User Guide

Synapse-RecordedFuture User Guide

Synapse-RecordedFuture adds new Storm commands to allow you to query the Recorded Future API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal-use API key:

> recordedfuture.setup.apikey --self myapikey
Setting Recorded Future API key for the current user.

Load risk rules

Load IP, hash, domain, URL, and vulnerability risk rules (limited to 5 results for readability):

> recordedfuture.riskrules --yield | limit 5
meta:rule=b4d831355e6de095f5ba84c00ea68b0e
        .created = 2024/06/21 18:04:00.696
        :_recordedfuture:risk:criticality = 1
        :desc = Historical Multicategory Blocklist
        :name = ip:multiblacklist
meta:rule=2701b3d1422e97104b68824d342273ea
        .created = 2024/06/21 18:04:00.758
        :_recordedfuture:risk:criticality = 1
        :desc = Cyber Exploit Signal: Medium
        :name = ip:cybersignalmedium
meta:rule=91a4ba7ecea11dfce5cf2588325ac092
        .created = 2024/06/21 18:04:00.797
        :_recordedfuture:risk:criticality = 2
        :desc = Recent SSH/Dictionary Attacker
        :name = ip:recentsshdictattacker
meta:rule=98cb70a96a1d1168acef727cf22edf54
        .created = 2024/06/21 18:04:00.869
        :_recordedfuture:risk:criticality = 2
        :desc = Recently Linked to Intrusion Method
        :name = ip:recentlinkedintrusion
meta:rule=c8aff4ef2a716bde88bd03a9499cb7c2
        .created = 2024/06/21 18:04:00.929
        :_recordedfuture:risk:criticality = 2
        :desc = Nameserver for C&C Server
        :name = ip:cncnameserver

Look up indicator details

Enrich an inet:ipv4 node:

> inet:ipv4=197.232.36.108 | recordedfuture.enrich
inet:ipv4=197.232.36.108
        .created = 2024/06/21 18:04:01.062
        .seen = ('2020/08/26 09:22:12.893', '2021/11/03 17:40:19.926')
        :_recordedfuture:risk:criticality = 4
        :_recordedfuture:risk:score = 99
        :type = unicast

Retrieve co-references for nodes and yield the results:

> inet:ipv4=197.232.36.108 | recordedfuture.corefs --yield --size 5
hash:sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        .created = 2024/06/21 18:04:02.072
hash:sha256=d465172175d35d493fb1633e237700022bd849fa123164790b168b8318acb090
        .created = 2024/06/21 18:04:02.124
hash:sha256=0710860600cb122c52199c9b4691c432dc371960f7f600aabd6e9017550d08b9
        .created = 2024/06/21 18:04:02.178
hash:sha256=077b6dc26c294e48ad3a4e3e42d3dc2f69b6b86d69c7e5a5baf7e46a9cbc84c2
        .created = 2024/06/21 18:04:02.230
hash:sha256=09652359c67ce7604ac4e1c68e3df206848ced84d910a6e2c9fcb0a17fd9b9b3
        .created = 2024/06/21 18:04:02.284

Search workflow

Synapse-RecordedFuture provides a workflow for performing searches with the Recorded Future API. Additional information on valid syntax for the various filters can be found in the Recorded Future documentation.

Use of meta:source nodes

Synapse-RecordedFuture uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the Recorded Future API.

> meta:source=01c7b0b81fe73e43b47dcf3154bace6d
meta:source=01c7b0b81fe73e43b47dcf3154bace6d
        .created = 2024/06/21 18:04:00.656
        :name = recorded future api

Storm can be used to filter nodes to include or exclude those which have been observed by Synapse-RecordedFuture. The following example shows how to filter the results of a query to include only results observed by Synapse-RecordedFuture:

> meta:rule +{ <(seen)- meta:source=01c7b0b81fe73e43b47dcf3154bace6d } | limit 5
meta:rule=0f989020ce477f9e909a6adccc358be6
        .created = 2024/06/21 18:04:01.430
        .seen = ('2022/06/06 18:54:00.851', '2022/06/06 18:54:00.852')
        :_recordedfuture:risk:criticality = 1
        :desc = Historically Reported in Threat List
meta:rule=2701b3d1422e97104b68824d342273ea
        .created = 2024/06/21 18:04:00.758
        :_recordedfuture:risk:criticality = 1
        :desc = Cyber Exploit Signal: Medium
        :name = ip:cybersignalmedium
meta:rule=67156458f990b5a9441a9cc42aad93f1
        .created = 2024/06/21 18:04:01.336
        .seen = ('2020/10/22 00:00:00.000', '2020/10/22 00:00:00.001')
        :_recordedfuture:risk:criticality = 1
        :desc = Historically Reported as a Defanged IP
meta:rule=762cbfe50c868f837d58b19efa88378d
        .created = 2024/06/21 18:04:01.399
        .seen = ('2021/01/25 23:59:00.000', '2021/01/25 23:59:00.001')
        :_recordedfuture:risk:criticality = 1
        :desc = Historical Positive Malware Verdict
meta:rule=85f7b7fe9a007dc10eeb10956e28950a
        .created = 2024/06/21 18:04:01.304
        .seen = ('2021/01/26 04:16:00.000', '2021/01/26 04:16:00.001')
        :_recordedfuture:risk:criticality = 1
        :desc = Historically Linked to Intrusion Method
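The guide shows only the include form; as an added example (not from the original guide) the queries below show the exclude form, a pivot from the meta:source node out to everything it has seen, and a .seen window filter. The meta:source guid is the one shown above; the 2021 interval is an assumed value.

```storm
// Added example, not part of the Synapse-RecordedFuture guide.
// Run each numbered query on its own.

// 1) Exclude: meta:rule nodes NOT observed via the Recorded Future API.
meta:rule -{ <(seen)- meta:source=01c7b0b81fe73e43b47dcf3154bace6d }

// 2) Pivot from the source node to every node it has seen, then keep
//    only inet:ipv4 nodes carrying the highest criticality value.
meta:source=01c7b0b81fe73e43b47dcf3154bace6d -(seen)> *
| +inet:ipv4 +:_recordedfuture:risk:criticality=4

// 3) Keep only rules whose .seen window overlaps calendar year 2021
//    (the interval is an assumed value for illustration).
meta:source=01c7b0b81fe73e43b47dcf3154bace6d -(seen)> meta:rule
| +.seen@=(2021/01/01, 2022/01/01)
```

Query 2 is a useful audit step: it lists exactly which nodes in the Cortex were populated from Recorded Future rather than from other sources.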

The Recorded Future Sandbox API uses a separate meta:source node to track nodes ingested from sandbox reports:

> meta:source=8eda761343b80a67f12cd1367029b3b9
meta:source=8eda761343b80a67f12cd1367029b3b9
        .created = 2024/06/21 18:04:02.494
        :name = recorded future sandbox api