Azure-Sentinel/Playbooks/RecordedFuture-Block-IPs-an...

Directory contents (last commit: dicolanl, "Updating Deploy buttons and links part 1", 2021-06-16):
- RecordedFuture-ImportToDefenderEndpoint.json (Add files via upload, 2021-05-18)
- RecordedFuture-TIforDefenderEndpoint.json (Add files via upload, 2021-05-18)
- readme.md (Updating Deploy buttons and links part 1, 2021-06-16)

readme.md

Block IPs and Domains on Microsoft Defender for Endpoint with RecordedFuture

author: Glenn Wong, Recorded Future

Overview

This playbook delivers active C&C Server IPs and recently weaponized domains to your Microsoft Defender for Endpoint for blocking and alerting. These indicators come from a broad collection of sources (e.g., open source, dark web, technical sources, Insikt Group research), analyzed by Recorded Future's proprietary security graph, and delivered daily to Microsoft Defender via two interdependent Microsoft Azure Logic App playbooks. For more information, see Recorded Future's webpage about the Microsoft Defender for Endpoint integration.

Dependencies

These playbooks use the ThreatIntelligenceIndicator table in Microsoft Graph Security. A successful deployment therefore requires both Microsoft Graph Security and Azure Sentinel, so that the ThreatIntelligenceIndicator table is enabled. In addition, this playbook uses a managed identity to access the API; you will need to grant the playbook's identity the Security Reader role on the subscriptions or management group it should cover.

Installation order

Due to internal Microsoft Logic Apps dependencies, you must deploy the first playbook, RecordedFuture-ImportToDefenderEndpoint, before the larger-scope playbook, RecordedFuture-TIforDefenderEndpoint.
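Once both playbooks are deployed, the dependency described above can be checked from the Azure Sentinel Logs blade. The following KQL query is an added example, not code from the Recorded Future playbooks or from this repository; it assumes that Recorded Future indicators can be recognised by the text "Recorded Future" in the Description column (the source label the playbooks actually write is not documented on this page, so adjust that filter to match your workspace). It reports how many active, unexpired IP and domain indicators were written during the last two days, which is the data Defender for Endpoint will receive for blocking.

```kusto
// Added verification query, not part of the Recorded Future playbooks.
// Assumption: Recorded Future indicators are identifiable by "Recorded Future"
// in the Description column; change the filter if your indicators are labelled differently.
let lookback = 2d;                      // the playbooks run daily; allow for one missed run
ThreatIntelligenceIndicator
| where TimeGenerated > ago(lookback)
| where Description has "Recorded Future"   // assumption, see comment above
| where Active == true                      // inactive indicators are not pushed for blocking
| where ExpirationDateTime > now()          // expired indicators should no longer be enforced
| extend IndicatorType = case(isnotempty(NetworkIP), "ip",
                              isnotempty(DomainName), "domain",
                              "other")
| summarize Indicators    = dcount(IndicatorId),
            LatestWrite   = max(TimeGenerated),
            MinConfidence = min(ConfidenceScore)
          by IndicatorType
| order by IndicatorType asc
```

An empty result after the daily run means the import playbook is not writing to the table; the first things to check are the Microsoft Graph Security connection and the Security Reader role assignment listed under Dependencies. A LatestWrite older than one day indicates the scheduled run is failing and the Logic App run history should be inspected.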

Links to deploy the RecordedFuture-ImportToDefenderEndpoint playbook template:

Deploy to Azure
Deploy to Azure Gov

Links to deploy the RecordedFuture-TIforDefenderEndpoint playbook template:

Deploy to Azure
Deploy to Azure Gov