…
|
||
---|---|---|
.. | ||
RecordedFuture_IP_SCF_ImportToDefenderATP.json | ||
RecordedFuture_IP_SCF_IndicatorProcessor.json | ||
readme.md |
readme.md
Recorded Future - IP - Command and Control Security Control Feed
Author: Recorded Future
Link to Recorded Future main readme
These playbooks leverage the Recorded Future API to automate the ingestion of Recorded Future IP Command and Control - Security Control Feed, into the ThreatIntelligenceIndicator table, for prevention (block) actions in Microsoft Defender ATP. For additional information please visit Recorded Future.
Permissions and Roles
The following Azure roles and permissions will be needed at various stages of installation. This install guide will specify at each step which specific permission is required
-
Security Administrator (AD role, not the RBAC role)
-
Global Administrator
-
Logic app contributor
-
Recorded Future Token The RecordedFuture_IP_SCF_ImportToDefenderATP logic app uses Graph API and permissions ThreatIndicators.ReadWrite.OwnedBy are described in Microsoft Graph Security Permissions.
Dependencies
Playbooks takes a dependency on functionality like Azure Logic Apps, Azure Monitor Logs. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs.
- https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace
- https://learn.microsoft.com/en-us/azure/logic-apps/
How to use cost analysis to monitor your costs:
Adjust Cadence of pulling Risk Lists
You can adjust the cadence in the Recurrence block of the IndicatorProcessor logic apps. However, if you do so it is critical that you also adjust the expirationDateTime parameter in the final block of same logic app to be synchronized with the recurrence timing. Failure to do so can result in either
- duplicate indicators or
- having no active Recorded Future indicators the majority of the time.
Installation order
Due to internal Microsoft Logic Apps dependencies, please deploy first the RecordedFuture_IP_SCF_ImportToDefenderATP playbook before the RecordedFuture_IP_SCF_IndicatorProcessor one.
Installation links
Links to deploy the RecordedFuture_IP_SCF_ImportToDefenderATP playbook template:
Links to deploy the RecordedFuture_IP_SCF_IndicatorProcessor playbook template: