Skip to main content
Skip table of contents

Recorded Future-SecurityTrails

LAST UPDATED: AUG 18, 2025

Overview

SecurityTrails is a total inventory that curates comprehensive domain and IP address data for users and applications that demand clarity. By combining current and historic data of all Internet assets, SecurityTrails is the proven solution for 3rd-party risk assessment, attack surface reduction and threat hunting. This integration enables organizations to query risk issues and correlate domain and IP address data for risk assessment and threat hunting.

D3 SOAR is providing REST operations to function with Recorded Future-SecurityTrails.

Recorded Future-SecurityTrails is available for use in:

D3 SOAR

V15.4.41.0+

Category

Data Enrichment

Deployment Options

Option II, Option IV

Known Limitations

Users can monitor their API usage by navigating to API > Quota on their Recorded Future SecurityTrails account page.

Group 7.png

Connection

To connect to Recorded Future-SecurityTrails from D3 SOAR, follow this part to collect the required information below:

Parameter

Description

Example

Server URL

The server URL of the SecurityTrails API.

https://api.securitytrails.com

API Key

The API key to authenticate the connection.

yaYc*****sae2

API Version

The version of the API to use for the connection.

v1

Configuring Recorded Future-SecurityTrails to Work with D3 SOAR

  1. Log into SecurityTrails.

    Group 1.png

  2. Open the API accordion, then select the API Keys option.

    Group 2.png

  3. Click the Create New API Key button.

    Group 7 (1).png

  4. Enter a note for the API key, then click the Create New API Key button.

    Group 4 (1).png

  5. Copy the API key for later use. Refer to Step 3.i, Sub-step 2 in Configuring D3 SOAR to Work with Recorded Future-SecurityTrails.

    Group 5 (1).png

Configuring D3 SOAR to Work with Recorded Future-SecurityTrails

  1. Log in to D3 SOAR.

  2. Find the Recorded Future-SecurityTrails integration.

    screenshot_1.png

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Recorded Future-SecurityTrails in the search box to find the integration, then click it to select it.

    4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Recorded Future-SecurityTrails.

    screenshot_2.png

    1. Connection Name: The desired name for the connection.

    2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

    4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): The description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

      tenant.png

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the tick box to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      screenshot_3.png

      1. Input the domain level Server URL. The default value is https://api.securitytrails.com.
      2. Input the API Key. See Step 5 of Configuring Recorded Future-SecurityTrails to Work with D3 SOAR for instructions on obtaining the API Key.
      3. Input the API Version. The default value is v1. The following commands are available only in v2:

      • Apply Tags to Asset

      • Create Tag

      • Find Assets

      • Get Asset Details

      • Get Exposure Assets

      • Get Tags

      • List Asset Exposures

      • List Exposures

      • List Projects

      • Remove Tags From Asset

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

  4. Test the connection.

    screenshot_4.png

    1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Recorded Future-SecurityTrails includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Recorded Future-SecurityTrails API, refer to the following SecurityTrails API references:

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

    Frame 6.png

  2. Choose the desired date and time format, then click on the Save button.

    Frame 3.png

The selected time format will now be visible when configuring Date/Time command input parameters.

READER NOTE

The following commands require an API Version v2 connection:

  • Apply Tags to Asset

  • Create Tag

  • Find Assets

  • Get Asset Details

  • Get Exposure Assets

  • Get Tags

  • List Asset Exposures

  • List Exposures

  • List Projects

  • Remove Tags From Asset

Ensure the API Version value in the connection form is set to v2.

Group 6.png

Apply Tags to Asset

Adds specified tags to an asset.

READER NOTE

Project ID, Asset ID, and Tags are required parameters to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

  • Run the Find Assets command to obtain the Asset ID. Asset IDs can be found in the raw data at $.data[*].id.

  • Run the Get Tags command to obtain the Tags. Tags can be found in the raw data at $.data[*].title.

If the specified tags do not exist, they will be created and added to the asset after a delay.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project containing the asset. Project IDs can be obtained using the List Projects command.

c797*****dc4f

Asset ID

Required

The ID of the asset to which tags will be added. Asset ID can be obtained using the Find Assets command.

foo.example.com

Tags

Required

The list of tag names to apply to the asset. Tags can be obtained using the Get Tags command. If the specified tags do not exist, they will be created and added to the asset after a delay.

JSON 
[
  "test"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Apply Tags to Asset failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Asset not found: domain.com.

Error Sample Data

Apply Tags to Asset failed.

Status Code: 404.

Message: Asset not found: domain.com.

Create Tag

Creates a new user-defined tag for the project. This tag can later be added to assets. If the tag already exists, it is returned without error.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project for which new tags will be created. Project ID can be obtained using the List Projects command.

2c34*****34e4

Tag Name

Required

The name of the tag to create.

Blacklist

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Tag failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unknown Project.

Error Sample Data

Create Tag failed.

Status Code: 404.

Message: Unknown Project.

DSL Query

Runs a Domain Specific Language (DSL) query on the SecurityTrails Exploration End Point platform. This command allows querying the SecurityTrails Exploration End Point with flexible SQL-like syntax. The DSL syntax used by SecurityTrails closely resembles SQL WHERE predicates.

Input

Input Parameter

Required/Optional

Description

Example

Query

Required

The Domain Specific Language (DSL) statement to execute. The syntax closely resembles that of SQL WHERE predicates. For information on available input fields and sample queries, refer to How to Use the DSL.

ns = 'ns1.yahoo.com' AND ipv4 = '1.1.1.1'

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

DSL Query failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Query.

Error Sample Data

DSL Query failed.

Status Code: 403.

Message: Invalid Query.

Fetch Incident

Returns a list of hosts with issue updates. As issue snapshots are not taken in real time, setting the interval to 60 minutes is recommended.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project for which to retrieve issues. Project ID can be obtained using the List Projects command.

c797*****dc4f

Start Time

Optional

The start of the time range to ingest incidents. By default, the Start Time is 24 hours before End Time.

2024-07-01 00:00

End Time

Optional

The end of the time range to ingest incidents. By default, the End Time is the current time.

2024-07-02 00:00

Previous Snapshot Fetch State

Optional

The most recent snapshot information to query. This parameter provides an additional option to control the snapshot source for the query. Refer to the sample data for input formatting. Leave this field empty when creating the incidents ingestion schedule, as it is automatically maintained in that context.

JSON 
{
  "snapshot_time": "2024-12-30 08:56:18",
  "is_fetched": false
}

Output

To view the sample output data for all commands, refer to this article.

Incident Field Mapping

For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed. 

Event and Incident Intake Field Mapping

Incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. Users can edit the provided mappings or create custom mappings as needed. Refer toEvent and Incident Intake Field Mapping for details. 

Incident Main JSON Path: $.Results

Field Name

Source Field

Title

User-defined

Description

User-defined

Severity

User-defined

Incident Category

User-defined

Incident Type *

User-defined

Incident Creator

User-defined

Incident Owner

User-defined

Investigation Playbook

User-defined

Due In Date

User-defined

Origin ID

User-defined

Unique Key

User-defined

Tactics

User-defined

Techniques

User-defined

Event Field Mapping

Main Event JSON Path

  • $.Issues

Refer to the table below for Event Field Mapping:

Field Name

Source Field

Host Additional

.example_entities.*[0].additional

Host Sort Value

.example_entities.*[0].sort_value

Issue Domain Count

.rule_metadata.entity_counts.domains

Issue IP Count

.rule_metadata.entity_counts.ips

Snapshot Risk Score

.risk_score

Event code

.id

Event name

.name

Hostname

.example_entities.*[0].example

Start Time

.snapshot

Description

.description

Severity

.classification

Status

.Status

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Incident failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unknown Project.

Error Sample Data

Fetch Incident failed.

Status Code: 404.

Message: Unknown Project.

Find Assets

Retrieves project assets based on specified filter criteria.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Tags is an optional parameter to run the command.

  • Run the Get Tags command to obtain the Tags. Tags can be found in the raw data at $.data[*].title.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project in which to search for assets. Project ID can be obtained using the List Projects command.

c797*****dc4f

Limit

Optional

The maximum number of assets to return. The maximum allowed value is 1000. By default, all assets matching the filters below will be returned.

50

Sort

Optional

The field by which to sort the returned assets. Available options are:

  • Discovered At

  • Added To Project At

  • Last Scanned At

  • Exposure Score

  • Asset ID

By default, the value is set to Exposure Score.

Exposure Score

Asset Type

Optional

The type of assets to retrieve. Available options are:

  • Domain

  • IP

Domain

Tags

Optional

Filters assets by custom tags. Tags can be obtained using the Get Tags command.

Blacklist

Start Time

Optional

Filters assets added to the project on or after the specified date (Y-m-d). By default, the value is 24 hours before the End Time.

2025-03-01

End Time

Optional

Filters assets added to the project on or before the specified date (Y-m-d). By default, the value is the current date (in UTC).

2025-06-26

Additional Fields

Optional

A comma-separated list of additional fields to include in the response. Available options are:

  • custom_tags

  • dns_records

  • whois

  • ip_metadata

  • open_tcp_ports

  • open_udp_ports

  • web_technologies

  • certificates

  • certificate_chain

  • defenses

  • exposures

  • exposure_instance_details

By default, only custom_tags will be returned.

custom_tags,dns_records,whois,ip_metadata,open_tcp_ports,open_udp_ports,web_technologies,certificates,certificate_chain,defenses,exposures,exposure_instance_details

Other Filters

Optional

Filters assets using additional query parameters.

Supported Keys

  • discovered_before

  • discovered_after

  • apex

  • referenced_ip

  • referenced_ip_before

  • referenced_ip_after

  • has_dns_record_type

  • dns_resolves

  • asn

  • cname_reference

  • geo_country_iso

  • ip_owner

  • whois_email

  • whois_email_current

  • open_port_number

  • open_port_protocol

  • open_port_service

  • open_port_technology

  • technology_name

  • web_technology_name

  • certificate_issuer

  • certificate_subject

  • certificate_subject_alt_name

  • certificate_sha256

  • certificate_covers_domain

  • certificate_expires_before

  • certificate_expires_after

  • certificate_issued_before

  • certificate_issued_after

  • waf_detected

  • waf_name

  • exposure_score_gte

  • exposure_score_lte

  • exposure_severity

  • exposure_id

JSON 
{
  "asn": 16509,
  "geo_country_iso": "US",
  "exposure_score_gte": 70
}

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Find Assets failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unknown Project.

Error Sample Data

Find Assets failed.

Status Code: 404.

Message: Unknown Project.

Get Asset Details

Retrieves a specific asset within a project using its asset ID.

READER NOTE

Project ID and Asset ID are required parameters to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

  • Run the Find Assets command to obtain the Asset ID. Asset IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project containing the asset. Project ID can be obtained using the List Projects command.

c797*****dc4f

Asset ID

Required

The ID of the asset used to retrieve detailed asset information. Asset IDs can be obtained using the Find Assets command.

foo.example.com

Additional Fields

Optional

A comma-separated list of additional fields to include in the response. Available options are:

  • custom_tags

  • dns_records

  • whois

  • ip_metadata

  • open_tcp_ports

  • open_udp_ports

  • web_technologies

  • certificates

  • certificate_chain

  • defenses

  • exposures

  • exposure_instance_details

By default, custom tags will be returned.

custom_tags, dns_records, whois, ip_metadata, open_tcp_ports, open_udp_ports, web_technologies, certificates, certificate_chain, defenses, exposures, exposure_instance_details

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Asset Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 422.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Validation errors, see 'validation_errors'.

Error Sample Data

Get Asset Details failed.

Status Code: 422.

Message: Validation errors, see 'validation_errors'.

Get Current Issues

Retrieves current risk issues of the specified project.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project for which to retrieve risk issues. Project ID can be obtained using the List Projects command.

1218*****2376

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Current Issues failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Project ID Not Found.

Error Sample Data

Get Current Issues failed.

Status Code: 404.

Message: Project ID Not Found.

Get Exposure Assets

Retrieves a list of exposed assets within the specified project.

READER NOTE

Project ID and Signature ID are required parameters to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

  • Run the List Exposures command to obtain the Signature ID. Signature IDs can be found in the raw data at $.data[*].signature.id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project for which to retrieve exposed assets. Project ID can be obtained using the List Projects command.

2c34*****34e4

Signature ID

Required

The ID of the signature used to retrieve associated assets. Signature ID can be obtained using the List Exposures command.

spf-record-detect

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Exposure Assets failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Signature spf-record-detectt not found.

Error Sample Data

Get Exposure Assets failed.

Status Code: 404.

Message: Signature spf-record-detectt not found.

Get Issue History

Retrieves a risk issue's history based on the specified criteria.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Query is an optional parameter to run this command. Use it to perform partial searches against the description or name fields in the data returned by this command. These fields are accessible in the raw data at:

  • Description: $.data[*].add_rules[*].description

  • Name: $.data[*].add_rules[*].name

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the Project for which to retrieve risk issues. Project ID can be obtained using the List Projects command.

1218*****2376

Start Time

Optional

The timestamp to retrieve rule changes occurring after this time.

03/01/2023 12:00 AM

End Time

Optional

The timestamp to retrieve risk issue history up to this time.

03/02/2023 12:00 AM

Rule Action

Optional

Filters rule changes by the rule action. Available options are:

  • Added Rules

  • Removed Rules

By default, both added and removed rules are returned.

Added Rules

Classification

Optional

Filters rule changes by classification. Available options are:

  • High

  • High & Moderate

  • Moderate

  • Moderate & Informational

  • Informational

By default, all rule changes are returned regardless of their classification.

Informational

Query

Optional

Filters rule changes using a freetext search string applied to the name and description fields.

Hosts with Self-Signed SSL/TLS

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Issue History failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Project ID Not Found.

Error Sample Data

Get Issue History failed.

Status Code: 404.

Message: Project ID Not Found.

Get Tags

Retrieves all user-defined tags for the specified project.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project for which to retrieve tags. Project IDs can be obtained using the List Projects command.

27bf*****b57f

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unknown Project.

Error Sample Data

Get Tags failed.

Status Code: 404.

Message: Unknown Project.

List Asset Exposures

Retrieves a detailed list of exposures for an asset, including ports, signature details, and extracted data such as versions.

READER NOTE

Project ID and Asset ID are required parameters to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

  • Run the Find Assets command to obtain the Asset ID. Asset IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project containing the asset. Project IDs can be obtained using the List Projects command.

c797*****dc4f

Asset ID

Required

The ID of the asset used to retrieve the list of exposures. Asset IDs can be obtained using the Find Assets command.

foo.example.com

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Asset Exposures failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Asset not found: domain.com.

Error Sample Data

List Asset Exposures failed.

Status Code: 404.

Message: Asset not found: domain.com.

List Exposures

Retrieves exposures detected within the specified project.

READER NOTE

Project ID is a required parameter to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project for which to retrieve detected exposures. Project IDs can be obtained using the List Projects command.

2c34*****34e4

CVE

Optional

Filters assets or exposures associated with the specified CVE.

CVE-2024-6387

Severity

Optional

Filters assets with an exposure severity matching or exceeding the specified value. Acceptable values are:

  • Unknown

  • Informational

  • Moderate

  • Critical

Critical

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Exposures failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please check user credentials.

Error Sample Data

List Exposures failed.

Status Code: 401.

Message: Please check user credentials.

List Projects

Retrieves the list of projects accessible to the user.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Projects failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please check user credentials.

Error Sample Data

List Projects failed.

Status Code: 401.

Message: Please check user credentials.

Remove Tags From Asset

Removes specified tags from an asset. If a tag is not on the asset, the request will still be treated as successful.

READER NOTE

Project ID, Asset ID, and Tags are required parameters to run this command.

  • Run the List Project command to obtain the Project ID. Project IDs can be found in the raw data at $.data[*].id.

  • Run the Find Assets command to obtain the Asset ID. Asset IDs can be found in the raw data at $.data[*].id.

  • Run the Get Asset Details command to obtain the Tags. Tags can be found in the raw data at $.data.custom_tags.

It is recommended to first run the List Projects command to obtain the Project ID, then use the Project ID with the Find Assets command. Use the Asset ID with the Get Asset Details command to retrieve the associated tags, ensuring custom_tags is included in the Additional Fields parameter.

Input

Input Parameter

Required/Optional

Description

Example

Project ID

Required

The ID of the project containing the asset. Project IDs can be obtained using the List Projects command.

c797*****dc4f

Asset ID

Required

The ID of the asset from which tags will be removed. Asset IDs can be obtained using the Find Assets command.

foo.example.com

Tags

Required

The list of tags to remove from the asset. Tags can be obtained using the Get Asset Details command, ensuring that custom_tags is included in the values passed to the Additional Fields parameter.

JSON 
[
  "test"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Tags From Asset failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Asset not found: domain.com.

Error Sample Data

Remove Tags From Asset failed.

Status Code: 404.

Message: Asset not found: domain.com.

SQL Query

Runs a Structured Query Language (SQL) query against SecurityTrails data. For information on available properties and operators, refer to SQL Reference.

Input

Input Parameter

Required/Optional

Description

Example

Query

Required

The SQL query statement to execute. The query structure follows the format: SELECT attribute FROM table WHERE condition = "value". Queries can retrieve data from two tables:

  • hosts: Contains information about domains, hostnames, and related hostname details.

  • ips: Contains information about IP addresses, ASNs, and other IP-related details.

To avoid exceeding API plan limits, it is recommended to define specific conditions and values to narrow query results. For details on available properties and operators, refer to the SQL Reference.

SELECT domain.hostname, dns.a.value.ip,ip.geo.owner.country FROM hosts WHERE domain.apex = 'google.com' AND dns.a.value.ip neq Null AND ip.geo.owner.country_iso_code = 'CN'

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

SQL Query failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Query.

Error Sample Data

SQL Query failed.

Status Code: 403.

Message: Invalid Query.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Recorded Future-SecurityTrails portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please check user credentials.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Please check user credentials.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close