rf-enrich-domain-batch
Queries threat information for domains using the Recorded Future API.
Syntax
rf-enrich-domain-batch [profile=PROFILE] field=FIELD [output=OUTPUT] [batch=BATCH] [verbose=VERBOSE]
- profile=PROFILE
  - Optional. Recorded Future connect profile code
- field=FIELD
  - Required. Input field name containing domain
- output=OUTPUT
  - Optional. Output field prefix. Default: rf_
- batch=BATCH
  - Optional. Batch size (1-1000). Default: 100
- verbose=VERBOSE
  - Optional. Include evidences in output (t/f). Default: f
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| rf_risk_score | Integer | Risk Score | Overall risk score (0-99) |
| rf_risk_level | Integer | Risk Level | Overall risk level (1-4) |
| rf_c2_score | Integer | C2 Score | C2 context score |
| rf_phishing_score | Integer | Phishing Score | Phishing context score |
| rf_public_score | Integer | Public Score | Public threat score |
| rf_public_rule | String | Public Rule | e.g. Recently Suspected Phishing Techniques |
| rf_evidences | List | Evidences | Evidence list with keys: signature, rule, level, count, description, mitigation, sightings, timestamp |
| _error | String | Error | Error message for invalid input |
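
Example (added here, not part of the original reference or of the product's own code): one way to triage rows returned by this command once they have been exported as dictionaries. It separates rows that carry `_error`, checks the risk score against the documented 0-99 range, and ranks the rest. The input field name `domain`, the sample rows, the error text and the threshold of 65 are assumptions made for illustration.

```python
# Added example: triage rows returned by rf-enrich-domain-batch.
# Field names follow the Output Fields table (default rf_ prefix).
# SAMPLE_ROWS, the error text and the threshold are constructed assumptions.

SAMPLE_ROWS = [  # constructed sample data, not real Recorded Future output
    {"domain": "login-update.example", "rf_risk_score": 91, "rf_risk_level": 4,
     "rf_c2_score": 0, "rf_phishing_score": 88, "rf_public_score": 70,
     "rf_public_rule": "Recently Suspected Phishing Techniques"},
    {"domain": "beacon.example", "rf_risk_score": 67, "rf_risk_level": 3,
     "rf_c2_score": 75, "rf_phishing_score": 5, "rf_public_score": 0},
    {"domain": "docs.example", "rf_risk_score": 5, "rf_risk_level": 1,
     "rf_c2_score": 0, "rf_phishing_score": 0, "rf_public_score": 0},
    {"domain": "not a domain", "_error": "invalid domain"},
]


def triage(rows, field="domain", prefix="rf_", threshold=65):
    """Return (flagged, clean, rejected) lists built from enriched rows.

    field and prefix mirror the command's field= and output= options;
    threshold is a hypothetical cut-off chosen by the analyst.
    """
    flagged, clean, rejected = [], [], []
    for row in rows:
        # Rows with invalid input carry _error instead of scores.
        if row.get("_error"):
            rejected.append((row.get(field), row["_error"]))
            continue
        score = row.get(prefix + "risk_score")
        # Guard against rows that were never enriched or are out of range.
        if not isinstance(score, int) or not 0 <= score <= 99:
            rejected.append((row.get(field), "risk score missing or outside 0-99"))
            continue
        # Pick whichever context score (C2 or phishing) is higher, if any.
        contexts = {"c2": row.get(prefix + "c2_score") or 0,
                    "phishing": row.get(prefix + "phishing_score") or 0}
        top = max(contexts, key=contexts.get)
        entry = {"domain": row.get(field), "score": score,
                 "context": top if contexts[top] > 0 else None,
                 "rule": row.get(prefix + "public_rule")}
        (flagged if score >= threshold else clean).append(entry)
    # Highest overall risk first, so review starts with the worst domain.
    flagged.sort(key=lambda e: e["score"], reverse=True)
    return flagged, clean, rejected


if __name__ == "__main__":
    for bucket in triage(SAMPLE_ROWS):
        print(bucket)
```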