Recorded Future - IP - Command and Control Security Control Feed
Author: Recorded Future
Link to Recorded Future main readme
These playbooks use the Recorded Future API to automate ingestion of the Recorded Future IP Command and Control Security Control Feed into the ThreatIntelligenceIndicator table and to submit those indicators to Microsoft Defender ATP for prevention (block) actions. For additional information please visit Recorded Future.
Permissions and Roles
The following Azure roles and permissions are needed at various stages of installation. This install guide specifies at each step which permission is required.
- Security Administrator (AD role, not the RBAC role)
- Global Administrator
- Logic App Contributor
- Recorded Future Token
The RecordedFuture_IP_SCF_ImportToDefenderATP logic app uses the Microsoft Graph API; the required permission, ThreatIndicators.ReadWrite.OwnedBy, is described in Microsoft Graph Security Permissions.
Dependencies
These playbooks take a dependency on functionality such as Azure Logic Apps and Azure Monitor Logs. Some of these dependencies may be in Preview state or may result in additional ingestion or operational costs.
- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace
- https://learn.microsoft.com/en-us/azure/logic-apps/
How to use cost analysis to monitor your costs:
Adjust Cadence of pulling Risk Lists
You can adjust the cadence in the Recurrence block of the IndicatorProcessor logic app. If you do so, it is critical that you also adjust the expirationDateTime parameter in the final block of the same logic app so that it stays synchronized with the recurrence timing. Failure to do so can result in either:
- duplicate indicators, or
- having no active Recorded Future indicators the majority of the time.
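To make that warning concrete, the following is an added Python example (not code from the Recorded Future playbooks) that reads a simplified workflow definition, extracts the Recurrence trigger period and the expirationDateTime expression from the submission step, and reports whether the two are synchronized, leave a gap, or stack duplicates. The shape of the workflow JSON, the action name `Submit_indicators` and the 25% tolerance are assumptions for illustration; the expression forms such as `addHours(utcNow(), 24)` are standard Logic Apps workflow functions.

```python
import copy
import json
import re
from datetime import timedelta

# Constructed sample: a trimmed-down Logic App workflow holding only the two
# settings the README says must stay in sync. The layout and the action name
# "Submit_indicators" are assumptions, not a copy of the shipped playbook JSON.
SAMPLE_WORKFLOW = json.loads("""
{
  "definition": {
    "triggers": {
      "Recurrence": {"recurrence": {"frequency": "Day", "interval": 1}}
    },
    "actions": {
      "Submit_indicators": {
        "inputs": {"body": {"expirationDateTime": "@{addHours(utcNow(), 24)}"}}
      }
    }
  }
}
""")

# Recurrence trigger frequencies (Month is approximated as 30 days).
_FREQUENCY = {
    "Minute": timedelta(minutes=1), "Hour": timedelta(hours=1),
    "Day": timedelta(days=1), "Week": timedelta(weeks=1), "Month": timedelta(days=30),
}
# Workflow functions that offset utcNow(); the numeric argument is the lifetime.
_ADD_FUNCS = {"addSeconds": "seconds", "addMinutes": "minutes",
              "addHours": "hours", "addDays": "days"}
_EXPIRY_RE = re.compile(
    r"^@?\{?\s*(addSeconds|addMinutes|addHours|addDays)\(\s*utcNow\(\)\s*,\s*(-?\d+)\s*\)\s*\}?$")
# Assumed tolerance: up to 25% longer lifetime than the period counts as
# head-room for run duration rather than as overlap.
GRACE_RATIO = 1.25


def recurrence_interval(workflow):
    """Return the Recurrence trigger period as a timedelta."""
    rec = workflow["definition"]["triggers"]["Recurrence"]["recurrence"]
    return _FREQUENCY[rec["frequency"]] * int(rec["interval"])


def indicator_lifetime(expression):
    """Parse an expirationDateTime expression of the form addX(utcNow(), n)."""
    m = _EXPIRY_RE.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported expirationDateTime expression: {expression!r}")
    func, amount = m.groups()
    return timedelta(**{_ADD_FUNCS[func]: int(amount)})


def with_settings(workflow, frequency, interval, expiration_expr, action="Submit_indicators"):
    """Return a copy of the workflow with a new cadence and expiry expression."""
    wf = copy.deepcopy(workflow)
    wf["definition"]["triggers"]["Recurrence"]["recurrence"] = {"frequency": frequency, "interval": interval}
    wf["definition"]["actions"][action]["inputs"]["body"]["expirationDateTime"] = expiration_expr
    return wf


def check_cadence(workflow, action="Submit_indicators"):
    """Compare indicator lifetime with the trigger period.

    ratio < 1            -> "gap": indicators expire before the next run re-submits them
    1 <= ratio <= GRACE  -> "ok"
    ratio > GRACE        -> "overlap": each run re-submits still-active indicators (duplicates)
    """
    interval = recurrence_interval(workflow)
    expr = workflow["definition"]["actions"][action]["inputs"]["body"]["expirationDateTime"]
    lifetime = indicator_lifetime(expr)
    ratio = lifetime / interval
    if ratio < 1:
        verdict = "gap"
    elif ratio <= GRACE_RATIO:
        verdict = "ok"
    else:
        verdict = "overlap"
    return {
        "interval_hours": interval.total_seconds() / 3600,
        "lifetime_hours": lifetime.total_seconds() / 3600,
        "uncovered_fraction": max(0.0, 1 - ratio),  # share of each period with no live indicators
        "overlap_fraction": max(0.0, ratio - 1),    # lifetime beyond one period, re-submitted each run
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(check_cadence(SAMPLE_WORKFLOW))
    # Cadence shortened to every 12 hours while the 24 h expiry is left alone.
    print(check_cadence(with_settings(SAMPLE_WORKFLOW, "Hour", 12, "@{addHours(utcNow(), 24)}")))
    # Cadence kept daily but expiry cut to 12 hours.
    print(check_cadence(with_settings(SAMPLE_WORKFLOW, "Day", 1, "@{addHours(utcNow(), 12)}")))
```

Run the script against a copy of the exported workflow definition after changing the Recurrence block; a "gap" verdict means the feed will be absent for part of every period, an "overlap" verdict means each run re-submits indicators that have not yet expired.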
Installation order
Because of dependencies between the two Logic Apps, deploy the RecordedFuture_IP_SCF_ImportToDefenderATP playbook first, then the RecordedFuture_IP_SCF_IndicatorProcessor playbook.
Installation links
Links to deploy the RecordedFuture_IP_SCF_ImportToDefenderATP playbook template:
Links to deploy the RecordedFuture_IP_SCF_IndicatorProcessor playbook template: