Recorded Future - Playbook Alerts
This Integration is part of the Recorded Future Intelligence Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Fetch & triage Recorded Future Playbook Alerts This integration was integrated and tested with version 1.0.2 of RecordedFuturePlaybookAlerts
Configure Recorded Future - Playbook Alerts on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Recorded Future - Playbook Alerts.
Click Add instance to create and configure a new integration instance.
Parameter Description Required API URL (e.g., https://api.recordedfuture.com/gw/xsoar/) True API Token True Trust any certificate (not secure) False Use system proxy settings False Fetch incidents False First Incidient Fetch: Time Range Limit incidents to include in the first fetch by time range. Input format: "NN hours" or "NN days". E.g., input "5 days" to fetch all incidents created in the last 5 days. False Playbook Alerts: Fetched Categories Some listed Playbook alert Categories might be unavailable due to limitations in the current Recorded Future subscription False Maximum number of incidents per fetch False Playbook Alerts: Fetched Statuses False Playbook Alerts: Fetched Priorities Threshold Returns alerts with this selected priority or higher. High > Moderate > Informational False Incident type False Click Test to validate the URLs, token, and connection.
Pre-Process Rule#
The integration pulls in Playbook alerts from Recorded Future base on its updates, this creates the need for a preprocessing rule that updates existing incidents instead of creating duplicates. Follow the guidlines below to configure the preprocessing rule.
- Navigate to Settings > Integrations > Pre-Process Rules
- Click New Rule
- Enter a name for the rule
- In the Conditions for Incoming Incident section, enter the following: Name - Includes - Recorded Future Playbook Alert
- In the Action section, select: Drop and update
- In the Update section, choose: Link to - Oldest incident - Created within the last - Your desired timeframe
- In the rule for update, choose: DbotMirrorId - Is identical (Incoming Incident) - to incoming incident
The configuration of the preprocessing rule is optional, but highly recommended.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
recordedfuture-playbook-alerts-details#
Get Playbook alert details by id.
Base Command#
recordedfuture-playbook-alerts-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_ids | Ids of the playbook alert that should be fetched. | Required |
| detail_sections | What evidence sections to include in the fetch, fetches all available if not specified. Possible values are: status, action, summary, log, whois, dns. | Optional |
Command Example#
!recordedfuture-playbook-alerts-details alert_ids="12312312-1231-1231-1231-123123123123" detail_sections="status,log"
Context Output#
| Path | Type | Description |
|---|---|---|
| RecordedFuture.PlaybookAlerts.playbook_alert_id | String | Unique id of the playbook alert |
| RecordedFuture.PlaybookAlerts.category | String | Playbook alert category |
| RecordedFuture.PlaybookAlerts.priority | String | Recommended Priority of the alert |
| RecordedFuture.PlaybookAlerts.status | String | Current alert status in Recorded Future |
| RecordedFuture.PlaybookAlerts.title | String | Title of the alert |
| RecordedFuture.PlaybookAlerts.updated | date | Date of last update |
| RecordedFuture.PlaybookAlerts.created | date | Date of creation |
| RecordedFuture.PlaybookAlerts.organization_id | String | Organization uhash |
| RecordedFuture.PlaybookAlerts.organization_name | String | Plaintext Organization name |
| RecordedFuture.PlaybookAlerts.assignee_id | String | uhash of the assigned user |
| RecordedFuture.PlaybookAlerts.assignee_name | String | name of the assigned user |
| RecordedFuture.PlaybookAlerts.owner_id | String | uhash of the enterprise that owns the alert |
| RecordedFuture.PlaybookAlerts.owner_name | String | Name of the enterprise that owns the alert |
| RecordedFuture.PlaybookAlerts.panel_status.playbook_alert_id | String | Unique id of the playbook alert |
| RecordedFuture.PlaybookAlerts.panel_status.category | String | Playbook alert category |
| RecordedFuture.PlaybookAlerts.panel_status.priority | String | Recommended Priority of the alert |
| RecordedFuture.PlaybookAlerts.panel_status.status | String | Current alert status in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_status.title | String | Title of the alert |
| RecordedFuture.PlaybookAlerts.panel_status.updated | date | Date of last update |
| RecordedFuture.PlaybookAlerts.panel_status.created | date | Date of creation |
| RecordedFuture.PlaybookAlerts.panel_status.organization_id | String | Organization uhash |
| RecordedFuture.PlaybookAlerts.panel_status.organization_name | String | Plaintext Organization name |
| RecordedFuture.PlaybookAlerts.panel_status.assignee_id | String | uhash of the assigned user |
| RecordedFuture.PlaybookAlerts.panel_status.assignee_name | unknown | name of the assigned user |
| RecordedFuture.PlaybookAlerts.panel_status.owner_id | String | uhash of the enterprise that owns the alert |
| RecordedFuture.PlaybookAlerts.panel_status.owner_name | String | Name of the enterprise that owns the alert |
| RecordedFuture.PlaybookAlerts.panel_status.case_rule_id | String | Id of the playbook alert category |
| RecordedFuture.PlaybookAlerts.panel_status.case_rule_label | String | Name of the playbook alert category |
| RecordedFuture.PlaybookAlerts.panel_status.context_list.context | Array | Context of entity connected to the Playbook alert. |
| RecordedFuture.PlaybookAlerts.panel_status.created | String | Date marking the creation of the Playbook alert in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_status.entity_criticality | String | Criticality of the Playbook alert |
| RecordedFuture.PlaybookAlerts.panel_status.entity_id | String | Id of the entity in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_status.entity_name | String | Name of the entity |
| RecordedFuture.PlaybookAlerts.panel_status.risk_score | String | Risk score of the entity in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_status.targets | Array | List of targets of the Playbook alert |
| RecordedFuture.PlaybookAlerts.panel_status.lifecycle_stage | String | Indicates what lifecycle the vulerability is in |
| RecordedFuture.PlaybookAlerts.panel_summary.explanation | String | Entails the explanation to the triggering of the Playbook alert |
| RecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.context_list.context | String | Context of entity connected to the Playbook alert. |
| RecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.criticality | String | Level of criticality |
| RecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.entity | String | ID of the entitiy in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.record_type | String | Type of record A, CNAME or MX |
| RecordedFuture.PlaybookAlerts.panel_summary.resolved_record_list.risk_score | String | Risk score of the entity in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_summary.screenshots.description | String | Description of the image |
| RecordedFuture.PlaybookAlerts.panel_summary.screenshots.image_id | String | ID of the screenshot in recorded future |
| RecordedFuture.PlaybookAlerts.panel_summary.screenshots.tag | String | Image Analisys tag |
| RecordedFuture.PlaybookAlerts.panel_summary.screenshots.created | String | When the image was created |
| RecordedFuture.PlaybookAlerts.panel_summary.screenshots.base64 | String | The image binary encoded as a base64 string |
| RecordedFuture.PlaybookAlerts.panel_summary.summary.targets.name | String | Target affected by the vulnerability |
| RecordedFuture.PlaybookAlerts.panel_summary.summary.lifecycle_stage | String | The current lifecycle stage of the Playbook Alert |
| RecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.rule | String | Name of the rule that triggered |
| RecordedFuture.PlaybookAlerts.panel_summary.summary.riskrules.description | String | Short description of the trigger (E.g 13 sightings on 1 source..) |
| RecordedFuture.PlaybookAlerts.panel_summary.affected_products.name | String | Name of of affected product |
| RecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.id | String | The id of the Insikt note |
| RecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.title | String | The title of the Insikt note |
| RecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.topic | String | The topic of the Insikt note |
| RecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.published | String | The time at which the Insikt note was published |
| RecordedFuture.PlaybookAlerts.panel_summary.insikt_notes.fragment | String | A fragment of the Insikt note text |
| RecordedFuture.PlaybookAlerts.panel_log.id | String | Log id in Recorded Future |
| RecordedFuture.PlaybookAlerts.panel_log.actor_id | String | Id of the actor |
| RecordedFuture.PlaybookAlerts.panel_log.created | String | When was the log created |
| RecordedFuture.PlaybookAlerts.panel_log.modified | String | When was the log last modified |
| RecordedFuture.PlaybookAlerts.panel_log.action_priority | String | The priority of the Playbook alert |
| RecordedFuture.PlaybookAlerts.panel_log.message | String | Log message |
| RecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.old | String | Previous assignee |
| RecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.new | String | New assignee |
| RecordedFuture.PlaybookAlerts.panel_log.changes.assigne_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.status_change.old | String | Previous status |
| RecordedFuture.PlaybookAlerts.panel_log.changes.status_change.new | String | New status |
| RecordedFuture.PlaybookAlerts.panel_log.changes.status_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.title_change.old | String | Previous title |
| RecordedFuture.PlaybookAlerts.panel_log.changes.title_change.new | String | New title |
| RecordedFuture.PlaybookAlerts.panel_log.changes.title_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.old | String | Previous priority |
| RecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.new | String | New priority |
| RecordedFuture.PlaybookAlerts.panel_log.changes.priority_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.old | String | Previous reopen strategy |
| RecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.new | String | New reopen strategy |
| RecordedFuture.PlaybookAlerts.panel_log.changes.reopen_strategy_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.removed | String | Removed entity |
| RecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.added | String | Added entity |
| RecordedFuture.PlaybookAlerts.panel_log.changes.entities_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.removed | String | Removed related entity |
| RecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_change.added | String | Added related entity |
| RecordedFuture.PlaybookAlerts.panel_log.changes.related_entities_changetype | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.description_change.old | String | Previous description |
| RecordedFuture.PlaybookAlerts.panel_log.changes.description_change.new | String | New description |
| RecordedFuture.PlaybookAlerts.panel_log.changes.description_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.old | String | Previous external ID |
| RecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.new | String | New external ID |
| RecordedFuture.PlaybookAlerts.panel_log.changes.external_id_change.type | String | Type of change |
| RecordedFuture.PlaybookAlerts.panel_action.action | String | The name of the action |
| RecordedFuture.PlaybookAlerts.panel_action.updated | String | When was the action last updated |
| RecordedFuture.PlaybookAlerts.panel_action.assignee_name | String | Full name of the assignee |
| RecordedFuture.PlaybookAlerts.panel_action.assignee_id | String | ID of the assignee |
| RecordedFuture.PlaybookAlerts.panel_action.status | String | The status of the action |
| RecordedFuture.PlaybookAlerts.panel_action.description | String | A short description of the action |
| RecordedFuture.PlaybookAlerts.panel_action.link | String | A link associated with the action |
| RecordedFuture.PlaybookAlerts.panel_dns.ip_list.record | String | The DNS record |
| RecordedFuture.PlaybookAlerts.panel_dns.ip_list.risk_score | String | Risk score associated with the record |
| RecordedFuture.PlaybookAlerts.panel_dns.ip_list.criticality | String | The level of criticality |
| RecordedFuture.PlaybookAlerts.panel_dns.ip_list.record_type | String | Type of record A, CNAME or MX |
| RecordedFuture.PlaybookAlerts.panel_dns.ip_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
| RecordedFuture.PlaybookAlerts.panel_dns.mx_list.record | String | The DNS record |
| RecordedFuture.PlaybookAlerts.panel_dns.mx_list.risk_score | String | Risk score associated with the record |
| RecordedFuture.PlaybookAlerts.panel_dns.mx_list.criticality | String | The level of criticality |
| RecordedFuture.PlaybookAlerts.panel_dns.mx_list.record_type | String | Type of record A, CNAME or MX |
| RecordedFuture.PlaybookAlerts.panel_dns.mx_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
| RecordedFuture.PlaybookAlerts.panel_dns.ns_list.record | String | The DNS record |
| RecordedFuture.PlaybookAlerts.panel_dns.ns_list.risk_score | String | Risk score associated with the record |
| RecordedFuture.PlaybookAlerts.panel_dns.ns_list.criticality | String | The level of criticality |
| RecordedFuture.PlaybookAlerts.panel_dns.ns_list.record_type | String | Type of record A, CNAME or MX |
| RecordedFuture.PlaybookAlerts.panel_dns.ns_list.context_list.context | String | Labels of malicious behavior types that can be associated with an entity. |
| RecordedFuture.PlaybookAlerts.panel_whois.body.added | String | When the whois information was added |
| RecordedFuture.PlaybookAlerts.panel_whois.body.attribute | String | Attribute, either whois or whoisContancts |
| RecordedFuture.PlaybookAlerts.panel_whois.body.entity | String | Id of whois entity |
| RecordedFuture.PlaybookAlerts.panel_whois.body.provider | String | Name of provider |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.createdDate | String | When was it created |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.nameServers | Array | List of name server IDs |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.privateRegistration | Bool | Boolean indicating private registration |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.registrarName | String | Name of the registrar |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.status | String | Status of registrar |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.city | String | Contact located in this city |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.country | String | Contact located in this city |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.name | String | Name of contact |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.organization | String | Name of contact organization |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.postalCode | String | Postal code of contact organization |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.state | String | Contact located in state |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.street1 | String | Street name of contact |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.telephone | String | Phone number of contact |
| RecordedFuture.PlaybookAlerts.panel_whois.body.value.type | String | Type of contact |
recordedfuture-playbook-alerts-update#
Update the status of one or multiple Playbook alerts
Base Command#
recordedfuture-playbook-alerts-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_ids | Ids of the playbook alerts that will be updated. | Required |
| new_status | New status to set for all alerts in alert_ids. Possible values are: new, in-progress, dismissed, resolved. | Required |
Command Example#
!recordedfuture-playbook-alerts-update alert_ids="12312312-1231-1231-1231-123123123123" new_status="New"
Context Output#
| Path | Type | Description |
|---|---|---|
| RecordedFuture.PlaybookAlerts.playbook_alert_id | string | Unique id of the playbook alert in Recorded Future |
| RecordedFuture.PlaybookAlerts.current_status | string | Current status of playbook alert in Recorded Future |
| RecordedFuture.PlaybookAlerts.title | string | Title of the playbook alert in Recorded Future |
| RecordedFuture.PlaybookAlerts.status_message | string | Message describing the outcome of the update |
recordedfuture-playbook-alerts-search#
Search playbook alerts based on filters
Base Command#
recordedfuture-playbook-alerts-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| category | filter what playbook alert categories that is wanted. (default = all available). Possible values are: all_available, domain_abuse, vulnerability, code_repo_leakage. | Optional |
| limit | Limits the number of alerts to fetch. | Optional |
| time_since_update | Time between now and e.g. "2 hours" or "7 days" ago. | Optional |
| playbook_alert_status | Filter what statuses are fetched, defaults to only new status if not specified. Possible values are: new, in-progress, dismissed, resolved. | Optional |
| priority | Actions pritority assigned in Recorded Future. Possible values are: high, moderate, informational. | Optional |
| order_search_by | Actions pritority assigned in Recorded Future. Possible values are: updated, created. | Optional |
Command Example#
!recordedfuture-playbook-alerts-search
!recordedfuture-playbook-alerts-search category=domain_abuse
!recordedfuture-playbook-alerts-search category=vulnerability
!recordedfuture-playbook-alerts-search limit=10
!recordedfuture-playbook-alerts-search playbook_alert_status=in-progress
!recordedfuture-playbook-alerts-search priority=high
!recordedfuture-playbook-alerts-search order_search_by=updated
Context Output#
| Path | Type | Description |
|---|---|---|
| RecordedFuture.PlaybookAlerts.playbook_alert_id | String | Unique id of the playbook alert |
| RecordedFuture.PlaybookAlerts.category | String | Playbook alert category |
| RecordedFuture.PlaybookAlerts.priority | String | Recommended Priority of the alert |
| RecordedFuture.PlaybookAlerts.status | String | Current alert status in Recorded Future |
| RecordedFuture.PlaybookAlerts.title | String | Title of the alert |
| RecordedFuture.PlaybookAlerts.updated | date | Date of last update |
| RecordedFuture.PlaybookAlerts.created | date | Date of creation |
| RecordedFuture.PlaybookAlerts.organization_id | String | Organization uhash |
| RecordedFuture.PlaybookAlerts.organization_name | String | Plaintext Organization name |
| RecordedFuture.PlaybookAlerts.assignee_id | String | uhash of the assigned user |
| RecordedFuture.PlaybookAlerts.assignee_name | unknown | name of the assigned user |
| RecordedFuture.PlaybookAlerts.owner_id | String | uhash of the enterprise that owns the alert |
| RecordedFuture.PlaybookAlerts.owner_name | String | Name of the enterprise that owns the alert |