Playbooks
Consider your organizational use cases and install the corresponding playbooks to fit your needs.
| Use Case | Playbook |
| --- | --- |
| Response | Enrichment Playbooks |
| Detect | Indicator Import/Risklist Playbooks |
| SOC Efficiency | Alert Playbooks |
| Sandbox | Sandbox Playbooks |
| Threat Hunt | Threat Hunt Playbooks |
| Custom Connectors | Custom Connector |
| Deprecated Playbooks | Deprecated Risk List Playbooks |
Workbooks
Workbook templates are installed as part of the Solution and can be saved and configured in Sentinel's Workbook Templates section.
Analytic Rules
The Recorded Future Solution includes Analytic Rule templates that can be configured to trigger alerts based on the imported risk lists or threat hunts.
Collective Insights
Microsoft Sentinel is one of the premier Recorded Future integrations with native support for Collective Insights. To enable this feature, set up the Recorded Future enrichment playbook inside Sentinel. Instructions for setting up the enrichment playbook can be found in the Recorded Future for Sentinel git repository. Once the enrichment playbook is set up, any incident that is created and enriched with Recorded Future data will be included in Collective Insights. The data points Sentinel contributes to Collective Insights are:
- IOC Type
- IOC Value
- Incident ID
- Incident Category
Please note that Collective Insights is turned on by default in the enrichment playbook for MS Sentinel. It is possible to opt out of Collective Insights and still continue to use the enrichment playbook inside MS Sentinel by setting the playbook parameter 'Intelligence Cloud' to 'false'.
Best Practices
This reference architecture aims to provide an understanding of the capabilities that can be achieved with Recorded Future's integration into the Microsoft Azure suite, accompanied by use cases that our customers have implemented in the field.