Solution: Recorded Future
| Attribute | Value |
|---|---|
| Publisher | Recorded Future Support Team |
| Support Tier | Partner |
| Support Link | http://support.recordedfuture.com/ |
| Categories | domains |
| Version | 3.2.19 |
| Author | Recorded Future Premier Integrations - support@recordedfuture.com |
| First Published | 2021-11-01 |
| Last Updated | 2026-04-21 |
| Solution Folder | Recorded Future |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (56%) |
Recorded Future is the world's largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.
Underlying Microsoft Technologies used: This solution depends on underlying Microsoft technologies. Some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

* Log Analytics
* Logic apps
* Threat Indicators

This solution does not include data connectors.
This solution may contain other components such as analytics rules, workbooks, hunting queries, or playbooks.
This solution queries 2 table(s) from its content items:
| Table | Used By Content |
|---|---|
| RecordedFuturePlaybookAlerts_CL | Playbooks (writes) |
| RecordedFuturePortalAlerts_CL | Playbooks (writes) |
The following 3 table(s) are used internally by this solution's content items:
| Table | Used By Content |
|---|---|
| RecordedFutureThreatMapMalware_CL | Playbooks (writes), Workbooks |
| RecordedFutureThreatMap_CL | Playbooks (writes), Workbooks |
| ThreatIntelIndicators | Analytics, Hunting, Workbooks |
This solution includes 37 content item(s) (33 in solution, 4 discovered 🔍):
| Content Type | Total | In Solution | Discovered |
|---|---|---|---|
| Playbooks | 21 | 21 | - |
| Workbooks | 8 | 8 | - |
| Analytic Rules | 4 | 4 | - |
| Hunting Queries | 4 | 0 | 4 |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| RecordedFuture Threat Hunting Domain All Actors | Medium | InitialAccess, CommandAndControl | Internal use:ThreatIntelIndicators |
| RecordedFuture Threat Hunting Hash All Actors | Medium | InitialAccess, Execution, Persistence | Internal use:ThreatIntelIndicators |
| RecordedFuture Threat Hunting IP All Actors | Medium | Exfiltration, CommandAndControl | Internal use:ThreatIntelIndicators |
| RecordedFuture Threat Hunting Url All Actors | Medium | Persistence, PrivilegeEscalation, DefenseEvasion | Internal use:ThreatIntelIndicators |
| Name | Tactics | Tables Used |
|---|---|---|
| RecordedFuture Threat Hunting Domain All Actors ⚠️ | - | Internal use:ThreatIntelIndicators |
| RecordedFuture Threat Hunting Hash All Actors ⚠️ | - | Internal use:ThreatIntelIndicators |
| RecordedFuture Threat Hunting IP All Actors ⚠️ | - | Internal use:ThreatIntelIndicators |
| RecordedFuture Threat Hunting URL All Actors ⚠️ | - | Internal use:ThreatIntelIndicators |
| Name | Tables Used |
|---|---|
| RecordedFutureAlertOverview | - |
| RecordedFutureDomainCorrelation | Internal use:ThreatIntelIndicators |
| RecordedFutureHashCorrelation | Internal use:ThreatIntelIndicators |
| RecordedFutureIPCorrelation | Internal use:ThreatIntelIndicators |
| RecordedFutureMalwareThreatHunting | Internal use:RecordedFutureThreatMapMalware_CL |
| RecordedFuturePlaybookAlertOverview | - |
| RecordedFutureThreatActorHunting | Internal use:RecordedFutureThreatMap_CL |
| RecordedFutureURLCorrelation | Internal use:ThreatIntelIndicators |
| Name | Description | Tables Used |
|---|---|---|
| RecordedFuture-ActorThreatHunt-IndicatorImport | This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator lo... | - |
| RecordedFuture-Alert-Importer | This playbook imports alerts from Recorded Future and stores them in a custom log in the log analyti... | RecordedFuturePortalAlerts_CL (read/write) |
| RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor | [Deprecated] Deprecated due to changes in the Threat Intelligence Platform. Use the new Indicato... | - |
| RecordedFuture-Domain-IndicatorImport | This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence ... | - |
| RecordedFuture-HASH-Obs_in_Underground-TIProcessor | [Deprecated] Deprecated due to changes in the Threat Intelligence Platform. Use the new Indicato... | - |
| RecordedFuture-Hash-IndicatorImport | This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence In... | - |
| RecordedFuture-IOC_Enrichment | This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found i... | - |
| RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor | [Deprecated] Deprecated due to changes in the Threat Intelligence Platform. Use the new Indicato... | - |
| RecordedFuture-IP-IndicatorImport | This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indi... | - |
| RecordedFuture-ImportToSentinel | [Deprecated] Deprecated due to changes in the Threat Intelligence Platform. Use the new Indicato... | - |
| RecordedFuture-MalwareThreatHunt-IndicatorImport | This playbook will write Recorded Future threat hunting indicators to ThreatIntelligenceIndicator lo... | - |
| RecordedFuture-Playbook-Alert-Importer | This playbook imports alerts from Recorded Future and stores them in a custom log in the log analyti... | RecordedFuturePlaybookAlerts_CL (write) |
| RecordedFuture-Sandbox_Enrichment-Url | This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The ... | - |
| RecordedFuture-Sandbox_Outlook_Attachment | This playbook will trigger on emails with attachments and send them to Recorded Future Sandbox. The r... | - |
| RecordedFuture-Sandbox_StorageAccount | This playbook will trigger on files in a Storage Account and send them to Recorded Future Sandbox. T... | - |
| RecordedFuture-ThreatIntelligenceImport | This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table. | - |
| RecordedFuture-ThreatMap-Importer | This playbook will import Threat Map data from Recorded Future and store it in a custom log. | Internal use:RecordedFutureThreatMap_CL (write) |
| RecordedFuture-ThreatMapMalware-Importer | This playbook will import Threat Map data from Recorded Future and store it in a custom log. | Internal use:RecordedFutureThreatMapMalware_CL (write) |
| RecordedFuture-URL-IndicatorImport | This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Ind... | - |
| RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor | [Deprecated] Deprecated due to changes in the Threat Intelligence Platform. Use the new Indicato... | - |
| RecordedFuture-Ukraine-IndicatorProcessor | [Deprecated] Deprecated due to changes in the Threat Intelligence Platform. Use the new Indicato... | - |
⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.
📄 Source: Recorded Future/README.md
Instructions on how to install and use the Recorded Future Solution for Microsoft Sentinel, or how to install individual playbooks, can be found in the main readme.md in the Playbook subdirectory of this repository.
Recorded Future also provides standalone playbooks in this repository for EntraID (identity) and Defender for endpoints.
Recorded Future Intelligence Solution - Installation guide
Recorded Future Defender Integrations - Recorded Future Defender playbooks - Recorded Future Defender SCF playbooks
Recorded Future for Identity - Recorded Future Identity
Recorded Future is the world's largest provider of intelligence for enterprise security. By seamlessly combining automated data collection, pervasive analytics, and expert human analysis, Recorded Future delivers timely, accurate, and actionable intelligence.
Benefits of Recorded Future integrations

- Detect indicators of compromise (IOCs) in your environment.
- Triage alerts faster with elite, real-time intelligence.
- Respond quickly with transparency and context around internal telemetry data.
- Maximize your investment in Microsoft Sentinel.

Learn more about Recorded Future for Microsoft Sentinel
Start a 30-day free trial of Recorded Future for Microsoft Sentinel from here!
Recorded Future for Microsoft Sentinel offers a range of powerful intelligence capabilities. Key features include:

- The TI-IndicatorImport playbooks pull risk lists from Recorded Future and write the contained indicators to the Microsoft Sentinel ThreatIntelligenceIndicator table via the RecordedFuture-ThreatIntelligenceImport playbook.
- Microsoft Sentinel analytic rules correlate threat intelligence indicators with logs provided to Microsoft Sentinel and create alerts/incidents for matches found.
- Automation rules trigger on each incident and enrich incidents with Recorded Future intelligence.

[Content truncated...]
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.2.19 | 13-04-2026 | Added functionality to choose Sandbox region, changed to optional Enterprise Sandbox API token. Updated Indicator Import, moving evidence details from "labels" to "external_references". |
| 3.2.18 | 03-02-2026 | To reduce noise in incident comments: updated RecordedFuture-IOC_Enrichment logic app with a RiskScoreThreshold parameter that defaults to 5. If an entity has a risk score lower than this threshold, we will not leave a comment on the incident. |
| 3.2.17 | 12-08-2025 | Updated Indicator imports with deterministic STIX ID that should reduce the number of duplicate IOCs. Updated RecordedFuture-Playbook-Alert-Importer to improve the description formatting. Updated documentation with typo fixes and clarifications. |
| 3.2.16 | 08-05-2025 | Updated workbooks, analytic rules and hunting queries to new ThreatIntelIndicators schema. Removed deprecated analytic rules. Updated documentation to reflect changes. |
| 3.2.15 | 12-03-2025 | Fixed description of Playbooks. |
| 3.2.14 | 30-01-2025 | Fix the name of IntelligenceCloud parameter in RecordedFuture-CustomConnector + other minor renames. |
| 3.2.13 | 08-01-2025 | Removed Custom Entity mappings from Analytic rules. |
| 3.2.12 | 28-11-2024 | Fix API connection bug in RecordedFuture-AlertImporter Playbook. |
| 3.2.11 | 31-10-2024 | Fix API connection bug in RecordedFuture-ThreatMap-Importer Playbook, documentation improvements. |
| 3.2.10 | 01-10-2024 | Updated install README for multiple Playbooks, added protocol check for URL enrichments in RecordedFuture-IOC_Enrichment Playbook, moved parameters from important to advanced and internal in RecordedFuture-CustomConnector. |
| 3.2.9 | 23-09-2024 | Updated RecordedFuture-Alert-Importer Playbook improved text encoding and added utm links. |
| 3.2.8 | 23-08-2024 | Updated RecordedFuture-Alert-Importer Playbook added text encoding and latest_event_date bugfix. |
| 3.2.7 | 01-08-2024 | Updated Analytic rules for entity mappings. |
| 3.2.6 | 03-08-2024 | Added incident creation to RecordedFuture-Alert-Importer Playbook. Update concurrency in RecordedFuture-IOC_Enrichment Playbook. |
| 3.2.5 | 24-06-2024 | Added missing AMA Data Connector reference in Analytic rules. |
| 3.2.4 | 08-03-2024 | Change default Recurrence for pulling data in Fix parse json in RecordedFuture-ThreatMap-Importer Playbook. Update solution description, referencing release notes. |
| 3.2.3 | 27-02-2024 | Fix parsing in RecordedFuture-PlaybookAlert-Importer Playbook. Added Recorded Future AI Summary to Alert workbook. Added Statuses to Playbook alert Workbook. |
| 3.2.1 | 08-02-2024 | Fix parse json in RecordedFuture-Alert-Importer Playbook. Fixed broken links in readme.md |
| 3.2.0 | 27-12-2023 | Added (Recorded Future Malware Threat Map) Workbook Added (ThreatMapMalware-Importer) Playbook. Added (MalwareThreatHunt-IndicatorImport) Playbook. Fix defaults on RecordedFuture-ActorThreatHunt-IndicatorImport Playbook Fixed description on RecordedFutureThreatHuntingDomainAllActors Analytic Rules. Fixed description on RecordedFutureThreatHuntingHashAllActors Analytic Rules. Added Malware endpoints to RecordedFuture-CustomConnector Playbook. Fixed defaults on Playbook-Alert-Importer Playbook. Updated API connection names for all Playbooks to ease API connection configuration. Changed connectorId for Hunting Analytic Rules. Updated documentation. |
| 3.1.1 | 27-12-2023 | Minor fix, added Release Notes to Solution description. |
| 3.1.0 | 01-12-2023 | Added (Recorded Future Threat Actor Map) Workbook. Added (RecordedFuture-ThreatMap-Importer) Playbook. Added (RecordedFuture-ActorThreatHunt-IndicatorImport) Playbook. Added 4 Analytic Rules to be used for Recorded Future Threat Hunt. Documentation update. Removed 6 deprecated Playbooks from Solution package. |
| 3.0.2 | 02-11-2023 | Encoding Fix to the (RecordedFuture-Alert-Importer) Playbook. Changed defaults in (RecordedFuture-Playbook-Alert-Importer). |
| 3.0.1 | 26-10-2023 | Fix to the (RecordedFuture-ThreatIntelligenceImport) Playbook. |
| 3.0.0 | 20-09-2023 | Added Workbooks for correlating Recorded Future and logs containing IoC of type IP, DNS, URL and Hash Generate Markdown/HTML response for enrichment comments. (Recorded Future Playbook Alerts) Playbook and Workbook for visualization. (Recorded Future Classic Alerts) Playbook and Workbook for visualization. Leveraging new API for importing threat indicators and deprecating old Playbooks. |
| 2.4.0 | 29-05-2023 | (Sandbox URL enrichment) Playbook included in the solution. Sandbox( of outlook attachment Playbook) provided as an example outside the solution. Sandbox of files in Azure storage accounts provided as example outside the solution. Fix to (IOC enrichment playbook) don’t report 404 (not found) as an error. |
| 2.3.0 | 13-02-2023 | Layout improvements to the (incident enrichment Playbook). Added Detections from collective insights to enrichment playbooks. IncidentId and MITRE Att&ck code added to collective insights. Fix for image in incident comment. |
| 2.2.2 | 23-01-2023 | Fixes for all risk list import Playbooks. |
| 2.2.1 | 23-12-2022 | Display severity for risk rules in enrichment of IOCs. Sorting of risk rules, showing very malicious rules first. |
| 2.2.0 | 14-12-2022 | Improvements to the (incident enrichment playbook). Added Recorded Future links to enrichment comment. Improved layout of the enrichment, adding Recorded Future logo, table layout. |
| 2.1.0 | 20-09-2022 | Updated all Playbooks to use RecordedFutureV2 connector, which requires new API keys. Added Playbooks for importing Ukraine Russia conflict risk lists. |