Query Risk Lists
After one or more Risk Lists have been imported successfully, the imported indicators can be queried in the ThreatIntelligenceIndicator table of your Log Analytics Workspace.
Example queries:
// List 10 rows from the ThreatIntelligenceIndicator table that were imported from Recorded Future
ThreatIntelligenceIndicator
| where Description contains "Recorded Future"
| take 10

// List 10 rows imported from the "IP - Actively Communicating C&C Server" Risk List
ThreatIntelligenceIndicator
| where Description == "Recorded Future - IP - Actively Communicating C&C Server"
| take 10

// List 10 rows from that Risk List whose evidence details mention Cobalt Strike
ThreatIntelligenceIndicator
| where Description == "Recorded Future - IP - Actively Communicating C&C Server"
    and AdditionalInformation contains "Cobalt Strike"
| take 10
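Two further queries, added here as an example and not part of the Recorded Future documentation: the first checks per Risk List how many indicators were imported, how many are still active and when the newest row arrived (a scheduled Risk List that is absent, or whose newest row is older than its download cadence, points at a stopped or failing import playbook); the second matches the active C&C IPs against outbound traffic. They assume the Description values the import playbooks write ("Recorded Future - <Risk List name>") and that a CommonSecurityLog table is populated by a CEF connector in the same workspace. Run each query separately in Log Analytics.

```kql
// Added example, not from the Recorded Future docs. Assumes Description is set by the
// import playbooks to "Recorded Future - <Risk List name>".

// 1. Import health per Risk List: total and active indicators, newest row.
ThreatIntelligenceIndicator
| where Description startswith "Recorded Future"
| summarize Indicators = dcount(IndicatorId),
            ActiveIndicators = dcountif(IndicatorId, Active == true and ExpirationDateTime > now()),
            LatestImport = max(TimeGenerated)
    by RiskList = Description
| order by LatestImport desc

// 2. Match active C&C IPs against outbound firewall traffic.
//    CommonSecurityLog is assumed to be fed by a CEF connector in this workspace.
let cnc_ips =
    ThreatIntelligenceIndicator
    | where Description == "Recorded Future - IP - Actively Communicating C&C Server"
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // keep the latest version of each indicator
    | where isnotempty(NetworkIP)
    | project NetworkIP, ConfidenceScore, AdditionalInformation;
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(DestinationIP)
| join kind=inner cnc_ips on $left.DestinationIP == $right.NetworkIP
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceVendor,
          ConfidenceScore, AdditionalInformation
| order by TimeGenerated desc
```

The arg_max step matters because each re-import writes a new row for an indicator; without it a single C&C IP can produce duplicate matches, and an indicator that has since expired could be joined on a stale row.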
Errors in RecordedFuture-IOC_Enrichment
If Recorded Future has no data for a specific entity, an error may be shown for the run when it is viewed in the Logic App's run history ("Previous Run" section).
If the last action box (Add Comment to incident (V3)) is green, a comment has been added to the incident explaining what happened.
If a URL entity lacks an http:// or https:// scheme, https:// is prepended before the URL enrichment lookup is performed.
Reporting Issues/Errors
When reporting issues or errors with the logic apps to Recorded Future, please include the logic app version identifier, which can be found in the Azure portal under <Logic App> -> Development Tools -> Versions.
Known Issues
Version 3.0
Microsoft Sentinel playbook upgrade experience can result in the following error:
A workaround is to reinstall the playbooks from the Playbook Templates tab, overwriting the existing ones, instead of using the upgrade wizard. Before overwriting an active playbook, make a note of which Risk List it downloads, its description and its download cadence so the configuration can be restored afterwards.