Introduction
The Recorded Future Sandbox for Microsoft Sentinel integration lets users upload and detonate samples in Recorded Future's Sandbox from Microsoft Sentinel.
Prerequisites
- Recorded Future API Token
Installation
1. Deploy RecordedFuture-Sandbox_Enrichment-Url
2. Deploy RecordedFuture-Sandbox_Outlook_Attachment
To set up automatic enrichment, map alerts to a custom analytic rule.
3. Deploy RecordedFuture-Sandbox_StorageAccount
To set up automatic enrichment, map alerts to a custom analytic rule.
4. Deploy Automate Incident Enrichment
After the enrichment playbooks are installed and all their API connections are configured, create an automation rule so that known entities in every new incident are enriched with Recorded Future intelligence automatically.
In Microsoft Sentinel, go to Automation and create a new automation rule. Give the rule a name, select the trigger When incident is created, add the action Run playbook, and select RecordedFuture-IOC_Enrichment or RecordedFuture-Sandbox_Enrichment-Url as the playbook.
This triggers the selected Recorded Future playbook whenever an incident is created. Recorded Future then enriches the incident if it contains entities of type IP, Domain, URL or FileHash; incidents without mapped entities of those types are left unchanged.
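The two configuration pieces described above, the custom analytic rule with entity mappings (steps 2 and 3) and the "run playbook on incident created" automation rule (step 4), can also be deployed as infrastructure-as-code. The Bicep below is an added example and is not part of the Recorded Future solution. It assumes a CEF proxy feed in the CommonSecurityLog table (columns RequestURL and SourceIP), that the Logic App for RecordedFuture-Sandbox_Enrichment-Url has already been deployed and its resource id is passed in as playbookResourceId, and that API version 2023-02-01 of Microsoft.SecurityInsights is available in your environment; check the version against the current ARM reference before deploying.

```bicep
// Added example, not code from the Recorded Future solution.
// Deploys (1) a scheduled analytic rule whose entity mappings expose URL and IP
// entities to the enrichment playbook and (2) an automation rule that runs the
// Sandbox URL playbook on every newly created incident.
param workspaceName string
// Assumption: resource id of the already-deployed RecordedFuture-Sandbox_Enrichment-Url Logic App
param playbookResourceId string
param tenantId string = subscription().tenantId

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Custom analytic rule. Without entityMappings the playbook sees no URL/IP
// entities and has nothing to detonate or enrich.
resource urlRule 'Microsoft.SecurityInsights/alertRules@2023-02-01' = {
  scope: workspace
  name: guid(workspace.id, 'rf-sandbox-url-rule')
  kind: 'Scheduled'
  properties: {
    displayName: 'Outbound URLs seen in proxy logs (example rule)'
    enabled: true
    severity: 'Medium'
    // Assumed data source: CEF proxy logs in CommonSecurityLog. Replace with your own table/columns.
    query: '''
CommonSecurityLog
| where isnotempty(RequestURL)
| summarize Hits = count() by SourceIP, RequestURL
'''
    queryFrequency: 'PT1H'
    queryPeriod: 'PT1H'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionEnabled: false
    suppressionDuration: 'PT1H'
    incidentConfiguration: {
      createIncident: true
    }
    entityMappings: [
      {
        entityType: 'URL'
        fieldMappings: [
          {
            identifier: 'Url'
            columnName: 'RequestURL'
          }
        ]
      }
      {
        entityType: 'IP'
        fieldMappings: [
          {
            identifier: 'Address'
            columnName: 'SourceIP'
          }
        ]
      }
    ]
  }
}

// Automation rule: trigger "When incident is created", action "Run playbook".
resource enrichOnCreate 'Microsoft.SecurityInsights/automationRules@2023-02-01' = {
  scope: workspace
  name: guid(workspace.id, 'rf-sandbox-url-enrichment')
  properties: {
    displayName: 'Recorded Future Sandbox URL enrichment'
    order: 1
    triggeringLogic: {
      isEnabled: true
      triggersOn: 'Incidents'
      triggersWhen: 'Created'
      // No conditions: runs on every new incident, as in the portal steps above.
      conditions: []
    }
    actions: [
      {
        order: 1
        actionType: 'RunPlaybook'
        actionConfiguration: {
          logicAppResourceId: playbookResourceId
          tenantId: tenantId
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create` against the resource group that holds the Log Analytics workspace. The automation rule can only start the playbook if the Microsoft Sentinel service principal holds the Microsoft Sentinel Automation Contributor role on the resource group that contains the Logic App; the portal grants this when you pick the playbook interactively, but an IaC deployment has to assign it separately. Scope the `conditions` array to the analytic rules that actually emit URL, IP, Domain or FileHash entities if you do not want the playbook invoked for unrelated incidents.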
Support
Please reach out to Recorded Future Support at support@recordedfuture.com for further queries or assistance needed during the installation process.