Getting Started - Microsoft Sentinel for Sandbox

Introduction
The Recorded Future Sandbox for Microsoft Sentinel integration lets users upload and detonate samples in Recorded Future's Sandbox from Microsoft Sentinel.

Prerequisites

    • Recorded Future API Token

Installation 

1. Deploy RecordedFuture-Sandbox_Enrichment-Url
[Deploy buttons: Azure, Azure Gov]

2. Deploy RecordedFuture-Sandbox_Outlook_Attachment
[Deploy buttons: Azure, Azure Gov]

To set up automatic enrichment, map alerts to a custom analytic rule.

[Screenshot: sandbox1.png]

3. Deploy RecordedFuture-Sandbox_StorageAccount
[Deploy buttons: Azure, Azure Gov]

To set up automatic enrichment, map alerts to a custom analytic rule.

[Screenshot: sandbox2.png]

4. Deploy Automate Incident Enrichment
After the enrichment playbooks are installed and all connections are configured, create an automation rule that enriches known entities with Recorded Future intelligence in every incident.

[Screenshot: sandbox3.png]

In Microsoft Sentinel, go to Automation and create an automation rule. Give the new rule a name, select the trigger When incident is created, select the action Run playbook, and finally select RecordedFuture-IOC_Enrichment or RecordedFuture-Sandbox_Enrichment-Url as the playbook.

[Screenshot: sandbox4.png]

This triggers the Recorded Future playbook whenever an incident is created. Recorded Future then enriches the incident if it contains entities of type IP, Domain, Url or FileHash.
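The automation rule from step 4, written as a Bicep deployment instead of portal clicks, so it can be version-controlled and reviewed. This is an added example, not part of the Recorded Future article or its playbook package; the rule name, the workspace name and the playbook resource ID are assumptions passed in as parameters.

```bicep
// Added example (not from the Recorded Future article). Assumed inputs:
// the Sentinel workspace name and the resource ID of the deployed playbook.
param workspaceName string
param playbookResourceId string   // e.g. the RecordedFuture-Sandbox_Enrichment-Url Logic App
param tenantId string = tenant().tenantId

// Reference the existing Log Analytics workspace that hosts Microsoft Sentinel.
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Automation rule: trigger "When incident is created", action "Run playbook".
// No conditions, matching the article: the playbook runs for every new incident
// and enriches it only if it carries IP, Domain, Url or FileHash entities.
resource enrichOnCreate 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  name: 'rf-sandbox-enrich-on-create'   // assumed rule name
  scope: workspace
  properties: {
    displayName: 'Recorded Future Sandbox enrichment on incident creation'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      conditions: []
    }
    actions: [
      {
        order: 1
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbookResourceId
          tenantId: tenantId
        }
      }
    ]
  }
}
```

The rule only fires the playbook if Microsoft Sentinel has the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook; grant that role before testing, otherwise the rule is created but the run is rejected.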

Support
Please reach out to Recorded Future Support at support@recordedfuture.com for further queries or assistance needed during the installation process.

 

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.