Linking to Intelligence Cards

Recorded Future makes it straightforward to navigate or link to Intelligence Cards for IP Addresses, Domains, and Hashes. These cards serve as a starting point for investigation or incident response, answering the question: what can external threat intelligence from Recorded Future tell me about this observable?

The summary pages have a consistent URL structure, which makes it easy to deep link into Recorded Future from other systems.

The URL structure for these deep links to app.recordedfuture.com is:

  • /live/sc/entity/ip:<IP Address>

Please note: URLs to IP Intelligence Cards need to have leading zeros removed from IPv4 addresses.

  • /live/sc/entity/idn:<Internet Domain Name>
  • /live/sc/entity/hash:<Hash value>
  • /live/sc/entity/?name=<Vulnerability name or CVE number>
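
When these links are generated from another system (a SIEM alert, a ticket template), the observable usually comes from log data, so it should be normalized and percent-encoded before it is placed in the URL. The following is an added example, not Recorded Future code: the function names, the "vuln" kind label, the IPv6 handling, the domain lowercasing and the sample observables are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import quote

BASE = "https://app.recordedfuture.com/live/sc/entity/"

def normalize_ip(text):
    """Return the IP as the card URL expects it: IPv4 octets without leading zeros."""
    text = text.strip()
    if ":" not in text:  # IPv4: rebuild every octet as a plain decimal number
        parts = text.split(".")
        if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
            raise ValueError(f"not an IPv4 address: {text!r}")
        text = ".".join(str(int(p)) for p in parts)  # "010" -> "10"
    # Range check (rejects 300.1.1.1); IPv6 is validated and compressed (assumption)
    return str(ipaddress.ip_address(text))

def card_url(kind, value):
    """Build a deep link for one observable. kind: 'ip', 'idn', 'hash' or 'vuln'."""
    value = value.strip()
    if not value:
        raise ValueError("empty observable")
    # quote(..., safe="") encodes '/', '?', '&', '#' so that a value taken from
    # untrusted log data cannot change the path or add query parameters.
    if kind == "ip":
        return BASE + "ip:" + quote(normalize_ip(value), safe=":")
    if kind == "idn":
        # Lowercasing and dropping the trailing root dot are assumptions
        return BASE + "idn:" + quote(value.rstrip(".").lower(), safe="")
    if kind == "hash":
        return BASE + "hash:" + quote(value, safe="")
    if kind == "vuln":
        return BASE + "?name=" + quote(value, safe="")
    raise ValueError(f"unknown observable kind: {kind!r}")

# Constructed sample observables, as they might appear in an alert
SAMPLE = [
    ("ip", "192.000.002.010"),
    ("idn", "Example.COM."),
    ("hash", "d41d8cd98f00b204e9800998ecf8427e"),
    ("vuln", "CVE-2014-0160"),
]

def build_links(observables):
    """Return one deep link per (kind, value) pair."""
    return [card_url(kind, value) for kind, value in observables]

if __name__ == "__main__":
    for link in build_links(SAMPLE):
        print(link)
```
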


Clients who do not wish to expose the Intelligence Card details in the URL may instead POST a request to the following link with entity parameters in the body of the POST:

https://app.recordedfuture.com/live/sc/entity

For example, here is a simple HTML file illustrating this method; note that the CVE form submits a field named "name", whereas the form for the other indicator types submits a field named "id".

<html>
<body>
Hash,IP,IDN
<form method="post" action="https://app.recordedfuture.com/live/sc/entity">
<label>Entity id: <input type="text" name="id"/></label>
<button type="submit">Submit</button>
</form>
<br>
<br>
CVE
<form method="post" action="https://app.recordedfuture.com/live/sc/entity">
<label>Entity name: <input type="text" name="name"/></label>
<button type="submit">Submit</button>
</form>
</body>
</html>

Please note: Authenticated Recorded Future users will see the full Intelligence Card; non-Recorded Future users will see an abbreviated set of information on the Intelligence Card.