RecordedFuture-IOC_Enrichment

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Microsoft Sentinel incident <img alt="Microsoft Sentinel incident comment" src="https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Recorded%20Future/Playbooks/Enrichment/RecordedFuture-IOC_Enrichment/images/

Attribute	Value
Type	Playbook
Solution	Recorded Future
Source	View on GitHub

Logic App Connectors

This playbook uses 3 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azuresentinel`	Managed	1	4
`recordedfuture`	Managed	0	4
`recordedfuturev2`	Managed	1	0

Action parameters (URLs, paths, function IDs)

`azuresentinel` (Managed)

Action	Method	Endpoint	Other
Add_comment_to_incident_(V3)_-_Domain	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_-_Hash	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_-_Link	post	`/Incidents/Comment`	—
Add_comment_to_incident_(V3)_-_IP	post	`/Incidents/Comment`	—

`recordedfuture` (Managed)

Action	Method	Endpoint	Other
Domain_Enrichment	get	`/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}`	—
Hash_Enrichment	get	`/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}`	—
URL_Enrichment	get	`/lookup/url/@{encodeURIComponent(if(or(startsWith(body('Parse_JSON_-_Url')?['url'], 'http://'), startsWith(body('Parse_JSON_-_Url')?['url'], 'https://')), body('Parse_JSON_-_Url')?['url'], concat('https://', body('Parse_JSON_-_Url')?['url'])))}`	—
IP_Enrichment	get	`/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}`	—

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Playbooks · Back to Recorded Future

RecordedFuture-IOC_Enrichment

Logic App Connectors

azuresentinel (Managed)

recordedfuture (Managed)

`azuresentinel` (Managed)

`recordedfuture` (Managed)