Command Line Reference

banshee

PS Banshee is a command-line tool for fast, efficient access to Recorded Future Intelligence, built for security professionals and SOC teams.

Usage

banshee [OPTIONS] <COMMAND>

Commands

banshee ca

Search, lookup and update Recorded Future Classic Alerts

banshee entity

Search and lookup Recorded Future entities

banshee ioc

Search and lookup Indicators of Compromise (IOCs)

banshee list

Manage Recorded Future lists and Watch lists

banshee pba

Search, lookup and update Recorded Future Playbook Alerts

banshee pcap

Analyze packet capture (pcap) files by enriching them with Recorded Future Intelligence

banshee risklist

Manage Risk Lists

banshee rules

Search for and download detection rules

banshee ca

Search, lookup and update Recorded Future Classic Alerts

Usage

banshee ca [OPTIONS] COMMAND [ARGS]...

Commands

banshee ca lookup

Lookup a Classic Alert

banshee ca search

Search for Classic Alerts

banshee ca rules

Search for Classic Alert rules

banshee ca update

Update one or more Classic Alert

banshee ca lookup

Lookup a Classic Alert.

By default the command will print the results in JSON format.

Usage

banshee ca lookup [OPTIONS] ALERT_ID

Arguments

ALER_ID

Alert ID to lookup

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee ca search

Search for Classic Alerts.

By default the command will print the results in JSON format.

Usage

banshee ca search [OPTIONS]

Options

--triggered, -t triggered

Filter on triggered time, for example: 1d; 12h; [2024-08-01, 2024-08-14]; [2024-09-23 12:03:58.000, 2024-09-23 12:03:58.567)

Defaults to 1d

--rule rule-name

Filter by an alert rule name (freetext)

--status, -s alert-status

Filter by alert status

Possible values are: New, Pending, Dismissed, Resolved

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee ca rules

Search for Classic Alert rules.

By default the command will print the results in JSON format.

Usage

banshee ca rules [OPTIONS] [FREETEXT]

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee ca update

Update one or more Classic Alert

Usage

banshee ca update [OPTIONS] ALERT_IDS...

Arguments

ALERT_IDS

One or more whitespace separated Alert ID

Options

--status, -s alert-status

Update the alert(s) to this alert status

Possible values are: New, Pending, Dismissed, Resolved

--note, -n note

Note text for the alert.

The length limit for the note is 1000 characters

--append, -a

This flag will append the note text if the alert already has a note

--assignee, -a assignee

New user to assign the alert(s) to. Accepts uhash or email address of the user, for example: uhash:3aXZxdkM12, analyst@acme.com

--help, -h

Show help for this command

Example Usage

Provide one or more Alert IDs (whitespace separated) and specify the desired update options:

banshee ca update  -s Dismissed
banshee ca update  -s Dismissed -n "note text"
banshee ca update  -s Dismissed -n "note text" -a analyst@acme.com

Supplying Alert IDs

1. Directly as arguments (single or multiple):

banshee ca update ALERT_ID -s Resolved
banshee ca update ALERT_ID_1 ALERT_ID_2 -s Pending

2. From a file or standard input:

If you have a file (e.g., alerts.txt) with one Alert ID per line:

ALERT_ID_1
ALERT_ID_2
ALERT_ID_3

You can update all listed alerts using:

banshee ca update -s Dismissed < alerts.txt
cat alerts.txt | banshee ca update -s Dismissed

3. By piping from a search command:

Use tools like jq to extract Alert IDs from search results and pipe them into the update command:

banshee ca search | jq -r '.[].id' | banshee ca update -n "Investigation started"

Note Append

Classic Alerts support only a single note. By default, the update command will overwrite the existing note with the new one. If you wish to append a new note instead, use the --append (-A) option.

banshee entity

Search and lookup Recorded Future entities

Usage

banshee entity [OPTIONS] COMMAND [ARGS]...

Commands

banshee entity lookup

Lookup an entity by its ID

banshee entity search

Search entities by name and/or type

banshee entity lookup

Lookup an entity by its ID

By default the command will print the results in JSON format.

Usage

banshee entity lookup [OPTIONS] ENTITY_ID

Arguments

ENTITY_ID

Entity ID to lookup

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee entity search

Search for entities by name and/or type

By default the command will print results in JSON format.

Usage

banshee entity search [OPTIONS]

Options

--type, -t entity-type

Entity type to search for

Can be supplied multiple times for different entity types

Supported values are:

• ASNumber
• AWSAccessKey
• Aircraft
• Airport
• AnalystNote
• Anniversary
• AttackVector
• BankIdentificationNumber
• BitcoinAddress
• BusinessIdentifierCode
• Case
• Category
• City
• CodeIdentifier
• Commodity
• Company
• ContentType
• Continent
• Country
• Currency
• CurrencyPair
• CyberExploitTargetCategory
• CyberSecurityCategory
• CyberThreatActorCategory
• CyberVulnerability
• DEANumber
• Dataset
• DetectionRule
• Document
• EconomicIndicator
• EmailAddress
• Embassy
• Emoji
• EntertainmentAwardEvent
• Entity
• EntityAlias
• EntityList
• EntityRange
• EntityRelation
• ExternalIdentifier
• Facility
• FaxNumber
• Feature
• FileContent
• FileName
• FileNameExtension
• FileType
• GeoBoundingBox
• GeoEntity
• Hash
• HashAlgorithm
• Hashtag
• Holiday
• IRCNetwork
• Identifier
• Image
• IncidentImpactCategory
• Industry
• IndustryTerm
• IntegrationApplication
• IntegrationUser
• InternetDomainName
• IpAddress
• Keyword
• Language
• LinkReport
• Logotype
• MICR
• Malware
• MalwareCategory
• MalwareMutex
• MalwareSignature
• MarketIndex
• MedicalCondition
• MedicalTreatment
• MetaAttribute
• MetaType
• MilitaryBase
• MilitaryExercise
• MitreAttackIdentifier
• Movie
• MusicAlbum
• MusicGroup
• Nationality
• NaturalFeature
• Neighborhood
• NetworkPort
• NetworkProtocol
• NumericIdentifier
• OperatingSystem
• Operation
• OrgEntity
• Organization
• PaymentCardNumber
• Person
• PhoneNumber
• Port
• Position
• ProductIdentifier
• ProductModule
• ProductModuleAddon
• ProductVersion
• Product
• ProgrammingLanguage
• ProvinceOrState
• PublishedMedium
• RadioProgram
• RadioStation
• Region
• Religion
• ReportEntity
• ReportingEntity
• RiskContext
• RiskRule
• Sector
• SnortDetectionRule
• SocialSecurityNumber
• Source
• SourceMediaType
• SportsEvent
• SportsGame
• SportsLeague
• TVShow
• TVStation
• Task
• Technology
• TechnologyArea
• Thread
• Topic
• UPSTrackingNumber
• URL
• USPSTrackingNumber
• UUID
• UseCaseConfiguration
• UseCaseReport
• User
• UserEnterprise
• UserEntity
• UserGroup
• UserLabel
• UserModuleGroup
• UserModuleRoleGroup
• UserOrganization
• UserRole
• Username
• Vessel
• WebMoneyID
• WinRegKey
• YaraDetectionRule

--limit, -l limit

Limit the number of results

The maximum limit is 100

Defaults to 100

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee ioc

Search and lookup Indicators of Compromise (IOCs)

Usage

banshee ioc [OPTIONS] COMMAND [ARGS]...

Commands

banshee ioc lookup

Detailed enrichment for one or more IOCs with configurable verbosity

banshee ioc bulk-lookup

Fast bulk enrichment returning risk score and triggered rules — batches up to 1000 IOCs per API call

banshee ioc search

Search for IOCs

banshee ioc rules

Search for IOC rules

banshee ioc lookup

Detailed enrichment for one or more IOCs — one API call per indicator. Use --verbosity to control how many fields are returned, from basic risk score up to full intel including links, analyst notes, etc.. Use this when you need rich context.

By default the command will print the results in JSON format.

Usage

banshee ioc lookup [OPTIONS] ENTITY_TYPE IOC...

Arguments

ENTITY_TYPE

Entity type to lookup

Supported values: ip, domain, url, hash, vulnerability

IOC

One or more whitespace separated IOC to lookup

Options

--ai-insights, -a

Enable AI-generated insights from Recorded Future that summarize relevant risk rules and key references.

Note: Response times may be slightly longer due to AI processing.

--verbosity, -v verbosity-level

Controls the amount of data returned in the response (1-5). Higher verbosity levels include additional fields and details in the JSON output.

Note: Higher verbosity levels may result in slower response times due to increased data retrieval.

Defaults to 1

Available Fields by Verbosity Level

ip:

• 1: entity, risk, timestamps
• 2: entity, intelCard, location, risk, timestamps
• 3: analystNotes, entity, intelCard, links, location, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, intelCard, links, location, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, dnsPortCert, enterpriseLists, entity, intelCard, links, location, risk, riskMapping, scanner, sightings, threatLists, timestamps

domain:

• 1: entity, risk, timestamps
• 2: entity, intelCard, risk, timestamps
• 3: analystNotes, entity, intelCard, links, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps

url:

• 1: entity, risk, timestamps
• 2: entity, intelCard, risk, timestamps
• 3: analystNotes, entity, intelCard, links, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, timestamps
• 5: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, timestamps

hash:

• 1: entity, hashAlgorithm, risk, timestamps
• 2: entity, fileHashes, hashAlgorithm, intelCard, risk, timestamps
• 3: analystNotes, entity, fileHashes, hashAlgorithm, intelCard, links, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, fileHashes, hashAlgorithm, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, enterpriseLists, entity, fileHashes, hashAlgorithm, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps

vulnerability:

• 1: entity, lifecycleStage, risk, timestamps
• 2: entity, intelCard, lifecycleStage, risk, timestamps
• 3: analystNotes, entity, intelCard, lifecycleStage, links, risk, timestamps
• 4: analystNotes, cvss, cvssv3, cvssv4, enterpriseLists, entity, intelCard, lifecycleStage, links, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, cpe, cpe22uri, cvss, cvssv3, cvssv4, enterpriseLists, entity, intelCard, lifecycleStage, links, nvdDescription, nvdReferences, risk, riskMapping, sightings, threatLists, timestamps

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

Example Usage

banshee ioc lookup ip 139.224.189.177
banshee ioc lookup domain overafazg.org
banshee ioc lookup ip 8.140.135.23 -v 3
banshee ioc lookup ip 8.140.135.23,139.224.189.177 -p

Pipe a comma or newline separated list of IOCs to lookup:

cat test_ips.csv| banshee ioc lookup ip -p

banshee ioc bulk-lookup

Fast bulk enrichment for any number of IOCs of a single type. The command batches up to 1000 IOCs per API call and handles batching automatically, making it significantly faster than banshee ioc lookup for large volumes.

Returns a fixed set of fields per indicator: risk score and triggered risk rules. Use this for high-volume triage.

By default the command will print the results in JSON format.

Usage

banshee ioc bulk-lookup [OPTIONS] ENTITY_TYPE IOC...

Arguments

ENTITY_TYPE

Entity type to enrich

Supported values: ip, domain, url, hash, vulnerability

IOC

One or more whitespace separated IOCs to enrich. Also accepts input from stdin (see examples below).

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

Example Usage

banshee ioc bulk-lookup ip 92.38.178.133 203.0.113.17
banshee ioc bulk-lookup domain overafazg.org coolbeans.org -p
banshee ioc bulk-lookup hash e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877

File / Stdin Input

Pipe or redirect a newline-separated file of IOCs (one per line):

> cat cves.txt
CVE-2012-4792
CVE-2011-0611
CVE-2013-0422
CVE-2021-22204
CVE-2016-4557

banshee ioc bulk-lookup vulnerability < cves.txt
cat cves.txt | banshee ioc bulk-lookup vulnerability

Extract Names and Scores

Use jq to extract specific fields from the JSON output, for example:

banshee ioc bulk-lookup vulnerability CVE-2021-22204 CVE-2016-4557 | jq '[.[] | {ioc: .entity.name, risk_score: .risk.score}]'

banshee ioc search

Search for Classic Alerts.

By default the command will print the results in JSON format.

Usage

banshee ioc search [OPTIONS] ENTITY_TYPE

Arguments

ENTITY_TYPE

Entity type to lookup

Supported values: ip, domain, url, hash, vulnerability

Options

--limit, -l limit

Limit the number of results

The maximum limit is 1000

Defaults to 5

--risk-score, -r risk-score

Filter by risk score range, for example:

• --risk-score '[20,90]' → same as 20 <= riskScore <= 90
• --risk-score '(20,90)' → same as 20 < riskScore < 90
• --risk-score '[20,90)' → same as 20 <= riskScore < 90
• --risk-score '[20,)' → same as 20 <= riskScore
• --risk-score '[,90)' → same as riskScore < 90

Surround the risk score range with quotes to ensure correct parsing

--risk-rule, -R rule-name

Filter by risk rule name

For available options refer to this support article, specifically the Machine Name column in the risk rules tables, or use the banshee ioc rules command

--verbosity, -v verbosity-level

Controls the amount of data returned in the response (1-5). Higher verbosity levels include additional fields and details in the JSON output.

Note: Higher verbosity levels may result in slower response times due to increased data retrieval.

Defaults to 1

Available Fields by Verbosity Level

ip:

• 1: entity, risk, timestamps
• 2: entity, intelCard, location, risk, timestamps
• 3: analystNotes, entity, intelCard, links, location, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, intelCard, links, location, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, dnsPortCert, enterpriseLists, entity, intelCard, links, location, risk, riskMapping, scanner, sightings, threatLists, timestamps

domain:

• 1: entity, risk, timestamps
• 2: entity, intelCard, risk, timestamps
• 3: analystNotes, entity, intelCard, links, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps

url:

• 1: entity, risk, timestamps
• 2: entity, intelCard, risk, timestamps
• 3: analystNotes, entity, intelCard, links, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, timestamps
• 5: analystNotes, enterpriseLists, entity, intelCard, links, risk, riskMapping, sightings, timestamps

hash:

• 1: entity, hashAlgorithm, risk, timestamps
• 2: entity, fileHashes, hashAlgorithm, intelCard, risk, timestamps
• 3: analystNotes, entity, fileHashes, hashAlgorithm, intelCard, links, risk, timestamps
• 4: analystNotes, enterpriseLists, entity, fileHashes, hashAlgorithm, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, enterpriseLists, entity, fileHashes, hashAlgorithm, intelCard, links, risk, riskMapping, sightings, threatLists, timestamps

vulnerability:

• 1: entity, lifecycleStage, risk, timestamps
• 2: entity, intelCard, lifecycleStage, risk, timestamps
• 3: analystNotes, entity, intelCard, lifecycleStage, links, risk, timestamps
• 4: analystNotes, cvss, cvssv3, cvssv4, enterpriseLists, entity, intelCard, lifecycleStage, links, risk, riskMapping, sightings, threatLists, timestamps
• 5: analystNotes, cpe, cpe22uri, cvss, cvssv3, cvssv4, enterpriseLists, entity, intelCard, lifecycleStage, links, nvdDescription, nvdReferences, risk, riskMapping, sightings, threatLists, timestamps

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee ioc rules

Search for IOC rules for a given entity type.

By default the command will print the results in JSON format.

Usage

banshee ioc rules [OPTIONS] ENTITY_TYPE

Arguments

ENTITY_TYPE

Entity type of the IOC rules

Supported values: ip, domain, url, hash, vulnerability

Options

--freetext, -F freetext-rule-name

Filter by risk rule name using freetext search

--mitre-code, -M mitre-code

Filter by MITRE ATT&CK code

--criticality, -C criticality

Filter by criticality. Higher the value, higher the criticality

Accepted values are from 1 to 5

Criticality Levels (IP, Domain, URL, Hash)

• 4 – Very Malicious (Risk Score band: 90–99)
• 3 – Malicious (Risk Score band: 65–89)
• 2 – Suspicious (Risk Score band: 25–64)
• 1 – Unusual (Risk Score band: 5–24)
• 0 – No evidence of risk (Risk Score band: 0)

Criticality Levels (Vulnerability)

• 5 – Very Critical (Risk Score band: 90–99)
• 4 – Critical (Risk Score band: 80–89)
• 3 – High (Risk Score band: 65–79)
• 2 – Medium (Risk Score band: 25–64)
• 1 – Low (Risk Score band: 5–24)
• 0 – No evidence of risk (Risk Score band: 0)

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list

Manage Recorded Future lists and Watch lists

Usage

banshee list [OPTIONS] COMMAND [ARGS]...

banshee list create

Create a new list

banshee list info

Get basic information about a list

banshee list search

Search for lists

banshee list status

Get the status of a list

banshee list entities

Get the entities in a list

banshee list add

Add an entity to a list

banshee list bulk-add

Bulk add entities to a list

banshee list remove

Remove an entity from a list

banshee list bulk-remove

Bulk remove entities from a list

banshee list clear

Clear all entities from a list

banshee list entries

Get text entries from a list

banshee list create

Create a new list.

By default the command will print the results in JSON format.

Usage

banshee list create [OPTIONS] NAME [LIST_TYPE]

Arguments

NAME

List name to create

LIST_TYPE

List type to create

Supported types are:

• entity
• source
• text

Defaults to entity

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list info

Get information about a list, such as name, type, timestamps and owner details.

By default the command will print the results in JSON format.

Usage

banshee list info [OPTIONS] LIST_ID

Arguments

LIST_ID

List ID to get information about

List ID can be supplied with and without the 'report:' prefix

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list search

Search for lists

By default the command will print the results in JSON format.

Usage

banshee list search [OPTIONS] LIST_ID

Arguments

NAME

List name to search for

Not specifying a name will return all lists

Options

--list-type, -t list-type

Filter by list type

Supported types:

• entity
• source
• text
• custom
• ip
• domain
• tech_stack
• industry
• brand
• partner
• industry_peer
• location
• supplier
• vulnerability
• company
• hash
• operation
• attacker
• target
• method
• executive

--limit, -l limit

Limit the number of results

The maximum limit is 3 000

Defaults to 1 000

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list status

Get list status and number of entities.

By default the command will print the results in JSON format.

Usage

banshee list status [OPTIONS] LIST_ID

Arguments

LIST_ID

List ID to get the status of

List ID can be supplied with and without the 'report:' prefix

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list entities

Get entities on the list

By default the command will print the results in JSON format.

Usage

banshee list entities [OPTIONS] LIST_ID

Arguments

LIST_ID

List ID to fetch entities from

List ID can be supplied with and without the 'report:' prefix

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list entries

Get text entries on the list

By default the command will print the results in JSON format.

Usage

banshee list entries [OPTIONS] LIST_ID

Arguments

LIST_ID

List ID to fetch text entries from

List ID can be supplied with and without the 'report:' prefix

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee list clear

Fully clear the list and remove all entities. Please note this command will not clear text entries and is not supported.

Usage

banshee list clear [OPTIONS] LIST_ID

Arguments

LIST_ID

List ID to clear

List ID can be supplied with and without the 'report:' prefix

Options

--help, -h

Show help for this command

banshee list add

Add an entity to the list.

Usage

banshee list add [OPTIONS] LIST_ID ENTITY_ID [PROPERTIES]

Arguments

LIST_ID

List ID to add to

List ID can be supplied with and without the 'report:' prefix

ENTITY_ID

Entity ID or name with type to add to the list, for example:

• SoA6SP
• wannacry,malware
• www.duckdns.org,InternetDomainName

PROPERTIES

Optional properties to set on the entity

Properties can be supplied as key=value pairs, for example: type=malware,cool=beans,another=value

Options

--help, -h

Show help for this command

banshee list bulk-add

Add multiple entities to a list

Usage

banshee list bulk-add [OPTIONS] LIST_ID ENTITY_INPUT...

Arguments

LIST_ID

List ID to add to

List ID can be supplied with and without the 'report:' prefix

ENTITY_ID

One or more space/newline separated entities, for example:

• SoA6SP
• wannacry,malware
• www.duckdns.org,InternetDomainName

The command also accepts input from stdin. Assume 'entities.txt' is a newline separated file of entities, for example:

    $ cat entities.txt
    verifyaccount.otzo.com,InternetDomainName
    92.38.178.133,IpAddress
    https://constructorachg.cl/eFSLb6eV/j.html,URL
    CVE-2019-1215,CyberVulnerability
    e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877,Hash
    SoA6SP
    lYNvCK
    

Considering the above you could then run one of the following commands to bulk add the entities:

    $ banshee list bulk-add LIST_ID < entities.txt
    $ cat entities.txt | banshee list bulk-add LIST_ID
    

Options

--help, -h

Show help for this command

banshee list remove

Remove an entity from the list.

Usage

banshee list remove [OPTIONS] LIST_ID ENTITY_ID

Arguments

LIST_ID

List ID to remove from

List ID can be supplied with and without the 'report:' prefix

ENTITY_ID

Entity ID to remove from the list

Options

--help, -h

Show help for this command

banshee list bulk-remove

Remove multiple entities from a list

Usage

banshee list bulk-remove [OPTIONS] LIST_ID ENTITY_INPUT...

Arguments

LIST_ID

List ID to remove from

List ID can be supplied with and without the 'report:' prefix

ENTITY_ID

One or more space/newline separated entities, for example:

• SoA6SP
• wannacry,malware
• www.duckdns.org,InternetDomainName

The command also accepts input from stdin. Assume 'entities.txt' is a newline separated file of entities, for example:

    $ cat entities.txt
    verifyaccount.otzo.com,InternetDomainName
    92.38.178.133,IpAddress
    https://constructorachg.cl/eFSLb6eV/j.html,URL
    CVE-2019-1215,CyberVulnerability
    e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877,Hash
    SoA6SP
    lYNvCK
    

Considering the above you could then run one of the following commands to bulk remove the entities:

    $ banshee list bulk-remove LIST_ID < entities.txt
    $ cat entities.txt | banshee list bulk-remove LIST_ID
    

Options

--help, -h

Show help for this command

banshee pba

Search, lookup and update Recorded Future Playbook Alerts

Usage

banshee pba [OPTIONS] COMMAND [ARGS]...

Commands

banshee pba lookup

Lookup a Playook Alert

banshee pba search

Search for Playook Alerts

banshee pba update

Update one or more Playook Alert

banshee pba lookup

Lookup a Playook Alert.

By default the command will print the results in JSON format.

Usage

banshee pba lookup [OPTIONS] ALERT_ID

Arguments

ALERT_ID

Alert ID to lookup

Alert ID can be supplied with and without the 'task:' prefix

Options

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee pba search

Search for Playook Alerts.

By default the command will print the results in JSON format.

Usage

banshee pba search [OPTIONS]

Options

--created, -C created-from

Filter on the created from time, for example: 1d; 12h

--updated, -u updated-from

Filter on the updated from time, for example: 1d; 12h

--category, -c category

Filter by alert category

Supported categories:

• domain_abuse
• cyber_vulnerability
• third_party_risk
• code_repo_leakage
• identity_novel_exposures
• geopolitics_facility

--priority, -P priority

Filter by alert priority

Possible values are: Informational, Moderate, High

Defaults to all categories

--status, -s alert-status

Filter by alert status

Possible values are: New, InProgress, Dismissed, Resolved

Defaults to all categories

--entity, -e entity

Filter alerts by associated entity, for example: idn:recordedfuture.com

--limit, -l limit

Limit the number of results

The maximum limit is 10 000

Defaults to 50

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee pba update

Update one or more Playook Alert

Usage

banshee pba update [OPTIONS] ALERT_IDS...

Arguments

ALERT_IDS

One or more whitespace separated Alert ID

Alert ID can be supplied with and without the 'task:' prefix

Options

--status, -s alert-status

Update the alert(s) to this alert status

Possible values are: New, InProgress, Dismissed, Resolved

--repopen, -r reopen

Reopen strategies can only be applied to alerts with a status of Dismissed or Resolved. The following combinations of status/reopen are allowed: Dismissed -> Never; Resolved -> Never; Resolved -> SignificantUpdates

Supported values are: Never, SignificantUpdates

--priority, -P priority

Set a new alert priority

Possible values are: Informational, Moderate, High

--comment, -t comment

Comment to add to the alert(s), for example: "Bulk resolved via banshee"

--assignee, -a assignee

New user to assign the alert(s) to. Accepts uhash of the user, for example: uhash:3aXZxdkM12

--help, -h

Show help for this command

Example Usage

Provide one or more alert IDs (whitespace separated) and specify the desired update options:

banshee pba update ALERT_ID -s Dismissed
banshee pba update ALERT_ID -s InProgress -p High -t "Escalated due to new findings"
banshee pba update ALERT_ID_1 ALERT_ID_2 -s Resolved -a uhash:3aXZxdkM12

Supplying Alert IDs

1. Directly as arguments (single or multiple):

banshee pba update ALERT_ID -s Resolved
banshee pba update ALERT_ID -s Resolved
banshee pba update ALERT_ID_1 ALERT_ID_2 -s Resolved

2. From a file or standard input:

If you have a file (e.g., alerts.txt) with one alert ID per line:

ALERT_ID_1
ALERT_ID_2
ALERT_ID_3

You can update all listed alerts using:

banshee pba update -s Dismissed < alerts.txt
cat alerts.txt | banshee pba update -s Dismissed

3. By piping from a search command:

Use tools like jq to extract alert IDs from search results and pipe them into the update command:

banshee pba search | jq -r '.data[].playbook_alert_id' | banshee pba update -p High -t "Investigation started"

Additional Usage Examples

banshee pba search -c domain_abuse -P Informational | jq -r '.data[].playbook_alert_id' | banshee pba update -s Resolved
banshee pba update ALERT_ID -s Resolved -r Never
banshee pba update ALERT_ID_1 ALERT_ID_2 -s InProgress -p Informational -t "Bumping priority down due to recent findings."
banshee pba update ALERT_ID -a

banshee pcap

Enrich packet captures (pcap) with Recorded Future intelligence.

Usage

banshee pcap [OPTIONS] COMMAND [ARGS]...

Commands

banshee pcap enrich

Enrich a packet capture (pcap) file with Recorded Future intelligence

banshee pcap enrich

This command parses the pcap file to extract network indicators like IP addresses and domains, then enriches them with threat intelligence data. By default, results are filtered to show only indicators that meet your risk score threshold. Use --threat-hunt to also include indicators linked to threat actors, even if they fall below the risk score threshold.
Please note that lowering the risk score threshold and/or enabling threat hunting may significantly increase both the number of results and processing time.

By default the command will print the results in JSON format.

JSON Output

Each result object in the JSON array contains the following fields:

Field	Description
ioc	The network indicator extracted from the pcap — either an IP address or a domain name
risk_score	Recorded Future risk score
most_malicious_rule	The name of the highest-severity risk rule that contributed to the risk score
rule_evidence	Array of individual risk rule evidence details, sorted highest severity first
ta_names	List of threat actor names associated with this IOC. Empty if none known
malwares	List of malware family names linked to this IOC. Empty if none known
wireshark_query	Ready-to-paste Wireshark display filter to isolate this IOC's traffic

Each object in the rule_evidence array contains:

Field	Description
count	Number of sources that contributed references to this risk rule
description	Human-readable summary of the evidence
level	Severity level of this rule — higher integers mean more severe
mitigation	Describes white lists that the IOC may appear on which reduces (or mitigates) the associated risk
rule	Name of the specific Recorded Future risk rule that fired
sightings	Number of individual sightings recorded
timestamp	ISO 8601 timestamp of the most recent sighting for this rule
type	Type identifier

Usage

banshee pcap enrich [OPTIONS] FILE_PATH

Arguments

FILE_PATH

Path to the pcap file to enrich

Options

--risk-score, -r risk-score

Filter results to show only indicators with risk score (1 - 99) above this threshold

Defaults to 65

--threat-hunt, -t

Include indicators linked to threat actors regardless of risk score threshold (retrospective threat hunting)

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

banshee risklist

Manage Risk Lists.

Usage

banshee risklist [OPTIONS] COMMAND [ARGS]...

Commands

banshee risklist create

Build a custom risk list by combining one or more risk rules

banshee risklist fetch

Download a risk list

banshee risklist stat

Show risk list metadata (etag and timestamp)

banshee risklist create

Build a custom risk list by combining one or more Recorded Future risk rules into a single deduplicated file.

Entries are fetched for each --risk-rule, merged by IOC (first occurrence wins), and optionally filtered down to a minimum --risk-score. The output is sorted by risk score descending and written in your chosen format — ready to feed into a firewall, SIEM, or other integration.

Output is written to a local file by default. Use --fusion with --output-path to upload the result directly to Recorded Future Fusion without writing a local copy.

Usage

banshee risklist create [OPTIONS]

Options

--entity-type, -e entity-type

Entity type for the risk list. Valid values: ip, domain, url, hash, vulnerability
Required

--risk-rule, -R risk-rule

Risk rule to include. Use default, large, or any rule name from banshee ioc rules. Repeatable — specify multiple times to merge rules into a single output.
Required (at least one)

--risk-score, -r risk-score

Minimum risk score threshold (5–99). Entries with a risk score below this value are excluded from the output

--format, -f format

Output format. Defaults to csv

• csv — Comma-separated with headers: Name, Risk, RiskString, EvidenceDetails. Hash entity type includes an additional Algorithm column: Name, Algorithm, Risk, RiskString, EvidenceDetails
• edl — Plain list of IOC values, one per line (suitable for firewall EDL feeds). Written with a .txt extension
• json — JSON array of full risk list entries

--output-path, -o output-path

Output file path. Accepts a file path or a directory (filename is auto-generated as custom_risklist_{entity_type}.{ext}). Defaults to the current directory with an auto-generated filename.
Required when using --fusion

--fusion, -F

Upload the result directly to Recorded Future Fusion using --output-path as the destination path. No local file is written when this flag is set

--help, -h

Show help for this command

Usage Examples

Build a CSV risk list for IPs from the default rule, filtered to risk score 70+

banshee risklist create -e ip -R default -r 70 -o ip_risklist_70.csv

Merge two domain rules into a single deduplicated CSV, filtered to risk score 80+

banshee risklist create -e domain -R analystNote -R recentPhishing -r 80

Merge two IP rules and output as an EDL (plain IOC list)

banshee risklist create -e ip -R recentActiveCnc -R recentValidatedCnc -f edl

Build a JSON risk list for hashes from two rules and output to a specific local file path

banshee risklist create -e hash -R default -f json -o /tmp/hash_risklist.json

Build a risk list and upload directly to Recorded Future Fusion

banshee risklist create -e ip -R recentValidatedCnc -F -o /home/risklists/ip_cnc_risklist.csv

banshee risklist fetch

Download a risk list for a specific entity type and list name, or use a custom risk list file.

Risk lists can be downloaded from Recorded Future by specifying an entity type (--entity-type) and list name (--list-name). Available list names include default, large, or any rule name from banshee ioc rules. For more information about Recorded Future Risk Rules, see the Risk Scoring in Recorded Future support article.

Alternatively, you can provide a path to a custom risk list file using --custom-list-path.

Usage

banshee risklist fetch [OPTIONS]

Options

--entity-type, -e entity-type

Entity type for the risk list. Valid values: ip, domain, url, hash, vulnerability
Required when using --list-name

--list-name, -l list-name

Risk list name: default, large, or rule name from banshee ioc rules
Required when using --entity-type

--custom-list-path, -c custom-list-path

Path to custom risk list file. Cannot be used with --entity-type or --list-name

--output-path, -o output-path

Output file path. Defaults to current directory with auto-generated filename

--as-json, -j

Convert risk list to JSON format. Can only be used with --list-name and --entity-type

--help, -h

Show help for this command

Usage Examples

# Download the default risk list for IP addresses
banshee risklist fetch -e ip -l default

# Download the large risk list for domains as JSON
banshee risklist fetch -e domain -l large -j

# Download a risk list for hashes that are involved in an Insikt Group Note
banshee risklist fetch -e hash -l analystNote

# Download a custom risk list file
banshee risklist fetch -c /path/to/custom_risklist.csv

# Download the default risklist for URLs and save to a specific output path
banshee risklist fetch -e url -l default -o /tmp/rf_default_url_risklist.csv

banshee risklist stat

Show risk list metadata including etag and timestamp information.

This command retrieves metadata for a risk list without downloading the full list content. It can be used to check when a risk list was last updated.

Usage

banshee risklist stat [OPTIONS]

Options

--entity-type, -e entity-type

Entity type for the risk list. Valid values: ip, domain, url, hash, vulnerability
Required when using --list-name

--list-name, -l list-name

Risk list name: default, large, or rule name from banshee ioc rules
Required when using --entity-type

--custom-list-path, -c custom-list-path

Path to custom risk list file. Cannot be used with --entity-type or --list-name

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

Usage Examples

# Check metadata for the default IP risk list
banshee risklist stat -e ip -l default

# Check metadata with pretty formatting
banshee risklist stat -e domain -l large -p

# Check metadata for a custom risk list file
banshee risklist stat -c /path/to/custom_risklist.txt

banshee rules

Search for and download detection rules.

Usage

banshee rules [OPTIONS] COMMAND [ARGS]...

Commands

banshee rules search

Search for detection rules based on filter options

banshee rules search

Search for detection rules based on the provided filter options. Results can be displayed in the console or saved to disk as individual rule files.

Detection rules can be filtered by type (YARA, Snort, Sigma), associated entities (threat actors, malware, MITRE ATT&CK techniques), creation/update dates, and more. Use --threat-actor-map or --threat-malware-map to automatically filter rules based on entities in your Threat Map.

To avoid overwhelming output, results are limited to 10 by default. Use the --limit option to retrieve up to 1000 rules.

By default the command will print the results in JSON format.

Usage

banshee rules search [OPTIONS]

Options

--type, -t type

Filter by rule type. Valid values: yara, snort, sigma
Multiple types can be specified and work as a logical OR (e.g., -t yara -t snort returns rules matching either type)

--threat-actor-map, -T

Filter rules by threat actors from your Threat Actor Map. When enabled, detection rules associated with actors in your Threat Actor Map will be returned

--threat-actor-category, -C category

Filter by threat actor categories from your Threat Actor Map. Multiple categories can be specified and work as a logical OR (e.g., -C nation_state_sponsored -C ransomware_and_extortion_groups)

--threat-malware-map, -M

Filter rules by malware from your Malware Threat Map. When enabled, detection rules associated with malware in your Malware Threat Map will be returned

--org-id, -O org-id

Specify the organization ID when fetching threat actors from a Threat Maps (requires --threat-actor-map or --threat-malware-map). Accepts values with or without the uhash: prefix. Useful for MSSP and multi-organization accounts

--entity, -e entity

Filter by Recorded Future entity IDs associated with detection rules. Multiple entities can be specified and work as a logical OR. Use banshee entity search to find entity IDs (e.g., lzQ5GL for IsaacWiper malware, mitre:T1486 for Data Encrypted for Impact)

--created-after, -a time

Filter detection rules created after the specified time. Accepts relative time (e.g., 1d, 3d, 7d) or absolute date (e.g., 2024-01-01)

--created-before, -b time

Filter detection rules created before the specified time. Accepts relative time (e.g., 1d, 3d, 7d) or absolute date (e.g., 2024-01-01)

--updated-after, -u time

Filter detection rules updated after the specified time. Accepts relative time (e.g., 1d, 3d, 7d) or absolute date (e.g., 2024-01-01)

--updated-before, -U time

Filter detection rules updated before the specified time. Accepts relative time (e.g., 1d, 3d, 7d) or absolute date (e.g., 2024-01-01)

--id, -i document-id

Filter by a specific Insikt Note document ID associated with detection rules (e.g., doc:lmRPGB)

--title, -n title

Free text search for detection rules by their associated Insikt Note titles

--limit, -l limit

Maximum number of detection rules to return

Defaults to 10

--output-path, -o output-path

Save the detection rules to the specified directory. Can be a relative or an absolute path. If not specified, results are printed to console

--pretty, -p

Pretty print the results in a human readable format

--help, -h

Show help for this command

Usage Examples

# Search for YARA rules created in the last 7 days
banshee rules search -t yara -a 7d

# Search for rules associated with threat actors in your Threat Map and pretty print results
# Since --limit defaults to 10, this will return the first 10 matching rules
banshee rules search -Tp

# Combine threat actor and malware maps 
banshee rules search -TMp

# Search for rules by specific entity IDs (e.g., IsaacWiper malware)
banshee rules search -e lzQ5GL -p

# Search for Snort and Sigma rules updated in the last 3 days, save to directory
banshee rules search -t snort -t sigma -u 3d -o ./detection_rules

# Search by Insikt Note title
banshee rules search --title "APT28" -p