# Recorded Future Documentation > Documentation for Recorded Future ## API Reference - [Build a Case around a Reference Alert, or a Signal Alert](https://docs.recordedfuture.com/reference/cases-create.md): Create a new case linked to a reference alert (document-based) or signal alert (entity risk-based) for triage and investigation. - [Deletes specified Cases](https://docs.recordedfuture.com/reference/cases-delete-many.md): Bulk-delete up to 100 cases by ID, with partial-success handling that distinguishes deleted from already-removed cases. - [Deletes one Case](https://docs.recordedfuture.com/reference/cases-delete.md): Permanently remove a single case by its ID (idempotent — already-deleted or non-existent cases return success). - [Retrieve all eligible assignees for a Case](https://docs.recordedfuture.com/reference/cases-eligible-assignees.md): List users in an organization who are eligible to be assigned to a specific case, with optional name or email filtering. - [Lookup of Cases using Case IDs](https://docs.recordedfuture.com/reference/cases-lookup-many.md): Retrieve full case details (metadata, alert context, activity history) for one or more cases by their IDs. - [Lookup a Case using its ID](https://docs.recordedfuture.com/reference/cases-lookup.md): Retrieve full case details for a single case by ID (known routing bug — prefer POST /lookup with a single ID instead). - [Searches for any Case matching the criteria](https://docs.recordedfuture.com/reference/cases-search.md): Search cases by filter criteria to get matching case IDs, which can then be passed to the lookup endpoint for full details. - [Update Assignee, Status, Priority, Title or Description of a Case](https://docs.recordedfuture.com/reference/cases-update.md): Update assignee, status, priority, title, or description on an existing case. - [Fetch alert by id](https://docs.recordedfuture.com/reference/alerts-get-by-id.md): Retrieve a single alert by ID, including triage state, triggering rule, and the intelligence hits that activated it. - [Fetch a flat collection of hits](https://docs.recordedfuture.com/reference/alerts-get-hits.md): Retrieve a flat array of intelligence hits across one or more alerts for bulk processing, each tagged to its parent alert. - [Fetch raw image data](https://docs.recordedfuture.com/reference/alerts-get-image.md): Download the raw PNG image tied to an alert hit, primarily used for brand-protection evidence like fake apps or impersonated domains. - [Search for alert rules.](https://docs.recordedfuture.com/reference/alerts-search-rules.md): Search and list configured alert rules by freetext filter to discover rule IDs for use in alert queries. - [Search for alerts](https://docs.recordedfuture.com/reference/alerts-search.md): Search and filter alerts by time range, review status, alert rule, assignee, or freetext, with paginated results sorted by trigger time. - [Update one or several alerts](https://docs.recordedfuture.com/reference/alerts-update.md): Batch-update assignee, workflow status, and notes across one or more classic alerts in a single request. - [Available assignees](https://docs.recordedfuture.com/reference/playbook-alerts-assignees.md): List all users that are available as possible assignees for a given Playbook Alert - [Enumerations](https://docs.recordedfuture.com/reference/playbook-alerts-metadata.md): List all metadata and enumerations common to all types of Playbook Alerts. - [Preview Playbook Alert](https://docs.recordedfuture.com/reference/playbook-alerts-preview.md): Returns a Playbook Alert representation containing only properties shared between all alert types. - [Search for Playbook Alerts](https://docs.recordedfuture.com/reference/playbook-alerts-search.md): Searches for Playbook Alerts based on filtering conditions supplied in the body. Not specifying a filter for a property means the filter will match a Playbook Alert regardless of the property's value. Only Playbook Alerts matching all specified criteria are included in the response. - [Update Playbook Alert](https://docs.recordedfuture.com/reference/playbook-alerts-update.md): Update a Playbook Alert. Generic alert properties like status, priority and assignee may be updated, or a log message may be appended. - [Bulk Code Repository Data Leakage alert lookup](https://docs.recordedfuture.com/reference/playbook-alerts-code-repo-leakage-bulk.md): Perform a detailed lookup of data panels for several alerts at once. - [Detailed Code Repository Data Leakage alert data](https://docs.recordedfuture.com/reference/playbook-alerts-code-repo-leakage-detail.md): Retrieve detailed information about a Code Repository Data Leakage Playbook Alert with data grouped into UI-ready panels. - [Bulk Domain Abuse alert lookup](https://docs.recordedfuture.com/reference/playbook-alerts-domain-abuse-bulk.md): Perform a detailed lookup of data panels for several alerts at once. - [Detailed Domain Abuse alert data](https://docs.recordedfuture.com/reference/playbook-alerts-domain-abuse-detail.md): Retrieve detailed information about a Domain Abuse Playbook Alert with data grouped into UI-ready panels. - [Screenshot related to Domain Abuse alert](https://docs.recordedfuture.com/reference/playbook-alerts-domain-abuse-image.md): Fetch a screenshot associated with the Domain Abuse alert. - [Bulk Geopolitics Facility alerts lookup](https://docs.recordedfuture.com/reference/playbook-alerts-geopolitics-facility-bulk.md): Perform a detailed lookup of data panels for several Geopolitics Facility alerts at once. - [Geopolitics Facility alert data](https://docs.recordedfuture.com/reference/playbook-alerts-geopolitics-facility-detail.md): Retrieve detailed information about a Geopolitics Facility with data grouped into UI-ready panels. - [Image content by image id](https://docs.recordedfuture.com/reference/playbook-alerts-geopolitics-facility-image.md): Fetch an image content by image id - [Bulk Identity Novel Exposures alerts lookup](https://docs.recordedfuture.com/reference/playbook-alerts-identity-exposures-bulk.md): Perform a detailed lookup of data panels for several Identity Novel Exposures alerts at once. - [Detailed Identity Novel Exposures alert data](https://docs.recordedfuture.com/reference/playbook-alerts-identity-exposures-detail.md): Retrieve detailed information about a Identity Novel Exposures Playbook Alert with data grouped into UI-ready panels. - [Bulk Malware Report alert lookup](https://docs.recordedfuture.com/reference/playbook-alerts-malware-report-bulk.md): Retrieve detailed information about multiple Malware Report notifications with data grouped into UI-ready panels. - [Malware Report alert notification data.](https://docs.recordedfuture.com/reference/playbook-alerts-malware-report-detail.md): Retrieve detailed information about a Malware report notification with data grouped into UI-ready panels. - [Bulk Compromised Bank Checks alert lookup](https://docs.recordedfuture.com/reference/playbook-alerts-bank-checks-bulk.md): Retrieve detailed information about multiple compromised bank check notifications with data grouped into UI-ready panels. - [Compromised Bank Checks alert notification data.](https://docs.recordedfuture.com/reference/playbook-alerts-bank-checks-detail.md): Retrieve detailed information about a compromised bank check notification with data grouped into UI-ready panels. - [Check image by alert id](https://docs.recordedfuture.com/reference/playbook-alerts-bank-checks-image.md): Fetch a compromised bank check image content by alert id - [Bulk Third Party Risk alert lookup](https://docs.recordedfuture.com/reference/playbook-alerts-third-party-risk-bulk.md): Perform a detailed lookup of data panels for several alerts at once. - [Third Party Risk alert data](https://docs.recordedfuture.com/reference/playbook-alerts-third-party-risk-detail.md): Retrieve detailed information about a Third Party Risk Playbook Alert with data grouped into UI-ready panels. - [Bulk Vulnerability alert lookup](https://docs.recordedfuture.com/reference/playbook-alerts-vulnerability-bulk.md): Perform a detailed lookup of data panels for several alerts at once. - [Detailed Vulnerability alert data](https://docs.recordedfuture.com/reference/playbook-alerts-vulnerability-detail.md): Retrieve detailed information about a Vulnerability Playbook Alert with data grouped into UI-ready panels. - [Playbook Alerts: Malicious Sites Screenshot](https://docs.recordedfuture.com/reference/get_malicious-sites-playbook-alert-id-image-image-id.md): Fetch a screenshot associated with the Malicious Sites alert. - [Playbook Alerts: Malicious Sites Create](https://docs.recordedfuture.com/reference/post_malicious-sites-create.md): Manually create a Malicious Sites Playbook Alert for the supplied attacker domain. The alert is created with the cause `manual` and the creator is taken from the authenticated request. If the attacker matches the main attacker of an existing alert, the attacker is added to that alert instead of creating a new one. Provide exactly one of `rule` or `organization` to select the use case configuration the alert is created under. - [Playbook Alerts: Malicious Sites Detail](https://docs.recordedfuture.com/reference/post_malicious-sites-playbook-alert-id.md): Retrieve detailed information about a Malicious Sites Playbook Alert with data grouped into UI-ready panels. - [Playbook Alerts: Malicious Sites Bulk](https://docs.recordedfuture.com/reference/post_malicious-sites.md): Batch-retrieve detailed intelligence for up to 250 Malicious Sites alerts in a single request. - [Analyst Notes: Available Topics](https://docs.recordedfuture.com/reference/analyst-note-available-topics.md) - [Analyst Notes: Note Attributes](https://docs.recordedfuture.com/reference/analyst-note-note-attributes.md) - [Analyst Notes: Serialization Options](https://docs.recordedfuture.com/reference/analyst-note-serialization-options.md) - [Analyst Notes: Delete](https://docs.recordedfuture.com/reference/analyst-note-delete.md): Permanently delete an analyst note owned by your organization. - [Analyst Notes: Draft](https://docs.recordedfuture.com/reference/analyst-note-draft.md): Create a draft analyst note in the database without publishing it. - [Analyst Notes: Preview](https://docs.recordedfuture.com/reference/analyst-note-preview.md): Preview a rendered analyst note with entity resolution without saving it. - [Analyst Notes: Publish](https://docs.recordedfuture.com/reference/analyst-note-publish.md): Publish an analyst note, making it visible to your organization. - [Analyst Notes: Attachment](https://docs.recordedfuture.com/reference/analyst-note-attachment.md): Download the binary attachment file associated with an analyst note. - [Analyst Notes: Export](https://docs.recordedfuture.com/reference/analyst-note-export.md): Export an analyst note as a rendered PDF or HTML file. - [Analyst Notes: Lookup](https://docs.recordedfuture.com/reference/analyst-note-lookup.md): Retrieve a specific analyst note by its ID with configurable serialization level. - [Analyst Notes: Search](https://docs.recordedfuture.com/reference/analyst-note-search.md): Search published analyst notes from your enterprise and Insikt Group. - [ASI Assets: Apply Tag](https://docs.recordedfuture.com/reference/assets-apply-tag.md): Apply a custom tag to an asset, auto-creating the tag if needed. - [ASI Assets: Bulk Add/Remove Tags](https://docs.recordedfuture.com/reference/assets-bulk-tag.md): Add and remove multiple custom tags on a single asset atomically in one request. - [ASI Assets: Find](https://docs.recordedfuture.com/reference/assets-find.md): List and filter project assets using query-parameter-based criteria with OR logic. - [ASI Assets: Get Filtered Filters](https://docs.recordedfuture.com/reference/assets-get-filtered-filters.md): Retrieve filter facets narrowed to a specific asset subset using structured search filters. - [ASI Assets: Get Filters](https://docs.recordedfuture.com/reference/assets-get-filters.md): Discover available filter facets and their values across all project assets. - [ASI Assets: List Exposures](https://docs.recordedfuture.com/reference/assets-list-exposures.md): Retrieve all exposures for a specific asset with CVE/CWE identifiers, severity, and remediation steps. - [ASI Assets: Read](https://docs.recordedfuture.com/reference/assets-read.md): Retrieve the full risk profile for a single asset with optional enrichment fields. - [ASI Assets: Remove Tag](https://docs.recordedfuture.com/reference/assets-remove-tag.md): Remove a custom tag from an asset idempotently without deleting the tag definition. - [ASI Assets: Search](https://docs.recordedfuture.com/reference/assets-search.md): Perform advanced compound asset queries using structured JSON filters with AND logic. - [ASI Exposures: Get Assets](https://docs.recordedfuture.com/reference/exposures-get-assets.md): List all assets affected by a specific exposure signature with per-asset extracted evidence. - [ASI Exposures: List](https://docs.recordedfuture.com/reference/exposures-list.md): Retrieve a deduplicated, project-wide list of exposure signatures with affected-asset counts. - [ASI Projects: List](https://docs.recordedfuture.com/reference/project-list.md): List all accessible ASI projects and their IDs. - [ASI Rules: Add Static Assets](https://docs.recordedfuture.com/reference/rules-add-static-assets.md): Bulk add or remove up to 1,000 static asset scope rules in a single asynchronous request. - [ASI Rules: Get Static Assets](https://docs.recordedfuture.com/reference/rules-get-static-assets.md): List the manually defined scope rules (included/excluded hostnames, IPs, wildcards) for a project. - [ASI Tagging: Add Tag](https://docs.recordedfuture.com/reference/tagging-add-tag.md): Create a custom tag at the project level, idempotently returning the tag if it already exists. - [ASI Tagging: Bulk Tag Assets](https://docs.recordedfuture.com/reference/tagging-bulk-tag-assets.md): Add and remove tags across multiple assets in a single request with per-asset control. - [ASI Tagging: Get Tags](https://docs.recordedfuture.com/reference/tagging-get-tags.md): Retrieve all custom tags defined for a project, including unused tags. - [ASI Tagging: Get Task Status](https://docs.recordedfuture.com/reference/tagging-get-task-status.md): Poll the completion status of an asynchronous tagging operation by task ID. - [Create Source](https://docs.recordedfuture.com/reference/sources-create.md): Register a new custom intelligence source as a container for publishing threat reports. - [Get Source](https://docs.recordedfuture.com/reference/sources-get.md): Retrieve metadata for a specific custom intelligence source. - [Get Sources](https://docs.recordedfuture.com/reference/sources-list.md): List all custom intelligence sources in your account. - [Publish Reports](https://docs.recordedfuture.com/reference/sources-publish-reports.md): Submit threat intelligence reports with observables, TTPs, and threat actor associations to a custom source. - [Update Source](https://docs.recordedfuture.com/reference/sources-update.md): Modify the name or description of an existing custom intelligence source. - [Get Profile Indicators](https://docs.recordedfuture.com/reference/threat-detection-profile-indicators.md): Fetch continuously-updated threat indicators from a detection profile with optional risk score enrichment. - [Get Profile Detection Rules](https://docs.recordedfuture.com/reference/threat-detection-profile-rules.md): Fetch deployable detection rules (Sigma, Snort, YARA) from a detection profile. - [Query Profiles](https://docs.recordedfuture.com/reference/threat-detection-profiles-query.md): Discover threat detection profiles with continuously-updated indicators and detection rules. - [Get Job Indicators](https://docs.recordedfuture.com/reference/threat-hunting-job-indicators.md): Fetch threat indicators from a completed hunt job, optionally enriched with risk scores. - [Get Job Detection Rules](https://docs.recordedfuture.com/reference/threat-hunting-job-rules.md): Fetch detection rules from a threat hunt job scoped to its time window. - [Update Job Status](https://docs.recordedfuture.com/reference/threat-hunting-job-status.md): Transition a threat hunt job through its lifecycle (started, completed, failed) with optional outcome details. - [Get Pending Jobs](https://docs.recordedfuture.com/reference/threat-hunting-jobs-pending.md): Poll for threat hunt jobs awaiting execution by an integration. - [Query Profiles](https://docs.recordedfuture.com/reference/threat-hunting-profiles-query.md): Discover threat hunting profiles configured for your organization with schedules and lookback windows. - [Get Profile Indicators](https://docs.recordedfuture.com/reference/threat-prevention-profile-indicators.md): Fetch the block list of confirmed-malicious indicators from a prevention profile. - [Get Profile Detection Rules](https://docs.recordedfuture.com/reference/threat-prevention-profile-rules.md): Fetch supplementary detection rules from a prevention profile tagged with MITRE ATT&CK techniques. - [Query Profiles](https://docs.recordedfuture.com/reference/threat-prevention-profiles-query.md): Discover threat prevention profiles with curated block lists of confirmed-malicious indicators. - [Submit detected IOCs to the Collective Insights](https://docs.recordedfuture.com/reference/collective-insights-submit-detections.md): Ingest IoC detections from your security tools into Collective Insights to enrich your enterprise's threat intelligence with detection context from firewalls, SIEMs, and other sources. - [Search Collective Insights events](https://docs.recordedfuture.com/reference/collective-insights-search.md): Query your organization's enriched detection history across all Collective Insights sources, filtered by indicator type, associated threats, detection method, and time range. - [Collective Insights: Overview](https://docs.recordedfuture.com/reference/collective-insights.md) - [Associated Entities](https://docs.recordedfuture.com/reference/detection-rules-associated-entities.md): List all entities linked to at least one detection rule, usable as search filters. - [Associated Entity Types](https://docs.recordedfuture.com/reference/detection-rules-associated-entity-types.md): List entity type categories that appear across Insikt Group detection rules. - [Search Detection Rules](https://docs.recordedfuture.com/reference/detection-rules-search.md): Search Insikt Group detection rules with deployable YARA, Sigma, and Snort source code. - [Lookup Company by domain](https://docs.recordedfuture.com/reference/company-lookup-by-domain.md): Resolve a domain to its associated company entity with risk scoring and threat intelligence enrichment. - [Lookup a Company entity by id](https://docs.recordedfuture.com/reference/company-lookup.md): Get full company enrichment including risk scoring, triggered-rule evidence, analyst notes, and relationships. - [List Company risk rules.](https://docs.recordedfuture.com/reference/company-risk-rules.md): Get the catalog of company risk rules with criticality levels, entity counts, and NIST CSF codes. - [Search for Company entities based on a filter](https://docs.recordedfuture.com/reference/company-search.md): Find companies by name, risk score, industry, or risk rules with paginated risk assessment results. - [Fetch Domain risk list demo events](https://docs.recordedfuture.com/reference/domain-demo-events.md): Get simulated Squid proxy logs with risky domains for testing SIEM integrations, refreshed every four hours. - [Lookup a Domain entity by id by querying an Intelligence Card extension](https://docs.recordedfuture.com/reference/domain-lookup-extension.md): Get third-party enrichment for a domain from extensions like SecurityTrails, VirusTotal, or Shodan. - [Lookup a Domain entity by id](https://docs.recordedfuture.com/reference/domain-lookup.md): Get full domain enrichment including risk scoring, AI insights, and relationships to threat actors and attack infrastructure. - [Fetch Domain risk list](https://docs.recordedfuture.com/reference/domain-risk-list.md): Download domains filtered by risk rule in CSV/Splunk or STIX format for SIEM and firewall integration. - [List Domain risk rules](https://docs.recordedfuture.com/reference/domain-risk-rules.md): Get the catalog of ~78 domain risk rules with criticality levels, entity counts, and MITRE ATT&CK codes. - [Search for Domain entities based on a filter](https://docs.recordedfuture.com/reference/domain-search.md): Find domains by risk score, risk rules, dates, or list membership with paginated enrichment results. - [Stat a domain risk list](https://docs.recordedfuture.com/reference/domain-stat-risk-list.md): Check domain risk list for changes via ETag headers without downloading the full file. - [Enrichment: Field Attributes](https://docs.recordedfuture.com/reference/enrichment-field-attributes.md) - [Fetch Hash risk list demo events](https://docs.recordedfuture.com/reference/hash-demo-events.md): Get simulated Symantec EP logs with risky file hashes for testing SIEM/EDR integrations, refreshed every four hours. - [Lookup a Hash entity by id by querying an Intelligence Card extension](https://docs.recordedfuture.com/reference/hash-lookup-extension.md): Get third-party enrichment for a hash from extensions like PolySwarm, VirusTotal, or ReversingLabs. - [Lookup a Hash entity by id](https://docs.recordedfuture.com/reference/hash-lookup.md): Get full hash enrichment including risk scoring, malware family attribution, and MITRE ATT&CK mappings. - [Fetch Hash risk list](https://docs.recordedfuture.com/reference/hash-risk-list.md): Download file hashes filtered by risk rule in CSV/Splunk or STIX format for SIEM and EDR integration. - [List Hash risk rules](https://docs.recordedfuture.com/reference/hash-risk-rules.md): Get the catalog of hash risk rules with criticality levels, entity counts, and malware-focused MITRE ATT&CK codes. - [Search for Hash entities based on a filter](https://docs.recordedfuture.com/reference/hash-search.md): Find file hashes by risk score, risk rules, algorithm type, or dates with paginated enrichment results. - [Stat a hash risk list](https://docs.recordedfuture.com/reference/hash-stat-risk-list.md): Check hash risk list for changes via ETag headers without downloading the full file. - [Fetch IP Address risk list demo events](https://docs.recordedfuture.com/reference/ip-demo-events.md): Get simulated Juniper NetScreen syslogs with risky IPs for testing SIEM integrations, refreshed every four hours. - [Lookup a IP Address entity by id by querying an Intelligence Card extension](https://docs.recordedfuture.com/reference/ip-lookup-extension.md): Get third-party enrichment for an IP from extensions like Shodan, GreyNoise, Censys, or VirusTotal. - [Lookup a IP Address entity by id](https://docs.recordedfuture.com/reference/ip-lookup.md): Get full IP enrichment including risk scoring, geolocation, DNS, open ports, and threat actor relationships. - [Fetch IP Address risk list](https://docs.recordedfuture.com/reference/ip-risk-list.md): Download IP addresses filtered by risk rule in CSV/Splunk or STIX format for SIEM and firewall integration. - [List IP Address risk rules](https://docs.recordedfuture.com/reference/ip-risk-rules.md): Get the catalog of ~90 IP risk rules with criticality levels, entity counts, and MITRE ATT&CK codes. - [Search for IP Address entities based on a filter](https://docs.recordedfuture.com/reference/ip-search.md): Find IP addresses by risk score, threat rules, dates, or geolocation with paginated enrichment results. - [Stat a IP Address risk list](https://docs.recordedfuture.com/reference/ip-stat-risk-list.md): Check IP address risk list for changes via ETag headers without downloading the full file. - [Lookup a Malware entity by id by querying an Intelligence Card extension](https://docs.recordedfuture.com/reference/malware-lookup-extension.md): Get third-party enrichment for a malware entity from Intelligence Card extensions. - [Lookup a Malware entity by id](https://docs.recordedfuture.com/reference/malware-lookup.md): Get full malware enrichment including classification, MITRE ATT&CK mappings, and threat actor associations. - [Search for Malware entities based on a filter](https://docs.recordedfuture.com/reference/malware-search.md): Find malware families and tools by name or filter criteria; malware entities do not have risk scores. - [Fetch URL risk list demo events](https://docs.recordedfuture.com/reference/url-demo-events.md): Get simulated Squid proxy logs with risky URLs for testing SIEM integrations, refreshed every four hours. - [Lookup a URL entity by id by querying an Intelligence Card extension](https://docs.recordedfuture.com/reference/url-lookup-extension.md): Get third-party enrichment for a URL from extensions like VirusTotal, Kaspersky, or Mandiant. - [Lookup a URL entity by id](https://docs.recordedfuture.com/reference/url-lookup.md): Get full URL enrichment including risk scoring, AI threat analysis, and malware family relationships. - [Fetch URL risk list](https://docs.recordedfuture.com/reference/url-risk-list.md): Download URLs filtered by risk rule in CSV/Splunk or STIX format for SIEM and web proxy integration. - [List URL risk rules](https://docs.recordedfuture.com/reference/url-risk-rules.md): Get the catalog of ~40 URL risk rules with criticality levels, entity counts, and MITRE ATT&CK codes. - [Search for URL entities based on a filter](https://docs.recordedfuture.com/reference/url-search.md): Find URLs by risk score, risk rules, or date ranges with paginated enrichment results. - [Stat a URL risk list](https://docs.recordedfuture.com/reference/url-stat-risk-list.md): Check URL risk list for changes via ETag headers without downloading the full file. - [Fetch Vulnerability risk list demo events](https://docs.recordedfuture.com/reference/vulnerability-demo-events.md): Get simulated vulnerability scan findings in NDJSON format for testing parsing logic, refreshed every four hours. - [Lookup a Vulnerability entity by id by querying an Intelligence Card extension](https://docs.recordedfuture.com/reference/vulnerability-lookup-extension.md): Get third-party enrichment for a vulnerability from extensions like EPSS, ReversingLabs, or AlienVault. - [Lookup a Vulnerability entity by id](https://docs.recordedfuture.com/reference/vulnerability-lookup.md): Get full CVE enrichment including severity, exploitation status, and threat actor and malware linkages. - [Fetch Vulnerability risk list](https://docs.recordedfuture.com/reference/vulnerability-risk-list.md): Download CVEs filtered by risk rule in CSV or STIX format for vulnerability management and patching. - [List Vulnerability risk rules](https://docs.recordedfuture.com/reference/vulnerability-risk-rules.md): Get the catalog of vulnerability risk rules with criticality levels, entity counts, and exploitation-focused MITRE ATT&CK codes. - [Search for Vulnerability entities based on a filter](https://docs.recordedfuture.com/reference/vulnerability-search.md): Find vulnerabilities by CVSS score, risk score, exploitation status, or affected product for patch prioritization. - [Stat a Vulnerability risk list](https://docs.recordedfuture.com/reference/vulnerability-stat-risk-list.md): Check vulnerability risk list for changes via ETag headers without downloading the full file. - [Available Entity Types](https://docs.recordedfuture.com/reference/available-entity-types.md): A categorized reference of all available entity types in the Recorded Future data. Type values are case sensitive and subject to change. - [Lookup](https://docs.recordedfuture.com/reference/entity-lookup.md): Resolve an RF entity ID to its name, type, and aliases. - [Match](https://docs.recordedfuture.com/reference/entity-match.md): Resolve human-readable entity names to Recorded Future entity IDs using fuzzy matching, with an optional type filter to narrow results to specific entity categories. - [Fetch the content of a directory](https://docs.recordedfuture.com/reference/fusion-files-list-directory.md): List files and subdirectories in a Fusion file system directory to discover available outputs before downloading. - [Stat a feed file](https://docs.recordedfuture.com/reference/fusion-files-stat.md): Check file metadata (ETag, Last-Modified) without downloading content, enabling efficient polling for changes before a full download. - [Delete a feed file](https://docs.recordedfuture.com/reference/fusion-files-delete.md): Remove a file from your organization's Fusion file system by path (public Recorded Future-managed files cannot be deleted). - [Fetch a feed file](https://docs.recordedfuture.com/reference/fusion-files-get.md): Download a file from the Fusion file system by path, including Fusion flow outputs and public Recorded Future-managed files. - [Upload a feed file](https://docs.recordedfuture.com/reference/fusion-files-upload.md): Upload a file to your organization's Fusion file system, making it available for Fusion flows or retrieval via the download endpoint. - [API Entitlements](https://docs.recordedfuture.com/reference/api-entitlements.md) - [Recorded Future API Overview](https://docs.recordedfuture.com/reference/get-started.md) - [LLM Instructions](https://docs.recordedfuture.com/reference/llm-instructions.md) - [Dump Metadata Search](https://docs.recordedfuture.com/reference/identity-dump-metadata.md): Search metadata for data dumps and breach databases by name. - [Hostname Lookup](https://docs.recordedfuture.com/reference/identity-hostname.md): Find credentials compromised from a specific hostname (e.g., internal servers, VPN endpoints). - [Incident Report](https://docs.recordedfuture.com/reference/identity-incident-report.md): Get a detailed exposure incident report for a single malware log, including compromised credentials, device details, and malware attribution. - [IP Lookup](https://docs.recordedfuture.com/reference/identity-ip.md): Find credentials compromised from a specific IP address or IP range. - [Lookup](https://docs.recordedfuture.com/reference/identity-lookup.md): Retrieve full exposure history for specific email addresses, usernames, or credential hashes. - [Lookup passwords for exposure](https://docs.recordedfuture.com/reference/identity-password.md): Checks if specified passwords were exposed. - [Search](https://docs.recordedfuture.com/reference/identity-search.md): Find compromised identities across breach data and stealer logs for one or more domains. - [Detections](https://docs.recordedfuture.com/reference/identity-detections.md): Retrieve identity exposure detections with novel-only filtering and malware family attribution. - [Metadata: Entities](https://docs.recordedfuture.com/reference/links-metadata-entities.md): List entity types that can appear in the Links graph for use as search filters. - [Metadata: Events](https://docs.recordedfuture.com/reference/links-metadata-events.md): List the analysis event types used to classify link sources in the Links graph. - [Metadata: Sections](https://docs.recordedfuture.com/reference/links-metadata-sections.md): List the link category sections used to classify relationships in the Links graph. - [Search](https://docs.recordedfuture.com/reference/links-search.md): Search validated relationships between entities in the Links graph with category and type filters. - [/list/{listId}/entity/add](https://docs.recordedfuture.com/reference/lists-add-entity.md): Adds a single entity to the specified list, optionally with context metadata. - [/list/{listId}/entities](https://docs.recordedfuture.com/reference/lists-entities.md): Returns all entities in the specified list as a JSON array with no pagination. - [/list/{listId}/entity/remove](https://docs.recordedfuture.com/reference/lists-remove-entity.md): Removes a single entity from the specified list. - [/list/{listId}/textEntries](https://docs.recordedfuture.com/reference/lists-text-entries.md): Returns unstructured text entries stored in the specified list as a JSON array. - [/list/create](https://docs.recordedfuture.com/reference/lists-create.md): Creates a new empty list and returns its metadata including the list ID. - [/list/{listId}/info](https://docs.recordedfuture.com/reference/lists-info.md): Returns metadata for a specific list including name, type, timestamps, and ownership details. - [/list/search](https://docs.recordedfuture.com/reference/lists-search.md): Searches for lists matching optional name, type, and limit filters. - [/list/{listId}/status](https://docs.recordedfuture.com/reference/lists-status.md): Returns the processing status and entity count for a specific list. - [Lists: Available Tags](https://docs.recordedfuture.com/reference/lists-available-tags.md) - [/list/{listId}/entitiesWithTags](https://docs.recordedfuture.com/reference/lists-entities-with-tags.md): Returns all entities in the specified list along with their assigned tags. - [/list/{listId}/entity/tags](https://docs.recordedfuture.com/reference/lists-replace-entity-tags.md): Replaces all tags on an entity in a Third-Parties Watch List. - [Lists: Supported Entities](https://docs.recordedfuture.com/reference/lists-supported-entities.md) - [Create a Auto Sigma job](https://docs.recordedfuture.com/reference/sigma-create-job.md): Generate Sigma detection rules from observed behavioral patterns across malware samples. - [Delete a Job](https://docs.recordedfuture.com/reference/sigma-delete-job.md): Permanently delete an Auto Sigma job and its generated rules. - [Get result of a job](https://docs.recordedfuture.com/reference/sigma-get-job.md): Retrieve a specific Auto Sigma job's status, configuration, and generated detection rules. - [Get all jobs created by user](https://docs.recordedfuture.com/reference/sigma-list-jobs.md): List all Auto Sigma jobs with status and pagination support. - [Retry a Job](https://docs.recordedfuture.com/reference/sigma-retry-job.md): Reprocess a failed Auto Sigma job without creating a new one. - [Update a Sigma Rule](https://docs.recordedfuture.com/reference/sigma-update-job.md): Classify a Sigma rule's detection quality and optionally update its YAML content. - [Create an Auto YARA job](https://docs.recordedfuture.com/reference/yara-create-job.md): Generate YARA detection rules by analyzing common byte patterns across malware samples. - [Delete a Job](https://docs.recordedfuture.com/reference/yara-delete-job.md): Permanently delete an Auto YARA job and its generated rules. - [Edit an Auto YARA job](https://docs.recordedfuture.com/reference/yara-edit-job.md): Update the generated YARA rule on an existing job with revised detection logic. - [Get result of a job](https://docs.recordedfuture.com/reference/yara-get-job.md): Retrieve a completed Auto YARA job's generated rule, byte patterns, and sample coverage analysis. - [Get all jobs created by user](https://docs.recordedfuture.com/reference/yara-list-jobs.md): List all Auto YARA jobs with status and coverage data, excluding rule text. - [Retry a Job](https://docs.recordedfuture.com/reference/yara-retry-job.md): Reprocess a failed Auto YARA job without creating a new one. - [Query Malware Intelligence data with lists of entities](https://docs.recordedfuture.com/reference/malware-intelligence-query-iocs.md): Find sandbox artifacts by matching against lists of known IOCs instead of query expressions. - [Query Malware Intelligence data with natural language](https://docs.recordedfuture.com/reference/malware-intelligence-query-nl.md): Find sandbox artifacts using plain English instead of structured query syntax. - [Query Malware Intelligence data with query language](https://docs.recordedfuture.com/reference/malware-intelligence-query.md): Find and aggregate sandbox artifacts using structured query language. - [Fetch sandbox reports for a given sha256 hash and query](https://docs.recordedfuture.com/reference/malware-intelligence-sandbox-reports.md): Retrieve detailed behavioral and static analysis reports for a specific sample, ranked by sandbox score. - [Generate and run new a pipeline from bank account preset input](https://docs.recordedfuture.com/reference/pfi-bank-account-data.md): Queue a bulk export of compromised bank account records scoped to your organization. - [Generate and run new a pipeline from bank check preset input](https://docs.recordedfuture.com/reference/pfi-check-data.md): Queue a bulk export of compromised bank check records for your organization. - [Generate and run new a pipeline from CPP preset input](https://docs.recordedfuture.com/reference/pfi-cpp-merchant-data.md): Queue a bulk export of Common Point of Purchase (CPP) merchant records identifying potential points-of-compromise. - [Generate and run new a pipeline from full card preset input](https://docs.recordedfuture.com/reference/pfi-full-card-data.md): Queue a bulk export of compromised full payment card records scoped to your organization. - [Generate and run new a pipeline from magecart domain input](https://docs.recordedfuture.com/reference/pfi-magecart-domain-data.md): Queue a bulk export of Magecart domain records tracking detected JavaScript card-skimming activity. - [Generate and run new a pipeline from magecart merchant input](https://docs.recordedfuture.com/reference/pfi-magecart-merchant-data.md): Queue a bulk export of merchant-level Magecart records enriched with merchant name and MID. - [Generate and run new a pipeline from magescanner scans input](https://docs.recordedfuture.com/reference/pfi-magescanner-scan-data.md): Queue a bulk export of Magescanner scan results for e-commerce card-skimming threat visibility. - [Generate and run new a pipeline from partial card input](https://docs.recordedfuture.com/reference/pfi-partial-card-data.md): Queue a bulk export of compromised partial card records with BIN-level data from e-skimmer activity. - [Generate and run new a pipeline from partial card sold input](https://docs.recordedfuture.com/reference/pfi-sold-partial-card-data.md): Queue a bulk export of partial card records filtered by sold date rather than first-observed date. - [Generate and run new a pipeline from checker preset input](https://docs.recordedfuture.com/reference/pfi-tester-merchant-data.md): Queue a bulk export of tester merchant records used by fraudsters to validate stolen cards. - [Get resulted file for the task](https://docs.recordedfuture.com/reference/pfi-pickup-data.md): Download the completed results of a PFI bulk data task in NDJSON or CSV format. - [Create task to prepare bank account images for download.](https://docs.recordedfuture.com/reference/pfi-bank-account-images.md): Queue bank account document images for download by record IDs. - [Create task to prepare checks images for download.](https://docs.recordedfuture.com/reference/pfi-check-images.md): Queue check document images for download by record IDs. - [Adds new domains to the customer specific scanning queue](https://docs.recordedfuture.com/reference/pfi-add-scan-domains.md): Submit up to 10,000 domains to your organization's custom Magecart e-skimmer scanning queue. - [Empties the customer specific scanning queue](https://docs.recordedfuture.com/reference/pfi-clear-scan-queue.md): Remove all domains from your organization's custom Magecart scanning queue. - [Get task status](https://docs.recordedfuture.com/reference/pfi-delete-task.md): Remove a queued PFI bulk data task before it starts executing. - [Get tasks in queue](https://docs.recordedfuture.com/reference/pfi-list-tasks.md): Retrieve all PFI bulk data tasks in the queue, most recent first. - [Get task status](https://docs.recordedfuture.com/reference/pfi-task-status.md): Poll the processing status of a PFI bulk data task to determine when results are ready. - [Get a single active risk rule with enriched evidence](https://docs.recordedfuture.com/reference/risk-get-active-risk-rule.md): Fetch a single active risk rule for a company with paginated, rule-type-specific enriched evidence (open ports, leaked credentials, vulnerable products). - [Search for risk history](https://docs.recordedfuture.com/reference/risk-search-risk-history.md): Returns change events (not daily snapshots) for the risk score, criticality, and individual risk rules of one or more entities, so you can see when each value became active and when it was replaced. - [lookup product association with given cves](https://docs.recordedfuture.com/reference/cpewebcpecontrollercve_product_lookup.md): lookup product association with a given cves - [query service by product and version, language and security_criteria using the query params](https://docs.recordedfuture.com/reference/cpewebcpecontrollerquery_with_language.md): query service by product and version, language and security_criteria using the query params - [query vulnerabilities by product and version using the query param](https://docs.recordedfuture.com/reference/cpewebcpecontrollerquery.md): query vulnerabilities by product and version using the query param - [query language and security_criteria using the query params](https://docs.recordedfuture.com/reference/cpewebcpecontrollerraw_language.md): query language and security_criteria using the query params - [query threat_intel service by ip or host_name using the query params](https://docs.recordedfuture.com/reference/cpewebcpecontrollerthreat_intel_query.md): query threat_intel service by ip or host_name using the query params. Each is optional but one is required. - [Gets Industry trends data given a TOE id](https://docs.recordedfuture.com/reference/customerapiswebv0industrytrendscontrollerindustry_trends.md): Gets Industry trends data given a TOE id - [Portfolio member data including company description and domain ratings by security domain. If you are reading this and were filtering by analysis_id, please switch over to TOE_ID at your earliest convenience](https://docs.recordedfuture.com/reference/customerapiswebv0portfoliocontrollerportfolio_member_by_analysis_id.md): Portfolio member data including company description and domain ratings by security domain. If you are reading this and were filtering by analysis_id, please switch over to TOE_ID at your earliest convenience - [This resource tracks and reports a vendors progress in addressing action plan issues.](https://docs.recordedfuture.com/reference/actionplanissueprogress.md): RiskRecon automatically reports each vendor’s progress in addressing their action plan issues. This API returns issue progress for a given action plan. - [This resource returns action plan configurations both automated and manual for a given TOE.](https://docs.recordedfuture.com/reference/getactionplanconfig.md): This API returns action plan configurations both automated and manual for a given TOE. The end-user needs to input the TOE ID (toe_id) for a given action plan in the API request. - [This resource returns a list of finding details from an action plan of a TOE.](https://docs.recordedfuture.com/reference/getactionplanfindings.md): This API returns a list of findings for a given action plan of a TOE. The end-user needs to input the TOE ID (toe_id) for a given action plan in the API request. - [This resource returns a vendor's action plan issue summary.](https://docs.recordedfuture.com/reference/getactionplanissuesummary.md): This API returns a list of issue summaries for a given action plan. There are no parameters for this use case. The end-user needs to input the TOE ID (toe_id) for a given action plan in the API request. - [This API returns the count of current action plan issues per their severity and priority.](https://docs.recordedfuture.com/reference/getactionplanprioritymatrix.md): This API returns the counts of action plans as per their severity and priority. Found issues are assigned a Priority and Severity index. The end-user needs to input the TOE ID (toe_id) for a given action plan in the API request. In this scenario, the following are returned in the response: * the asset value starting from 1 to 4, where 1 = Idle, 2 = Low, 3 = Medium, 4 = High * total count of issues for each asset value * total count of issues by severity. The severity values can be Low, Medium, High, and Critical. - [This API returns the vendor status summary counts of a given action plan.](https://docs.recordedfuture.com/reference/getactionplanvendorstatussummarycounts.md): This API returns the vendor status summary counts of a given action plan. The end-user needs to input the TOE ID (toe_id) for a given action plan in the API request. In this scenario, the following are returned in the response: * total action plans provided to the vendor * the label of the action plans * the status of the action plans - [This resource sends action plan email to recipients of a TOE.](https://docs.recordedfuture.com/reference/shareactionplan.md): This API sends action plan findings to internal and external recipients. The end-user needs to input the TOE ID (toe_id) for a given action plan in the API request. Recipients and frequency are optional. If recipients are not provided, the action plan will be shared with previously shared recipients. If frequency is not provided, the action plan will be shared manually. Users can retrieve action plan configuration from ```(GET) /v1/action_plan/{toe_id} ``` API. * recipients: An Array of first_name, last_name, email, internal (true/false) for each recipient. See schema for more details. * frequency: 0 (default) is for manual/one-off, where 30/60/90 sets periodic automated action plan emails. - [This resource returns Alerting Issues from new scans in their portfolio based on the users alert settings.](https://docs.recordedfuture.com/reference/getalertingnewissues.md): This resource returns Alerting Issues from new scans in their portfolio based on the users alert settings. Alert settings can be changed at https://portal.riskrecon.com/portal/alert-center/alert-settings. - [This resource returns any rating/score changes from new scans in the users portfolio based on the users alert settings.](https://docs.recordedfuture.com/reference/getalertingscorechanges.md): This resource returns any rating/score changes from new scans in the users portfolio based on the users alert settings. Alert settings can be changed at https://portal.riskrecon.com/portal/alert-center/alert-settings. - [:: Legacy Route Please use getToeRatings :: This resource returns the most recent `Analysis` object by the TOE identifier. Trend data is only included if `include_trend` query param is added.](https://docs.recordedfuture.com/reference/getanalysisratings.md): :: Legacy Route Please use getToeRatings :: This resource returns the most recent `Analysis` object by the TOE identifier. This includes the security domain and criteria ratings. Trend data is only included if `include_trend` query param is added. - [:: Legacy Route Please use getToeRatings :: This resource returns a collection of historical `Analysis` objects by the TOE identifier.](https://docs.recordedfuture.com/reference/gethistoricalanalysisratings.md): :: Legacy Route Please use getTOERatings :: This resource returns a collection of historical `Analysis` objects by the TOE identifier. This includes the security domain and criteria ratings for each analysis. - [This resource returns an list of custom and industry standards.](https://docs.recordedfuture.com/reference/getriskstandards.md): This resource returns an list of custom and industry standards. Each standard has a number of controls. Some of these will be mapped to RiskRecon security domain and criteria and will have the associated ratings. - [This resource returns risk standard controls associated with a TOE id and a particular custom or industry standard.](https://docs.recordedfuture.com/reference/getriskstandardscontrols.md): This resource returns risk standard controls associated with a TOE id and a particular custom or industry standard. The risk standard id can be obtained from the /v1/compliance/{toe_id} response. Some will be mapped to RiskRecon security domain and criteria so will include the ratings for these domain/criteria and the TOE being queried. - [This resource returns a collection of `BreachEvent` objects.](https://docs.recordedfuture.com/reference/getbreachevents.md): This resource returns a collection of `DataLossEvent` objects for a portfolio. This is for the entire portfolio and has pagination unlike the data_loss_events route. - [:: Legacy Route :: This resource returns a collection of `DataLossEvent` objects.](https://docs.recordedfuture.com/reference/getdatalossevents.md): "::Legacy Route please use portfolio_data_loss_events:: This resource returns a collection of `DataLossEvent` objects for a given TOE id. This are referred to as Breach Events in the RiskRecon site." - [This resource returns a mapping of security_criteria labels and their current display names in the RiskRecon portal.](https://docs.recordedfuture.com/reference/getcriteriadisplaynames.md): This resource returns a mapping of security_criteria labels and their current display names in the RiskRecon portal. It also includes if the security_criteria is currently rated and if it is deprecated. - [This resource returns a mapping of security_domain labels and their current display names in the RiskRecon portal.](https://docs.recordedfuture.com/reference/getdomaindisplaynames.md): This resource returns a mapping of security_domain labels and their current display names in the RiskRecon portal. It also includes if the security_domain is currently rated and if it is deprecated. - [:: Legacy Route :: This resource returns a list of findings for latest analysis for a given TOE.](https://docs.recordedfuture.com/reference/getfindings.md): ::Legacy Route please use findings_paginated:: This use case describes how the Findings API is used to retrieve a list of findings for the latest analysis for a TOE. The toe_id is passed in the API request. In this scenario, all findings for that TOE are returned in the response. To limit or filter the data returned in the response, you can use various parameters in the API request: * Filter by an asset value: You can use the asset_value parameter to search for findings with high, medium, or low asset value. * Filter by severity: You can use the severity parameter to search for findings with high, medium, or low severity. * Filter by asset value and severity: You can use asset_value and severity parameters to search for findings with high, medium, or low asset value and severity. * Filter by multiple asset values: You can use the asset_value parameter multiple times to search for findings with multiple asset values. - [This resource returns a list of findings for latest analysis for a given TOE.](https://docs.recordedfuture.com/reference/getpaginatedfindings.md): This use case describes how the Findings API is used to retrieve a list of findings for the latest analysis for a TOE. The toe_id is passed in the API request. In this scenario, all findings for that TOE are returned in the response. To limit or filter the data returned in the response, you can use various parameters in the API request: * Filter by an asset value: You can use the asset_value parameter to search for findings with high, medium, or low asset value. * Filter by severity: You can use the severity parameter to search for findings with high, medium, or low severity. * Filter by asset value and severity: You can use asset_value and severity parameters to search for findings with high, medium, or low asset value and severity. * Filter by page: You can use the page parameter to search for findings pages. * Sort by Findings Attribute: You can use the sort attribute to sort results of alerting issues by available sort attributes. - [This resource returns a list of Hosts for latest analysis for a given TOE.](https://docs.recordedfuture.com/reference/gethosts.md): This resource returns a list of Hosts for latest analysis for a given TOE. This includes domain and netblock information as well. - [The Integration Routes API provides a list of URLs for the security domains within the Security Profile section of the RiskRecon Portal.](https://docs.recordedfuture.com/reference/getintegrationroutes.md): The Integration Routes API provides a list of URLs for the security domains within the Security Profile section of the RiskRecon Portal. If one of the URLs is followed by an unauthenticated user, they will be prompted to authenticate before they are redirected to the requested URL. The only parameter for this API is the TOE ID, which is required. - [The Integration Routes Details API provides a list of URLs for the detailed views within each security domain in the Security Profile and its corresponding risk_dimensions section of the RiskRecon Portal.](https://docs.recordedfuture.com/reference/getintegrationroutesdetails.md): The Integration Routes Details API provides a list of URLs for the detailed views within each security domain in the Security Profile and its corresponding risk_dimensions section of the RiskRecon Portal. API will also check if the customer has access and subscription enabled for requested risk dimensions and toes. The only parameter for this API is the TOE ID, which is required. - [This endpoint is for requesting to add new TOEs (targets of evaluation) to your portfolio.](https://docs.recordedfuture.com/reference/bulktoerequest.md): This is a bulk request for requesting to add new TOEs (targets of evaluation) to your portfolio. The request must have at least one item but no more than 25 per request. - [This endpoint adds and updates subscription licenses for a TOE.](https://docs.recordedfuture.com/reference/changesubscription.md): This request sets the list of subscription licenses that determine whether a TOE appears in your portfolio, and for which risk dimensions. The currently available Risk Dimensions are CYBER and PRIVACY. The available license types are AVISOR, DISCOVER, and SNAPSHOT. A cyber license of ADVISOR or DISCOVER is a prerequisite of any privacy license. SNAPSHOT licenses are not available for the privacy risk dimension at this time. - [This resource gets the customer's risk relationship folders names and slugs.](https://docs.recordedfuture.com/reference/getriskrelationshipsfolders.md): This resource gets the customer's risk relationship folders names and slugs. The slug will be used in requests that require the risk relationship. Risk relationships can be updated here https://portal.riskrecon.com/portal/risk-configuration if you have necessary permissions. - [This resource returns the default subscription_level for bulk toe requests for your customer.](https://docs.recordedfuture.com/reference/getsubscriptionlevelconfig.md): This resource returns the default subscription_level for bulk toe requests for your customer if it has been set. This can be set if you want all /v1/portfolio/bulk_add requests to have the same subscription level. Options are 1 (Discover) or 2 (Advisor) - [This resource sets the default subscription_level for bulk toe requests for your customer.](https://docs.recordedfuture.com/reference/setsubscriptionlevelconfig.md): This resource sets the default subscription_level for bulk toe requests for your customer if it has been set. This can be set if you want all /v1/portfolio/bulk_add requests to have the same subscription level. Options are 1 (Discover) or 2 (Advisor) - [This resource returns a collection of `EnforcementAction` objects.](https://docs.recordedfuture.com/reference/getenforcementactions.md): This resource returns a collection of `EnforcementAction` in portfolio. - [Get portfolio ratings report](https://docs.recordedfuture.com/reference/getpaginatedportfolioratingsreport.md): Retrieves a paginated list of portfolio ratings with their changes over time - [This route returns a collection of `Subsidiary` objects associated with a toe.](https://docs.recordedfuture.com/reference/getsubsidiariesbytoeid.md): This route returns a collection of `Subsidiary` objects associated with a toe. Any TOEs that appear to be a subsidiary of the provided TOE id are returned in the response. - [This endpoint adds an existing TOE to the users portfolio.](https://docs.recordedfuture.com/reference/addcompanytotoebytoeid.md): This endpoint adds an existing TOE to the users portfolio. The toe_id and other information can be obtained from the /v1/toes/by_domains response. - [This endpoint deletes an existing TOE to the users portfolio.](https://docs.recordedfuture.com/reference/deletetoebytoeid.md): User can delete a TOE from their portfolio by providing the toe_id in endpoint. - [This resource returns a collection of `TOE` objects mapped to a customer.](https://docs.recordedfuture.com/reference/getpaginatedtoes.md): This API retrieves a collection of TOE objects mapped to a customer. This include overall ratings and some domain rating information for the current analysis of the provided TOE id. As a TOE can have multiple internal IDs, this API filters if the internal ID is one among the multiple internal IDs. - [This endpoint allows the user to search for Company name, TOE ID by a valid CVE.](https://docs.recordedfuture.com/reference/gettoebycve.md): This endpoint allows the user to search for Company name, TOE ID by a valid CVE. The user must provide a valid cve in query param. - [This endpoint allows the user to search for a TOE by a valid domain or hostname.](https://docs.recordedfuture.com/reference/gettoebydomain.md): This endpoint allows the user to search for a TOE by a valid domain or hostname. The user must provide a valid domain or hostname in domain query param. - [Get the current or historical overall, domain and criteria ratings for a given TOE and a given risk dimension.](https://docs.recordedfuture.com/reference/gettoeratings.md): Get the current or historical overall, domain and criteria ratings for a given TOE and a given risk dimension. Privacy can only be returned if privacy is enabled for your customer and you have a privacy license for the given TOE. - [This resource returns a collection of `TOE` objects mapped to a customer.](https://docs.recordedfuture.com/reference/gettoes.md): This API retrieves a collection of TOE objects mapped to a customer. This include overall ratings and some domain rating information for the current analysis of the provided TOE id. As a TOE can have multiple internal IDs, this API filters if the internal ID is one among the multiple internal IDs. - [This resource gets a `TOE` object by its identifier.](https://docs.recordedfuture.com/reference/gettoesbytoeid.md): This resource gets a `TOE` object by its identifier. This include overall ratings and some domain rating information for the current analysis of the provided TOE id. - [This endpoint moves an existing TOE from one risk relationship folder to another](https://docs.recordedfuture.com/reference/movetoerequest.md): User can move a TOE from one risk relationship folder to another by providing the toe_id and relationship folder slug in request. Relationship folder slug can be retrieved from [/v1/portfolio/risk_relationships_folders](#/Portfolio/getRiskRelationshipsFolders). - [This endpoint allows a user to update the internal_ids and/or internal_name of an existing `TOE` by its identifier.](https://docs.recordedfuture.com/reference/updatetoesbytoeid.md): This endpoint allows a user to update the internal_ids and/or internal_name of an existing `TOE` by its identifier. These can be used to map a TOE in the RiskRecon system to an entity in the users system. - [This resource returns the PDF report.](https://docs.recordedfuture.com/reference/downloadpdfreport.md): This resource gets the PDF report. - [This resource allows the ordering and downloading of toe reports](https://docs.recordedfuture.com/reference/requestpdfreport.md): This endpoint provides the ordering of the following toe reports: - Executive Report - The Executive Report (executive-report) provides an executive summary of the RiskRecon ratings and security performance metrics. - Summary Report - The RiskRecon Summary Report (summary-report) provides the summary RiskRecon ratings and security performance metrics. - Detailed Report - The RiskRecon Detailed Report (detailed-report) provides the RiskRecon ratings, security performance metrics, and detailed findings and recommendations. - Action Plan - The action plan (action-plan) on this toe. - [This resource returns the list of active report request.](https://docs.recordedfuture.com/reference/requestpdfreportstatus.md): This resource returns all report requests submitted in the last 24 hours by the client. - [The User route is used to get all the user data for one’s organization.](https://docs.recordedfuture.com/reference/getuserdata.md): The User route is used to get all the user data for one’s organization. There currently are no filters or params. - [Streaming Newline delimited JSON response containing findings for latest analysis for a given TOE, security domain and security criteria. Swagger didn't have a way of showing this so please don't let the schema of mislead you with the array of findings](https://docs.recordedfuture.com/reference/customerapiswebv2findingcontrollerby_security_criteria.md): Streaming Newline delimited JSON response containing findings for latest analysis for a given TOE, security domain and security_criteria. Use include_all param to include all findings. Unfortunately, swagger UI can't format the streamed response but the given curl example will execute. - [Streaming Newline delimited JSON response containing findings for latest analysis for a given TOE and security domain. Swagger didn't have a way of showing this so please don't let the schema of mislead you with the array of findings](https://docs.recordedfuture.com/reference/customerapiswebv2findingcontrollerby_security_domain.md): Streaming Newline delimited JSON response containing findings for latest analysis for a given TOE and security domain. Use include_all param to include all findings. Unfortunately, swagger UI can't format the streamed response but the given curl example will execute. - [Streaming Newline delimited JSON response containing findings for latest analysis for a given TOE. Swagger didn't have a way of showing this so please don't let the schema of mislead you with the array of findings](https://docs.recordedfuture.com/reference/customerapiswebv2findingcontrollerindex.md): Streaming Newline delimited JSON response containing findings for latest analysis for a given TOE. Use include_all param to include all findings. Swagger didn't have a way of showing this so please don't let the schema of mislead you with the array of findings. Unfortunately, swagger UI can't format the streamed response but the given curl example will execute. - [Retrieve finding given toe id and finding id](https://docs.recordedfuture.com/reference/customerapiswebv2findingcontrollershow.md): Retrieve finding given toe id and finding id - [Download sample archive (TAR)](https://docs.recordedfuture.com/reference/sandbox-download-archive-tar.md): Download all analysis artifacts for a completed sample as an uncompressed TAR archive. - [Download sample archive (ZIP)](https://docs.recordedfuture.com/reference/sandbox-download-archive-zip.md): Download all analysis artifacts for a completed sample as a compressed ZIP archive. - [Download original sample](https://docs.recordedfuture.com/reference/sandbox-download-sample.md): Download the originally submitted sample file as unencrypted binary. - [List geolocations](https://docs.recordedfuture.com/reference/sandbox-list-geolocations.md): List available VPN exit points and regional tags for geographic routing in sandbox analysis. - [List resources](https://docs.recordedfuture.com/reference/sandbox-list-resources.md): List available sandbox VM images, platforms, and capacity limits for profile creation. - [Create profile](https://docs.recordedfuture.com/reference/sandbox-create-profile.md): Create a reusable sandbox analysis profile defining OS, locale, network, timeout, and browser settings. - [Delete profile](https://docs.recordedfuture.com/reference/sandbox-delete-profile.md): Permanently remove an analysis profile without affecting previously analyzed samples. - [Get profile](https://docs.recordedfuture.com/reference/sandbox-get-profile.md): Retrieve a single analysis profile by UUID or name. - [List profiles](https://docs.recordedfuture.com/reference/sandbox-list-profiles.md): List all reusable analysis profiles configured for your organization. - [Update profile](https://docs.recordedfuture.com/reference/sandbox-update-profile.md): Fully replace an existing analysis profile configuration (omitted optional fields reset to defaults). - [Get dynamic analysis report](https://docs.recordedfuture.com/reference/sandbox-get-dynamic-report.md): Retrieve the full behavioral analysis report with process trees, network flows, signatures, and malware configurations. - [Get overview report](https://docs.recordedfuture.com/reference/sandbox-get-sample-overview.md): Retrieve the comprehensive overview report with malware config, signatures, IOCs, and MITRE ATT&CK mappings. - [Get sample summary](https://docs.recordedfuture.com/reference/sandbox-get-sample-summary.md): Retrieve a mid-level analysis summary with per-task threat scores, behavior tags, and signature counts. - [Get static analysis report](https://docs.recordedfuture.com/reference/sandbox-get-static-report.md): Retrieve the static analysis report with file metadata, hashes, PE structure, and YARA matches available before behavioral execution completes. - [Get URL scan report](https://docs.recordedfuture.com/reference/sandbox-get-url-scan-report.md): Retrieve the URL scan report with Chromium CDP data including HTTP requests, redirects, cookies, and certificates. - [Get URL scan screenshot](https://docs.recordedfuture.com/reference/sandbox-get-url-scan-screenshot.md): Retrieve the PNG screenshot captured during URL scan analysis. - [Stream all sample events](https://docs.recordedfuture.com/reference/sandbox-stream-all-events.md): Stream real-time NDJSON state-change events for all visible samples without replaying existing state. - [Stream sample events](https://docs.recordedfuture.com/reference/sandbox-stream-sample-events.md): Stream a sample's current state and real-time updates, auto-closing when analysis reaches terminal status. - [Delete a sample](https://docs.recordedfuture.com/reference/sandbox-delete-sample.md): Permanently delete a sample and all associated analysis data. - [Get sample details](https://docs.recordedfuture.com/reference/sandbox-get-sample.md): Retrieve a sample's analysis tasks and current processing status. - [List samples](https://docs.recordedfuture.com/reference/sandbox-list-samples.md): List sandbox samples in reverse chronological order with optional ownership filtering. - [Search samples](https://docs.recordedfuture.com/reference/sandbox-search.md): Search sandbox analyses by hash, malware family, tag, or network indicator. - [Set analysis profile](https://docs.recordedfuture.com/reference/sandbox-select-profile.md): Resume a paused interactive-mode submission by selecting analysis profiles for behavioral execution. - [Submit a sample](https://docs.recordedfuture.com/reference/sandbox-submit-sample.md): Submit a file or URL for sandbox malware analysis via upload, fetch, or import modes. - [Download PCAP](https://docs.recordedfuture.com/reference/sandbox-download-pcap.md): Download the raw PCAP network capture from a behavioral task (unencrypted traffic only). - [Download PCAPNG](https://docs.recordedfuture.com/reference/sandbox-download-pcapng.md): Download the PCAPNG network capture from a behavioral task, including decrypted HTTPS via embedded TLS key logs. - [Download task file](https://docs.recordedfuture.com/reference/sandbox-download-task-file.md): Download a specific file artifact dropped or extracted during behavioral execution. - [Get behavioral logs](https://docs.recordedfuture.com/reference/sandbox-get-task-logs.md): Download raw kernel/system monitor logs capturing every process, file, registry, and network event from a behavioral task. - [Create YARA rule](https://docs.recordedfuture.com/reference/sandbox-create-yara-rule.md): Add a custom YARA rule compiled and validated server-side for automatic matching in future analyses. - [Delete YARA rule](https://docs.recordedfuture.com/reference/sandbox-delete-yara-rule.md): Permanently remove a YARA rule while preserving existing match results. - [Get YARA rule](https://docs.recordedfuture.com/reference/sandbox-get-yara-rule.md): Retrieve a YARA rule's source code, compilation status, and any warnings. - [List YARA rules](https://docs.recordedfuture.com/reference/sandbox-list-yara-rules.md): List all custom YARA rule filenames accessible by your account. - [Update YARA rule](https://docs.recordedfuture.com/reference/sandbox-update-yara-rule.md): Update a YARA rule's source code and optionally rename it, with server-side recompilation. - [Fetch risk information for a set of indicators](https://docs.recordedfuture.com/reference/soar-enrich.md): Retrieve risk scores, triggered rules, and evidence for up to 1,000 indicators across six entity types in a single batch call. - [Lookup all available risk contexts](https://docs.recordedfuture.com/reference/soar-get-contexts.md): Retrieve configuration for the malware, phishing, and c2 risk contexts, including default thresholds used by the triage endpoint. - [Triage multiple IOC entities](https://docs.recordedfuture.com/reference/soar-triage-batch.md): Evaluate up to 1,000 indicators against a specific risk context (malware, phishing, or c2) and return a boolean verdict based on context-specific sub-scores. - [STIX TAXII: Overview](https://docs.recordedfuture.com/reference/stix-taxii-overview.md) - [STIX TAXII: 1.x Service](https://docs.recordedfuture.com/reference/stix-taxii-1x-service.md) - [STIX TAXII: 2.1 Service](https://docs.recordedfuture.com/reference/stix-taxii-21-service.md) - [STIX TAXII: Collections](https://docs.recordedfuture.com/reference/stix-taxii-collections.md) - [Takedown API](https://docs.recordedfuture.com/reference/takedown-api.md): This is the API for requesting and monitoring takedowns. Provided by Phishfort - [Threat Actor Categories](https://docs.recordedfuture.com/reference/threat-actor-categories.md): Retrieve the full threat actor category taxonomy used across Recorded Future. - [Threat Actor Search](https://docs.recordedfuture.com/reference/threat-actor-search.md): Search Recorded Future's threat actor database by name, alias, or classification. - [Threat Actor Threat Map for Organization](https://docs.recordedfuture.com/reference/threat-actor-threat-map-org.md): Rank threat actors by risk to a specific organization in a multi-org enterprise. - [Threat Actor Threat Map](https://docs.recordedfuture.com/reference/threat-actor-threat-map.md): Rank threat actors by risk to your primary organization using intent and opportunity scores. - [Malware Categories](https://docs.recordedfuture.com/reference/malware-categories.md): Retrieve the full malware classification taxonomy with valid category identifiers for filtering. - [Malware Threat Map for Organization](https://docs.recordedfuture.com/reference/malware-threat-map-org.md): Rank malware families by prevalence and opportunity scores for a specific organization. - [Malware Threat Map](https://docs.recordedfuture.com/reference/malware-threat-map.md): Rank malware families by prevalence and opportunity scores for your primary organization. - [Available Threat Maps](https://docs.recordedfuture.com/reference/available-threat-maps.md): List all threat maps accessible to the current API token with their organization IDs and map types. ## Changelog - [Playbook Alerts API v1.4.0](https://docs.recordedfuture.com/changelog/playbook-alerts-api-v140.md) - [RiskRecon APIs](https://docs.recordedfuture.com/changelog/riskrecon-apis.md) - [Playbook Alerts API v1.3.1](https://docs.recordedfuture.com/changelog/playbook-alerts-api-v131.md) - [Malware Intelligence API v1.7.3](https://docs.recordedfuture.com/changelog/malware-intelligence-api-v173.md) - [Playbook Alerts API v1.3.0](https://docs.recordedfuture.com/changelog/playbook-alerts-api-v130.md)