Recorded Future - IP - Command and Control Security Control Feed

Author: Recorded Future
Link to Recorded Future main readme

These playbooks use the Recorded Future API to automate ingestion of the Recorded Future IP Command and Control Security Control Feed into the ThreatIntelligenceIndicator table, for prevention (block) actions in Microsoft Defender ATP. For additional information, please visit Recorded Future.

Permissions and Roles

The following Azure roles and permissions will be needed at various stages of installation. This install guide specifies at each step which permission is required.

Dependencies

These playbooks depend on functionality such as Azure Logic Apps and Azure Monitor Logs. Some of these dependencies may be in Preview state or may result in additional ingestion or operational costs.

How to use cost analysis to monitor your costs:

Adjust Cadence of pulling Risk Lists

You can adjust the cadence in the Recurrence block of the IndicatorProcessor logic app. However, if you do so, it is critical that you also adjust the expirationDateTime parameter in the final block of the same logic app so that it stays synchronized with the recurrence timing. Failure to do so can result in either

  1. duplicate indicators or
  2. having no active Recorded Future indicators the majority of the time.
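The two failure modes follow directly from the timing: if indicators expire before the next run re-submits them there is a window with no active Recorded Future indicators, and if they outlive the next run the table carries duplicates. The following is an added example (not part of the Recorded Future playbooks) that checks a Logic App definition for exactly this mismatch. It assumes the trigger is a standard Logic Apps Recurrence trigger and that expirationDateTime is set with an expression of the form addHours(utcNow(), N) or addDays(utcNow(), N); the sample definition, the action name Submit_indicator and the https://example.invalid URI are constructed for the example, and the one-hour grace period is an assumed tolerance for run duration, not a value from the page.

```python
import json
import re
from datetime import timedelta

# Constructed sample Logic App definition (not the shipped playbook): a Recurrence
# trigger that fires every 12 hours, and an action whose expirationDateTime is set
# to one day ahead, so each batch of indicators outlives the next run by 12 hours.
SAMPLE_DEFINITION = json.loads("""
{
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Hour", "interval": 12 }
    }
  },
  "actions": {
    "Submit_indicator": {
      "type": "Http",
      "inputs": {
        "method": "POST",
        "uri": "https://example.invalid/indicators",
        "body": {
          "action": "Block",
          "expirationDateTime": "@{addDays(utcNow(), 1)}"
        }
      }
    }
  }
}
""")

# Logic Apps recurrence frequency names mapped to timedelta keyword arguments.
_UNIT = {"Second": "seconds", "Minute": "minutes", "Hour": "hours",
         "Day": "days", "Week": "weeks"}

# Matches the expiry expression, e.g. addHours(utcNow(), 24).
_EXPIRY_RE = re.compile(
    r"add(Seconds|Minutes|Hours|Days)\(\s*utcNow\(\)\s*,\s*(-?\d+)\s*\)")


def recurrence_interval(definition):
    """Return the period of the definition's Recurrence trigger as a timedelta."""
    for trig in definition.get("triggers", {}).values():
        if trig.get("type") == "Recurrence":
            rec = trig["recurrence"]
            return timedelta(**{_UNIT[rec["frequency"]]: int(rec.get("interval", 1))})
    raise ValueError("no Recurrence trigger found")


def _find_key(obj, key):
    """Yield every value stored under `key` anywhere in a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from _find_key(v, key)
    elif isinstance(obj, list):
        for v in obj:
            yield from _find_key(v, key)


def expiration_offset(definition):
    """Return how far ahead of utcNow() the expirationDateTime expression points."""
    for value in _find_key(definition, "expirationDateTime"):
        m = _EXPIRY_RE.search(str(value))
        if m:
            return timedelta(**{m.group(1).lower(): int(m.group(2))})
    raise ValueError("no expirationDateTime of the form addX(utcNow(), N) found")


def check_cadence(definition, grace=timedelta(hours=1)):
    """Classify the recurrence/expiration relationship.

    "gap":          indicators expire before the next run re-submits them
    "overlap":      indicators outlive the next run by more than `grace` (duplicates)
    "synchronized": expiration matches the cadence, allowing `grace` for run time
    """
    period = recurrence_interval(definition)
    expiry = expiration_offset(definition)
    if expiry < period:
        verdict = "gap"
    elif expiry > period + grace:
        verdict = "overlap"
    else:
        verdict = "synchronized"
    return {"verdict": verdict,
            "period_seconds": int(period.total_seconds()),
            "expiry_seconds": int(expiry.total_seconds())}


def verdict_for(frequency, interval, expiry_expr):
    """Convenience wrapper: build a minimal definition and return only the verdict."""
    definition = {
        "triggers": {"Recurrence": {"type": "Recurrence",
                                    "recurrence": {"frequency": frequency,
                                                   "interval": interval}}},
        "actions": {"Set": {"inputs": {"expirationDateTime": expiry_expr}}},
    }
    return check_cadence(definition)["verdict"]


if __name__ == "__main__":
    print(check_cadence(SAMPLE_DEFINITION))
```

Run it against an exported logic app definition (the `definition` object from the playbook's ARM template) before changing the Recurrence block; any verdict other than "synchronized" means the expirationDateTime expression needs to move with the cadence. The grace period exists because a run takes time to complete, so an expiration exactly equal to the period can still leave a short window with no indicators; raise it if your runs are slow.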

Installation order

Due to internal Microsoft Logic Apps dependencies, deploy the RecordedFuture_IP_SCF_ImportToDefenderATP playbook first, and only then the RecordedFuture_IP_SCF_IndicatorProcessor playbook.

Links to deploy the RecordedFuture_IP_SCF_ImportToDefenderATP playbook template:

Deploy to Azure
Deploy to Azure Gov

Links to deploy the RecordedFuture_IP_SCF_IndicatorProcessor playbook template:

Deploy to Azure
Deploy to Azure Gov