Now Available: Recorded Future's New Threat Intelligence API

Posted: 24th January 2017
Threat Intelligence API

We're pleased to announce the launch of Recorded Future’s new API for machine-readable threat intelligence. This API makes it faster and easier to automate threat intelligence context to top security processes with enrichment, correlation, and monitoring.

Most security teams will benefit from this API through our integrations with SIEM and incident response platforms without needing to “open the hood” and learn our API. Those details are important to security teams that want to creatively expand on those integrations to add our threat intelligence to even more products and workflows. This blog post is for those practitioners and developers, since this new API makes their job easier!

Before this launch, we invited customers and partners to test drive the new API and received both invaluable feedback and early validation.

For example, we previewed the new API with our friends at IBM, who quickly used it to integrate Recorded Future into X-Force Exchange for IOC enrichment.

Access your @RecordedFuture intelligence through X-Force Exchange

— Dan Schofield (@Dan__Schofield) December 12, 2016

We also updated our integration with Phantom, the new and highly acclaimed security automation and orchestration platform. Rob Truesdell, Director of Product Management at Phantom, said this about our recently certified app:

We're excited to make the new Recorded Future app available to our customers. This well-constructed app automates the enrichment of artifacts with real-time, broad-based threat intelligence, thus helping security operations teams make decisions faster and with more confidence. Automation is a key to cyber defense; Recorded Future understands this and makes it easy to integrate their data with the different tools our customers use. Rob Truesdell, Director of Product Management at Phantom

In the details, the API offers REST operations for common security data types like domains, IP addresses, file hashes, malware, and vulnerabilities. These are generally called “entities” in our jargon. Each entity type offers API operations for lookup (enrichment), search (monitoring), and risk list download (correlation). The API also offers operations for lists of entities, which include threat lists, white lists, and deployment-specific watchlists.


Our new API explorer allows analysts and developers to learn about the Recorded Future API and its features through an interactive interface.



Our new API is easy to learn and use; the explorer lets you create sample queries and run them on the fly; accompanying request examples can be cut and pasted directly into your automation scripts and integration code.

Integration developers will find this API very similar to other threat intelligence enrichment and monitoring APIs which they've used, and the early feedback has already been extremely positive. To find out if our new API is a good fit for your security needs, request a demo today.