diff --git a/.github/workflows/generate-doc.yml b/.github/workflows/generate-doc.yml
index 7a3ba90..9284f9d 100644
--- a/.github/workflows/generate-doc.yml
+++ b/.github/workflows/generate-doc.yml
@@ -5,6 +5,7 @@ on:
   paths:
     - '*.json'
     - 'readme.html'
+    - 'manual_readme_content.md'
   tags-ignore:
     - '**'
   branches-ignore:
diff --git a/README.md b/README.md
index 88b731f..0bd086f 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 # Recorded Future For Splunk SOAR
 
 Publisher: Recorded Future, Inc
-Connector Version: 4.2.0
+Connector Version: 4.3.0
 Product Vendor: Recorded Future, Inc
 Product Name: Recorded Future App for Phantom
 Product Version Supported (regex): ".\*"
@@ -67,7 +67,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 **on_poll_alert_ruleids** | optional | string | Comma-separated list of alert rule IDs
 **on_poll_alert_severity** | optional | string | Severity to apply to the alert event
 **on_poll_playbook_alert_priority** | optional | string | Comma separated On Poll Playbook Alerts priority threshold (High,Moderate,Informational)
-**on_poll_playbook_alert_type** | optional | string | Comma-separated list of Playbook alert types. (domain_abuse, cyber_vulnerability are now supported)
+**on_poll_playbook_alert_type** | optional | string | Comma-separated list of Playbook alert types. (domain_abuse, cyber_vulnerability, code_repo_leakage are now supported)
 **on_poll_playbook_alert_start_time** | optional | string | Poll playbook alerts created after (date in ISO format: 2022-12-01T11:00:00+00)
 **max_count** | optional | numeric | Max events to ingest for scheduled polling
 **first_max_count** | optional | numeric | Max events to ingest for scheduled polling first time
@@ -101,6 +101,11 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [playbook alert update](#action-playbook-alert-update) - Update Playbook alert
 [playbook alert details](#action-playbook-alert-details) - Get Playbook alert details
 [entity search](#action-entity-search) - Find entities based on a query
+[links search](#action-links-search) - Search for links data
+[detection rule search](#action-detection-rule-search) - Search for detection rule
+[threat actor intelligence](#action-threat-actor-intelligence) - Get threat actor intelligence
+[threat map](#action-threat-map) - Get threat map
+[collective insights submit](#action-collective-insights-submit) - Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud
 [on poll](#action-on-poll) - Ingest alerts from Recorded Future
 
 ## action: 'test connectivity'
@@ -460,6 +465,7 @@ action_result.data.\*.risk.rules | numeric | `recordedfuture risk rules` |
 action_result.data.\*.risk.score | numeric | `recordedfuture risk score` |
 action_result.data.\*.timestamps.firstSeen | string | `recordedfuture evidence firstseen` |
 action_result.data.\*.timestamps.lastSeen | string | `recordedfuture evidence lastseen` |
+action_result.data.\*.ai_insights | string | `recorded future AI Insights` | Here is some AI generated text related to this entity
 action_result.summary.criticalityLabel | string | `recordedfuture risk criticality label` | Very Malicious Malicious Suspicious Unusual
 action_result.summary.lastSeen | string | `recordedfuture evidence lastseen` |
 action_result.summary.riskSummary | string | `recordedfuture risk summary` |
@@ -573,6 +579,7 @@ action_result.data.\*.risk.rules | numeric | `recordedfuture risk rules` |
 action_result.data.\*.risk.score | numeric | `recordedfuture risk score` |
 action_result.data.\*.timestamps.firstSeen | string | `recordedfuture evidence firstseen` |
 action_result.data.\*.timestamps.lastSeen | string | `recordedfuture evidence lastseen` |
+action_result.data.\*.ai_insights | string | `recorded future AI Insights` | Here is some AI generated text related to this entity
 action_result.summary.criticalityLabel | string | `recordedfuture risk criticality label` |
 action_result.summary.lastSeen | string | `recordedfuture evidence lastseen` |
 action_result.summary.riskSummary | string | `recordedfuture risk summary` |
@@ -677,6 +684,7 @@ action_result.data.\*.risk.rules | numeric | `recordedfuture risk rules` |
 action_result.data.\*.risk.score | numeric | `recordedfuture risk score` |
 action_result.data.\*.timestamps.firstSeen | string | `recordedfuture evidence firstseen` |
 action_result.data.\*.timestamps.lastSeen | string | `recordedfuture evidence lastseen` |
+action_result.data.\*.ai_insights | string | `recorded future AI Insights` | Here is some AI generated text related to this entity
 action_result.summary.criticalityLabel | string | `recordedfuture risk criticality label` | Malicious
 action_result.summary.lastSeen | string | `recordedfuture evidence lastseen` |
 action_result.summary.riskSummary | string | `recordedfuture risk summary` |
@@ -782,6 +790,7 @@ action_result.data.\*.threatLists.\*.name | string | `recordedfuture threatlist
 action_result.data.\*.threatLists.\*.type | string | `recordedfuture threatlist type` |
 action_result.data.\*.timestamps.firstSeen | string | `recordedfuture evidence firstseen` |
 action_result.data.\*.timestamps.lastSeen | string | `recordedfuture evidence lastseen` |
+action_result.data.\*.ai_insights | string | `recorded future AI Insights` | Here is some AI generated text related to this entity
 action_result.summary.criticalityLabel | string | `recordedfuture risk criticality label` | Very Malicious
 action_result.summary.lastSeen | string | `recordedfuture evidence lastseen` |
 action_result.summary.riskSummary | string | `recordedfuture risk summary` |
@@ -892,6 +901,7 @@ action_result.data.\*.risk.rules | numeric | `recordedfuture risk rules` |
 action_result.data.\*.risk.score | numeric | `recordedfuture risk score` |
 action_result.data.\*.timestamps.firstSeen | string | `recordedfuture evidence firstseen` |
 action_result.data.\*.timestamps.lastSeen | string | `recordedfuture evidence lastseen` |
+action_result.data.\*.ai_insights | string | `recorded future AI Insights` | Here is some AI generated text related to this entity
 action_result.summary.criticalityLabel | string | `recordedfuture risk criticality label` | Very Malicious
 action_result.summary.lastSeen | string | `recordedfuture evidence lastseen` |
 action_result.summary.riskSummary | string | `recordedfuture risk summary` |
@@ -1204,7 +1214,7 @@ Read only: **True**
 #### Action Parameters
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
-**category** | optional | Playbook alert category (cyber_vulnerability, domain_abuse) | string |
+**category** | optional | Playbook alert category (cyber_vulnerability, domain_abuse, code_repo_leakage) | string |
 **status** | optional | Playbook alert status | string |
 **priority** | optional | Playbook alert priority | string |
 **from_date** | optional | Created after (date in ISO format: 2022-12-01T11:00:00+00) | string |
@@ -1366,6 +1376,434 @@ action_result.message | string | `recordedfuture result message` |
 summary.total_objects | numeric | `recordedfuture total objects` | 1
 summary.total_objects_successful | numeric | `recordedfuture total objects successful` | 1
+## action: 'links search'
+Search for links data
+
+Type: **investigate**
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**entity_id** | optional | Entity ID (Do not specify ID when use 'name'+'type') | string |
+**entity_name** | optional | Entity name (can be used only with selected type) | string |
+**entity_type** | optional | Entity type | string |
+**source_type** | optional | Sources are grouped into two types, technical analysis and Insikt Group research. Specify either technical or insikt for the type | string |
+**timeframe** | optional | Time range for when rules were triggered | string |
+**technical_type** | optional | Technical link sources may be further filtered by specifying an event type (type:MalwareAnalysis) | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | `recordedfuture result status` | success failed
+action_result.parameter.entity_id | string | |
+action_result.parameter.entity_name | string | |
+action_result.parameter.entity_type | string | |
+action_result.parameter.source_type | string | |
+action_result.parameter.timeframe | string | |
+action_result.parameter.technical_type | string | |
+action_result.data.\*.entity.type | string | `recordedfuture entity type` | type:IpAddress
+action_result.data.\*.entity.id | string | `recordedfuture entity id` | ip:8.8.8.8
+action_result.data.\*.entity.name | string | `recordedfuture entity name` | 8.8.8.8
+action_result.data.\*.links.IpAddress.\*.type | string | `recordedfuture link type` | type:IpAddress
+action_result.data.\*.links.IpAddress.\*.id | string | `recordedfuture link id` | ip:8.8.8.8
+action_result.data.\*.links.IpAddress.\*.name | string | `recordedfuture link name` | 8.8.8.8
+action_result.data.\*.links.IpAddress.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.IpAddress.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.IpAddress.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.IpAddress.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.IpAddress.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.URL.\*.type | string | `recordedfuture link type` | type:URL
+action_result.data.\*.links.URL.\*.id | string | `recordedfuture link id` | url:https:google.com
+action_result.data.\*.links.URL.\*.name | string | `recordedfuture link name` | https:google.com
+action_result.data.\*.links.URL.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.URL.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.URL.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.URL.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.URL.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.InternetDomainName.\*.type | string | `recordedfuture link type` | type:InternetDomainName
+action_result.data.\*.links.InternetDomainName.\*.id | string | `recordedfuture link id` | idn:avsvmcloud.com
+action_result.data.\*.links.InternetDomainName.\*.name | string | `recordedfuture link name` | avsvmcloud.com
+action_result.data.\*.links.InternetDomainName.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.InternetDomainName.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.InternetDomainName.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.InternetDomainName.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.InternetDomainName.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Hash.\*.type | string | `recordedfuture link type` | type:Hash
+action_result.data.\*.links.Hash.\*.id | string | `recordedfuture link id` | hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.Hash.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.Hash.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Hash.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Hash.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Hash.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Hash.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.CyberVulnerability.\*.type | string | `recordedfuture link type` | type:CyberVulnerability
+action_result.data.\*.links.CyberVulnerability.\*.id | string | `recordedfuture link id` | FH4y7
+action_result.data.\*.links.CyberVulnerability.\*.name | string | `recordedfuture link name` | CVE-2021-38647
+action_result.data.\*.links.CyberVulnerability.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.CyberVulnerability.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.CyberVulnerability.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.CyberVulnerability.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.CyberVulnerability.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.CyberThreatActorCategory.\*.type | string | `recordedfuture link type` | type:CyberThreatActorCategory
+action_result.data.\*.links.CyberThreatActorCategory.\*.id | string | `recordedfuture link id` |
+action_result.data.\*.links.CyberThreatActorCategory.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.CyberThreatActorCategory.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.CyberThreatActorCategory.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.CyberThreatActorCategory.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.CyberThreatActorCategory.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.CyberThreatActorCategory.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.AttackVector.\*.type | string | `recordedfuture link type` | type:AttackVector
+action_result.data.\*.links.AttackVector.\*.id | string | `recordedfuture link id` | Jsdy3
+action_result.data.\*.links.AttackVector.\*.name | string | `recordedfuture link name` | Malicious code
+action_result.data.\*.links.AttackVector.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.AttackVector.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.AttackVector.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.AttackVector.\*.risk_score | string | `recordedfuture link risk score` | 75
+action_result.data.\*.links.AttackVector.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Company.\*.type | string | `recordedfuture link type` | type:Company
+action_result.data.\*.links.Company.\*.id | string | `recordedfuture link id` | jf7ff
+action_result.data.\*.links.AttackVector.\*.name | string | `recordedfuture link name` | Google
+action_result.data.\*.links.Company.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Company.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Company.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Company.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Company.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.FileContent.\*.type | string | `recordedfuture link type` | type:FileContent
+action_result.data.\*.links.FileContent.\*.id | string | `recordedfuture link id` | d37hhj
+action_result.data.\*.links.FileContent.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.FileContent.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.FileContent.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.FileContent.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.FileContent.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.FileContent.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Malware.\*.type | string | `recordedfuture link type` | type:Hash
+action_result.data.\*.links.Malware.\*.id | string | `recordedfuture link id` | JLHNoH
+action_result.data.\*.links.Malware.\*.name | string | `recordedfuture link name` | Cobalt Strike
+action_result.data.\*.links.Malware.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Malware.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Malware.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Malware.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Malware.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.MalwareCategory.\*.type | string | `recordedfuture link type` | type:Hash
+action_result.data.\*.links.MalwareCategory.\*.id | string | `recordedfuture link id` | hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.MalwareCategory.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.MalwareCategory.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.MalwareCategory.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.MalwareCategory.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.MalwareCategory.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.MalwareCategory.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.MalwareSignature.\*.type | string | `recordedfuture link type` | type:Hash
+action_result.data.\*.links.MalwareSignature.\*.id | string | `recordedfuture link id` | hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.MalwareSignature.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.MalwareSignature.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.MalwareSignature.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.MalwareSignature.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.MalwareSignature.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.MalwareSignature.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.MitreAttackIdentifier.\*.type | string | `recordedfuture link type` | type:MitreAttackIdentifier
+action_result.data.\*.links.MitreAttackIdentifier.\*.id | string | `recordedfuture link id` | mitre:T1059.001
+action_result.data.\*.links.MitreAttackIdentifier.\*.name | string | `recordedfuture link name` | T1059.001
+action_result.data.\*.links.MitreAttackIdentifier.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.MitreAttackIdentifier.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.MitreAttackIdentifier.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.MitreAttackIdentifier.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.MitreAttackIdentifier.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Organization.\*.type | string | `recordedfuture link type` | type:Organization
+action_result.data.\*.links.Organization.\*.id | string | `recordedfuture link id` | FJD7IK
+action_result.data.\*.links.Organization.\*.name | string | `recordedfuture link name` | Sichuan University
+action_result.data.\*.links.Organization.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Organization.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Organization.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Organization.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Organization.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Person.\*.type | string | `recordedfuture link type` | type:Person
+action_result.data.\*.links.Person.\*.id | string | `recordedfuture link id` | F7FJ
+action_result.data.\*.links.Person.\*.name | string | `recordedfuture link name` | Some Person
+action_result.data.\*.links.Person.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Person.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Person.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Person.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Person.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Username.\*.type | string | `recordedfuture link type` | type:Username
+action_result.data.\*.links.Username.\*.id | string | `recordedfuture link id` | KDJ8l
+action_result.data.\*.links.Username.\*.name | string | `recordedfuture link name` | noname
+action_result.data.\*.links.Username.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Username.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Username.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Username.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Username.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.summary | string | |
+action_result.message | string | `recordedfuture result message` |
+summary.total_objects | numeric | `recordedfuture total objects` | 1
+summary.total_objects_successful | numeric | `recordedfuture total objects successful` | 1
+
+## action: 'detection rule search'
+Search for detection rule
+
+Type: **investigate**
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**entity_id** | optional | Entity ID (Do not specify ID when use 'name'+'type') | string |
+**entity_name** | optional | Entity name (can be used only with selected type) | string |
+**entity_type** | optional | Entity type | string |
+**rule_types** | optional | This is a comma separated list of the following values: 'yara', 'sigma', and 'snort'. Values in this filter are applied as a logical 'OR' | string |
+**title** | optional | Free text search for Insikt notes associated with detection rules | string |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | `recordedfuture result status` | success failed
+action_result.parameter.entity_id | string | |
+action_result.parameter.entity_name | string | |
+action_result.parameter.entity_type | string | |
+action_result.parameter.rule_types | string | |
+action_result.parameter.title | string | |
+action_result.data.\*.type | string | `recordedfuture detection rule type` | sigma
+action_result.data.\*.id | string | `recordedfuture detection rule id` | doc:nhChac
+action_result.data.\*.title | string | `recordedfuture detection rule title` | Insikt Validated TTP: Hunting Brute Ratel C4
+action_result.data.\*.created | string | `recordedfuture detection rule created date` | 2022-08-05T14:25:31.063Z
+action_result.data.\*.updated | string | `recordedfuture detection rule updated date` | 2022-08-05T14:25:31.063Z
+action_result.data.\*.description | string | `recordedfuture detection rule description` | Brute Ratel C4 (BRc4) is a red team tool authored by security researcher....
+action_result.data.\*.rules.\*.content | string | `recordedfuture detection file content` | title: MAL_Brute_Ratel_C4_DLL_Sideloading id:....
+action_result.data.\*.rules.\*.file_name | string | `recordedfuture detection file name` | mal_brute_ratel_c4_dll_sideloading.yml
+action_result.data.\*.rules.\*.entities.type | string | `recordedfuture entity type` | type:IpAddress
+action_result.data.\*.rules.\*.entities.id | string | `recordedfuture entity id` | ip:8.8.8.8
+action_result.data.\*.rules.\*.entities.name | string | `recordedfuture entity name` | 8.8.8.8
+action_result.summary | string | |
+action_result.message | string | `recordedfuture result message` |
+summary.total_objects | numeric | `recordedfuture total objects` | 1
+summary.total_objects_successful | numeric | `recordedfuture total objects successful` | 1
+
+## action: 'threat actor intelligence'
+Get threat actor intelligence
+
+Type: **investigate**
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**threat_actor** | required | Threat actor name to look up | string |
+**links** | required | Add links data to a threat actor map data | boolean |
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string | `recordedfuture result status` | success failed
+action_result.parameter.threat_actor | string | |
+action_result.parameter.links | boolean | |
+action_result.data.\*.id | string | `recordedfuture entity id` | L37nw-
+action_result.data.\*.name | string | `recordedfuture entity name` | APT28
+action_result.data.\*.alias.\* | string | `recordedfuture alias for entity` | Pawn Storm
+action_result.data.\*.intent | numeric | `recorded future threat actor intent score` | 5
+action_result.data.\*.opportunity | numeric | `recorded future threat actor opportunity score` | 95
+action_result.data.\*.severity | string | `recorded future threat actor severity` | High
+action_result.data.\*.intelCard | string | `recorded future threat actor intel card link` | https://app.recordedfuture.com/live/sc/entity/L37nw-
+action_result.data.\*.links.IpAddress.\*.type | string | `recordedfuture link type` | type:IpAddress
+action_result.data.\*.links.IpAddress.\*.id | string | `recordedfuture link id` | ip:8.8.8.8
+action_result.data.\*.links.IpAddress.\*.name | string | `recordedfuture link name` | 8.8.8.8
+action_result.data.\*.links.IpAddress.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.IpAddress.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.IpAddress.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.IpAddress.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.IpAddress.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.URL.\*.type | string | `recordedfuture link type` | type:URL
+action_result.data.\*.links.URL.\*.id | string | `recordedfuture link id` | url:https:google.com
+action_result.data.\*.links.URL.\*.name | string | `recordedfuture link name` | https:google.com
+action_result.data.\*.links.URL.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.URL.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.URL.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.URL.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.URL.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.InternetDomainName.\*.type | string | `recordedfuture link type` | type:InternetDomainName
+action_result.data.\*.links.InternetDomainName.\*.id | string | `recordedfuture link id` | idn:avsvmcloud.com
+action_result.data.\*.links.InternetDomainName.\*.name | string | `recordedfuture link name` | avsvmcloud.com
+action_result.data.\*.links.InternetDomainName.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.InternetDomainName.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.InternetDomainName.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.InternetDomainName.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.InternetDomainName.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.Hash.\*.type | string | `recordedfuture link type` | type:Hash
+action_result.data.\*.links.Hash.\*.id | string | `recordedfuture link id` | hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.Hash.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.Hash.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.Hash.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.Hash.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.Hash.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.Hash.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.CyberVulnerability.\*.type | string | `recordedfuture link type` | type:CyberVulnerability
+action_result.data.\*.links.CyberVulnerability.\*.id | string | `recordedfuture link id` | FH4y7
+action_result.data.\*.links.CyberVulnerability.\*.name | string | `recordedfuture link name` | CVE-2021-38647
+action_result.data.\*.links.CyberVulnerability.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.CyberVulnerability.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.CyberVulnerability.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.CyberVulnerability.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.CyberVulnerability.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.CyberThreatActorCategory.\*.type | string | `recordedfuture link type` | type:CyberThreatActorCategory
+action_result.data.\*.links.CyberThreatActorCategory.\*.id | string | `recordedfuture link id` |
+action_result.data.\*.links.CyberThreatActorCategory.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d
+action_result.data.\*.links.CyberThreatActorCategory.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.CyberThreatActorCategory.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.CyberThreatActorCategory.\*.risk_level | numeric | `recordedfuture link risk level` | 1
+action_result.data.\*.links.CyberThreatActorCategory.\*.risk_score | numeric | `recordedfuture link risk score` | 75
+action_result.data.\*.links.CyberThreatActorCategory.\*.criticality | string | `recordedfuture link criticality` | Unusual
+action_result.data.\*.links.AttackVector.\*.type | string | `recordedfuture link type` | type:AttackVector
+action_result.data.\*.links.AttackVector.\*.id | string | `recordedfuture link id` | Jsdy3
+action_result.data.\*.links.AttackVector.\*.name | string | `recordedfuture link name` | Malicious code
+action_result.data.\*.links.AttackVector.\*.source | string | `recordedfuture link source` | technical
+action_result.data.\*.links.AttackVector.\*.section | string | `recordedfuture link section` | iU_ZsG
+action_result.data.\*.links.AttackVector.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.AttackVector.\*.risk_score | string | `recordedfuture link risk score` | 75 +action_result.data.\*.links.AttackVector.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.Company.\*.type | string | `recordedfuture link type` | type:Company +action_result.data.\*.links.Company.\*.id | string | `recordedfuture link id` | jf7ff +action_result.data.\*.links.AttackVector.\*.name | string | `recordedfuture link name` | Google +action_result.data.\*.links.Company.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.Company.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.Company.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.Company.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.Company.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.FileContent.\*.type | string | `recordedfuture link type` | type:FileContent +action_result.data.\*.links.FileContent.\*.id | string | `recordedfuture link id` | d37hhj +action_result.data.\*.links.FileContent.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d +action_result.data.\*.links.FileContent.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.FileContent.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.FileContent.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.FileContent.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.FileContent.\*.criticality | string | `recordedfuture link criticality` | Unusual 
+action_result.data.\*.links.Malware.\*.type | string | `recordedfuture link type` | type:Hash +action_result.data.\*.links.Malware.\*.id | string | `recordedfuture link id` | JLHNoH +action_result.data.\*.links.Malware.\*.name | string | `recordedfuture link name` | Cobalt Strike +action_result.data.\*.links.Malware.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.Malware.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.Malware.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.Malware.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.Malware.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.MalwareCategory.\*.type | string | `recordedfuture link type` | type:Hash +action_result.data.\*.links.MalwareCategory.\*.id | string | `recordedfuture link id` | hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d +action_result.data.\*.links.MalwareCategory.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d +action_result.data.\*.links.MalwareCategory.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.MalwareCategory.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.MalwareCategory.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.MalwareCategory.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.MalwareCategory.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.MalwareSignature.\*.type | string | `recordedfuture link type` | type:Hash +action_result.data.\*.links.MalwareSignature.\*.id | string | `recordedfuture link id` | 
hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d +action_result.data.\*.links.MalwareSignature.\*.name | string | `recordedfuture link name` | 8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d +action_result.data.\*.links.MalwareSignature.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.MalwareSignature.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.MalwareSignature.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.MalwareSignature.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.MalwareSignature.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.MitreAttackIdentifier.\*.type | string | `recordedfuture link type` | type:MitreAttackIdentifier +action_result.data.\*.links.MitreAttackIdentifier.\*.id | string | `recordedfuture link id` | mitre:T1059.001 +action_result.data.\*.links.MitreAttackIdentifier.\*.name | string | `recordedfuture link name` | T1059.001 +action_result.data.\*.links.MitreAttackIdentifier.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.MitreAttackIdentifier.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.MitreAttackIdentifier.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.MitreAttackIdentifier.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.MitreAttackIdentifier.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.Organization.\*.type | string | `recordedfuture link type` | type:Organization +action_result.data.\*.links.Organization.\*.id | string | `recordedfuture link id` | FJD7IK +action_result.data.\*.links.Organization.\*.name | string | `recordedfuture link name` | Sichuan 
University +action_result.data.\*.links.Organization.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.Organization.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.Organization.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.Organization.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.Organization.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.Person.\*.type | string | `recordedfuture link type` | type:Person +action_result.data.\*.links.Person.\*.id | string | `recordedfuture link id` | F7FJ +action_result.data.\*.links.Person.\*.name | string | `recordedfuture link name` | Some Person +action_result.data.\*.links.Person.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.Person.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.Person.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.Person.\*.risk_score | numeric | `recordedfuture link risk score` | 75 +action_result.data.\*.links.Person.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.links.Username.\*.type | string | `recordedfuture link type` | type:Username +action_result.data.\*.links.Username.\*.id | string | `recordedfuture link id` | KDJ8l +action_result.data.\*.links.Username.\*.name | string | `recordedfuture link name` | noname +action_result.data.\*.links.Username.\*.source | string | `recordedfuture link source` | technical +action_result.data.\*.links.Username.\*.section | string | `recordedfuture link section` | iU_ZsG +action_result.data.\*.links.Username.\*.risk_level | numeric | `recordedfuture link risk level` | 1 +action_result.data.\*.links.Username.\*.risk_score | numeric | `recordedfuture link risk score` | 
75 +action_result.data.\*.links.Username.\*.criticality | string | `recordedfuture link criticality` | Unusual +action_result.data.\*.location.country | string | `country location for the threat actor` | Ukraine +action_result.data.\*.ai_insights | string | `recorded future AI Insights` | Here is some AI generated text related to this entity +action_result.summary | string | | +action_result.message | string | `recordedfuture result message` | +summary.total_objects | numeric | `recordedfuture total objects` | 1 +summary.total_objects_successful | numeric | `recordedfuture total objects successful` | 1 + +## action: 'threat map' +Get threat map + +Type: **investigate** +Read only: **True** + +#### Action Parameters +No parameters are required for this action + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | `recordedfuture result status` | success failed +action_result.data.\*.threatActor.\*.id | string | `recorded future threat actor id` | ny_8g4 +action_result.data.\*.threatActor.\*.name | string | `recorded future threat actor name` | BianLian Ransomware Group +action_result.data.\*.threatActor.\*.alias.\* | string | `recorded future threat actor alias name` | Pawn Storm +action_result.data.\*.threatActor.\*.intent | numeric | `recorded future threat actor intent score` | 5 +action_result.data.\*.threatActor.\*.opportunity | numeric | `recorded future threat actor opportunity score` | 95 +action_result.data.\*.threatActor.\*.severity | string | `recorded future threat actor severity` | High +action_result.data.\*.threatActor.\*.intelCard | string | `recorded future threat actor intel card link` | https://app.recordedfuture.com/live/sc/entity/L37nw- +action_result.summary | string | | +action_result.message | string | `recordedfuture result message` | +summary.total_objects | numeric | `recordedfuture total objects` | 1 +summary.total_objects_successful | numeric | 
`recordedfuture total objects successful` | 1 + +## action: 'collective insights submit' +Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud + +Type: **investigate** +Read only: **True** + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**entity_name** | required | Entity value of the IOC itself | string | +**entity_type** | required | Entity Type value that can contain one of the enumerated list of values: ip, hash, domain, vulnerability, url | string | +**entity_field** | optional | Entity field used to describe characteristics about the IOC. Example: dstip | string | +**entity_source_type** | optional | Used to describe what log source the IOC came from. Example: netscreen:firewall | string | +**event_id** | optional | Event unique id. Example: 31 | string | +**event_name** | optional | Title of the event related to the IOC. Example: Recorded Future Domain Abuse Alert | string | +**event_type** | optional | Attack vector associated with the incident. Example: C2, Phishing, splunk-detection-rule, ... etc) | string | +**mitre_codes** | optional | Comma-separated list of MITRE codes associated with the IOC. Example: T1055, T1064 | string | +**malware** | optional | Comma separated Malware associated with the IOCs. Example: Stuxnet, DUQU | string | +**timestamp** | optional | Timestamp in ISO format. 
Example: 2023-07-19T04:29:40 | string | + +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.status | string | `recordedfuture result status` | success failed +action_result.parameter.entity_name | string | | +action_result.parameter.entity_type | string | | +action_result.parameter.entity_field | string | | +action_result.parameter.entity_source_type | string | | +action_result.parameter.event_id | string | | +action_result.parameter.entity_field | string | | +action_result.parameter.event_name | string | | +action_result.parameter.event_type | string | | +action_result.parameter.mitre_codes | string | | +action_result.parameter.malware | string | | +action_result.parameter.timestamp | string | | +action_result.data | string | | +action_result.summary | string | | +action_result.message | string | `recordedfuture result message` | +summary.total_objects | numeric | `recordedfuture total objects` | 1 +summary.total_objects_successful | numeric | `recordedfuture total objects successful` | 1 + ## action: 'on poll' Ingest alerts from Recorded Future diff --git a/alert_lookup_results.html b/alert_lookup_results.html index abc412d..c9aa785 100644 --- a/alert_lookup_results.html +++ b/alert_lookup_results.html @@ -35,164 +35,6 @@ Style elements are defined in a separate file, named below, and will be merged during compilation: recordedfuture_style.css --> -
@@ -243,6 +85,12 @@

No data found

{{ alert.review.note }} + + + AI Summary
+ {{ alert.ai_insights }} + +
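Review bot: The new AI Summary block in alert_lookup_results.html is rendered unconditionally, so an alert whose payload carries no `ai_insights` value still gets an "AI Summary" heading over an empty cell. The parallel change to intelligence_results.html in this same commit wraps its block in `{% if result.data.ai_insights %} … {% endif %}`, and this hunk should do the same with `{% if alert.ai_insights %}` before the heading and `{% endif %}` after `{{ alert.ai_insights }}`. The surrounding table markup is not visible in this rendering of the diff, so the exact placement of the guard has to be checked against the file. The enclosing widget block starts and ends outside the hunk.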
diff --git a/collective_insights_submission_results.html b/collective_insights_submission_results.html new file mode 100644 index 0000000..7041ace --- /dev/null +++ b/collective_insights_submission_results.html @@ -0,0 +1,46 @@ +{% extends 'widgets/widget_template.html' %} +{% load custom_template %} + +{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %} +{% block title1 %}{{ title1 }}{% endblock %} +{% block title2 %}{{ title2 }}{% endblock %} +{% block custom_tools %} +{% endblock %} + +{% block widget_content %} + + + + + + + +
+ +

Collective insights data successfully submitted.

+
+ +{% endblock %} diff --git a/detection_rule_search_results.html b/detection_rule_search_results.html new file mode 100644 index 0000000..0d8b108 --- /dev/null +++ b/detection_rule_search_results.html @@ -0,0 +1,57 @@ +{% extends 'widgets/widget_template.html' %} +{% load custom_template %} + +{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %} +{% block title1 %}{{ title1 }}{% endblock %} +{% block title2 %}{{ title2 }}{% endblock %} +{% block custom_tools %} +{% endblock %} + +{% block widget_content %} + + + + + + + +
+ +

Detection Rule search results:

+
+ {% for result in results %} + + {% for rule_data in result.data %} +
+ Rule title: {{rule_data.title}}

+ Rule description: {{rule_data.description}}

+ Rule type: {{rule_data.type}}

+
+ {% endfor %} + {% endfor %} +
+ +{% endblock %} diff --git a/img/recorded_future_asset_ingest.png b/img/recorded_future_asset_ingest.png index ae7097a..be2c585 100644 Binary files a/img/recorded_future_asset_ingest.png and b/img/recorded_future_asset_ingest.png differ diff --git a/img/recorded_future_asset_settings.png b/img/recorded_future_asset_settings.png index 57cee9f..17755c5 100644 Binary files a/img/recorded_future_asset_settings.png and b/img/recorded_future_asset_settings.png differ diff --git a/intelligence_results.html b/intelligence_results.html index 9d1a2ae..7f1cedd 100644 --- a/intelligence_results.html +++ b/intelligence_results.html @@ -35,164 +35,6 @@ Style elements are defined in a separate file, named below, and will be merged during compilation: recordedfuture_style.css --> -
@@ -271,6 +113,14 @@ {% endif %} + {% if result.data.ai_insights %} + + + AI Summary
+ {{ result.data.ai_insights }} + + + {% endif %}
diff --git a/links_search_results.html b/links_search_results.html new file mode 100644 index 0000000..a5692ae --- /dev/null +++ b/links_search_results.html @@ -0,0 +1,94 @@ +{% extends 'widgets/widget_template.html' %} +{% load custom_template %} + +{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %} +{% block title1 %}{{ title1 }}{% endblock %} +{% block title2 %}{{ title2 }}{% endblock %} +{% block custom_tools %} +{% endblock %} + +{% block widget_content %} + + + + + + + +
+ + {% for result in results %} + +

Links search results for {{result.data.entity.name}} :

+
+
+ {% for link_type, link_objects in result.data.links.items %} + + + + + + + + + {% for link in link_objects %} + + + + + + + + {% endfor %} + +
Links Type: {{ link_type }}
+ {% endfor %} +
+ Name:
+
+ Source:
+
+ Criticality:
+
+ Risk Score:
+
+ Risk Level:
+
+ {{ link.name }} + + {{ link.source }} + + {{ link.criticality }} + + {{ link.risk_score }} + + {{ link.risk_level }} +
+
+ {% endfor %} +
+ +{% endblock %} diff --git a/manual_readme_content.md b/manual_readme_content.md new file mode 100644 index 0000000..be6ab7b --- /dev/null +++ b/manual_readme_content.md 
@@ -0,0 +1,40 @@ +[comment]: # " File: README.md" +[comment]: # "" +[comment]: # "Copyright (c) Recorded Future, Inc, 2019-2023" +[comment]: # "" +[comment]: # "This unpublished material is proprietary to Recorded Future. All" +[comment]: # "rights reserved. The methods and techniques described herein are" +[comment]: # "considered trade secrets and/or confidential. Reproduction or" +[comment]: # "distribution, in whole or in part, is forbidden except by express" +[comment]: # "written permission of Recorded Future." +[comment]: # "" +[comment]: # "Licensed under the Apache License, Version 2.0 (the 'License');" +[comment]: # "you may not use this file except in compliance with the License." +[comment]: # "You may obtain a copy of the License at" +[comment]: # "" +[comment]: # " http://www.apache.org/licenses/LICENSE-2.0" +[comment]: # "" +[comment]: # "Unless required by applicable law or agreed to in writing, software distributed under" +[comment]: # "the License is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND," +[comment]: # "either express or implied. See the License for the specific language governing permissions" +[comment]: # "and limitations under the License." +[comment]: # "" +Recorded Future App for Phantom allows clients to work smarter, respond faster, and strengthen their +defenses through automation and orchestration. The Recorded Future App provides a number of actions +that enable the creation of Playbooks to do automated enrichment, correlation, threat hunting, and +alert handling. + +# Ingest alerts into events + +With alerting rules set up in your Recorded Future enterprise, triggered alerts can now be ingested +in Splunk SOAR as events.The ingestion configuration is set per asset under the tabs "Asset +Settings" and "Ingest Settings". + +"Asset Settings" defines a list of rule IDs, what severity to apply to the new events and set the +limits for the number of events created by the ingestion. 
+ + + +The scheduling of the ingestion is set under "Ingest Settings" + +![](img/recorded_future_asset_ingest.png) diff --git a/playbook_alert_details_results.html b/playbook_alert_details_results.html index 9d21253..05df629 100644 --- a/playbook_alert_details_results.html +++ b/playbook_alert_details_results.html @@ -35,164 +35,6 @@ Style elements are defined in a separate file, named below, and will be merged during compilation: recordedfuture_style.css --> - @@ -355,7 +197,7 @@
{{ contact.value.type }}
{% endif %} {% endfor %} - {% else %} + {% elif result.data.category == "cyber_vulnerability" %}

Vulnerability

@@ -422,6 +264,59 @@

{{ insikt_note.title }}

{{ insikt_note.fragment }}

{% endfor %}
+ {% elif result.data.category == "code_repo_leakage" %} +

Code repo leakage

+
+
+
Subject
+
+
{{ result.data.panel_status.entity_name }}
+
+
{{ result.data.panel_status.risk_score }}
+
+
+
+
Targets
+
+ {% for target in result.data.panel_status.targets %} +
{{ target.name }}
+ {% endfor %} +
+
+
+
Status
+
{{ result.data.panel_status.status }}
+
+
+
Priority
+
+
+
{{ result.data.panel_status.priority }}
+
+
+
+
Created
+
{{ result.data.panel_status.created }}
+
+
+

Evidence summary

+
+
{{ result.data.panel_evidence_summary.repository.id }}
+ {% for evidence_data in result.data.panel_evidence_summary.evidence %} +
+ {% for data in evidence_data.assessments %} +
+
{{ data.title }}
+
{{ data.value }}
+
+ {% endfor %} +
URL
+
{{ evidence_data.url }}
+
Content
+
{{ evidence_data.content }}
+
+ {% endfor %} +
{% endif %} {% endfor %}
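Review bot: With the earlier hunk (`@@ -355,7 +197,7 @@`) turning the `{% else %}` into `{% elif result.data.category == "cyber_vulnerability" %}` and this hunk closing the chain with `{% elif result.data.category == "code_repo_leakage" %}` … `{% endif %}`, a Playbook alert of any other category now renders no details section at all and gives the analyst no hint why. A fallback branch before the `{% endif %}`, e.g. `{% else %}` followed by `Unsupported Playbook alert category: {{ result.data.category }}`, would make the gap visible when a category is added upstream before the app is updated. The evidence fields rendered here (`{{ evidence_data.url }}`, `{{ evidence_data.content }}`) are content taken from third-party repositories, so they should stay under the template engine's default autoescaping; nothing in the hunk applies `|safe`, which is the right choice and worth keeping. The enclosing `{% for %}` loop starts outside the hunk.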
diff --git a/readme.html b/readme.html deleted file mode 100644 index bfdd3bd..0000000 --- a/readme.html +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - -

Recorded Future App for Phantom allows clients to work smarter, - respond faster, and strengthen their defenses through automation and - orchestration. The Recorded Future App provides a number of actions that - enable the creation of Playbooks to do automated enrichment, - correlation, threat hunting, and alert handling. -

-

Ingest alerts into events

-

With alerting rules set up in your Recorded Future enterprise, triggered alerts - can now be ingested in Splunk SOAR as events.The ingestion configuration is set - per asset under the tabs "Asset Settings" and "Ingest Settings".

-

"Asset Settings" defines a list of rule IDs, what severity to apply - to the new events and set the limits for the number of events created by the ingestion. -

-

-

The scheduling of the ingestion is set under "Ingest Settings"

-

- - diff --git a/recordedfuture.json b/recordedfuture.json index cac8958..26d3f54 100644 --- a/recordedfuture.json +++ b/recordedfuture.json @@ -5,7 +5,7 @@ "publisher": "Recorded Future, Inc", "type": "reputation", "main_module": "recordedfuture_connector.py", - "app_version": "4.2.0", + "app_version": "4.3.0", "utctime_updated": "2022-05-30T07:33:58.826014Z", "package_name": "phantom_recordedfuture", "product_name": "Recorded Future App for Phantom", @@ -87,7 +87,7 @@ "on_poll_playbook_alert_type": { "data_type": "string", "order": 11, - "description": "Comma-separated list of Playbook alert types. (domain_abuse, cyber_vulnerability are now supported)" + "description": "Comma-separated list of Playbook alert types. (domain_abuse, cyber_vulnerability, code_repo_leakage are now supported)" }, "on_poll_playbook_alert_start_time": { "data_type": "string", @@ -1706,6 +1706,16 @@ "recordedfuture evidence lastseen" ] }, + { + "data_path": "action_result.data.*.ai_insights", + "data_type": "string", + "contains": [ + "recorded future AI Insights" + ], + "example_values": [ + "Here is some AI generated text related to this entity" + ] + }, { "data_path": "action_result.summary.criticalityLabel", "data_type": "string", @@ -2383,6 +2393,16 @@ "recordedfuture evidence lastseen" ] }, + { + "data_path": "action_result.data.*.ai_insights", + "data_type": "string", + "contains": [ + "recorded future AI Insights" + ], + "example_values": [ + "Here is some AI generated text related to this entity" + ] + }, { "data_path": "action_result.summary.criticalityLabel", "data_type": "string", @@ -3018,6 +3038,16 @@ "recordedfuture evidence lastseen" ] }, + { + "data_path": "action_result.data.*.ai_insights", + "data_type": "string", + "contains": [ + "recorded future AI Insights" + ], + "example_values": [ + "Here is some AI generated text related to this entity" + ] + }, { "data_path": "action_result.summary.criticalityLabel", "data_type": "string", 
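Review bot: The new `ai_insights` output entries in the `@@ -1706`, `@@ -2383` and `@@ -3018` hunks (repeated in `@@ -3664,6 +3694,16 @@` and `@@ -4326,6 +4366,16 @@`) declare the contains type `recorded future AI Insights`, while the neighbouring entries in the same hunks use the unspaced `recordedfuture …` family (`recordedfuture evidence lastseen`, `recordedfuture risk criticality label`). SOAR matches actions to data by the contains type string, so a second spelling starts a parallel label family that playbook authors have to know about; if the spaced form is deliberate, it would be worth a line in the commit description, otherwise `recordedfuture ai insights` keeps the convention. The example value `Here is some AI generated text related to this entity` is a reasonable placeholder but does not say whether the field is plain text or may carry markup, which the widgets that render it need to know.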
@@ -3664,6 +3694,16 @@
 "recordedfuture evidence lastseen"
 ]
 },
+ {
+ "data_path": "action_result.data.*.ai_insights",
+ "data_type": "string",
+ "contains": [
+ "recorded future AI Insights"
+ ],
+ "example_values": [
+ "Here is some AI generated text related to this entity"
+ ]
+ },
 {
 "data_path": "action_result.summary.criticalityLabel",
 "data_type": "string",
@@ -4326,6 +4366,16 @@
 "recordedfuture evidence lastseen"
 ]
 },
+ {
+ "data_path": "action_result.data.*.ai_insights",
+ "data_type": "string",
+ "contains": [
+ "recorded future AI Insights"
+ ],
+ "example_values": [
+ "Here is some AI generated text related to this entity"
+ ]
+ },
 {
 "data_path": "action_result.summary.criticalityLabel",
 "data_type": "string",
@@ -5747,7 +5797,7 @@
 "read_only": true,
 "parameters": {
 "category": {
- "description": "Playbook alert category (cyber_vulnerability, domain_abuse)",
+ "description": "Playbook alert category (cyber_vulnerability, domain_abuse, code_repo_leakage)",
 "data_type": "string",
 "order": 0
 },
@@ -6408,107 +6458,3507 @@
 "versions": "EQ(*)"
 },
 {
- "action": "on poll",
- "description": "Ingest alerts from Recorded Future",
- "verbose": "This action will fetch alerts / Playbook Alerts for the specified rule IDs and within the specified timeframe. When limiting the number of events to ingest, it will ingest the most recent events.

",
- "type": "ingest",
- "identifier": "on_poll",
+ "action": "links search",
+ "identifier": "links_search",
+ "description": "Search for links data",
+ "type": "investigate",
 "read_only": true,
 "parameters": {
- "start_time": {
- "data_type": "numeric",
- "description": "Parameter ignored for this app",
+ "entity_id": {
+ "description": "Entity ID (Do not specify ID when use 'name'+'type')",
+ "data_type": "string",
+ "primary": true,
 "order": 0
 },
- "end_time": {
- "data_type": "numeric",
- "description": "Parameter ignored for this app",
+ "entity_name": {
+ "description": "Entity name (can be used only with selected type)",
+ "data_type": "string",
+ "primary": true,
 "order": 1
 },
- "container_count": {
- "description": "Maximum number of events to query for",
- "data_type": "numeric",
- "default": 100,
+ "entity_type": {
+ "description": "Entity type",
+ "data_type": "string",
+ "value_list": [
+ "IpAddress",
+ "InternetDomainName",
+ "Hash",
+ "CyberVulnerability",
+ "CyberThreatActorCategory",
+ "AttackVector",
+ "Company",
+ "FileContent",
+ "Malware",
+ "MalwareCategory",
+ "MalwareSignature",
+ "MitreAttackIdentifier",
+ "Organization",
+ "Person",
+ "Username"
+ ],
 "order": 2
 },
- "artifact_count": {
- "description": "Parameter ignored in this app",
- "data_type": "numeric",
+ "source_type": {
+ "data_type": "string",
+ "description": "Sources are grouped into two types, technical analysis and Insikt Group research. 
Specify either technical or insikt for the type",
+ "value_list": [
+ "technical",
+ "insikt"
+ ],
 "order": 3
+ },
+ "timeframe": {
+ "description": "Time range for when rules were triggered",
+ "data_type": "string",
+ "default": "-90d",
+ "value_list": [
+ "-90d",
+ "-30d",
+ "-7d",
+ "-24h"
+ ],
+ "order": 4
+ },
+ "technical_type": {
+ "data_type": "string",
+ "description": "Technical link sources may be further filtered by specifying an event type (type:MalwareAnalysis)",
+ "order": 5
+ }
 },
- "output": [],
- "render": {
- "type": "custom",
- "width": 15,
- "height": 8,
- "view": "recordedfuture_view.contexts_results",
- "title": "List of available contexts"
- },
- "versions": "EQ(*)"
- }
- ],
- "pip_dependencies": {
- "wheel": [
- {
- "module": "beautifulsoup4",
- "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl"
- },
- {
- "module": "certifi",
- "input_file": "wheels/py3/certifi-2022.12.7-py3-none-any.whl"
- },
- {
- "module": "chardet",
- "input_file": "wheels/shared/chardet-3.0.4-py2.py3-none-any.whl"
- },
- {
- "module": "idna",
- "input_file": "wheels/shared/idna-2.10-py2.py3-none-any.whl"
- },
- {
- "module": "requests",
- "input_file": "wheels/shared/requests-2.25.0-py2.py3-none-any.whl"
- },
- {
- "module": "soupsieve",
- "input_file": "wheels/py3/soupsieve-2.3.2.post1-py3-none-any.whl"
- },
- {
- "module": "urllib3",
- "input_file": "wheels/shared/urllib3-1.26.14-py2.py3-none-any.whl"
- }
- ]
- },
- "pip39_dependencies": {
- "wheel": [
- {
- "module": "beautifulsoup4",
- "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl"
- },
- {
- "module": "certifi",
- "input_file": "wheels/py3/certifi-2022.12.7-py3-none-any.whl"
- },
- {
- "module": "chardet",
- "input_file": "wheels/shared/chardet-3.0.4-py2.py3-none-any.whl"
- },
- {
- "module": "idna",
- "input_file": "wheels/shared/idna-2.10-py2.py3-none-any.whl"
- },
- {
- "module": "requests",
- "input_file": "wheels/shared/requests-2.25.0-py2.py3-none-any.whl"
- },
- {
- "module": 
"soupsieve", - "input_file": "wheels/py3/soupsieve-2.4-py3-none-any.whl" - }, - { - "module": "urllib3", - "input_file": "wheels/shared/urllib3-1.26.14-py2.py3-none-any.whl" + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "contains": [ + "recordedfuture result status" + ], + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.entity_id", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_name", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_type", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.source_type", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.timeframe", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.technical_type", + "data_type": "string" + }, + { + "data_path": "action_result.data.*.entity.type", + "data_type": "string", + "contains": [ + "recordedfuture entity type" + ], + "example_values": [ + "type:IpAddress" + ] + }, + { + "data_path": "action_result.data.*.entity.id", + "data_type": "string", + "contains": [ + "recordedfuture entity id" + ], + "example_values": [ + "ip:8.8.8.8" + ] + }, + { + "data_path": "action_result.data.*.entity.name", + "data_type": "string", + "contains": [ + "recordedfuture entity name" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:IpAddress" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "ip:8.8.8.8" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": 
"action_result.data.*.links.IpAddress.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:URL" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "url:https:google.com" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "https:google.com" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" 
+ ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:InternetDomainName" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "idn:avsvmcloud.com" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "avsvmcloud.com" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + 
"example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:CyberVulnerability" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + 
"example_values": [ + "FH4y7" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "CVE-2021-38647" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:CyberThreatActorCategory" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.source", + 
"data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:AttackVector" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "Jsdy3" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Malicious code" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.risk_level", + "data_type": 
"numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.risk_score", + "data_type": "string", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Company" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "jf7ff" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Google" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + 
"data_path": "action_result.data.*.links.FileContent.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:FileContent" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "d37hhj" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "JLHNoH" + ] + }, + { + "data_path": 
"action_result.data.*.links.Malware.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Cobalt Strike" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + 
{ + "data_path": "action_result.data.*.links.MalwareCategory.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.risk_level", + "data_type": "numeric", + "contains": [ + 
"recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:MitreAttackIdentifier" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "mitre:T1059.001" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "T1059.001" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.criticality", + "data_type": 
"string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Organization" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "FJD7IK" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Sichuan University" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Person" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ 
+ "F7FJ" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Some Person" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Username" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "KDJ8l" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "noname" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.section", + "data_type": "string", + "contains": [ + 
"recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string", + "contains": [ + "recordedfuture result message" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects successful" + ], + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "custom", + "width": 15, + "height": 8, + "view": "recordedfuture_view.links_search_results", + "title": "Results" + }, + "versions": "EQ(*)" + }, + { + "action": "detection rule search", + "identifier": "detection_rule_search", + "description": "Search for detection rule", + "type": "investigate", + "read_only": true, + "parameters": { + "entity_id": { + "description": "Entity ID (Do not specify ID when use 'name'+'type')", + "data_type": "string", + "primary": true, + "order": 0 + }, + "entity_name": { + "description": "Entity name (can be used only with selected type)", + "data_type": "string", + "primary": true, + "order": 1 + }, + "entity_type": { + "description": "Entity type", + "data_type": "string", + "value_list": [ + "IpAddress", + "InternetDomainName", + 
"Hash", + "CyberVulnerability", + "CyberThreatActorCategory", + "AttackVector", + "Company", + "FileContent", + "Malware", + "MalwareCategory", + "MalwareSignature", + "MitreAttackIdentifier", + "Organization", + "Person", + "Username" + ], + "order": 2 + }, + "rule_types": { + "data_type": "string", + "description": "This is a comma separated list of the following values: 'yara', 'sigma', and 'snort'. Values in this filter are applied as a logical 'OR'", + "order": 3 + }, + "title": { + "data_type": "string", + "description": "Free text search for Insikt notes associated with detection rules", + "order": 4 + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "contains": [ + "recordedfuture result status" + ], + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.entity_id", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_name", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_type", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.rule_types", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.title", + "data_type": "string" + }, + { + "data_path": "action_result.data.*.type", + "data_type": "string", + "contains": [ + "recordedfuture detection rule type" + ], + "example_values": [ + "sigma" + ] + }, + { + "data_path": "action_result.data.*.id", + "data_type": "string", + "contains": [ + "recordedfuture detection rule id" + ], + "example_values": [ + "doc:nhChac" + ] + }, + { + "data_path": "action_result.data.*.title", + "data_type": "string", + "contains": [ + "recordedfuture detection rule title" + ], + "example_values": [ + "Insikt Validated TTP: Hunting Brute Ratel C4" + ] + }, + { + "data_path": "action_result.data.*.created", + "data_type": "string", + "contains": [ + "recordedfuture detection rule created date" + ], + "example_values": [ + "2022-08-05T14:25:31.063Z" 
+ ] + }, + { + "data_path": "action_result.data.*.updated", + "data_type": "string", + "contains": [ + "recordedfuture detection rule updated date" + ], + "example_values": [ + "2022-08-05T14:25:31.063Z" + ] + }, + { + "data_path": "action_result.data.*.description", + "data_type": "string", + "contains": [ + "recordedfuture detection rule description" + ], + "example_values": [ + "Brute Ratel C4 (BRc4) is a red team tool authored by security researcher...." + ] + }, + { + "data_path": "action_result.data.*.rules.*.content", + "data_type": "string", + "contains": [ + "recordedfuture detection file content" + ], + "example_values": [ + "title: MAL_Brute_Ratel_C4_DLL_Sideloading id:...." + ] + }, + { + "data_path": "action_result.data.*.rules.*.file_name", + "data_type": "string", + "contains": [ + "recordedfuture detection file name" + ], + "example_values": [ + "mal_brute_ratel_c4_dll_sideloading.yml" + ] + }, + { + "data_path": "action_result.data.*.rules.*.entities.type", + "data_type": "string", + "contains": [ + "recordedfuture entity type" + ], + "example_values": [ + "type:IpAddress" + ] + }, + { + "data_path": "action_result.data.*.rules.*.entities.id", + "data_type": "string", + "contains": [ + "recordedfuture entity id" + ], + "example_values": [ + "ip:8.8.8.8" + ] + }, + { + "data_path": "action_result.data.*.rules.*.entities.name", + "data_type": "string", + "contains": [ + "recordedfuture entity name" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string", + "contains": [ + "recordedfuture result message" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects successful" + ], + 
"example_values": [ + 1 + ] + } + ], + "render": { + "type": "custom", + "width": 15, + "height": 8, + "view": "recordedfuture_view.detection_rule_search_results", + "title": "Results" + }, + "versions": "EQ(*)" + }, + { + "action": "threat actor intelligence", + "identifier": "threat_actor_intelligence", + "description": "Get threat actor intelligence", + "type": "investigate", + "read_only": true, + "parameters": { + "threat_actor": { + "description": "Threat actor name to look up", + "data_type": "string", + "primary": true, + "required": true, + "order": 0 + }, + "links": { + "description": "Add links data to a threat actor map data", + "data_type": "boolean", + "required": true, + "order": 1 + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "contains": [ + "recordedfuture result status" + ], + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.threat_actor", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.links", + "data_type": "boolean" + }, + { + "data_path": "action_result.data.*.id", + "data_type": "string", + "contains": [ + "recordedfuture entity id" + ], + "example_values": [ + "L37nw-" + ] + }, + { + "data_path": "action_result.data.*.name", + "data_type": "string", + "contains": [ + "recordedfuture entity name" + ], + "example_values": [ + "APT28" + ] + }, + { + "data_path": "action_result.data.*.alias.*", + "data_type": "string", + "contains": [ + "recordedfuture alias for entity" + ], + "example_values": [ + "Pawn Storm" + ] + }, + { + "data_path": "action_result.data.*.intent", + "data_type": "numeric", + "contains": [ + "recorded future threat actor intent score" + ], + "example_values": [ + 5 + ] + }, + { + "data_path": "action_result.data.*.opportunity", + "data_type": "numeric", + "contains": [ + "recorded future threat actor opportunity score" + ], + "example_values": [ + 95 + ] + }, + { + "data_path": 
"action_result.data.*.severity", + "data_type": "string", + "contains": [ + "recorded future threat actor severity" + ], + "example_values": [ + "High" + ] + }, + { + "data_path": "action_result.data.*.intelCard", + "data_type": "string", + "contains": [ + "recorded future threat actor intel card link" + ], + "example_values": [ + "https://app.recordedfuture.com/live/sc/entity/L37nw-" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:IpAddress" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "ip:8.8.8.8" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.IpAddress.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.type", + "data_type": "string", + 
"contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:URL" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "url:https:google.com" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "https:google.com" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.URL.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:InternetDomainName" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "idn:avsvmcloud.com" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "avsvmcloud.com" + ] + 
}, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.InternetDomainName.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + 
"example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Hash.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:CyberVulnerability" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "FH4y7" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "CVE-2021-38647" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.CyberVulnerability.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + 
"data_path": "action_result.data.*.links.CyberVulnerability.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:CyberThreatActorCategory" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.CyberThreatActorCategory.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.type", + "data_type": "string", + 
"contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:AttackVector" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "Jsdy3" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Malicious code" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.risk_score", + "data_type": "string", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Company" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "jf7ff" + ] + }, + { + "data_path": "action_result.data.*.links.AttackVector.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Google" + ] + }, + { 
+ "data_path": "action_result.data.*.links.Company.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Company.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:FileContent" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "d37hhj" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": 
"action_result.data.*.links.FileContent.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.FileContent.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "JLHNoH" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Cobalt Strike" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Malware.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link 
criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareCategory.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Hash" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.id", + 
"data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "hash:8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "8c09f9146cd9f53a768baf1dea8718ae98d73d9f2528eb0a7e970f50411c318d" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.MalwareSignature.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:MitreAttackIdentifier" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "mitre:T1059.001" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + 
"example_values": [ + "T1059.001" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.MitreAttackIdentifier.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Organization" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "FJD7IK" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Sichuan University" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": 
[ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Organization.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Person" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "F7FJ" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "Some Person" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Person.*.criticality", + "data_type": "string", + 
"contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.type", + "data_type": "string", + "contains": [ + "recordedfuture link type" + ], + "example_values": [ + "type:Username" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.id", + "data_type": "string", + "contains": [ + "recordedfuture link id" + ], + "example_values": [ + "KDJ8l" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.name", + "data_type": "string", + "contains": [ + "recordedfuture link name" + ], + "example_values": [ + "noname" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.source", + "data_type": "string", + "contains": [ + "recordedfuture link source" + ], + "example_values": [ + "technical" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.section", + "data_type": "string", + "contains": [ + "recordedfuture link section" + ], + "example_values": [ + "iU_ZsG" + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.risk_level", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk level" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.risk_score", + "data_type": "numeric", + "contains": [ + "recordedfuture link risk score" + ], + "example_values": [ + 75 + ] + }, + { + "data_path": "action_result.data.*.links.Username.*.criticality", + "data_type": "string", + "contains": [ + "recordedfuture link criticality" + ], + "example_values": [ + "Unusual" + ] + }, + { + "data_path": "action_result.data.*.location.country", + "data_type": "string", + "contains": [ + "country location for the threat actor" + ], + "example_values": [ + "Ukraine" + ] + }, + { + "data_path": "action_result.data.*.ai_insights", + "data_type": "string", + "contains": [ + "recorded future AI Insights" + ], + "example_values": [ + "Here is some AI generated text related to this 
entity" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string", + "contains": [ + "recordedfuture result message" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects successful" + ], + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "custom", + "width": 15, + "height": 8, + "view": "recordedfuture_view.threat_actor_intelligence_results", + "title": "Results" + }, + "versions": "EQ(*)" + }, + { + "action": "threat map", + "identifier": "threat_map", + "description": "Get threat map", + "type": "investigate", + "read_only": true, + "parameters": {}, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "contains": [ + "recordedfuture result status" + ], + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.id", + "data_type": "string", + "contains": [ + "recorded future threat actor id" + ], + "example_values": [ + "ny_8g4" + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.name", + "data_type": "string", + "contains": [ + "recorded future threat actor name" + ], + "example_values": [ + "BianLian Ransomware Group" + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.alias.*", + "data_type": "string", + "contains": [ + "recorded future threat actor alias name" + ], + "example_values": [ + "Pawn Storm" + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.intent", + "data_type": "numeric", + "contains": [ + "recorded future threat actor intent score" + ], + "example_values": [ + 5 + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.opportunity", + "data_type": "numeric", + "contains": [ + 
"recorded future threat actor opportunity score" + ], + "example_values": [ + 95 + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.severity", + "data_type": "string", + "contains": [ + "recorded future threat actor severity" + ], + "example_values": [ + "High" + ] + }, + { + "data_path": "action_result.data.*.threatActor.*.intelCard", + "data_type": "string", + "contains": [ + "recorded future threat actor intel card link" + ], + "example_values": [ + "https://app.recordedfuture.com/live/sc/entity/L37nw-" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string", + "contains": [ + "recordedfuture result message" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects successful" + ], + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "custom", + "width": 15, + "height": 8, + "view": "recordedfuture_view.threat_map_results", + "title": "Results" + }, + "versions": "EQ(*)" + }, + { + "action": "collective insights submit", + "identifier": "collective_insights_submit", + "description": "Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud", + "type": "investigate", + "read_only": true, + "parameters": { + "entity_name": { + "description": "Entity value of the IOC itself", + "data_type": "string", + "required": true, + "order": 0 + }, + "entity_type": { + "description": "Entity Type value that can contain one of the enumerated list of values: ip, hash, domain, vulnerability, url", + "data_type": "string", + "required": true, + "value_list": [ + "ip", + "domain", + "vulnerability", + "hash", + "url" + ], + "order": 1 + }, + "entity_field": { + "description": "Entity field used to 
describe characteristics about the IOC. Example: dstip", + "data_type": "string", + "order": 2 + }, + "entity_source_type": { + "description": "Used to describe what log source the IOC came from. Example: netscreen:firewall", + "data_type": "string", + "order": 3 + }, + "event_id": { + "description": "Event unique id. Example: 31", + "data_type": "string", + "order": 4 + }, + "event_name": { + "description": "Title of the event related to the IOC. Example: Recorded Future Domain Abuse Alert", + "data_type": "string", + "order": 5 + }, + "event_type": { + "description": "Attack vector associated with the incident. Example: C2, Phishing, splunk-detection-rule, ... etc)", + "data_type": "string", + "order": 6 + }, + "mitre_codes": { + "description": "Comma-separated list of MITRE codes associated with the IOC. Example: T1055, T1064", + "data_type": "string", + "order": 7 + }, + "malware": { + "description": "Comma separated Malware associated with the IOCs. Example: Stuxnet, DUQU", + "data_type": "string", + "order": 8 + }, + "timestamp": { + "description": "Timestamp in ISO format. 
Example: 2023-07-19T04:29:40", + "data_type": "string", + "order": 9 + } + }, + "output": [ + { + "data_path": "action_result.status", + "data_type": "string", + "contains": [ + "recordedfuture result status" + ], + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.parameter.entity_name", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_type", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_field", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_source_type", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.event_id", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.entity_field", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.event_name", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.event_type", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.mitre_codes", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.malware", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.timestamp", + "data_type": "string" + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string", + "contains": [ + "recordedfuture result message" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects" + ], + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "contains": [ + "recordedfuture total objects successful" + ], + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "custom", + "width": 15, + "height": 8, + "view": "recordedfuture_view.collective_insights_submission_results", + "title": "Collective 
insight" + }, + "versions": "EQ(*)" + }, + { + "action": "on poll", + "description": "Ingest alerts from Recorded Future", + "verbose": "This action will fetch alerts / Playbook Alerts for the specified rule IDs and within the specified timeframe. When limiting the number of events to ingest, it will ingest the most recent events.

", + "type": "ingest", + "identifier": "on_poll", + "read_only": true, + "parameters": { + "start_time": { + "data_type": "numeric", + "description": "Parameter ignored for this app", + "order": 0 + }, + "end_time": { + "data_type": "numeric", + "description": "Parameter ignored for this app", + "order": 1 + }, + "container_count": { + "description": "Maximum number of events to query for", + "data_type": "numeric", + "default": 100, + "order": 2 + }, + "artifact_count": { + "description": "Parameter ignored in this app", + "data_type": "numeric", + "order": 3 + } + }, + "output": [], + "render": { + "type": "custom", + "width": 15, + "height": 8, + "view": "recordedfuture_view.contexts_results", + "title": "List of available contexts" + }, + "versions": "EQ(*)" + } + ], + "pip_dependencies": { + "wheel": [ + { + "module": "beautifulsoup4", + "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl" + }, + { + "module": "soupsieve", + "input_file": "wheels/py3/soupsieve-2.3.2.post1-py3-none-any.whl" + } + ] + }, + "pip39_dependencies": { + "wheel": [ + { + "module": "beautifulsoup4", + "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl" + }, + { + "module": "soupsieve", + "input_file": "wheels/py3/soupsieve-2.4.1-py3-none-any.whl" } ] } diff --git a/recordedfuture_connector.py b/recordedfuture_connector.py index 9f5ff1c..1103400 100644 --- a/recordedfuture_connector.py +++ b/recordedfuture_connector.py @@ -405,6 +405,14 @@ def _make_rest_call( ), None, ) + elif resp.status_code == 404: + return RetVal( + action_result.set_status( + phantom.APP_ERROR, + 'Error Connecting to server. Details: Error code: 404 Not Found.', + ), + resp, + ) else: return RetVal( action_result.set_status( 
@@ -483,6 +491,13 @@ def _handle_intelligence(self, param, ioc, entity_type): }, ) + # Do not fail on 404. Give a message to user with success status. + if phantom.is_fail(my_ret_val) and response.status_code == 404: + action_result.set_status( + phantom.APP_SUCCESS, + status_message="Recorded Future does not have any information on this indicator." + ) + if phantom.is_fail(my_ret_val): return action_result.get_status() @@ -841,28 +856,32 @@ def _handle_list_contexts(self, param): # dictionary return action_result.set_status(phantom.APP_SUCCESS) - def _add_screenshots_to_container(self, container, screenshots): - for screenshot in screenshots: - file_name = f'{uuid.uuid4()}.png' - file_path = os.path.join('/opt/splunk-soar/vault/tmp', file_name) - with open(file_path, "wb") as screenshot_file: - screenshot_file.write(base64.b64decode(screenshot)) - - success, message, vault_id = vault.vault_add( + def _write_file_to_vault(self, container, file_data, file_name): + file_path = os.path.join('/opt/splunk-soar/vault/tmp', file_name) + with open(file_path, "wb") as file: + file.write(file_data) + _, message, _ = vault.vault_add( container=container, file_location=file_path, file_name=file_name, metadata=None, trace=True, ) - self.debug_print(f"Add screenshot - {message} - {container}") + self.debug_print(f"Add file - {message} - {container}") + + def _add_screenshots_to_container(self, container, screenshots): + for screenshot in screenshots: + file_name = f'{uuid.uuid4()}.png' + file_data = base64.b64decode(screenshot) + self._write_file_to_vault(container, file_data, file_name) def _on_poll_playbook_alerts(self, param, config, action_result): """Polling for triggered playbook alerts""" + params = {} if self.is_poll_now(): param['max_count'] = param.get('container_count', MAX_CONTAINERS) - from_date = None + params["from_date"] = None else: if not config.get("on_poll_playbook_alert_type"): return [] 
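Review bot: The new guard `if phantom.is_fail(my_ret_val) and response.status_code == 404:` dereferences `response` on every failed call, but the other error branches of `_make_rest_call` (visible in the earlier hunk) return `None` as the response, so any non-404 failure now raises `AttributeError` instead of returning the error status. Guard on the object first: `if phantom.is_fail(my_ret_val) and response is not None and response.status_code == 404:`. It is also worth saying in the comment that `my_ret_val` is left as a failure value after the status is overwritten, so it is the following `if phantom.is_fail(my_ret_val): return action_result.get_status()` that presumably returns the new success status — the flow only works because of that. `_handle_intelligence` starts and ends outside the hunk.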
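Review bot: `_write_file_to_vault` discards the success flag from `vault.vault_add` (`_, message, _ = vault.vault_add(`) and only debug-prints the message, so a caller such as `_add_screenshots_to_container` cannot tell that a file never reached the vault; keeping it, `success, message, _ = vault.vault_add(` … `return success`, leaves the helper reusable by the new action handlers that write service-supplied files. The helper has no docstring; one stating that `file_name` is joined verbatim under `/opt/splunk-soar/vault/tmp` and that `file_data` must already be bytes would make the contract explicit for those callers. The temporary file is not removed after `vault_add`, which the original code did not do either; whether the vault moves or copies it is not visible here, so worth confirming.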
@@ -872,10 +891,11 @@ def _on_poll_playbook_alerts(self, param, config, action_result): self._state['first_run'] = False param['max_count'] = config.get('first_max_count', MAX_CONTAINERS) self.save_progress("First time Ingestion detected.") - from_date = config.get("on_poll_playbook_alert_start_time") + params["from_date"] = config.get("on_poll_playbook_alert_start_time") else: param['max_count'] = config.get('max_count', MAX_CONTAINERS) - from_date = self._state.get( + # For all the runs after tge first one we get alerts filtered by update_data instead of create_date. + params["last_updated_date"] = self._state.get( "last_playbook_alerts_fetch_time" ) or config.get("on_poll_playbook_alert_start_time") @@ -884,22 +904,17 @@ def _on_poll_playbook_alerts(self, param, config, action_result): param['max_count'] = MAX_CONTAINERS # Prepare the REST call to get all alerts within the timeframe and with status New - params = { - 'from_date': from_date, - 'state': self._state, - 'limit': param.get('max_count', 100), - 'categories': [ - el.strip() - for el in config.get("on_poll_playbook_alert_type", "").split(",") - if el.strip() - ], - 'priorities': [ - el.strip() - for el in config["on_poll_playbook_alert_priority"].split(",") - ] - if config.get("on_poll_playbook_alert_priority") - else None, - } + params['state'] = self._state + params['limit'] = param.get('max_count', 100) + params['categories'] = [ + el.strip() + for el in config.get("on_poll_playbook_alert_type", "").split(",") + if el.strip() + ] + params['priorities'] = [ + el.strip() + for el in config["on_poll_playbook_alert_priority"].split(",") + ] if config.get("on_poll_playbook_alert_priority") else None # Make the rest call my_ret_val, containers = self._make_rest_call( 
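Review bot: The comment on the new `last_updated_date` branch has two typos that obscure the one thing it is there to explain — `tge` for `the`, and `update_data` where the code and the release notes mean the update date; it should read `# For all runs after the first one, alerts are filtered by update date instead of create date.` The state key it reads, `last_playbook_alerts_fetch_time`, still describes a fetch time, and the docstring `"""Polling for triggered playbook alerts"""` does not mention the create-date/update-date split, so a sentence there would help the next maintainer. `_on_poll_playbook_alerts` continues past the hunk.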
@@ -1459,6 +1474,248 @@ def _handle_entities_search(self, param): action_result.set_summary(summary) return action_result.set_status(phantom.APP_SUCCESS) + def _handle_links_search(self, param): + self.save_progress( + "In action handler for: {0}".format(self.get_action_identifier()) + ) + + # Add an action result object to self (BaseConnector) to represent + # the action for this param + action_result = self.add_action_result(ActionResult(param)) + params = { + 'entity_id': UnicodeDammit(param['entity_id']).unicode_markup + if 'entity_id' in param + else None, + 'entity_name': UnicodeDammit(param['entity_name']).unicode_markup + if 'entity_name' in param + else None, + 'entity_type': UnicodeDammit(param['entity_type']).unicode_markup + if 'entity_type' in param + else None, + "timeframe": UnicodeDammit(param['timeframe']).unicode_markup + if 'timeframe' in param + else "-90d", + "technical_type": UnicodeDammit(param['technical_type']).unicode_markup + if 'technical_type' in param + else None, + 'source_type': UnicodeDammit(param['source_type']).unicode_markup + if 'source_type' in param + else None, + } + params = {key: value for key, value in params.items() if value} + # make rest call + my_ret_val, response = self._make_rest_call( + '/links/search', action_result, json=params, method="post" + ) + # Handle failure + if phantom.is_fail(my_ret_val): + return action_result.get_status() + + # Summary + summary = action_result.get_summary() + action_result.add_data(response) + action_result.set_summary(summary) + self.debug_print( + '_handle_links_search', + { + 'path_info': '/links/search', + 'action_result': action_result, + 'params': params, + 'my_ret_val': my_ret_val, + 'response': response, + }, + ) + return action_result.set_status(phantom.APP_SUCCESS) + + def _handle_detection_rule_search(self, param): + self.save_progress( + "In action handler for: {0}".format(self.get_action_identifier()) + ) + + # Add an action result object to self (BaseConnector) to 
represent + # the action for this param + action_result = self.add_action_result(ActionResult(param)) + params = { + 'entity_id': UnicodeDammit(param['entity_id']).unicode_markup + if 'entity_id' in param + else None, + 'entity_name': UnicodeDammit(param['entity_name']).unicode_markup + if 'entity_name' in param + else None, + 'entity_type': UnicodeDammit(param['entity_type']).unicode_markup + if 'entity_type' in param + else None, + "rule_types": UnicodeDammit(param['rule_types']).unicode_markup + if 'rule_types' in param + else None, + "title": UnicodeDammit(param['title']).unicode_markup + if 'title' in param + else None, + } + params = {key: value for key, value in params.items() if value} + # make rest call + my_ret_val, response = self._make_rest_call( + '/detection_rule/search', action_result, json=params, method="post" + ) + # Handle failure + if phantom.is_fail(my_ret_val): + return action_result.get_status() + container_id = self.get_container_id() + # Write rules to files. + for detection_rule in response: + for rule in detection_rule.get("rules"): + file_name = rule["file_name"] + file_content = rule["content"] + if file_name and file_content: + file_content = file_content.encode() + self._write_file_to_vault(container_id, file_content, file_name) + # Summary + summary = action_result.get_summary() + action_result.add_data(response) + action_result.set_summary(summary) + self.debug_print( + '_handle_detection_rule_search', + { + 'path_info': '/detection_rule/search', + 'action_result': action_result, + 'params': params, + 'my_ret_val': my_ret_val, + 'response': response, + }, + ) + return action_result.set_status(phantom.APP_SUCCESS) + + def _handle_threat_actor_intelligence(self, param): + self.save_progress( + "In action handler for: {0}".format(self.get_action_identifier()) + ) + + # Add an action result object to self (BaseConnector) to represent + # the action for this param + action_result = self.add_action_result(ActionResult(param)) + params = { 
+ 'threat_actor': UnicodeDammit(param['threat_actor']).unicode_markup, + 'links': param['links'], + } + # make rest call + my_ret_val, response = self._make_rest_call( + '/threat/map/actors', action_result, json=params, method="post" + ) + # Handle failure + if phantom.is_fail(my_ret_val): + return action_result.get_status() + + # Summary + summary = action_result.get_summary() + action_result.add_data(response) + action_result.set_summary(summary) + self.debug_print( + '_handle_threat_actor_intelligence', + { + 'path_info': '/threat/map/actors', + 'action_result': action_result, + 'params': params, + 'my_ret_val': my_ret_val, + 'response': response, + }, + ) + return action_result.set_status(phantom.APP_SUCCESS) + + def _handle_threat_map(self, param): + self.save_progress( + "In action handler for: {0}".format(self.get_action_identifier()) + ) + + # Add an action result object to self (BaseConnector) to represent + # the action for this param + action_result = self.add_action_result(ActionResult(param)) + # make rest call + my_ret_val, response = self._make_rest_call( + '/threat/map', action_result, method="get" + ) + # Handle failure + if phantom.is_fail(my_ret_val): + return action_result.get_status() + + # Summary + summary = action_result.get_summary() + action_result.add_data(response) + action_result.set_summary(summary) + self.debug_print( + '_handle_threat_map', + { + 'path_info': '/threat/map', + 'action_result': action_result, + 'my_ret_val': my_ret_val, + 'response': response, + }, + ) + return action_result.set_status(phantom.APP_SUCCESS) + + def _handle_collective_insights_submission(self, param): + self.save_progress( + "In action handler for: {0}".format(self.get_action_identifier()) + ) + + # Add an action result object to self (BaseConnector) to represent + # the action for this param + action_result = self.add_action_result(ActionResult(param)) + params = { + 'entity_name': UnicodeDammit(param['entity_name']).unicode_markup + if 'entity_name' in 
param + else None, + 'entity_type': UnicodeDammit(param['entity_type']).unicode_markup + if 'entity_type' in param + else None, + 'entity_field': UnicodeDammit(param['entity_field']).unicode_markup + if 'entity_field' in param + else None, + "entity_source_type": UnicodeDammit(param['entity_source_type']).unicode_markup + if 'entity_source_type' in param + else None, + "event_id": UnicodeDammit(param['event_id']).unicode_markup + if 'event_id' in param + else None, + "event_name": UnicodeDammit(param['event_name']).unicode_markup + if 'event_name' in param + else None, + "event_type": UnicodeDammit(param['event_type']).unicode_markup + if 'event_type' in param + else None, + "mitre_codes": UnicodeDammit(param['mitre_codes']).unicode_markup + if 'mitre_codes' in param + else None, + "malware": UnicodeDammit(param['malware']).unicode_markup + if 'malware' in param + else None, + "timestamp": UnicodeDammit(param['timestamp']).unicode_markup + if 'timestamp' in param + else None, + } + params = {key: value for key, value in params.items() if value} + # make rest call + my_ret_val, response = self._make_rest_call( + '/collective-insights/detections', action_result, json=params, method="post" + ) + # Handle failure + if phantom.is_fail(my_ret_val): + return action_result.get_status() + + # Summary + summary = action_result.get_summary() + action_result.add_data(response) + action_result.set_summary(summary) + self.debug_print( + '_handle_collective_insights_submission', + { + 'path_info': '/collective-insights/detections', + 'action_result': action_result, + 'my_ret_val': my_ret_val, + 'response': response, + }, + ) + return action_result.set_status(phantom.APP_SUCCESS) + def handle_action(self, param): """Handle a call to the app, switch depending on action.""" my_ret_val = phantom.APP_SUCCESS 
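Review bot: In `_handle_detection_rule_search` the vault file name is taken straight from the API response (`file_name = rule["file_name"]`) and handed to `_write_file_to_vault`, which does `os.path.join('/opt/splunk-soar/vault/tmp', file_name)`; a name containing a path separator or an absolute path would make the write land outside the tmp directory, since `os.path.join` discards the first argument when the second is absolute. Reducing it to `os.path.basename` before the call keeps the write inside the vault directory regardless of what the service returns. The same loop does `for rule in detection_rule.get("rules"):` and `rule["file_name"]`, so a response item without `rules` raises `TypeError` and one without `file_name` raises `KeyError` instead of being skipped; the `or []` and `.get` forms below handle both. `handle_action` starts in this hunk and continues past it.
```python
    # … unchanged: REST call and failure check …
    container_id = self.get_container_id()
    # Write rules to files. The file name is service-supplied, so reduce it to a
    # bare basename before it is joined under the vault tmp directory.
    for detection_rule in response:
        for rule in detection_rule.get("rules") or []:
            file_name = os.path.basename(rule.get("file_name") or "")
            file_content = rule.get("content")
            if file_name and file_content:
                self._write_file_to_vault(container_id, file_content.encode(), file_name)
    # … unchanged: summary, debug_print, return …
```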
@@ -1535,6 +1792,21 @@ def handle_action(self, param): elif action_id == 'entity_search': my_ret_val = self._handle_entities_search(param) + elif action_id == 'links_search': + my_ret_val = self._handle_links_search(param) + + elif action_id == 'detection_rule_search': + my_ret_val = self._handle_detection_rule_search(param) + + elif action_id == 'threat_actor_intelligence': + my_ret_val = self._handle_threat_actor_intelligence(param) + + elif action_id == 'threat_map': + my_ret_val = self._handle_threat_map(param) + + elif action_id == 'collective_insights_submit': + my_ret_val = self._handle_collective_insights_submission(param) + return my_ret_val def _is_ip(self, input_ip_address): diff --git a/recordedfuture_view.py b/recordedfuture_view.py index fe781cf..5c2bead 100644 --- a/recordedfuture_view.py +++ b/recordedfuture_view.py @@ -38,6 +38,7 @@ PLAYBOOK_ALERT_CATEGORY_DISPLAY_MAPPING = { "domain_abuse": "Domain Abuse", "cyber_vulnerability": "Vulnerability", + "code_repo_leakage": "Code Repo Leakage", } 
@@ -492,3 +493,59 @@ def entity_search_results(provides, all_app_runs, context): results.append({'param': result.get_param(), 'data': result_data}) return 'entity_search_results.html' + + +def links_search_results(provides, all_app_runs, context): + """Setup the view for links search results.""" + context['results'] = results = [] + for summary, action_results in all_app_runs: + for result in action_results: + result_data = result.get_data() + if result_data: + result_data = result_data[0] + results.append({'param': result.get_param(), 'data': result_data}) + return 'links_search_results.html' + + +def detection_rule_search_results(provides, all_app_runs, context): + """Setup the view for detection rule search results.""" + context['results'] = results = [] + for summary, action_results in all_app_runs: + for result in action_results: + result_data = result.get_data() + if result_data: + result_data = result_data[0] + results.append({'param': result.get_param(), 'data': result_data}) + return 'detection_rule_search_results.html' + + +def threat_actor_intelligence_results(provides, all_app_runs, context): + """Setup the view for threat actor intelligence results.""" + context['results'] = results = [] + for summary, action_results in all_app_runs: + for result in action_results: + result_data = result.get_data() + if result_data: + result_data = result_data[0] + result_data["categories"] = [category.get("name") for category in result_data.get("categories", [])] + results.append({'param': result.get_param(), 'data': result_data}) + return 'threat_actor_intelligence_results.html' + + +def threat_map_results(provides, all_app_runs, context): + """Setup the view for threat map results.""" + context['results'] = results = [] + for summary, action_results in all_app_runs: + for result in action_results: + result_data = result.get_data() + if result_data: + result_data = result_data[0] + for actor in result_data.get("threatActor", []): + actor["categories"] = 
[category.get("name") for category in actor.get("categories", [])] + results.append({'param': result.get_param(), 'data': result_data}) + return 'threat_map_results.html' + + +def collective_insights_submission_results(provides, all_app_runs, context): + """Setup the view for collective insights submission.""" + return 'collective_insights_submission_results.html' diff --git a/release_notes/4.3.0.md b/release_notes/4.3.0.md new file mode 100644 index 0000000..4608946 --- /dev/null +++ b/release_notes/4.3.0.md @@ -0,0 +1,9 @@ +* Added new actions: + * links search - find links data in Recorded Future dataset. + * detection rule search - download detection rules (yara, sigma, snort) into the system for provided entity. + * threat actor intelligence - get intelligence data for threat actor. + * threat map - get a threat map from Recorded Future. +* Change the way Playbook alerts are polled from Recorded future into the Splunk SOAR. On the first poll the creation date is used to poll the alerts and all the next poll the alert that were updated during the time period from last poll to current poll. +* Now the intelligence commands will not fail with error NotFound but will successfully finish with the message that Recorded future does not have data for that entity. +* Added a code_repo_leakage type of playbook alerts. +* Recorded Future AI Insights added to Intelligence and Alert Lookup results. \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index 523a0ce..e861161 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1 @@ beautifulsoup4==4.9.1 -requests==2.25.0 diff --git a/threat_actor_intelligence_results.html b/threat_actor_intelligence_results.html new file mode 100644 index 0000000..a703008 --- /dev/null +++ b/threat_actor_intelligence_results.html 
@@ -0,0 +1,101 @@ +{% extends 'widgets/widget_template.html' %} +{% load custom_template %} + +{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %} +{% block title1 %}{{ title1 }}{% endblock %} +{% block title2 %}{{ title2 }}{% endblock %} +{% block custom_tools %} +{% endblock %} + +{% block widget_content %} + + + + + + + +
+ + {% for result in results %} + +

Intelligence data for {{result.data.name}} :

+
Actor Intent: {{result.data.intent|default:"N/A"}}
+
Actor Alias: {{result.data.alias|join:", "|default:"N/A"}}
+
Actor Opportunity: {{result.data.opportunity|default:"N/A"}}
+
Actor Severity: {{result.data.severity|default:"N/A"}}
+
Actor Categories: {{result.data.categories|join:", "|default:"N/A"}}
+ Link to Portal +

Links for {{result.data.name}} :

+
+ + {% for link_type, link_objects in result.data.links.items %} +
+ + + + + + + + {% for link in link_objects %} + + + + + + + + {% endfor %} + +
Links Type: {{ link_type }}
+ {% endfor %} +
+ Name:
+
+ Source:
+
+ Criticality:
+
+ Risk Score:
+
+ Risk Level:
+
+ {{ link.name }} + + {{ link.source }} + + {{ link.criticality }} + + {{ link.risk_score }} + + {{ link.risk_level }} +
+
+ {% endfor %} +
+ +{% endblock %} diff --git a/threat_map_results.html b/threat_map_results.html new file mode 100644 index 0000000..8d8f7f3 --- /dev/null +++ b/threat_map_results.html @@ -0,0 +1,59 @@ +{% extends 'widgets/widget_template.html' %} +{% load custom_template %} + +{% block custom_title_prop %}{% if title_logo %}style="background-size: auto 60%; background-position: 50%; background-repeat: no-repeat; background-image: url('/app_resource/{{ title_logo }}');"{% endif %}{% endblock %} +{% block title1 %}{{ title1 }}{% endblock %} +{% block title2 %}{{ title2 }}{% endblock %} +{% block custom_tools %} +{% endblock %} + +{% block widget_content %} + + + + + + + +
+ +

Threat map results :

+
+ {% for result in results %} + {% for actor in result.data.threatActor %} +
Name: {{actor.name}}
+
Alias: {{actor.alias|join:", "|default:"N/A"}}
+
Intent: {{actor.intent}}
+
Opportunity: {{actor.opportunity}}
+
Severity: {{actor.severity}}
+
Categories: {{actor.categories|join:", "|default:"N/A"}}
+ Link to Portal
+
+ {% endfor %} + {% endfor %} +
+ +{% endblock %} diff --git a/wheels/beautifulsoup4-4.9.1-py3-none-any.whl b/wheels/beautifulsoup4-4.9.1-py3-none-any.whl deleted file mode 100644 index 080b2f8..0000000 Binary files a/wheels/beautifulsoup4-4.9.1-py3-none-any.whl and /dev/null differ diff --git a/wheels/certifi-2021.10.8-py2.py3-none-any.whl b/wheels/certifi-2021.10.8-py2.py3-none-any.whl deleted file mode 100644 index fbcb86b..0000000 Binary files a/wheels/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/chardet-3.0.4-py2.py3-none-any.whl b/wheels/chardet-3.0.4-py2.py3-none-any.whl deleted file mode 100644 index d276977..0000000 Binary files a/wheels/chardet-3.0.4-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/idna-2.10-py2.py3-none-any.whl b/wheels/idna-2.10-py2.py3-none-any.whl deleted file mode 100644 index 41225cb..0000000 Binary files a/wheels/idna-2.10-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/py3/certifi-2022.12.7-py3-none-any.whl b/wheels/py3/certifi-2022.12.7-py3-none-any.whl deleted file mode 100644 index a083056..0000000 Binary files a/wheels/py3/certifi-2022.12.7-py3-none-any.whl and /dev/null differ diff --git a/wheels/py3/soupsieve-2.4-py3-none-any.whl b/wheels/py3/soupsieve-2.4-py3-none-any.whl deleted file mode 100644 index c16c128..0000000 Binary files a/wheels/py3/soupsieve-2.4-py3-none-any.whl and /dev/null differ diff --git a/wheels/py3/soupsieve-2.4.1-py3-none-any.whl b/wheels/py3/soupsieve-2.4.1-py3-none-any.whl new file mode 100644 index 0000000..26a486c Binary files /dev/null and b/wheels/py3/soupsieve-2.4.1-py3-none-any.whl differ diff --git a/wheels/requests-2.25.0-py2.py3-none-any.whl b/wheels/requests-2.25.0-py2.py3-none-any.whl deleted file mode 100644 index c3f28e5..0000000 Binary files a/wheels/requests-2.25.0-py2.py3-none-any.whl and /dev/null differ 
diff --git a/wheels/shared/chardet-3.0.4-py2.py3-none-any.whl b/wheels/shared/chardet-3.0.4-py2.py3-none-any.whl deleted file mode 100644 index d276977..0000000 Binary files a/wheels/shared/chardet-3.0.4-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/idna-2.10-py2.py3-none-any.whl b/wheels/shared/idna-2.10-py2.py3-none-any.whl deleted file mode 100644 index 41225cb..0000000 Binary files a/wheels/shared/idna-2.10-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/requests-2.25.0-py2.py3-none-any.whl b/wheels/shared/requests-2.25.0-py2.py3-none-any.whl deleted file mode 100644 index c3f28e5..0000000 Binary files a/wheels/shared/requests-2.25.0-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/shared/urllib3-1.26.14-py2.py3-none-any.whl b/wheels/shared/urllib3-1.26.14-py2.py3-none-any.whl deleted file mode 100644 index 2e969c0..0000000 Binary files a/wheels/shared/urllib3-1.26.14-py2.py3-none-any.whl and /dev/null differ diff --git a/wheels/soupsieve-2.3.1-py3-none-any.whl b/wheels/soupsieve-2.3.1-py3-none-any.whl deleted file mode 100644 index 85d33de..0000000 Binary files a/wheels/soupsieve-2.3.1-py3-none-any.whl and /dev/null differ diff --git a/wheels/urllib3-1.26.7-py2.py3-none-any.whl b/wheels/urllib3-1.26.7-py2.py3-none-any.whl deleted file mode 100644 index 62189e6..0000000 Binary files a/wheels/urllib3-1.26.7-py2.py3-none-any.whl and /dev/null differ