Configuring Playbook Connections
After deployment, create or validate the Connections in each of the deployed Playbooks. The Logic App will show errors, and Save stays disabled, until all connectors are authorized.
API Connector Authorization
Connector | Description
--- | ---
/recordedfutureidenti | Microsoft power platform connector
/RFI-CustomConnector | RecordedFuture-CustomConnector
/azureloganalyticsdatacollector | Azure Log Analytics Data Collector (see "How to find Log Analytics Workspace key")
/azuremonitorlogs | Azure Monitor Logs
/azuread | Microsoft Entra ID power platform connectors
/azureadip | Azure AD Identity Protection
Configuring Search Playbook Parameters
Search playbooks are configured using Playbook Parameters, which can be found and set in the Logic App designer.
Playbook parameters for Search Playbooks:
You need to create a Microsoft EntraID Group and provide its Object ID as a parameter to the Playbook. For more information, see the Microsoft EntraID Groups documentation.
You need to create a Log Analytics Workspace and provide its ID as a parameter to the playbook.
Recorded Future must authorize the organization_domain you search for; the domain is tied to your API Tokens, and this authorization is done during the API token request process.
Note: Set lookup_lookback_days to the same value as search_lookback_days or larger. Otherwise the Lookup can return empty results for compromised credentials that the Search found.
Parameter | Description
--- | ---
organization_domain | Organization domain to search exposures for.
search_lookback_days | Time range for Search: number of days before today to search (e.g. input "-14" to search the last 14 days).
malware_logs_log_analytics_custom_log_name | Name of the Log Analytics Custom Log in which to save Credential Dumps Search results (must end with "_CL").
credential_dumps_log_analytics_custom_log_name | Name of the Log Analytics Custom Log in which to save Malware Logs Search results (must end with "_CL").
active_directory_security_group_id | Object ID of the Microsoft EntraID Group for users at risk. You need to pre-create it by hand: search for "Groups" in the Service search at the top of the page. For more information, see the Microsoft EntraID Groups documentation.
lookup_lookback_days | Time range for Lookup: number of days before today to search (e.g. input "-14" to search the last 14 days). Set lookup_lookback_days to the same value as search_lookback_days or larger; otherwise the Lookup can return empty results for compromised credentials that the Search found.
lookup_results_log_analytics_custom_log_name | Name of the Log Analytics Custom Log in which to save Lookup results (must end with "_CL").
active_directory_domain | Optional (can be left empty). Use it when your Microsoft EntraID domain differs from your organization domain: the search playbooks replace the domain of each compromised e-mail address with this value before looking up the corresponding user in Microsoft EntraID. Example: compromised e-mail leaked@mycompany.com, Microsoft EntraID domain @mycompany.onmicrosoft.com; set active_directory_domain = mycompany.onmicrosoft.com (domain only, without "@") and the playbooks search for leaked@mycompany.onmicrosoft.com. The Lookup playbook still uses the original e-mail address to Lookup the data.
Playbook parameters for Search playbook "External use case" are the same as for "Workforce use case", except "External use case" does NOT need credential_dumps_log_analytics_custom_log_name parameter.
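The rules in the parameter table above (custom log names ending in "_CL", a Lookup window at least as large as the Search window, the optional active_directory_domain rewrite, and the External use case not needing credential_dumps_log_analytics_custom_log_name) are easy to get wrong in the designer and only surface as empty results later. The following added example, which is not part of the Recorded Future Identity solution, checks a parameter set against those rules before the Logic App is saved and shows the e-mail domain rewrite the search playbooks apply. The function names, the sample parameter values and the GUID format check for the group Object ID are assumptions of this example.

```python
"""Pre-save validation for the Search playbook parameters (added example)."""
import re

# Custom log parameters each use case requires, per the parameter table:
# the External use case does not use credential_dumps_log_analytics_custom_log_name.
REQUIRED_LOG_NAMES = {
    "workforce": (
        "malware_logs_log_analytics_custom_log_name",
        "credential_dumps_log_analytics_custom_log_name",
        "lookup_results_log_analytics_custom_log_name",
    ),
    "external": (
        "malware_logs_log_analytics_custom_log_name",
        "lookup_results_log_analytics_custom_log_name",
    ),
}

# Entra ID Object IDs are GUIDs; checking the shape catches pasted display names.
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def lookback_days(value):
    """Parse a lookback parameter such as "-14" into a positive day count."""
    days = int(str(value).strip())  # raises ValueError on missing/garbled input
    if days == 0:
        raise ValueError("lookback must cover at least one day")
    return abs(days)  # the playbooks take negative offsets, e.g. "-14"


def validate_parameters(params, use_case="workforce"):
    """Return a list of problems found in the parameter set (empty list = OK)."""
    problems = []
    for name in REQUIRED_LOG_NAMES[use_case]:
        value = params.get(name, "")
        if not value.endswith("_CL"):
            problems.append(f"{name} must end with '_CL' (got {value!r})")
    # The Lookup window must be the same or larger than the Search window,
    # otherwise Lookup can return nothing for credentials the Search found.
    try:
        search = lookback_days(params.get("search_lookback_days", ""))
        lookup = lookback_days(params.get("lookup_lookback_days", ""))
        if lookup < search:
            problems.append(
                f"lookup_lookback_days ({lookup}) must be >= search_lookback_days ({search})"
            )
    except ValueError as exc:
        problems.append(f"lookback parameters: {exc}")
    if not _GUID.match(params.get("active_directory_security_group_id", "")):
        problems.append("active_directory_security_group_id must be a group Object ID (GUID)")
    if not params.get("organization_domain"):
        problems.append("organization_domain is required")
    if params.get("active_directory_domain", "").startswith("@"):
        problems.append("active_directory_domain must be given without the leading '@'")
    return problems


def entra_lookup_email(leaked_email, active_directory_domain=""):
    """Rewrite a compromised e-mail's domain the way the search playbooks do.

    With active_directory_domain empty the address is returned unchanged. The
    Lookup playbook always uses the original address, so callers keep both.
    """
    if not active_directory_domain:
        return leaked_email
    local_part, _, _domain = leaked_email.rpartition("@")
    if not local_part:
        raise ValueError(f"not an e-mail address: {leaked_email!r}")
    return f"{local_part}@{active_directory_domain}"


# Constructed sample parameter set (values are placeholders, not real data).
SAMPLE_PARAMS = {
    "organization_domain": "mycompany.com",
    "search_lookback_days": "-14",
    "lookup_lookback_days": "-14",
    "malware_logs_log_analytics_custom_log_name": "RFI_malware_logs_CL",
    "credential_dumps_log_analytics_custom_log_name": "RFI_credential_dumps_CL",
    "lookup_results_log_analytics_custom_log_name": "RFI_lookup_results_CL",
    "active_directory_security_group_id": "00000000-0000-0000-0000-000000000000",
    "active_directory_domain": "mycompany.onmicrosoft.com",
}

if __name__ == "__main__":
    for problem in validate_parameters(SAMPLE_PARAMS) or ["parameters OK"]:
        print(problem)
    print(entra_lookup_email("leaked@mycompany.com", SAMPLE_PARAMS["active_directory_domain"]))
```

Run the check against the values you intend to enter in the designer; an empty problem list means the parameter set satisfies the table's rules for that use case. Because the playbooks take negative day offsets, the comparison is done on the absolute day count, so "-7" for Lookup against "-14" for Search is correctly reported as too small.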
Remove base playbook steps from the search playbooks if the actions are not valid for your use case. Actions such as setting a user as risky (RFI-confirm-EntraID-risky-user) require additional licensing from Microsoft.
Run Playbooks
RFI-search-workforce-user and/or RFI-search-external-user run on a recurrence schedule. The schedule and interval can be changed.
Access Log Analytics Custom Logs
To see Log Analytics Custom Logs:
- From the Azure Portal, navigate to the Log Analytics workspaces service
- Select the Log Analytics Workspace in which you have deployed the Solution
- In the left-side menu click Logs, expand the second left-side menu, and select Custom Logs