RecordedFutureLists.yml
# Identity and catalogue metadata for the Recorded Future watchlist
# integration.
commonfields:
  # Integration id; the same string is used for `name` below.
  id: RecordedFutureLists
  # Integer -1, exactly as in the original file.
  version: -1
name: RecordedFutureLists
display: Recorded Future - Lists
category: 'Data Enrichment & Threat Intelligence'
# No image is embedded in this file; the value is an explicit null.
image: null
description: Search and manage watchlists in Recorded Future
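# Instance parameters the operator fills in when configuring the integration.
configuration:
# Base URL of the Recorded Future API gateway; the shipped default is HTTPS.
# NOTE(review): the API token is presumably sent to whatever host is entered
# here, so any override should stay on HTTPS and point at a trusted host.
- display: API URL
  name: server_url
  additionalinfo: 'Default URL: https://api.recordedfuture.com/gw/xsoar/'
  defaultvalue: https://api.recordedfuture.com/gw/xsoar/
  type: 0
  required: true
# Credentials-type parameter (type 9): only the password field is shown
# (hiddenusername), labelled "API Token". No default is shipped.
- displaypassword: API Token
  name: token
  defaultvalue: ''
  type: 9
  hiddenusername: true
  required: true
# TLS verification bypass. The default is spelled out as 'false' so that
# certificate validation stays on unless an operator deliberately opts out.
- display: Trust any certificate (not secure)
  name: insecure
  additionalinfo: >-
    When checked, the server certificate is not validated. Leave unchecked
    unless your environment requires it.
  defaultvalue: 'false'
  type: 8
  required: false
# Checkbox (type 8) with no default value given.
- display: Use system proxy settings
  name: proxy
  type: 8
  required: false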
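# Script section: runtime image and the four commands the integration exposes.
# Fixes relative to the original text: the "alernative" typo, the
# remove-entities note that said entities are "added", the list_id
# descriptions that read as if the list itself were added or removed, and the
# owner_name description that described the list instead of its owner.
script:
  # The value is the literal '-'; no Python source is embedded in this file.
  script: '-'
  type: python
  subtype: python3
  # Pinned to an exact image tag, not to a digest.
  # NOTE(review): tags can be re-pointed; confirm the registry is trusted and
  # keep the tag current so base-image security fixes are picked up.
  dockerimage: demisto/python3:3.10.12.68714
  commands:
  - name: recordedfuture-lists-search
    description: Search for lists in Recorded Future
    arguments:
    - name: list_names
      description: Freetext name to search for
    - name: contains
      description: >-
        Filter lists based on entity types, will only include lists with the
        entity types specified. Default value "" includes all types
      auto: PREDEFINED
      predefined:
      - entity
      - source
      - text
      - custom
      - ip
      - domain
      - tech_stack
      - industry
      - brand
      - partner
      - industry_peer
      - location
      - supplier
      - vulnerability
      - company
      - hash
      - operation
      - attacker
      - target
      - method
    - name: limit
      description: Limits the amount of returned results
    - name: include
      required: false
      description: >-
        Include all search results. Default is to exclude all lists owned by
        the system user.
      auto: PREDEFINED
      predefined:
      - all
    outputs:
    - contextPath: RecordedFuture.List.id
      description: Unique id of the list in Recorded Future
      type: String
    - contextPath: RecordedFuture.List.name
      description: Name of the list in Recorded Future
      type: String
    - contextPath: RecordedFuture.List.type
      description: Recorded future entity type
      type: String
    - contextPath: RecordedFuture.List.created
      description: Timestamp of creation
      type: String
    - contextPath: RecordedFuture.List.updated
      description: Timestamp of last update to the list
      type: String
    - contextPath: RecordedFuture.List.owner_id
      description: Unique id of the owner in Recorded Future
      type: String
    - contextPath: RecordedFuture.List.owner_name
      description: Readable name of the list owner in Recorded Future
      type: String
  # State-changing command: it modifies the contents of a list.
  - name: recordedfuture-lists-add-entities
    description: >-
      Add entities to a list, separate entities by commas. "NOTE:" if entity
      type is specified, only one entity type can be added with each action.
    arguments:
    - name: list_id
      required: true
      description: >-
        ID of the list to add the entities to. Can be found by running
        !recordedfuture-lists-search with the corresponding filters or in the
        Recorded Future portal.
    - name: entity_ids
      description: >-
        A comma-separated list of specific IDs from Recorded Future. For URLs
        containing commas, replace the comma with %2C. For more information,
        go to
        https://xsoar.pan.dev/docs/reference/integrations/recorded-future-lists#recordedfuture-lists-add-entities.
      required: false
    # Freetext input is resolved to the "best match", so the entity that ends
    # up on the list can differ from what was typed. Compare the input_value
    # output with the resolved name/id and check action_result.
    - name: freetext_names
      description: >-
        Freetext names will be matched to Recorded Future ids separated by
        comma, this alternative will add the best match in the Recorded Future
        data. For urls containing commas: escape with %2C
    - name: entity_type
      required: false
      description: >-
        Type of the entities that should be added. Use together with
        freetext_names to improve entity resolution.
      auto: PREDEFINED
      predefined:
      - ip
      - domain
      - malware
      - url
      - hash
      - cve
      - company
      - person
      - product
      - industry
      - country
      - attack-vector
      - operation
      - mitre-identifier
      - malware-category
    outputs:
    - contextPath: RecordedFuture.List.Entities.name
      description: Name of the entity in the list.
      type: String
    - contextPath: RecordedFuture.List.Entities.type
      description: The Recorded Future entity type resolved during the action.
      type: String
    - contextPath: RecordedFuture.List.Entities.id
      description: Unique ID of the entity in Recorded Future.
      type: String
    - contextPath: RecordedFuture.List.Entities.input_value
      description: The value inputted to the command.
      type: String
    - contextPath: RecordedFuture.List.Entities.action_result
      description: Entity specific result for the action.
      type: String
  # State-changing command: it removes entries from a list.
  - name: recordedfuture-lists-remove-entities
    description: >-
      Remove entities from a list. Separate entities with a comma. "NOTE:" If
      entity type is specified, only one entity type can be removed with each
      action.
    arguments:
    - name: list_id
      required: true
      description: >-
        ID of the list to remove the entities from. Can be found by running
        !recordedfuture-lists-search with the corresponding filters or in the
        Recorded Future portal.
    # NOTE(review): the link below points at the add-entities anchor; it is
    # kept as written because the remove-entities anchor is not visible here.
    - name: entity_ids
      description: >-
        A comma-separated list of specific IDs from Recorded Future. For URLs
        containing commas, replace the comma with %2C. For more information,
        go to
        https://xsoar.pan.dev/docs/reference/integrations/recorded-future-lists#recordedfuture-lists-add-entities.
      required: false
    # Freetext input is resolved to the "best match", so the entity removed
    # can differ from what was typed. Compare the input_value output with the
    # resolved name/id and check action_result.
    - name: freetext_names
      description: >-
        A comma-separated list of freetext names to be matched to Recorded
        Future IDs. Will remove the best match in the Recorded Future data.
        For URLs containing commas, escape with %2C.
      required: false
    - name: entity_type
      required: false
      description: >-
        Type of the entities that should be removed. Use together with
        freetext_names to improve entity resolution.
      auto: PREDEFINED
      predefined:
      - ip
      - domain
      - malware
      - url
      - hash
      - cve
      - company
      - person
      - product
      - industry
      - country
      - attack-vector
      - operation
      - mitre-identifier
      - malware-category
    outputs:
    - contextPath: RecordedFuture.List.Entities.name
      description: Name of the entity in the list
      type: String
    - contextPath: RecordedFuture.List.Entities.type
      description: The Recorded Future entity type resolved during the action
      type: String
    - contextPath: RecordedFuture.List.Entities.id
      description: Unique id of the entity in Recorded Future
      type: String
    - contextPath: RecordedFuture.List.Entities.input_value
      description: The value inputted to the command
      type: String
    - contextPath: RecordedFuture.List.Entities.action_result
      description: Entity specific result for the action
      type: String
  - name: recordedfuture-lists-entities
    description: Get the entities that are currently in the given lists.
    arguments:
    - name: list_ids
      required: true
      description: A comma-separated list of Recorded Future list IDs.
    outputs:
    - contextPath: RecordedFuture.List.id
      description: Unique ID of the list in Recorded Future.
      type: String
    - contextPath: RecordedFuture.List.name
      description: Name of the list in Recorded Future.
      type: String
    - contextPath: RecordedFuture.List.type
      description: Recorded Future entity type.
      type: String
    - contextPath: RecordedFuture.List.Entities.name
      description: Name of the entity in the list.
      type: String
    - contextPath: RecordedFuture.List.Entities.type
      description: The Recorded Future entity type resolved during the action.
      type: String
    - contextPath: RecordedFuture.List.Entities.id
      description: Unique ID of the entity in Recorded Future.
      type: String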
# Minimum platform version for this integration, kept as a string.
fromversion: '6.5.0'
# No test playbooks are listed; the single entry is a placeholder string.
tests:
- 'No tests (auto formatted)'