> ## Documentation Index
> Fetch the complete documentation index at: https://docs.recordedfuture.com/llms.txt
> Use this file to discover all available pages before exploring further.

# LLM Instructions

This document routes you to the correct endpoint documentation based on the user's objective. It is NOT API documentation. Always fetch and read the endpoint .md files for parameters, schemas, and behavior.

```yaml
instructions:
  - Ask the user their objective with the Recorded Future APIs and their preferred language (Python or PowerShell).
  - Match their objective to a workflow below. Combine workflows if the objective spans multiple.
  - "Fetch https://docs.recordedfuture.com/llms.txt to resolve endpoint names below to documentation URLs. Each line follows the format `- [Endpoint Name](url): description` — search for the exact endpoint name and extract the URL."
  - If you have code execution capabilities, prefer downloading endpoint .md files directly via HTTP to avoid content summarization by intermediate models.
  - Fetch the .md file for each endpoint in the matched workflow, in order.
  - If no workflow matches, browse the full llms.txt index to discover relevant endpoints.
  - Before taking action, ask the user whether they want (a) to explore the API capabilities and responses or (b) working code.
  - If exploration — summarize what each relevant endpoint does, its parameters, and what it returns. Offer to dive deeper or pivot to code when ready.
  - If code — present a data flow plan covering endpoints, auth, request/response flow, and execution order. Wait for approval before writing.
  - In either case, state which base URL and auth header apply. These vary across API families — always read them from the securitySchemes and servers fields in each endpoint document.

also_read_guidance:
  - "also_read entries are NOT required reading. Do NOT fetch them upfront."
  - "Only fetch an also_read endpoint when the user's question or plan specifically requires information that the primary workflow steps did not cover."
  - "When presenting a plan, mention relevant also_read endpoints as 'available if needed' so the user can request them."

error_handling:
  - "If you cannot fetch llm-instructions.md, stop and tell the user: 'I was unable to load the Recorded Future API routing guide. This assistant requires web fetch capabilities to function. Please try a model or tool configuration that supports raw URL fetching.'"
  - "If you cannot fetch llms.txt or a specific endpoint .md file, tell the user which resource failed and offer to proceed with what you have, or retry."
  - "If a fetched document appears summarized, truncated, or otherwise incomplete, inform the user and do not treat partial information as authoritative."

response_schema_guidance:
  - Endpoint .md files define complete OpenAPI response schemas with nested properties, types, and descriptions. Trust the documented schema and use it to guide field access when writing code.
  - When the user asks "can I get field X from endpoint Y?", answer based on the fetched schema. Only answer "no" if the documentation explicitly states that something is unsupported, deprecated, or restricted.
  - 'If you encounter an endpoint where the schema appears underspecified (e.g., generic `properties: {}` or `additionalProperties` placeholders), do NOT treat the gap as a "no". Instead, note that the schema does not document that field and recommend the user verify with a real API call.'


api_behavior:
  rate_limiting:
    - "Rate limit is 1000 requests per 60 seconds. Exceeding it returns 429. Implement exponential backoff."
  error_format:
    - "All v2 errors return: {\"error\": {\"status\": <code>, \"message\": \"...\", \"reason\": \"...\"}, \"traceId\": \"...\"}. Save traceId for support escalation."
  http_403_types:
    - "'Missing API privileges' = wrong module entitlement. Check API Entitlements page."
    - "'Missing Data permissions' = correct module but restricted data-group scope. Contact RF admin."

language_defaults:
  python: Use the requests library. Auth via headers dict.
  powershell: Use Invoke-RestMethod. Auth via Headers parameter.

workflows:
  - name: Enrich IOCs
    triggers: [risk scores, malicious indicators, SIEM enrichment, IOC triage, IP lookup, domain lookup, hash lookup, URL lookup, threat intelligence enrichment]
    steps:
      - endpoint: "SOAR: Enrich"
        why: Batch lookup up to 1000 IOCs. Returns risk scores and triggered risk rules. Start here for bulk triage.
      - endpoint: "IP Address: Lookup"
        why: "Deep enrichment for individual IOCs. Use after SOAR Enrich to drill into high-risk indicators. Also available as Domain: Lookup, Hash: Lookup, and URL: Lookup — fetch the variant matching the entity type you need."
      - endpoint: "Links: Search"
        why: Relationship graph — connected threat actors, malware, or TTPs.
      - endpoint: "IP Address: List Risk Rules"
        why: "List available risk rules for filtering or understanding what drove a risk score. Also available as Domain: List Risk Rules, Hash: List Risk Rules, and URL: List Risk Rules."
    also_read: ["SOAR: Get Contexts", "Links: Metadata Entities", "Links: Metadata Events", "Links: Metadata Sections"]

  - name: Manage Watch Lists and Entity Lists
    triggers: [watch list, tech stack, add entities to list, remove entities, track companies, custom list, entity list management]
    steps:
      - endpoint: "Lists: Search"
        why: Find the target list by type (tech_stack, vulnerability, company, custom, etc.). Also covers entity ID formats and the 1000-entity limit in its documentation.
      - endpoint: "Lists: Get Entities"
        why: Retrieve current members to avoid duplicates before adding.
      - endpoint: "Entity: Match"
        why: Resolve human-readable names to RF entity IDs. Required for complex entity types.
      - endpoint: "Entity: Lookup"
        why: Optional. Retrieve metadata for disambiguation when Entity Match returns multiple candidates.
      - endpoint: "Links: Search"
        why: Optional. Enrich candidates with relationship data to rank match quality.
      - endpoint: "Lists: Add Entity"
        why: Add resolved entities.
    also_read: ["Lists: Remove Entity", "Lists: Create", "Lists: Get Info", "Lists: Get Status"]

  - name: Search and Triage Alerts
    triggers: [alerts, triage, alert status, ticketing, alert integration, alert management]
    variants:
      - name: Standard Alerts
        steps:
          - endpoint: "Alerts: Search"
            why: Find alerts by status, priority, rule, or time range.
          - endpoint: "Alerts: Get by ID"
            why: Full alert detail.
          - endpoint: "Alerts: Get Hits"
            why: Intelligence data that triggered the alert.
      - name: Playbook Alerts
        steps:
          - endpoint: "Playbook Alerts: Search"
            why: Find playbook alerts with filters.
          - endpoint: "Playbook Alerts: Preview"
            why: Quick view of alert properties.
          - endpoint: "Playbook Alerts: [Type] Detail"
            why: Type-specific detail. Use variant matching alert type (Vulnerability, Domain Abuse, Identity Exposures, etc.).
          - endpoint: "Playbook Alerts: Update"
            why: Change status, priority, or assignee.
    also_read: ["Playbook Alerts: Metadata", "Cases: Create"]

  - name: Manage Cases
    triggers: [cases, investigation, case management, escalation, assign case]
    steps:
      - endpoint: "Cases: Search"
        why: Find existing cases by status, priority, assignee, or time range.
      - endpoint: "Cases: Lookup"
        why: Full detail on a specific case.
      - endpoint: "Cases: Create"
        why: Create from a reference alert or signal alert.
      - endpoint: "Cases: Update"
        why: Change assignee, status, priority, title, or description.
      - endpoint: "Cases: Eligible Assignees"
        why: List users who can be assigned.

  - name: Vulnerability Intelligence
    triggers: [CVE, vulnerability, exploit, vulnerability risk list, patch prioritization, vulnerability management]
    steps:
      - endpoint: "Entity: Match"
        why: Resolve CVE IDs (e.g. CVE-2021-44228) to RF entity IDs. CVE strings are NOT valid entity IDs. This step is required.
      - endpoint: "Vulnerability: Lookup"
        why: Full intelligence card for a vulnerability.
      - endpoint: "Vulnerability: Search"
        why: Find vulnerabilities matching filter criteria.
      - endpoint: "Vulnerability: List Risk Rules"
        why: Available risk rules and their criticality.
      - endpoint: "Vulnerability: Download Risk List"
        why: Bulk download of scored vulnerabilities for SIEM integration.
      - endpoint: "Links: Search"
        why: Connected threat actors, malware, exploits, and affected products.

  - name: Attack Surface Intelligence
    triggers: [attack surface, external assets, exposures, ASI, asset discovery, asset tagging, exposure monitoring]
    note: "Auth and base URL differ from Core API. Read the securitySchemes and servers fields from the endpoint docs fetched in this workflow."
    steps:
      - endpoint: "ASI Projects: List"
        why: Find available projects. Required — all ASI operations are scoped to a project.
      - endpoint: "ASI Assets: Find"
        why: "Locate assets by type, exposure severity, tag, IP owner, or other filters. Alternative — ASI Assets: Search for complex queries."
      - endpoint: "ASI Assets: Read"
        why: Detailed view of a single asset.
      - endpoint: "ASI Assets: List Exposures"
        why: Specific exposures for an asset — ports, signatures, extracted versions.
      - endpoint: "ASI Exposures: List"
        why: Browse exposures across the project.
    also_read: ["ASI Tagging: Get Tags", "ASI Tagging: Add Tag", "ASI Assets: Apply Tag", "ASI Assets: Bulk Add/Remove Tags", "ASI Rules: Get Static Assets", "ASI Rules: Add Static Assets"]

  - name: Threat Actor and Malware Research
    triggers: [threat actors, malware families, TTPs, threat landscape, threat map, APT, threat intelligence research]
    steps:
      - endpoint: "Threat Maps: Available Maps"
        why: Discover which threat maps the user has access to.
      - endpoint: "Threat Maps: Threat Actor Map"
        why: Organizational threat landscape with opportunity/intent scores. Use Malware Map variant for malware focus. Use "for Organization" variants for multi-org enterprises.
      - endpoint: "Threat Maps: Threat Actor Search"
        why: Find all known threat actors.
      - endpoint: "Malware: Search"
        why: "Research specific malware families. Alternative — Malware: Lookup for a known entity."
      - endpoint: "Links: Search"
        why: Relationships between actors, malware, TTPs, and infrastructure.
      - endpoint: "Entity: Match"
        why: "Resolve entity names. Chain with Entity: Lookup for metadata."
    also_read: ["Threat Maps: Threat Actor Categories", "Threat Maps: Malware Categories"]

  - name: Detection Engineering
    triggers: [detection rules, Sigma, YARA, Snort, detection profiles]
    variants:
      - name: Find existing rules
        steps:
          - endpoint: "Detection Rules: Search"
            why: Search Insikt Group-authored YARA, Sigma, and Snort rules.
          - endpoint: "Detection Rules: Associated Entities"
            why: Entities linked to detection rules, for filtering.
      - name: Generate new rules
        steps:
          - endpoint: "Auto Sigma: Create Job"
            why: "Kick off Sigma rule generation. Use Auto YARA: Create Job for YARA rules."
          - endpoint: "Auto Sigma: Get Job"
            why: "Poll for completion and retrieve generated rule. Use Auto YARA: Get Job for YARA."
          - endpoint: "Auto Sigma: Update Job"
            why: "Modify the generated rule. Use Auto YARA: Edit Job for YARA."

  - name: Identity and Credential Intelligence
    triggers: [credentials, breached accounts, credential exposure, password exposure, credential dumps, identity intelligence]
    steps:
      - endpoint: "Identity: Search"
        why: Search credential exposures for a set of domains.
      - endpoint: "Identity: Lookup"
        why: Detailed credential data for specific subjects.
      - endpoint: "Identity: Hostname Lookup"
        why: Credentials associated with a specific hostname.
      - endpoint: "Identity: Password Lookup"
        why: Check if specific passwords have been exposed.
      - endpoint: "Identity: Dump Metadata Search"
        why: Check if a specific database dump is in the Identity Intelligence dataset.
      - endpoint: "Identity: Incident Report"
        why: Exposure incident report for a single malware log.

  - name: Malware Analysis and Sandboxing
    triggers: [sandbox, file analysis, URL analysis, malware analysis, detonation, malware intelligence, PCAP, YARA, sandbox profile, sandbox search, sandbox report]
    variants:
      - name: Sandbox analysis
        note: "Auth and base URL differ from Core API. Base URL is https://sandbox.recordedfuture.com/api/v0. Auth is Bearer token via Authorization header. Read the securitySchemes and servers fields from the endpoint docs fetched in this workflow."
        steps:
          - endpoint: "Sandbox: Submit Sample"
            why: Submit a file or URL for analysis. Supports four modes — file upload, URL analysis, URL fetch, and import. Use interactive=true to pause after static analysis for manual profile selection, or omit for automatic mode. Optional defaults object controls timeout (max 3600s), network mode (internet/drop/tor/sim/vpn), and geolocation.
          - endpoint: "Sandbox: Stream Sample Events"
            why: Monitor analysis progress in real time. Returns current sample state then streams updates as newline-delimited JSON. Auto-closes when sample reaches terminal status (reported/failed). Preferred over polling Get Sample.
          - endpoint: "Sandbox: Get Sample"
            why: Alternative to streaming. Poll analysis status. Use when streaming is not feasible.
          - endpoint: "Sandbox: Select Profile"
            why: Required for interactive mode only. When sample reaches static_analysis status, use this to choose analysis profiles and continue processing.
          - endpoint: "Sandbox: Get Sample Overview"
            why: Primary high-level results. Returns malware config, signatures, IOCs, extracted artifacts, and MITRE ATT&CK mappings.
          - endpoint: "Sandbox: Get Static Report"
            why: Static analysis details — file metadata, hashes (MD5/SHA1/SHA256/SHA512/ssdeep), PE imports, signatures, and unpacked files.
          - endpoint: "Sandbox: Get Dynamic Report"
            why: Behavioral analysis details — process tree, network flows, DNS/HTTP/TLS requests, extracted configs, MITRE ATT&CK TTPs, and risk score (0-10). Requires sampleID and taskID (e.g., behavioral1).
          - endpoint: "Sandbox: Get Sample Summary"
            why: Mid-level summary with per-task metadata including scores, platform details, tags, and backend info.
      - name: URL analysis
        note: "Use this variant when the submission is a URL rather than a file."
        steps:
          - endpoint: "Sandbox: Submit Sample"
            why: Submit with kind=url. Generates a urlscan1 task in addition to behavioral tasks.
          - endpoint: "Sandbox: Stream Sample Events"
            why: Monitor until status reaches reported.
          - endpoint: "Sandbox: Get URL Scan Report"
            why: URL-specific report with page metadata, network requests, and detected threats. Only available for samples with a urlscan1 task.
          - endpoint: "Sandbox: Get URL Scan Screenshot"
            why: Screenshot captured during URL scan analysis. Only available for URL-type submissions.
          - endpoint: "Sandbox: Get Sample Overview"
            why: Full analysis results combining URL scan and behavioral analysis.
      - name: Forensic artifact retrieval
        note: "Use after analysis completes to retrieve network captures, execution logs, and dumped files for deep forensic investigation."
        steps:
          - endpoint: "Sandbox: Download PCAP"
            why: Network capture for a specific task. Compatible with Wireshark/tcpdump. Use for basic traffic analysis.
          - endpoint: "Sandbox: Download PCAPNG"
            why: Extended network capture including decrypted HTTPS traffic. Requires Wireshark/TShark v3+. Prefer over PCAP when HTTPS decryption is needed.
          - endpoint: "Sandbox: Get Task Logs"
            why: Kernel monitor and behavioral logs. Log types — onemon (Windows), stahp (Linux), bigmac (macOS), droidy (Android). Returns newline-delimited JSON.
          - endpoint: "Sandbox: Download Task File"
            why: Retrieve a specific file dumped during execution or a memory dump from analysis.
          - endpoint: "Sandbox: Download Archive (ZIP)"
            why: Complete sample archive — all reports, network captures, dumped files, and configs in one download. Alternative — Download Archive (TAR) for TAR format.
          - endpoint: "Sandbox: Download Sample"
            why: Retrieve the original submitted file (unencrypted binary). File submissions only.
      - name: Sandbox search and history
        note: "Use to search across past analyses or browse submission history."
        steps:
          - endpoint: "Sandbox: Search"
            why: Query all sandbox analyses using a rich query language. Supports hash lookups (md5/sha1/sha256/sha512), family/tag filters (family:wannacry, tag:ransomware), network indicators (url/domain/ip), date ranges (from:/to:), and Boolean operators (AND/OR/NOT). Max 200 results per page.
          - endpoint: "Sandbox: List Samples"
            why: Browse submissions by scope — owned (your submissions), org (organization-wide), or public. Supports pagination.
          - endpoint: "Sandbox: Get Sample"
            why: Detailed info on a specific sample including its analysis tasks.
          - endpoint: "Sandbox: Delete Sample"
            why: Remove a sample and all associated analysis data. Note — public cloud users typically cannot delete samples.
      - name: Sandbox profile management
        note: "Profiles define reusable analysis configurations — OS, network mode, timeout, browser. Manage them before submitting samples."
        steps:
          - endpoint: "Sandbox: List Resources"
            why: Discover available VM images, platforms (e.g., windows10-1703_x64), and capacity limits. Use this to determine valid tags for profile creation.
          - endpoint: "Sandbox: List Geolocations"
            why: List available VPN geolocations. Required when creating a profile with network mode vpn.
          - endpoint: "Sandbox: List Profiles"
            why: View existing profiles. Profile names must be unique within the organization.
          - endpoint: "Sandbox: Create Profile"
            why: Create a reusable profile. Required fields — name, tags (OS/locale), timeout (max 3600s), network mode (internet/drop/tor/sim200/sim404/simnx/vpn). Optional — geolocation (required for vpn), browser (chrome/firefox).
          - endpoint: "Sandbox: Get Profile"
            why: Retrieve a specific profile by ID or name.
          - endpoint: "Sandbox: Update Profile"
            why: Overwrite a profile's configuration. Full profile object (excluding id) must be provided.
          - endpoint: "Sandbox: Delete Profile"
            why: Remove a profile by ID or name.
      - name: Sandbox YARA rule management
        note: "Create and manage custom YARA rules that run against sandbox submissions. Rules are compiled and validated on save."
        steps:
          - endpoint: "Sandbox: List YARA Rules"
            why: List all accessible rules. Returns names only — use Get YARA Rule for content.
          - endpoint: "Sandbox: Create YARA Rule"
            why: Create a new rule. Provide name (e.g., my_rule.yar) and rule content. Compiled and validated on creation. Include triage_score, description, and triage_description metadata for integration with analysis results.
          - endpoint: "Sandbox: Get YARA Rule"
            why: Retrieve a rule's source content and any compilation warnings.
          - endpoint: "Sandbox: Update YARA Rule"
            why: Update rule content or rename. Recompiled and validated on save.
          - endpoint: "Sandbox: Delete YARA Rule"
            why: Remove a rule by name.
      - name: Real-time monitoring
        note: "Stream live analysis events across all samples or a specific sample."
        steps:
          - endpoint: "Sandbox: Stream All Events"
            why: Organization-wide event stream. Emits real-time state changes for all visible samples. Does not replay initial state — only new events. Connection remains open indefinitely.
          - endpoint: "Sandbox: Stream Sample Events"
            why: Single-sample event stream. Returns current state then streams updates. Auto-closes on terminal status.
      - name: Malware intelligence queries
        steps:
          - endpoint: "Malware Intelligence: Query by IOCs"
            why: Search by known indicators.
          - endpoint: "Malware Intelligence: Query Natural Language"
            why: Free-text search.
          - endpoint: "Malware Intelligence: Get Sandbox Reports"
            why: Highest-scoring sandbox reports matching a query.
    also_read: ["Sandbox: List Resources", "Sandbox: List Geolocations", "Sandbox: Download Archive (TAR)", "Sandbox: Download PCAPNG"]

  - name: Risk List Downloads
    triggers: [risk list, SIEM integration, firewall feed, threat feed, indicator feed, risk list download]
    note: "Risk lists are available per entity type: IP Address, Domain, Hash, URL, and Vulnerability. Each type follows the same three-endpoint pattern. When searching llms.txt, replace the type name below with the specific entity type (e.g., 'IP Address: List Risk Rules', 'Domain: Download Risk List')."
    steps:
      - endpoint: "IP Address: List Risk Rules"
        why: "List available risk rules and entity counts per rule. Also available as Domain: List Risk Rules, Hash: List Risk Rules, URL: List Risk Rules, Vulnerability: List Risk Rules."
      - endpoint: "IP Address: Download Risk List"
        why: "Download the list. Use the list parameter to filter by risk rule. Without it, returns the default risk list. Also available as Domain: Download Risk List, Hash: Download Risk List, URL: Download Risk List, Vulnerability: Download Risk List."
      - endpoint: "IP Address: Stat Risk List"
        why: "Check if list has changed (ETag-based) without downloading the full file. Also available as Domain: Stat Risk List, Hash: Stat Risk List, URL: Stat Risk List, Vulnerability: Stat Risk List."

  - name: Payment Fraud Intelligence (PFI)
    triggers: [payment fraud, card fraud, compromised cards, BIN data, bank accounts, checks, magecart, e-skimmer, card testing, CPP, common point of purchase, PFI]
    note: "Auth and base URL differ from Core API. Read the securitySchemes and servers fields from the endpoint docs fetched in this workflow. All bulk data endpoints are asynchronous — submit a query, monitor the task, then retrieve results. Max 2 tasks run concurrently; additional tasks queue FIFO."
    variants:
      - name: Bulk data retrieval
        steps:
          - endpoint: "PFI: [Data Type]"
            why: Submit a bulk data query. Choose the endpoint matching your data need — Full Card Data, Partial Card Data, Sold Partial Card Data, Check Data, Bank Account Data, CPP Merchant Data, Magecart Domain Data, Magecart Merchant Data, Magescanner Scan Data, or Tester Merchant Data. Use dryRun at the root level of the request body to preview record count without creating a task.
          - endpoint: "PFI: Task Status"
            why: Poll task progress. Wait at least 1 minute after submission, then poll no more than once per minute. Task is complete when completedAt is non-null.
          - endpoint: "PFI: Pickup Data"
            why: Retrieve results. Returns newline-delimited JSON (one object per line, not a JSON array). For CSV format, you must explicitly list column names.
      - name: Task management
        steps:
          - endpoint: "PFI: List Tasks"
            why: See queued tasks waiting to run. Tasks leave the queue once they start executing.
          - endpoint: "PFI: Task Status"
            why: Check progress of a specific task by ID.
          - endpoint: "PFI: Delete Task"
            why: Remove a queued task before it starts. Only works on tasks that haven't begun running.
      - name: Document image retrieval
        steps:
          - endpoint: "PFI: Bank Account Data"
            why: "First retrieve bank account records to get record IDs. Alternative — use PFI: Check Data for check records."
          - endpoint: "PFI: Bank Account Images"
            why: "Submit record IDs (max 100) to prepare images for download. Completes in seconds. Alternative — PFI: Check Images for check document images."
          - endpoint: "PFI: Task Status"
            why: Confirm the image preparation task completed.
          - endpoint: "PFI: Pickup Data"
            why: Download the prepared images using the image task ID.
      - name: Magecart domain scanning
        note: Requires Magecart-specific module entitlement beyond standard PFI access.
        steps:
          - endpoint: "PFI: Add Scan Domains"
            why: Submit up to 10,000 domains for e-skimmer scanning. Adds to your custom scanning queue.
          - endpoint: "PFI: Clear Scan Queue"
            why: Empty the custom scanning queue if needed.
          - endpoint: "PFI: Magecart Domain Data"
            why: "Retrieve scan results. Also use PFI: Magescanner Scan Data for automated scan results."
    also_read: ["API Entitlements"]

  - name: Collective Insights
    triggers: [collective insights, detection enrichment, submit IOCs, detection telemetry, enriched detections, SIEM detections, security telemetry, bidirectional intelligence]
    steps:
      - endpoint: "Collective Insights: Overview"
        why: Read first. Explains the bidirectional pipeline and data flow.
      - endpoint: "Collective Insights: Submit Detections"
        why: Ingest IoC detections (IP, domain, hash, vulnerability, URL) from security tools. Pair each IoC with a detection type (detection_rule, correlation, playbook, or sandbox). Use options.debug=true for test submissions. Invalid IoC types are silently dropped — check processed counts in the response.
      - endpoint: "Collective Insights: Search"
        why: Query enriched detection history. Aggregates events from API submissions, integrations, Autonomous Threat Operations, and Sandbox. Filter by malware, threat actors, MITRE codes, indicator type, detection type, or time range. Paginate with next_offset.
      - endpoint: "Entity: Match"
        why: Resolve Recorded Future entity IDs returned in search results to get additional entity details.

cross_workflow_endpoints:
  - endpoint: "Entity: Match"
    when: You have a human-readable name and need an RF entity ID.
  - endpoint: "Entity: Lookup"
    when: You need metadata (aliases, type) for a known entity ID.
  - endpoint: "Links: Search"
    when: You need to understand relationships between entities.
  - endpoint: "Links: Metadata Entities"
    when: Building dynamic entity type filters for Links Search.
  - endpoint: "Links: Metadata Events"
    when: Building dynamic event type filters for Links Search.
  - endpoint: "Links: Metadata Sections"
    when: Building dynamic section filters for Links Search.
  - endpoint: "Enrichment: Field Attributes"
    when: Understanding available fields for enrichment queries.

  - endpoint: "Company: Lookup by Domain"
    when: You have a domain and need to identify the owning company.
  - endpoint: "API Entitlements"
    when: You get a 403/Forbidden error and need to check which module license is required for a specific API. If the required module is not part of your current license, contact your Recorded Future account team to discuss adding it.
  - endpoint: "Collective Insights: Submit Detections"
    when: You want to feed IOCs discovered through other workflows (PFI, alerts, risk lists) back into the Collective Insights enrichment pipeline.

verification_code: RF-DOCS-2026Q1
```