soar
Recorded Future For Splunk SOAR
Splunk SOAR Cloud
Overview
Details
Enhance your security posture with Recorded Future for Splunk SOAR.
Key Capabilities:
•Swift Threat Assessments: Access Recorded Future's extensive IOC data for swift and accurate assessments
Key Capabilities:
•Swift Threat Assessments: Access Recorded Future's extensive IOC data for swift and accurate assessments
Supported Actions Version 4.4.3
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- list search: Find lists based on a query
- create list: Create new list
- list add entity: Add new entity to list
- list remove entity: Remove entity from list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- entity search: Find entities based on a query
- links search: Search for links data
- detection rule search: Search for detection rule
- threat actor intelligence: Get threat actor intelligence
- threat map: Get threat map
- collective insights submit: Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.4.2
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- list search: Find lists based on a query
- create list: Create new list
- list add entity: Add new entity to list
- list remove entity: Remove entity from list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- entity search: Find entities based on a query
- links search: Search for links data
- detection rule search: Search for detection rule
- threat actor intelligence: Get threat actor intelligence
- threat map: Get threat map
- collective insights submit: Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.3.2
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- list search: Find lists based on a query
- create list: Create new list
- list add entity: Add new entity to list
- list remove entity: Remove entity from list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- entity search: Find entities based on a query
- links search: Search for links data
- detection rule search: Search for detection rule
- threat actor intelligence: Get threat actor intelligence
- threat map: Get threat map
- collective insights submit: Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.3.1
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- list search: Find lists based on a query
- create list: Create new list
- list add entity: Add new entity to list
- list remove entity: Remove entity from list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- entity search: Find entities based on a query
- links search: Search for links data
- detection rule search: Search for detection rule
- threat actor intelligence: Get threat actor intelligence
- threat map: Get threat map
- collective insights submit: Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.3.0
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- list search: Find lists based on a query
- create list: Create new list
- list add entity: Add new entity to list
- list remove entity: Remove entity from list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- entity search: Find entities based on a query
- links search: Search for links data
- detection rule search: Search for detection rule
- threat actor intelligence: Get threat actor intelligence
- threat map: Get threat map
- collective insights submit: Enables contribute data, `collective insights`, into the Recorded Future Intelligence Cloud
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.2.0
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- list search: Find lists based on a query
- create list: Create new list
- list add entity: Add new entity to list
- list remove entity: Remove entity from list
- list details: Get list details
- list status: Get list status info
- list entities: Get list entities
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- playbook alerts search: Search Playbook alerts
- playbook alert update: Update Playbook alert
- playbook alert details: Get Playbook alert details
- entity search: Find entities based on a query
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.1.0
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 4.0.0
- test connectivity: Validate the asset configuration for connectivity
- alert update: Update status and/or notes for the alert specified with alert_id
- alert search: Get details on alerts configured and generated by Recorded Future by alert rule ID and time range
- alert lookup: Get details on an alert
- alert rule search: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
- on poll: Ingest alerts from Recorded Future
Supported Actions Version 3.1.0
- test connectivity: Validate the asset configuration for connectivity
- alert data lookup: Get details on alerts configured and generated by Recorded Future by alert rule ID and/or time range
- alert rule lookup: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk for a collection of entities based on context
- list contexts: Get a list of possible contexts to use in threat assessment
Supported Actions Version 3.0.0
- test connectivity: Validate the asset configuration for connectivity
- alert data lookup: Get details on alerts configured and generated by Recorded Future by alert rule ID and/or time range
- alert rule lookup: Search for alert rule IDs by name
- url intelligence: Get threat intelligence for a URL
- url reputation: Get a quick indicator of the risk associated with a URL
- vulnerability intelligence: Get threat intelligence for a vulnerability
- vulnerability reputation: Get a quick indicator of the risk associated with a vulnerability
- file intelligence: Get threat intelligence for a file identified by its hash
- file reputation: Get a quick indicator of the risk associated with a file identified by its hash
- domain intelligence: Get threat intelligence for a domain
- domain reputation: Get a quick indicator of the risk associated with a domain
- ip intelligence: Get threat intelligence for an IP address
- ip reputation: Get a quick indicator of the risk associated with an IP address
- threat assessment: Get an indicator of the risk based on context
- list contexts: Get a list of possible contexts to use in threat triage
This app implements investigative actions to perform lookups for quick reputation information, contextual threat intelligence and external threat alerts.
Recorded Future App for Splunk SOAR allows clients to work smarter, respond faster, and strengthen their defenses through automation and orchestration. The Recorded Future App provides a number of actions that enable the creation of Playbooks to do automated enrichment, correlation, threat hunting, and alert handling.
Access playbook templates created by Recorded Future automation experts to embed intelligence in your new and existing security workflows: https://support.recordedfuture.com/hc/en-us/articles/12294483605523-Splunk-SOAR-Template-Playbooks-Library
Release Notes
Version 4.4.3
Dec. 4, 2024
- Remove usage of md5 to be compatible with FIPS
Version 4.4.2
July 10, 2024
- Changes to polling of alerts; now requires a comma seperated list to pull in alerts
- Fixing logic issue blocking the polling of alerts
- Fixing issues with hardcoded path for Cloud
Version 4.3.2
April 18, 2024
- Improved visibility of support documents
- Renaming of app headers
- Fixing issues with hardcoded path for Cloud
- Improved format for Intelligence Command Widgets
- Added status config options for fetching standard and playbook alerts
Version 4.3.1
Oct. 3, 2023
- Increase timeout setting for RecordedFuture HTTP client
Version 4.3.0
Sept. 20, 2023
- Added new actions:
- links search - find links data in Recorded Future dataset.
- detection rule search - download detection rules (yara, sigma, snort) into the system for provided entity.
- threat actor intelligence - get intelligence data for threat actor.
- threat map - get a threat map from Recorded Future.
- Change the way Playbook alerts are polled from Recorded future into the Splunk SOAR. On the first poll the creation date is used to poll the alerts and all the next poll the alert that were updated during the time period from last poll to current poll.
- Now the intelligence commands will not fail with error NotFound but will successfully finish with the message that Recorded future does not have data for that entity.
- Added a code_repo_leakage type of playbook alerts.
- Recorded Future AI Insights added to Intelligence and Alert Lookup results.
Version 4.2.0
March 27, 2023
- Added new actions:
- create list
- list search
- list details
- list add entity
- list remove entity
- list entities
- list status
- playbook alerts search
- playbook alert details
- playbook alert update
- Added new configs to ingest settings
Version 4.1.0
Jan. 11, 2023
- Fixed the bug when scheduled pulling for events was not working.
- Change the name of the app from "Recorded Future" to "Recorded Future For Splunk SOAR"
Version 4.0.0
Aug. 26, 2022
- Added two new actions: alert_lookup and alert_update
- On_poll functionality to download alerts
- alert_rule_lookup renamed to alert_rule_search to better describe the action
- alert_data_lookup renamed to alert_search to better describe the action
- Improved tagging of entities in alert widgets to find the related actions
Version 3.1.0
April 5, 2022
- Added MITRE ATT@Ck codes to the entity information
- Added links information to intelligence lookups
- Improved presentation of Fixed table output views
- API call response tailored to the app
Version 3.0.0
Sept. 21, 2021
Recorded Future Release Notes - Published by Recorded Future June 24, 2020
Version 3.0.0 - Released June 24, 2020
- Compatibility changes for Python 3 support
- Added 2 new actions
- threat assessment
-
list contexts
-
Fixed table output views
- Handled exceptions for Unicode character issues