
Recorded Future ASI
External Attack Surface Management- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Recorded Future ASI Connector integrates with the Recorded Future Attack Surface Intelligence (ASI) platform to synchronize external attack surface data. It connects to the ASI API (SecurityTrails) to fetch domain assets, IP assets, exposures, and exposure definitions across projects.
Official documentation can be found at https://api.securitytrails.com.
Data retrieved from Recorded Future ASI
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Domain | Yes | Site |
| IP | Yes | Host |
| Exposure | Yes | Vulnerability |
| Exposure Definition | Yes | Vulnerability Definition |
Model relationships
For detailed steps on how to view the data retrieved from Recorded Future ASI in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Recorded Future ASI from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | Yes | https://api.securitytrails.com | Recorded Future ASI API URL |
| API Key | No | — | Recorded Future ASI API Key |
| Page Size | No | — | Number of records to fetch per API call. Default is 1000 |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
Authentication
The connector uses API key authentication. The API key is provided in the request header to authenticate and authorize access to the endpoints.
Endpoint
| Method | URL |
|---|---|
GET | https://api.securitytrails.com/v2/projects |
Request Headers
| Header | Value |
|---|---|
Content-Type | application/json |
apiKey | your-api-key |
Sample Response
The connectivity/authentication check lists the available projects:
{
"data": [
{
"id": "proj_a1b2c3d4",
"name": "Production Attack Surface"
}
],
"meta": {
"pagination": {
"page": 1,
"perPage": 1000,
"totalCount": 1
}
}
}
Response Fields
| Field | Description |
|---|---|
data[].id | Project identifier used in asset/exposure URLs |
data[].name | Project display name |
meta.pagination | Paging metadata for list responses |
Usage
The API key is sent on every request in the apiKey request header to authenticate and authorize access to project, asset, and exposure endpoints:
apiKey: <your-api-key>
Sync Behavior
The connector performs a full synchronization on every run. getLatestSyncToken returns no token, so each run retrieves the complete data set from the beginning — there is no incremental (delta) mode. A since timestamp derived from the previous run may be passed in, but it is not applied as a request filter; all projects, assets, and exposures are re-fetched each time.
Projects are enumerated first (GET /v2/projects), then assets and exposures are fetched per project in parallel (controlled by parallelismLevel) using cursor-based pagination. Assets are cached in a per-sync-transaction local key-value store and shared across the asset-derived models.
- Domain / IP — Full sync of project assets, filtered client-side by asset
type. - Exposure — Full sync; exposures are read from each asset's embedded
exposuresarray (no separate request). - Exposure Definition — Full sync of the per-project exposures endpoint (
GET /v2/projects/{projectId}/exposures).
How to obtain Recorded Future ASI credentials
Obtain the required credentials (url, apiKey) from your Recorded Future ASI administrator or the Recorded Future ASI admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Domain
| Source Field Name | SDM Attribute |
|---|---|
ASSET_CATEGORY_DOMAIN, AssetResource.type | CATEGORIES |
AssetResource.addedToProjectAt | SOURCE_CREATED_DATE |
AssetResource.customTags | TAGS |
AssetResource.defenses | DEFENSES |
AssetResource.discoveredAt | FIRST_SEEN |
AssetResource.id | UID |
AssetResource.id | ASSET_ID |
AssetResource.isStaticAsset | IS_STATIC_ASSET |
AssetResource.lastScannedAt | LAST_SCANNED |
AssetResource.name | NAME |
AssetResource.projectId | PROJECT_ID |
AssetResource.resolvedIps | RESOLVED_IPS |
AssetResource.scannedIps.ip | SCANNED_IPS |
AssetResource.scannedIps.openPorts | OPEN_PORTS |
AssetResource.type | ASSET_TYPE |
AssetResource.whois.expiresAt | TERMINATION_DATE |
AssetResource.whois.nameServers | NAME_SERVERS |
AssetResource.whois.registrar | REGISTRAR |
| — | LAST_CAPTURED |
IP
| Source Field Name | SDM Attribute |
|---|---|
ASSET_CATEGORY_HOST, AssetResource.type | CATEGORIES |
AssetResource.addedToProjectAt | SOURCE_CREATED_DATE |
AssetResource.customTags | TAGS |
AssetResource.defenses | DEFENSES |
AssetResource.discoveredAt | FIRST_SEEN |
AssetResource.id | UID |
AssetResource.id | ASSET_ID |
AssetResource.isStaticAsset | IS_STATIC_ASSET |
AssetResource.lastScannedAt | LAST_SCANNED |
AssetResource.name | NAME |
AssetResource.projectId | PROJECT_ID |
AssetResource.scannedIps.ip | SCANNED_IPS |
AssetResource.scannedIps.openPorts | OPEN_PORTS |
AssetResource.type | ASSET_TYPE |
AssetResource.whois.expiresAt | TERMINATION_DATE |
| — | LAST_CAPTURED |
Exposure
| Source Field Name | SDM Attribute |
|---|---|
AssetResource.addedToProjectAt | SOURCE_CREATED_DATE |
AssetResource.customTags | TAGS |
AssetResource.exposureScore | EXPOSURE_SCORE |
AssetResource.id | ASSET_ID |
AssetResource.id, AssetResource.projectId | TARGETS |
AssetResource.isStaticAsset | IS_STATIC_ASSET |
AssetResource.lastScannedAt | LAST_FOUND |
AssetResource.projectId | PROJECT_ID |
AssetResource.scannedIps.openPorts.port | PORTS |
AssetResource.scannedIps.openPorts.protocol | PROTOCOLS |
AssetResource.type | CATEGORIES |
ExposureResource.id | TYPE |
ExposureResource.instances.portNumber | EXPOSURE_INSTANCE_PORTS |
ExposureResource.severity | SOURCE_SEVERITY |
getFindingSeverityScore(severity) | SEVERITY_SCORE |
MD5(AssetResource.id, ExposureResource.id) | UID |
MD5(AssetResource.id, ExposureResource.id) | NAME |
normalizeFindingSeverity(severity) | SEVERITY |
StatusValues.ACTIVE | SOURCE_STATUS |
StatusValues.ACTIVE | PROVIDER_STATUS |
| — | LAST_CAPTURED |
Exposure Definition
| Source Field Name | SDM Attribute |
|---|---|
getCVSSMetrics(cvssMetrics) | CVSS_V3_AV |
getCVSSMetrics(cvssMetrics) | CVSS_V3_AC |
getCVSSMetrics(cvssMetrics) | CVSS_V3_PR |
getCVSSMetrics(cvssMetrics) | CVSS_V3_UI |
getCVSSMetrics(cvssMetrics) | CVSS_V3_CI |
getCVSSMetrics(cvssMetrics) | CVSS_V3_II |
getFindingSeverityScore(severity) | SEVERITY_SCORE |
normalizeFindingSeverity(Signature.severity) | SEVERITY |
Signature.addedAt | SOURCE_CREATED_DATE |
Signature.description | DESCRIPTION |
Signature.id | UID |
Signature.name | NAME |
Signature.references | REFERENCES |
Signature.remediationSteps.actions | RECOMMENDATION |
Signature.severity | SOURCE_SEVERITY |
Signature.vulnerabilities.cveId | CVE_IDS |
Signature.vulnerabilities.cveId | CVE_RECORDS |
Signature.vulnerabilities.cvssScore | CVSS_V3_BASE_SCORE |
Signature.vulnerabilities.cweIds | CWE_IDS |
| — | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Domain
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Domain on every run and applies no incremental date filter.
API
- Type: REST · Endpoint:
GET /v2/projects/{projectId}/assets - Default filters:
additional_fields=dns_records,whois,open_tcp_ports,open_udp_ports,defenses,exposure_instance_details,exposures. Assets are filtered client-side totype = domain. Projects are first enumerated viaGET /v2/projects.
IP
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of IP on every run and applies no incremental date filter.
API
- Type: REST · Endpoint:
GET /v2/projects/{projectId}/assets - Default filters:
additional_fields=dns_records,whois,open_tcp_ports,open_udp_ports,defenses,exposure_instance_details,exposures. Assets are filtered client-side totype = ip. Projects are first enumerated viaGET /v2/projects.
Exposure
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Exposure on every run and applies no incremental date filter.
API
- Type: REST · Endpoint:
GET /v2/projects/{projectId}/assets - Default filters:
additional_fields=dns_records,whois,open_tcp_ports,open_udp_ports,defenses,exposure_instance_details,exposures. Exposures are read from each asset's embeddedexposuresarray (no separate request). Projects are first enumerated viaGET /v2/projects.
Exposure Definition
Operation options
This object does not support any operation options.
Delta sync
Not supported. The connector performs a full sync of Exposure Definition on every run and applies no incremental date filter.
API
- Type: REST · Endpoint:
GET /v2/projects/{projectId}/exposures - Default filters: None. The exposure
signatureis read from each exposure definition record. Projects are first enumerated viaGET /v2/projects.
Changelog
The Recorded Future ASI connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.3 | Improvements - Attribute consolidation precedence — Custom attributes reported by this connector now consolidate at the standard precedence, so connector-sourced values take precedence over non-connector data channels (UI edits, manual imports) instead of ranking last. | N/A |
| 3.2.2 | New Features - Last captured timestamp — A new Last captured attribute is now reported on the Exposure and Exposure Definition models, recording when each record was most recently retrieved from Recorded Future. Bug Fixes - Misspelled "Is static asset" label — The asset attribute previously displayed as "Is staic asset" is now correctly labeled "Is static asset." Improvements Dependency Upgrades - Updated underlying platform and data-model libraries to current versions. | N/A |
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | Overview The Recorded Future ASI connector integrates with Recorded Future Attack Surface Intelligence to synchronize external attack-surface assets and their exposures. Category: External Attack Surface Management Models | N/A |