Block IPs and Domains on Microsoft Defender for Endpoint with RecordedFuture

Author: Recorded Future
Link to Recorded Future main readme

Overview

This playbook delivers active C&C server IPs and recent C&C DNS names to your Microsoft Defender for Endpoint for blocking and alerting. These indicators come from a broad collection of sources (e.g., open source, dark web, technical sources, Insikt Group research), are analyzed by Recorded Future's proprietary security graph, and are delivered daily to Microsoft Defender via two interdependent Microsoft Azure Logic App playbooks. For more information, see Recorded Future's webpage about the Microsoft Defender for Endpoint integration.

Permissions and Roles

The following Azure roles and permissions are needed at various stages of installation. This install guide specifies at each step which permission is required.

  • Security Administrator (AD role, not the RBAC role)

  • Global Administrator

  • Logic app contributor

  • Recorded Future Token

The RecordedFuture_IP_SCF_ImportToDefenderATP logic app uses the Microsoft Graph API; the required permission, ThreatIndicators.ReadWrite.OwnedBy, is described in Microsoft Graph Security Permissions.

Dependencies

These playbooks depend on functionality such as Azure Logic Apps and Azure Monitor Logs. Some of these dependencies may be in Preview state or may result in additional ingestion or operational costs.

How to use cost analysis to monitor your costs

Adjust Cadence of pulling Risk Lists

You can adjust the cadence in the Recurrence block of the IndicatorProcessor logic app. If you do so, it is critical that you also adjust the expirationDateTime parameter in the final block of the same logic app so that it stays synchronized with the recurrence timing. Failure to do so can result in either

  1. duplicate indicators or
  2. having no active Recorded Future indicators the majority of the time.
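To make the relationship between the two settings concrete, here is an added example (not part of the Recorded Future playbooks) that converts a Logic Apps Recurrence trigger block into hours and classifies an indicator TTL against it: a TTL shorter than the cadence leaves a window with no active indicators, while a TTL much longer than the cadence keeps the previous run's indicators alive when the next run submits the same data. The `frequency`/`interval` keys follow the Logic Apps Recurrence trigger schema; the two-hour grace period that covers run duration and the helper names are assumptions made for this example.

```python
"""Check that an indicator TTL is synchronized with a Logic Apps recurrence cadence."""
from datetime import datetime, timedelta, timezone

# Hours per Logic Apps Recurrence "frequency" value. Only the units a daily or
# weekly indicator feed would realistically use are handled here.
_HOURS_PER_UNIT = {"Hour": 1, "Day": 24, "Week": 168}


def recurrence_hours(recurrence: dict) -> float:
    """Return the cadence in hours for a Recurrence block such as
    {"frequency": "Day", "interval": 1}. "interval" defaults to 1 as in Logic Apps."""
    freq = recurrence["frequency"]
    if freq not in _HOURS_PER_UNIT:
        raise ValueError(f"unsupported frequency for this check: {freq}")
    return recurrence.get("interval", 1) * _HOURS_PER_UNIT[freq]


def check_cadence(recurrence: dict, ttl_hours: float, grace_hours: float = 2.0) -> str:
    """Classify a TTL against the cadence.

    'gap'        -> indicators expire before the next run repopulates them
    'duplicates' -> previous run's indicators are still active when the next run submits
    'ok'         -> TTL covers one cadence plus the grace period (assumed 2h) and no more
    """
    cadence = recurrence_hours(recurrence)
    if ttl_hours < cadence:
        return "gap"
    if ttl_hours > cadence + grace_hours:
        return "duplicates"
    return "ok"


def expiration_for(run_time: datetime, recurrence: dict, grace_hours: float = 2.0) -> str:
    """Return an ISO-8601 expirationDateTime one cadence plus the grace period after run_time,
    i.e. the value that check_cadence() would classify as 'ok' for this recurrence."""
    ttl = timedelta(hours=recurrence_hours(recurrence) + grace_hours)
    return (run_time.astimezone(timezone.utc) + ttl).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    daily = {"frequency": "Day", "interval": 1}          # constructed sample recurrence
    run = datetime(2024, 3, 19, 12, 0, tzinfo=timezone.utc)  # constructed sample run time
    for ttl in (6, 26, 72):
        print(f"daily cadence, TTL {ttl}h -> {check_cadence(daily, ttl)}")
    print("synchronized expirationDateTime:", expiration_for(run, daily))
```

Run it once with the cadence you intend to configure; only a TTL that the check reports as `ok` keeps the Defender indicator set continuously populated without stacking copies from consecutive runs.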

Installation order

Due to internal Microsoft Logic Apps dependencies, you must deploy the first playbook, RecordedFuture_ImportToDefenderEndpoint, before the larger-scope playbook, RecordedFuture-TIforDefenderEndpoint.

Links to deploy the RecordedFuture-ImportToDefenderEndpoint playbook template:

Deploy to Azure Deploy to Azure Gov

Links to deploy the RecordedFuture-TIforDefenderEndpoint playbook template:

Deploy to Azure Deploy to Azure Gov