rf-enrich-ip
Queries threat information for a single IP address using the Recorded Future API.
Syntax
rf-enrich-ip [profile=PROFILE] value=VALUE
- profile=PROFILE: Optional. Recorded Future connect profile code.
- value=VALUE: Required. IP address to enrich.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| entity | String | Entity | IP address |
| entity_type | String | Entity Type | e.g. IpAddress |
| risk_score | Integer | Risk Score | Overall risk score (0-99) |
| risk_level | Integer | Risk Level | Overall risk level (1-4) |
| c2_score | Integer | C2 Score | C2 context score |
| phishing_score | Integer | Phishing Score | Phishing context score |
| public_score | Integer | Public Score | Public threat score |
| public_rule | String | Public Rule | e.g. Recent Phishing Host |
| evidences | List | Evidences | Evidence list with keys: signature, rule, level, count, description, mitigation, sightings, timestamp |
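The following is an added example of consuming the fields listed above; it is not part of the Recorded Future integration or the command itself. It validates the value= argument as an IP address before the enrichment call, checks a returned record against the documented field ranges (risk_score 0-99, risk_level 1-4), orders the evidence list by level, and produces a triage verdict. The escalation thresholds, the shape of the sightings entries, and the sample record values are assumptions made for this example.

```python
"""Consumer for rf-enrich-ip results (added example, not the integration's own code).

Record layout follows the Output Fields table; thresholds and the `sightings`
shape are assumptions."""
import ipaddress
from typing import Any


def validate_value(value: str) -> str:
    """value= is required and must be an IP address; reject anything else
    before spending an API call on it. Returns the normalized address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError as exc:
        raise ValueError(f"value must be an IP address, got {value!r}") from exc


def summarize_evidence(evidences: list[dict[str, Any]]) -> dict[str, Any]:
    """Order evidence by level (highest first, then count) so an analyst reads
    the strongest rules first, and collect any mitigation text provided."""
    ordered = sorted(
        evidences, key=lambda e: (e.get("level", 0), e.get("count", 0)), reverse=True
    )
    return {
        "max_level": ordered[0]["level"] if ordered else 0,
        "rules": [e["rule"] for e in ordered],
        "mitigations": [e["mitigation"] for e in ordered if e.get("mitigation")],
    }


# Assumed thresholds for this example; align them with your own escalation policy.
ESCALATE_LEVEL = 3
REVIEW_LEVEL = 2


def triage(record: dict[str, Any]) -> dict[str, Any]:
    """Check a record against the documented ranges and decide how to handle the IP."""
    if record.get("entity_type") != "IpAddress":
        raise ValueError(f"unexpected entity_type {record.get('entity_type')!r}")
    score, level = record["risk_score"], record["risk_level"]
    if not 0 <= score <= 99:
        raise ValueError(f"risk_score out of documented range: {score}")
    if not 1 <= level <= 4:
        raise ValueError(f"risk_level out of documented range: {level}")

    evidence = summarize_evidence(record.get("evidences", []))
    # Any C2 context is treated as worth escalating regardless of overall level.
    if level >= ESCALATE_LEVEL or record.get("c2_score", 0) > 0:
        verdict = "escalate"
    elif level >= REVIEW_LEVEL:
        verdict = "review"
    else:
        verdict = "informational"
    return {
        "entity": validate_value(record["entity"]),
        "verdict": verdict,
        "risk_score": score,
        "risk_level": level,
        "public_rule": record.get("public_rule"),
        "top_rules": evidence["rules"][:3],
        "mitigations": evidence["mitigations"],
    }


# Constructed sample record in the shape of the output fields (made-up values,
# RFC 5737 documentation address; not real Recorded Future data).
SAMPLE_RECORD = {
    "entity": "198.51.100.23",
    "entity_type": "IpAddress",
    "risk_score": 72,
    "risk_level": 3,
    "c2_score": 0,
    "phishing_score": 65,
    "public_score": 72,
    "public_rule": "Recent Phishing Host",
    "evidences": [
        {"signature": "recentPhishingHost", "rule": "Recent Phishing Host", "level": 3,
         "count": 2, "description": "Seen hosting a phishing page (constructed)",
         "mitigation": "Block at web proxy", "sightings": [],
         "timestamp": "2024-05-01T10:00:00Z"},
        {"signature": "recentScanner", "rule": "Recent Scanner", "level": 2,
         "count": 5, "description": "Observed scanning (constructed)",
         "mitigation": "", "sightings": [], "timestamp": "2024-04-28T08:30:00Z"},
    ],
}

if __name__ == "__main__":
    print(triage(SAMPLE_RECORD))
```

Validating value= up front matters when the command is driven from alert data: a hostname or a malformed string would otherwise fail at the API side and waste a request, and the range checks catch records that do not match the documented contract before a playbook acts on them.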