results.review | AlertReview |  |
| url | data.results.url | AlertURL |  |
| rule | data.results.rule | AlertRule |  |
| triggered | data.results.triggered | AlertTriggered |  |
| alert_id | data.results.id | AlertID |  |
| title | data.results.title | AlertTitle |  |
| type | data.results.type | AlertType |  |
| returned | counts.returned | integer |  |
| total | counts.total | integer |  |
AlertLookup
| Name | Path | Type | Description |
|---|---|---|---|
| review | data.review | AlertReview |  |
| entities | data.entities | AlertEntities |  |
| url | data.url | AlertURL |  |
| rule | data.rule | AlertRule |  |
| triggered | data.triggered | AlertTriggered |  |
| alert_id | data.id | AlertID |  |
| references | data.counts.references | integer |  |
| entities | data.counts.entities | integer |  |
| documents | data.counts.documents | integer |  |
| title | data.title | AlertTitle |  |
| type | data.type | AlertType |  |
AlertLogV2
| Name | Path | Type | Description |
|---|---|---|---|
| note_author | note_author | string |  |
| note_date | note_date | date-time |  |
| status_date | status_date | string |  |
| triggered | triggered | string |  |
| status_change_by | status_change_by | string |  |
AlertOwnerV2
| Name | Path | Type | Description |
|---|---|---|---|
| organisations | organisations | array of object |  |
| organisation_id | organisations.organisation_id | string |  |
| organisation_name | organisations.organisation_name | string |  |
| enterprise_id | enterprise_id | string |  |
| enterprise_name | enterprise_name | string |  |
AlertReviewV2
| Name | Path | Type | Description |
|---|---|---|---|
| assignee | assignee | string |  |
| status | status | string |  |
| status_in_portal | status_in_portal | string |  |
| note | note | string |  |
AlertReview
| Name | Path | Type | Description |
|---|---|---|---|
| assignee | assignee | string |  |
| status | status | string |  |
| noteDate | noteDate | string |  |
| noteAuthor | noteAuthor | string |  |
| note | note | string |  |
AlertEntities
| Name | Path | Type | Description |
|---|---|---|---|
| trend | trend | object |  |
| documents | documents | array of object |  |
| references | documents.references | array of object |  |
| fragment | documents.references.fragment | string |  |
| entities | documents.references.entities | array of object |  |
| id | documents.references.entities.id | string |  |
| name | documents.references.entities.name | string |  |
| type | documents.references.entities.type | string |  |
| language | documents.references.language | string |  |
| id | documents.source.id | string |  |
| name | documents.source.name | string |  |
| type | documents.source.type | string |  |
| title | documents.title | string |  |
| url | documents.url | string |  |
| risk | risk | object |  |
| id | entity.id | string |  |
| name | entity.name | string |  |
| type | entity.type | string |  |
AlertURL
AlertRule
| Name | Path | Type | Description |
|---|---|---|---|
| name | name | string |  |
| id | id | string |  |
| url | url | string |  |
AlertURLV2
| Name | Path | Type | Description |
|---|---|---|---|
| api | api | string |  |
| portal | portal | string |  |
AlertRuleV2
| Name | Path | Type | Description |
|---|---|---|---|
| name | name | string |  |
| rule_id | id | string |  |
| portal | url.portal | string |  |
AlertTriggered
AlertID
- alert_id
- string
AlertTitle
AlertType
PlaybookAlertSearch
Playbook Alerts matching the search criteria
| Name | Path | Type | Description |
|---|---|---|---|
| playbook_alert_id | playbook_alert_id | string |  |
| created | created | string |  |
| updated | updated | string |  |
| status | status | string |  |
| category | category | string |  |
| priority | priority | string |  |
| title | title | string |  |
| owner_id | owner_id | string |  |
| owner_name | owner_name | string |  |
| organisation_id | organisation_id | string |  |
| organistaion_name | organistaion_name | string |  |
| organisations | owner_organisation_details.organisations | array of object |  |
| organisation_id | owner_organisation_details.organisations.organisation_id | string |  |
| organisation_name | owner_organisation_details.organisations.organisation_name | string |  |
| enterprise_id | owner_organisation_details.enterprise_id | string |  |
| enterprise_name | owner_organisation_details.enterprise_name | string |  |
PlaybookAlertLookup
| Name | Path | Type | Description |
|---|---|---|---|
| title | title | string |  |
| id | id | string |  |
| category | category | string |  |
| rule_label | rule_label | string |  |
| status | status | string |  |
| priority | priority | string |  |
| targets | targets | string |  |
| created_date | created_date | string |  |
| updated_date | updated_date | string |  |
| evidence_summary | evidence_summary | string |  |
| link | link | string |  |
| json_alert | json_alert | string |  |
ThreatMapActors
| Name | Path | Type | Description |
|---|---|---|---|
| threat_map | data.threat_map | array of object |  |
| id | data.threat_map.id | string |  |
| name | data.threat_map.name | string |  |
| alias | data.threat_map.alias | array of string |  |
| categories | data.threat_map.categories | array of object |  |
| id | data.threat_map.categories.id | string |  |
| name | data.threat_map.categories.name | string |  |
| intent | data.threat_map.intent | integer |  |
| opportunity | data.threat_map.opportunity | integer |  |
| log_entries | data.threat_map.log_entries | array of object |  |
| id | data.threat_map.log_entries.watchlist.id | string |  |
| name | data.threat_map.log_entries.watchlist.name | string |  |
| id | data.threat_map.log_entries.entity.id | string |  |
| name | data.threat_map.log_entries.entity.name | string |  |
| severity | data.threat_map.log_entries.severity | integer |  |
| axis | data.threat_map.log_entries.axis | string |  |
| date | data.threat_map.log_entries.date | date-time |  |
| date | data.date | date-time |  |
ThreatHuntActors
| Name | Path | Type | Description |
|---|---|---|---|
| confidence | confidence | integer |  |
| description | description | string |  |
| id | id | string |  |
| indicator_types | indicator_types | array of string |  |
| labels | labels | array of string |  |
| name | name | string |  |
| pattern | pattern | string |  |
| pattern_type | pattern_type | string |  |
| spec_version | spec_version | string |  |
| type | type | string |  |
| created | created | string |  |
| modified | modified | string |  |
| valid_from | valid_from | string |  |
| valid_until | valid_until | string |  |
| external_references | external_references | array of object |  |
| source_name | external_references.source_name | string |  |
| description | external_references.description | string |  |
| external_id | external_references.external_id | string |  |
| url | external_references.url | string |  |
ThreatMapMalware
| Name | Path | Type | Description |
|---|---|---|---|
| threat_map | data.threat_map | array of object |  |
| id | data.threat_map.id | string |  |
| name | data.threat_map.name | string |  |
| alias | data.threat_map.alias | array of string |  |
| categories | data.threat_map.categories | array of object |  |
| id | data.threat_map.categories.id | string |  |
| name | data.threat_map.categories.name | string |  |
| intent | data.threat_map.intent | integer |  |
| opportunity | data.threat_map.opportunity | integer |  |
| log_entries | data.threat_map.log_entries | array of object |  |
| id | data.threat_map.log_entries.watchlist.id | string |  |
| name | data.threat_map.log_entries.watchlist.name | string |  |
| id | data.threat_map.log_entries.entity.id | string |  |
| name | data.threat_map.log_entries.entity.name | string |  |
| severity | data.threat_map.log_entries.severity | integer |  |
| axis | data.threat_map.log_entries.axis | string |  |
| date | data.threat_map.log_entries.date | date-time |  |
| date | data.date | date-time |  |
ThreatHuntMalware
| Name | Path | Type | Description |
|---|---|---|---|
| confidence | confidence | integer |  |
| description | description | string |  |
| id | id | string |  |
| indicator_types | indicator_types | array of string |  |
| labels | labels | array of string |  |
| name | name | string |  |
| pattern | pattern | string |  |
| pattern_type | pattern_type | string |  |
| spec_version | spec_version | string |  |
| type | type | string |  |
| created | created | string |  |
| modified | modified | string |  |
| valid_from | valid_from | string |  |
| valid_until | valid_until | string |  |
| external_references | external_references | array of object |  |
| source_name | external_references.source_name | string |  |
| description | external_references.description | string |  |
| external_id | external_references.external_id | string |  |
| url | external_references.url | string |  |