Recorded Future Intelligence Cloud features are only available to clients running Recorded Future for MS Sentinel v2.2+
Recorded Future for MS Sentinel has been updated to display historical correlations during IOC enrichment, so clients can see whether an IOC has been detected in their environment before. If a prior detection exists, the 'Infrastructure Detections' table is populated with the timestamp of the correlation, the integration in which the correlation was seen (relevant when the client runs multiple Recorded Future integrations), and the Azure instance_id. This gives analysts historical context for an IOC in their own environment instead of starting an investigation from scratch, and it brings correlations from multiple integrations together in a single view. These historical data points can be used to prioritize SIEM alerts and speed up investigations without pivoting between platforms to check correlation history. To enable this feature, set up the Recorded Future enrichment playbook inside Sentinel; setup instructions are in the Recorded Future for Sentinel Git repo.
Setup Collective Insights in MS Sentinel
MS Sentinel is one of the premier Recorded Future integrations with native support for Collective Insights. To enable this feature, set up the Recorded Future enrichment playbook inside Sentinel; setup instructions are in the Recorded Future for Sentinel Git repo. Once the enrichment playbook is set up, any incident that is created and enriched with Recorded Future data is included in Collective Insights. The data points sent to Collective Insights from Sentinel are:
- IOC Type
- IOC Value
- Incident ID Number
- Incident ID Category
Please note that Collective Insights is turned on by default in the MS Sentinel enrichment playbook. Because the data points above leave your tenant, review this default against your data-handling requirements before deploying the playbook. You can opt out of Collective Insights and still use the enrichment playbook by setting the playbook parameter 'Intelligence Cloud' to 'false'.
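A playbook whose 'Intelligence Cloud' parameter was never overridden silently keeps the default (on), and a Bool parameter set to the string "false" instead of a real boolean is a misconfiguration rather than an opt-out. The script below is an added example, not Recorded Future's or Microsoft's code: it audits exported Logic App playbooks and reports the effective value of the opt-out parameter. It assumes the standard Microsoft.Logic/workflows layout (definition defaults under properties.definition.parameters, deployment overrides under properties.parameters, and the same keys at top level when the Azure CLI flattens the resource); the parameter key is assumed to match the display name 'Intelligence Cloud' given on this page, so confirm it against the deployed playbook. The sample workflows are constructed inline.

```python
"""Audit the Collective Insights opt-out across exported Logic App playbooks.

Added example, not Recorded Future's code. Assumptions are labelled inline.
"""
import json
from typing import Any, Dict, List, Tuple

# Assumed parameter key: the page only gives the display name 'Intelligence Cloud'.
PARAM_NAME = "Intelligence Cloud"

_MISSING = object()  # sentinel: parameter not present at all


def load_exports(text: str) -> List[Dict[str, Any]]:
    """Accept the JSON from `az logic workflow show` (one object) or `az logic
    workflow list` (an array) or an ARM template resource export."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def resolve_parameter(workflow: Dict[str, Any], name: str = PARAM_NAME) -> Tuple[Any, str]:
    """Return (raw value, source) following Logic App precedence: a value under
    properties.parameters overrides the definition's defaultValue. Handles both
    the ARM shape (keys under 'properties') and the flattened CLI shape."""
    props = workflow.get("properties", workflow)
    override = (props.get("parameters") or {}).get(name) or {}
    if "value" in override:
        return override["value"], "deployment override"
    default = ((props.get("definition") or {}).get("parameters") or {}).get(name) or {}
    if "defaultValue" in default:
        return default["defaultValue"], "definition default"
    return _MISSING, "parameter absent"


def verdict(workflow: Dict[str, Any], name: str = PARAM_NAME) -> str:
    """Classify one playbook. Sharing is only off when the effective value is the
    boolean False; anything else needs attention."""
    value, source = resolve_parameter(workflow, name)
    if value is _MISSING:
        return f"UNKNOWN: {source}; older playbook or renamed parameter, inspect manually"
    if value is False:
        return f"opted out ({source})"
    if value is True:
        return f"SHARING ON ({source})"
    # A Bool parameter holding a string such as "false" is a misconfiguration:
    # do not rely on the runtime coercing it, set a real boolean instead.
    return f"MISCONFIGURED: non-boolean value {value!r} ({source})"


def audit(workflows: List[Dict[str, Any]], name: str = PARAM_NAME) -> Dict[str, str]:
    """Map playbook name -> verdict for a list of exported workflows."""
    return {wf.get("name", "<unnamed>"): verdict(wf, name) for wf in workflows}


def _playbook(name: str, default: Any = _MISSING, override: Any = _MISSING) -> Dict[str, Any]:
    """Build a minimal constructed Microsoft.Logic/workflows resource for the sample."""
    wf: Dict[str, Any] = {
        "name": name,
        "type": "Microsoft.Logic/workflows",
        "properties": {"definition": {"parameters": {}}, "parameters": {}},
    }
    if default is not _MISSING:
        wf["properties"]["definition"]["parameters"][PARAM_NAME] = {"type": "Bool", "defaultValue": default}
    if override is not _MISSING:
        wf["properties"]["parameters"][PARAM_NAME] = {"value": override}
    return wf


# Constructed sample export covering the four outcomes an auditor will meet.
SAMPLE_WORKFLOWS = [
    _playbook("RF-Enrichment-prod", default=True, override=False),     # opted out
    _playbook("RF-Enrichment-dev", default=True),                      # default still on
    _playbook("RF-Enrichment-staging", default=True, override="false"),  # string, not bool
    _playbook("RF-Legacy"),                                            # parameter absent
]

if __name__ == "__main__":
    for playbook, result in audit(load_exports(json.dumps(SAMPLE_WORKFLOWS))).items():
        print(f"{playbook:24} {result}")
```

Run it against `az logic workflow list -g <resource-group> -o json` output to see every playbook's effective setting in one pass; only "opted out" means no incident data is shared.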
Benefits of Collective Insights
Detections from clients' security tools are ingested into Collective Insights and paired with Recorded Future intelligence to connect the dots between disparate data points, helping analysts identify patterns and trends that can guide them toward more proactive responses.
To start bringing security events from MS Sentinel into Collective Insights, follow the instructions for setting up the Recorded Future Enrichment Playbook in the Recorded Future for MS Sentinel Git repo.
See 'Getting Started with Collective Insights' to learn more about the benefits of Collective Insights