Introduction
This integration with Microsoft Defender for Endpoint has two components: Block IPs and Domains on Microsoft Defender for Endpoint with Recorded Future, and Command and Control Security Control Feed. Each component is installed as a pair of Microsoft Sentinel playbook (Logic App) templates, listed under Installation below.
Prerequisites
- Recorded Future API token (specifically, a Recorded Future for Microsoft Sentinel API token)
- The following Azure roles and permissions are needed at various stages of installation:
- Security Administrator (Azure AD / Microsoft Entra directory role, not the Azure RBAC role of the same name)
- Global Administrator (directory role)
- Logic App Contributor (Azure RBAC role, scoped to the resource group or subscription that will hold the playbooks)
- These are highly privileged roles: assign them only for the installation step that requires them and remove any that are not needed for ongoing operation once installation is complete.
Installation
Component - Block IPs and Domains
1. Deploy the RecordedFuture-ImportToDefenderEndpoint playbook template
2. Deploy the RecordedFuture-TIforDefenderEndpoint playbook template
Component - Command and Control Security Control Feed
1. Deploy the RecordedFuture_IP_SCF_ImportToDefenderATP playbook template
2. Deploy the RecordedFuture_IP_SCF_IndicatorProcessor playbook template
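The four deployments above are normally done from the Sentinel portal. As an added example (not code from Recorded Future or from this solution), the following Az PowerShell script performs the same steps non-interactively: it checks that the signed-in identity holds a role that covers Logic App Contributor on the target resource group, deploys the four templates in the order listed, and verifies that each resulting Logic App exists and is enabled. The resource group name, the local template directory, the template file names and the `PlaybookName` template parameter are assumptions for illustration and must be adjusted to the actual templates.

```powershell
# Added example, not part of the Recorded Future documentation or solution.
# Assumptions: the four ARM templates are saved locally as .\templates\<name>.json,
# each accepts a 'PlaybookName' parameter, and Connect-AzAccount has already run.

$ResourceGroup = 'rg-sentinel'     # assumption: resource group holding the Sentinel playbooks
$TemplateDir   = '.\templates'     # assumption: local copy of the playbook templates

# Deployment order follows the installation steps: the Import playbook of each
# component is deployed before the playbook that consumes its output.
$Playbooks = @(
    'RecordedFuture-ImportToDefenderEndpoint',
    'RecordedFuture-TIforDefenderEndpoint',
    'RecordedFuture_IP_SCF_ImportToDefenderATP',
    'RecordedFuture_IP_SCF_IndicatorProcessor'
)

# 1. Confirm the signed-in user has Logic App Contributor (or a broader role) on the
#    resource group. Get-AzRoleAssignment -SignInName works for user accounts; use
#    -ObjectId instead when running as a service principal.
$ctx = Get-AzContext
if (-not $ctx) { throw 'No Azure context. Run Connect-AzAccount first.' }
$scope = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$ResourceGroup"
$covering = @('Logic App Contributor', 'Contributor', 'Owner')
$hasRole = Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in $covering }
if (-not $hasRole) {
    throw "Signed-in account has no Logic App Contributor (or broader) assignment on $scope."
}

# 2. Deploy each playbook template and fail fast if a deployment does not succeed.
foreach ($name in $Playbooks) {
    $template = Join-Path $TemplateDir "$name.json"   # assumption: file naming
    if (-not (Test-Path $template)) { throw "Template not found: $template" }

    $deploy = New-AzResourceGroupDeployment `
        -ResourceGroupName $ResourceGroup `
        -Name "deploy-$name" `
        -TemplateFile $template `
        -TemplateParameterObject @{ PlaybookName = $name }   # assumption: parameter name

    if ($deploy.ProvisioningState -ne 'Succeeded') {
        throw "Deployment of $name ended in state '$($deploy.ProvisioningState)'."
    }
}

# 3. Verify that every playbook now exists as a Logic App and is enabled.
foreach ($name in $Playbooks) {
    $app = Get-AzLogicApp -ResourceGroupName $ResourceGroup -Name $name -ErrorAction Stop
    if ($app.State -ne 'Enabled') {
        Write-Warning "$name deployed but is in state '$($app.State)'."
    } else {
        Write-Host "$name deployed and enabled."
    }
}
```

The Recorded Future for Microsoft Sentinel API token is not passed to the templates here; as with other Sentinel playbooks built on a managed connector, it is entered when the playbook's Recorded Future API connection is authorized after deployment, which this script does not automate. Run the script with an account that already holds the roles listed under Prerequisites, and remove the elevated directory roles once installation is finished.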
Support
Please reach out to Recorded Future support at support@recordedfuture.com for any queries and assistance needed during the installation.