RFI-Playbook-Alert-Importer-LAW-Sentinel (DEPRECATED)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Content Index

DEPRECATED: This playbook creates incidents via the Azure Microsoft Sentinel Logic Apps connector, which do not appear in the unified Microsoft Defender portal. Use RFI-Playbook-Alert-Importer-LAW instead and create incidents using a Scheduled Analytics Rule. This playbook fetches identity compromises from Recorded Future, places users in a security group and confirms them as 'risky users' in Entra ID.

Attribute Value
Type Playbook
Solution Recorded Future Identity
Source View on GitHub

Logic App Connectors

This playbook uses 5 Logic App connectors / built-in actions:

Connector / Action Type Connections Actions
azuread Managed 1 2
azureadip Managed 1 1
azureloganalyticsdatacollector Managed 1 1
azuresentinel Managed 1 2
RFI-CustomConnector-0-2-0 Custom 1 5
Action parameters (URLs, paths, function IDs)

azuread (Managed)

Action Method Endpoint Other
Add_risky_user_to_Active_Directory_security_group_for_users_at_risk post /v1.0/groups/@{encodeURIComponent(parameters('entra_id_security_group_id'))}/members/$ref
Get_User_-_Check_if_the_user_exists_in_Active_Directory get /v1.0/users/@{encodeURIComponent(outputs('Compute_user_principal_name'))}

azureadip (Managed)

Action Method Endpoint Other
Confirm_a_risky_user_as_compromised post /beta/riskyUsers/confirmCompromised

azureloganalyticsdatacollector (Managed)

Action Method Endpoint Other
Send_Data_-_Save_Playbook_alert_to_LogAnalytics_Custom_Log post /api/logs

azuresentinel (Managed)

Action Method Endpoint Other
Add_comment_to_incident_(V3) post /Incidents/Comment
Create_incident put [concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('sentinel_workspace_name') ) ]

RFI-CustomConnector-0-2-0 (Custom)

Action Method Endpoint Other
Playbook_Alerts_-_Detailed_Identity_Novel_Exposures_alert_data get /playbook-alerts/@{encodeURIComponent(item()?['alert_id'])}
Playbook_Alerts_-Update_Playbook_Alert-_Incident_created put /playbook-alerts/update
Playbook_Alerts_-_Update_Playbook_Alert-_If_user_found put /playbook-alerts/update
Playbook_Alerts_-Update_Playbook_Alert-_If_user_not_found put /playbook-alerts/update
Playbook_Alerts_-_Search_for_novel_identity_exposures post /playbook-alerts/search

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Playbooks · Back to Recorded Future Identity