Recorded Future for Microsoft Sentinel

Overview

Recorded Future is the world’s largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

The Recorded Future Microsoft Sentinel Integration brings Recorded Future intelligence into Sentinel, both as threat intelligence indicators for detection and as enrichment context on incidents.

Benefits

  • Detect risky indicators of compromise (IOCs) in your environment.
  • Triage alerts faster with elite, real-time intelligence.
  • Respond quickly with transparency and context around internal telemetry data.
  • Maximize your investment in Microsoft Sentinel.

Use cases

The playbooks provided in the Recorded Future Solution support use cases for detection and incident response. Automating a complete use case requires installing the playbooks, creating analytic rules, and configuring automation rules.

Detection - Risk list

Each TIProcessor playbook pulls its configured risk list from Recorded Future and hands the contained indicators to the RecordedFuture-ImportToSentinel playbook, which writes them in batches to Sentinel’s ThreatIntelligenceIndicator table.

Analytic rules correlate the imported threat intelligence indicators with the logs ingested into Sentinel and create incidents for any matches found.
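The correlation step above, as an added example. This KQL is not one of the analytic rule templates shipped with the Recorded Future solution; it assumes that indicators written by RecordedFuture-ImportToSentinel carry the text "Recorded Future" in their Description field, and that outbound firewall connections are collected into CommonSecurityLog. Adjust the Description filter and the telemetry table to your environment.

```kql
// Added example, not one of the solution's analytic rule templates.
// Assumptions: imported indicators carry "Recorded Future" in Description,
// and outbound firewall connections land in CommonSecurityLog.
let dt_lookBack  = 1h;   // telemetry window scanned on each rule run
let ioc_lookBack = 14d;  // how far back to collect imported indicators
// Latest record per Recorded Future IP indicator that is still active.
// The import playbook writes batches repeatedly, so the same IndicatorId
// can appear many times; arg_max keeps only the newest copy.
let rf_ip_indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Description has "Recorded Future"                 // assumption: source label
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()     // expired risk-list entries must not alert
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP);
// Outbound connections to non-private destinations in the last hour.
let outbound =
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP) and not(ipv4_is_private(DestinationIP))
    | project CSL_TimeGenerated = TimeGenerated, DeviceVendor, DeviceProduct, DeviceName,
              DeviceAction, SourceIP, SourcePort, DestinationIP, DestinationPort;
// One row per matching connection, carrying the indicator context along.
rf_ip_indicators
| join kind=innerunique outbound on $left.TI_ipEntity == $right.DestinationIP
| project CSL_TimeGenerated, DeviceVendor, DeviceProduct, DeviceName, DeviceAction,
          SourceIP, SourcePort, DestinationIP, DestinationPort,
          IndicatorId, Description, ThreatType, ConfidenceScore, Tags, ExpirationDateTime
| order by CSL_TimeGenerated desc
```

Save this as a scheduled analytics rule that runs every hour with a one-hour lookback (matching dt_lookBack), and in the rule’s entity mapping map the IP entity to DestinationIP and the Host entity to DeviceName. The enrichment playbooks described under Response act only on entities that the rule has mapped, so a rule without entity mapping produces incidents that the automation rule cannot enrich.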

Response - Enrichment

Automation rules trigger on each new incident and run the enrichment playbooks, which add Recorded Future intelligence to the incident.

 

Playbooks

The following playbooks are provided by Recorded Future.

RecordedFuture-ImportToSentinel

Type: Detection | Included in Recorded Future Intelligence Solution: Yes

This playbook serves all the TIProcessor playbooks by batch-importing the threat intelligence indicators they collect into the ThreatIntelligenceIndicator table.

RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor

Type: Detection | Included in Recorded Future Intelligence Solution: Yes

This playbook uses the Recorded Future API to automate the ingestion of the Recorded Future Actively Communicating C&C Server IP risk list (requires Recorded Future login) into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit Recorded Future.

RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor

Type: Detection | Included in Recorded Future Intelligence Solution: Yes

This playbook uses the Recorded Future API to automate the ingestion of the Recorded Future C&C DNS Name Domain risk list (requires Recorded Future login) into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit Recorded Future.

RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor

Type: Detection | Included in Recorded Future Intelligence Solution: Yes

This playbook uses the Recorded Future API to automate the ingestion of the Recorded Future Recently Reported by Insikt Group URL risk list (requires Recorded Future login) into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit Recorded Future.

RecordedFuture-HASH-Obs_in_Underground-TIProcessor

Type: Detection | Included in Recorded Future Intelligence Solution: Yes

This playbook uses the Recorded Future API to automate the ingestion of the Recorded Future Observed in Underground Virus Testing Sites Hash risk list (requires Recorded Future login) into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit Recorded Future.

RecordedFuture-Ukraine-IndicatorProcessor

Type: Detection | Included in Recorded Future Intelligence Solution: Yes

This playbook uses the Recorded Future API to automate the ingestion of the Recorded Future Ukraine Threat List of Related IOCs (requires Recorded Future login) into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit Recorded Future.
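A check that the TIProcessor playbooks above actually landed their indicators, as an added example that is not part of the Recorded Future solution. It assumes each playbook labels its indicators with a Description that contains "Recorded Future" and names the risk list, so grouping by Description yields one row per risk list and indicator type.

```kql
// Added example, not part of the Recorded Future solution.
// Assumption: each TIProcessor playbook writes a Description containing
// "Recorded Future" plus the risk-list name, so Description identifies the list.
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(7d)
| where Description has "Recorded Future"
| summarize arg_max(TimeGenerated, *) by IndicatorId   // newest copy of each indicator
| extend IndicatorType = case(
      isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP), "IP",
      isnotempty(DomainName), "Domain",
      isnotempty(Url), "URL",
      isnotempty(FileHashValue), strcat("Hash:", FileHashType),
      "Other")
| summarize Indicators    = count(),
            ActiveNow     = countif(Active == true and ExpirationDateTime > now()),
            Expired       = countif(ExpirationDateTime <= now()),
            LastImport    = max(TimeGenerated),
            MinConfidence = min(ConfidenceScore),
            MaxConfidence = max(ConfidenceScore)
  by Description, IndicatorType
| extend HoursSinceImport = datetime_diff('hour', now(), LastImport)
| order by LastImport desc
```

A risk list whose HoursSinceImport keeps growing past the playbook’s recurrence interval, or whose ActiveNow is zero while Expired is large, means the analytic rules built on that list are silently matching nothing; check the run history of that TIProcessor playbook and of RecordedFuture-ImportToSentinel before assuming the environment is clean.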

RecordedFuture-Sandbox_Enrichment-Url

Type: Response | Included in Recorded Future Intelligence Solution: Yes

The Recorded Future Sandbox playbook enables security and IT teams to analyze and understand URLs. The sandbox provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation and leading to faster triage. Through this playbook, organizations can incorporate the malware analysis sandbox into automated workflows with applications. Incidents are enriched with the following Recorded Future context: Sandbox Analysis Score, Signatures and a link to the full Recorded Future Sandbox report. The sandbox enrichment is posted as a comment on the Microsoft Sentinel incident. For additional information please visit Recorded Future Sandbox.

Automatic enrichment works on known entities of type Url that are mapped to alerts via analytic rules, as described in Create custom analytics rules to detect threats. How to set up automatic enrichment is described in the next section.

RecordedFuture-Sandbox_Outlook_Attachment

Type: Response | Included in Recorded Future Intelligence Solution: No

This playbook is in preview and is not part of the Recorded Future Sentinel Solution. It is provided as an example of how to build sandbox playbooks.

The Recorded Future Sandbox playbook enables security and IT teams to analyze and understand Outlook attachments. The sandbox provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation and leading to faster triage. Through this playbook, organizations can incorporate the malware analysis sandbox into automated workflows with Outlook. Attachments are enriched with the following Recorded Future context: Sandbox Analysis Score, Signatures and a link to the full Recorded Future Sandbox report. The sandbox enrichment is sent as a reply to the originating mailbox and as a Microsoft Sentinel incident. For additional information about Recorded Future Sandbox please visit Recorded Future Sandbox.

Automatic enrichment works on known entities of type Url that are mapped to alerts via analytic rules, as described in Create custom analytics rules to detect threats. How to set up automatic enrichment is described in the next section.

RecordedFuture-Sandbox_StorageAccount

Type: Response | Included in Recorded Future Intelligence Solution: No

This playbook is in preview and is not part of the Recorded Future Sentinel Solution. It is provided as an example of how to build sandbox playbooks.

The Recorded Future Sandbox playbook enables security and IT teams to upload and detonate files from a storage account in the Recorded Future Sandbox. The sandbox provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation and leading to faster triage. Through this playbook, organizations can incorporate the malware analysis sandbox into automated workflows with storage accounts. Files are enriched with the following Recorded Future context: Sandbox Analysis Score, Signatures and a link to the full Recorded Future Sandbox report. The sandbox enrichment creates a Microsoft Sentinel incident. For additional information about Recorded Future Sandbox please visit Recorded Future Sandbox.

Automatic enrichment works on known entities of type Url that are mapped to alerts via analytic rules, as described in Create custom analytics rules to detect threats. How to set up automatic enrichment is described in the next section.

RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash

Type: Response

This playbook uses the Recorded Future API to automatically enrich the IP, Domain, Url and Hash indicators found in incidents. Incidents are enriched with the following Recorded Future context: Risk Score, Risk Rules, Research links, Technical links, Previous detections and a link to the Recorded Future Intelligence Card. The enrichment is posted as a comment on the Microsoft Sentinel incident. For additional information please visit Recorded Future.

Automatic enrichment works on known entity types (IP, Domain, Url or File Hash) that are mapped to alerts via analytic rules, as described in Create custom analytics rules to detect threats. How to set up automatic enrichment is described in the next section.

 

Collective Insights in Recorded Future for MS Sentinel

The Recorded Future Intelligence Cloud aggregates data related to Sigma Rules and other indicators, driving collective insights to better identify threats. Anonymized, unattributable data is collected for analytical purposes to identify trends and insights within the Intelligence Cloud. The RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash playbook gives end users the ability to contribute collective insights to the Intelligence Cloud. See the Recorded Future documentation to learn more (requires Recorded Future login).

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.